Top Cyber Policies – Q1 2025
From AI regulation to critical infrastructure security, Q1 2025 saw 133 new cybersecurity policies across 34 countries.
Welcome back to Hall of Hacks Weekly!
This quarter marked a surge in cybersecurity regulation around the world, as governments expanded legal frameworks to address AI, critical infrastructure, ransomware, and digital privacy. From state-level privacy laws in the U.S. to sweeping AI oversight in Europe and Asia, Q1 2025 showed that cybersecurity has become a legislative priority from Washington to Wellington.
🔍 Overview: Cybersecurity Policies
Q1 2025 recorded 133 new cyber policies across 34 countries, comprising:
The quarter saw high legislative activity in AI transparency, data privacy, smart device security, and cyber incident reporting, with a global shift toward future-proofing security governance.
🇺🇸 United States
State Privacy Laws Expansion
Delaware, Iowa, Nebraska, and New Hampshire enacted consumer data protection laws granting rights to access, correct, delete, and opt out of data processing, signaling a fragmented but maturing privacy landscape in the absence of a federal law.
Children’s Online Privacy
Virginia’s CDPA was amended to restrict data practices for users under 13. At the federal level, COPPA 2.0 was reintroduced to limit tracking of minors and mandate a data eraser function.
AI Executive Order & Legislative Momentum
President Trump’s Executive Order 14179 mandates a national AI plan focused on secure innovation. New York introduced bills for AI dataset transparency and the creation of an AI ethics commission.
Critical Infrastructure Resilience Strategy
A March EO mandates the creation of a National Resilience Strategy, empowering local authorities to prepare for cyber threats and requiring updated federal continuity plans.
Consumer Opt-Out Signals
Connecticut became a pioneer in implementing global privacy control signals, enabling universal browser-based opt-outs from data sales.
🇪🇺 Europe
Cyber Sanctions & Resilience
The EU launched cyber sanctions via Implementing Regulation 2025/173 and progressed on DORA and the Cyber Solidarity Act, fortifying financial and collective cyber defense systems.
Digital Health & AI Regulation
The finalized EHDS Regulation standardizes electronic health record sharing while ensuring GDPR-grade privacy. New AI guidelines clarify prohibited uses ahead of the EU AI Act’s adoption.
🇬🇧 United Kingdom
Online Safety Act entered implementation, requiring proactive content moderation to protect minors.
A new AI Regulation Bill proposes the creation of a centralized “AI Authority” with risk assessments and transparency mandates.
A Cybersecurity Code of Practice for AI (voluntary) was published with 13 principles for securing AI systems.
🌏 Asia-Pacific
🇨🇳 China
The Network Data Security Management Regulations expanded obligations for all network data handlers. China also introduced facial recognition laws and personal data audit mandates.
🇯🇵 Japan
A new AI Strategy Headquarters was proposed to coordinate national AI governance. The cybersecurity industry strategy focuses on talent and R&D.
🇸🇬 Singapore
Passed the Protection from Scams Bill and criminalized the misuse of SIM cards for fraud, giving regulators real-time powers to freeze suspected accounts.
🇭🇰 Hong Kong
New law requires critical infrastructure operators to follow cyber standards and report incidents under the Protection of Critical Infrastructures Ordinance.
🇦🇺 Australia
Cyber Security Act 2024 enforced security standards for IoT devices and established a Cyber Incident Review Board.
Ransomware Payment Reporting Rules now require mandatory reporting of ransom payments to build threat intelligence.
🇻🇳 Vietnam
Telecom law updates mandate registration, disclosure, and data security compliance for domestic and foreign providers.
🇲🇲 Myanmar
A sweeping and controversial Cybersecurity Law No. 1/2025 imposes harsh online content controls and surveillance powers, drawing global scrutiny.
🌎 Latin America
🇨🇱 Chile
Became a regional pioneer with its Cybersecurity Framework Law, establishing the ANCI to oversee critical infrastructure protection and incident reporting.
🇲🇽 Mexico
Dissolved INAI and centralized data protection under a new executive-controlled entity. This restructuring sparked concerns about enforcement independence.
Other Developments
Brazil and Colombia advanced breach notification laws, and the OAS held talks on a regional cybersecurity strategy.
🌍 Middle East & Africa
Data Sovereignty in the Gulf
Saudi Arabia issued a Risk Assessment Guideline for cross-border data transfers, including sensitive data controls and alignment with GDPR principles.
Africa’s Cyber Rise
Zimbabwe released licensing guidelines for data controllers; Nigeria built out its Data Protection Commission; South Africa proposed amendments to its cybercrime law.
🇹🇷 Turkey
Drafted during Q1 and passed in Q2, Cybersecurity Law No. 7545 establishes a national Cybersecurity Presidency and mandates certified secure technologies for critical infrastructure.
🌐 Cross-Cutting Trends
📜 Data Privacy Proliferation
From Brunei to Brazil, countries introduced or updated privacy laws, with user rights, data portability, and enforcement measures increasingly modeled on GDPR principles.
🧒 Protection of the Vulnerable
Youth-focused policies emerged across jurisdictions (Virginia, the UK, Italy), all limiting data processing and mandating safety-by-design features.
🛡️ Critical Infrastructure Defense
Governments across five continents enacted or enhanced rules to defend healthcare, energy, transport, and finance from cyberattacks, among them Chile, Turkey, Hong Kong, and Australia.
🤖 AI Governance & Security Integration
A global consensus is forming around AI risk assessments, transparency in training datasets, AI labeling, and embedding security in AI lifecycles. The UK, EU, Japan, and U.S. led this charge.
💣 Cybercrime & Ransomware Reporting
New reporting requirements (Australia, Brazil), anti-scam tools (Singapore), and increased penalties (Pakistan, Zimbabwe) mark an aggressive push to combat cybercrime and build shared threat intel.
🌐 Geopolitics & Data Sovereignty
Cross-border frictions intensified. U.S. moves cast uncertainty on the EU–US Privacy Framework, prompting others (e.g., Saudi Arabia) to define their own data transfer rules.
🔐 Future-Proofing Against Emerging Tech Risk
From quantum encryption migration efforts (U.S., EU) to baseline IoT security standards (Australia, EU), policy leaders are beginning to legislate not just for today, but for tomorrow’s cyber challenges.
🚀 Why These Policies Matter
Compliance Complexity: Fragmented yet growing privacy and cybersecurity mandates require global companies to track and adjust to dozens of regimes.
AI is a Legislative Priority: The governance of generative AI is no longer theoretical; it's in active rulemaking across continents.
Critical Infrastructure Is Core: Energy grids, transport, finance, and healthcare are now policy battlegrounds for cybersecurity resilience.
Privacy Rights Are Expanding: Consumer empowerment via data rights is reshaping the business-consumer dynamic.
Incident Visibility Is Mandatory: Reporting rules for cyberattacks and ransomware are becoming the norm, not the exception.
📌 Coming Next Week
Hall of Hacks – Cybercrime Judicial Actions of Q1 2025: See how courts and regulators are penalizing cybercriminals, fining corporations, and what it means for compliance and incident response teams.
Copyright © 2025 CyberMaterial. All Rights Reserved.