Cyber crime is projected to cost the world $10.5 trillion annually by 2025, growing at roughly 15% per year. With massive amounts of proprietary data and employee and customer personal information at risk, organizations that experience a cyber attack (e.g., data breaches, ransomware) must be prepared to mitigate reputational damage, operational disruption, system vulnerabilities and critical infrastructure risks. As a result, security and risk leaders are feeling the pressure to strengthen their security posture and ensure they can comply with cybersecurity regulations.
The latter has become more challenging given that many global standard setters and countries have proposed, recently enacted or updated legislation and regulations as a way to combat the sharp rise in cyber attacks. According to PwC’s 2025 Global Digital Trust Insights survey, many chief information security officers (CISOs) are less optimistic than CEOs about their organization’s ability to meet regulatory requirements.
Here, we share four key regions whose cybersecurity regulations organizations must pay attention to.
U.S. cyber regulations
Cyber attacks are becoming more frequent and more severe in the U.S. About 82% of U.S. organizations experienced a data breach in the past 12 months, according to the latest Cyberthreat Defense Report, and in 2024 the average cost of a data breach in the U.S. was $9.36 million, roughly twice the global average.
In response, the U.S. Securities and Exchange Commission (SEC) adopted cybersecurity disclosure rules that took effect in December 2023 and published additional interpretive guidance in June 2024. Under the rules, SEC registrants must describe their cyber risk management, strategy and governance in their annual reports and must disclose "material" cyber incidents, meaning incidents a reasonable investor would consider important in making an investment decision, on Form 8-K within four business days of determining that the incident is material.
In addition, in March 2022 the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), originally one part of the broader Strengthening American Cybersecurity Act, was signed into law. CIRCIA mandates strict incident reporting deadlines for organizations in the 16 sectors designated as critical infrastructure.
The list of sectors includes:
- Critical manufacturing
- Energy
- Financial services
- Food and agriculture
- Government facilities
- Healthcare and public health
Covered entities operating in any of the 16 critical sectors will be legally obliged to report a covered cyber incident to the U.S. Cybersecurity & Infrastructure Security Agency (CISA) within 72 hours of reasonably believing it occurred, and to report any ransom payment made in response to a ransomware attack within 24 hours of making the payment.
In March 2024, CISA released a proposed rule implementing CIRCIA, estimating that the requirements will apply to over 300,000 entities and generate at least 25,000 incident reports in the first year. As of October 2024 the rule has not been finalized, and reporting obligations do not begin until the final rule takes effect; organizations may not have to start reporting cyber incidents to CISA until early 2026.
European cyber laws
Europe is facing its own cybersecurity crisis, witnessing more than 11,000 cyber attacks in 2024. In October 2024, the Council of the EU gave final approval to new legislation to combat the problem: the European Cyber Resilience Act (CRA). The CRA establishes common cybersecurity requirements for hardware and software products with digital elements, in response to the sharp rise in cyber attacks that exploit vulnerabilities in those products.
Manufacturers, importers and distributors of products sold in the European Union (EU) will need to determine whether their products fall within the scope of the CRA. If so, they must meet specific cybersecurity requirements for designing, developing, producing and placing on the market products with digital elements, which range from web browsers and operating systems to microprocessors and industrial automation and control systems, and must handle and report actively exploited vulnerabilities throughout the product's support period.
The act builds on earlier EU cybersecurity legislation, such as the 2016 NIS Directive, which has been replaced by the NIS2 Directive. NIS2 entered into force in January 2023, and member states had until October 17, 2024 to transpose it into national law. The directive sets out risk-management and incident-reporting obligations to strengthen digital resilience for organizations in critical sectors such as energy, transport, water, banking, financial market infrastructure, healthcare and digital infrastructure.
Another European regulation organizations must be aware of is the Digital Operational Resilience Act (DORA), which harmonizes operational resilience requirements for financial entities across all member states. DORA provides frameworks for ICT risk management, incident reporting, resilience testing and oversight of ICT third-party providers so that financial institutions can keep operating when cybersecurity incidents or disruptions occur. Although DORA entered into force in January 2023, it applies, and is enforced, from January 17, 2025.
Chinese cyber legislation
China ranks third in the world as a source of cyber crime, according to the World Cybercrime Index, a recent study that ranks countries by where cybercriminal activity originates.
Taking cues from the EU's General Data Protection Regulation (GDPR), a strict set of rules governing the handling of personal data, the Chinese government has built out a body of cyber law since 2017. Three frameworks sit at its center:
- Cybersecurity Law (CSL), in force since June 2017
- Data Security Law (DSL), in force since September 2021
- Personal Information Protection Law (PIPL), in force since November 2021
Building on the CSL, DSL and PIPL, in September 2024 China issued the new Regulations on Network Data Security Management, which take effect on January 1, 2025. The regulations provide more detailed guidelines on personal data protection, such as stricter informed consent requirements and clearer definitions of and obligations regarding "important data", as well as contractual requirements for data sharing between data handlers and for cross-border data transfers.
Previously, in September 2021, China had tightened its incident-handling requirements, obliging organizations to investigate and submit an evaluation report to the local authority within five days of a cybersecurity incident affecting more than 100,000 users.
International (non-Chinese) organizations, however, are often still unclear about how their security practices fit into this regime. Chinese authorities may send third-party inspectors into an organization's network to establish the true scale of any damage or data incident, but the permitted depth of that analysis, and how far inspectors may go into your network, remains vague. Asia Online reports that Yahoo shut down its services in China on the day the PIPL came into effect, and that LinkedIn withdrew from the country a month later.
It’s highly recommended that non-Chinese IT leaders with operations in China:
- have a plan in place for unannounced inspections
- establish a team ready to receive local inspectors, walk them through the data architecture, draw up cyber incident reports and provide any other documentation requested
Indian cyber regulation
Cyber crime is rising rapidly in India, with organizations facing over 3,000 attacks per week, according to a recent Check Point Research report. In September 2024, one of the country’s largest health insurers, Star Health Insurance, suffered a massive data breach that allegedly compromised the personal data of 31 million customers.
A number of the country’s cyber laws are either already in place or proposed. For example, in August 2024, India’s Ministry of Communications released the draft Telecommunications (Telecom Cyber Security) Rules, 2024, which aim to strengthen the cybersecurity of telecom networks and services through new guidelines for data collection, security measures and incident reporting.
In early August 2023, the Indian Parliament passed the Digital Personal Data Protection (DPDP) Act 2023—the country’s first comprehensive data protection law that draws on fundamental concepts found in the EU’s GDPR.
There is also a proposed Digital India Act, which was first discussed in March 2023 as a replacement for the Information Technology Act 2000. It’s meant to offer a contemporary regulatory framework for today’s technologies, with core constituents such as:
- online safety
- trust and accountability
- open internet
- regulations for emerging technologies such as AI and blockchain
While the draft bill is yet to be made public, if passed, the Digital India Act will be a landmark piece of legislation for the country.
India also has one of the strictest cyber incident reporting requirements in the world. Directions issued by CERT-In in April 2022, in force since June 2022, mandate a six-hour reporting window for data breaches, ransomware attacks, identity theft and other large-scale malicious activity within a corporate network.
A continued focus on cybersecurity legislation
It’s become abundantly clear that cyber crime is a top priority for governments worldwide. As threats and attacks continue to increase, countries are likely to enact more legislation to limit their cost and their impact on national security, critical industries and infrastructure, and the public at large. Gartner, for example, predicts that by 2025, 30% of nation-states will pass legislation regulating ransomware payments, fines and negotiations.
This legislation-heavy future means security and risk leaders, whether their focus is on the physical or the digital domain, must stay abreast of new cybersecurity measures and what each means for their organization.
This insight article has been updated from the original, published on March 23, 2023, to reflect new events, conditions and/or research.