Top Cyber Policies – Q2 2025
Q2 2025 saw global cybersecurity rules tighten, with new AI, ransomware, data, and platform laws signaling a shift from reactive to anticipatory regulation.
Welcome back to Hall of Hacks Weekly
This quarter saw a global tightening of cybersecurity rules, with governments moving aggressively on AI accountability, ransomware reporting, cross-border data controls, and platform liability. From landmark fines in Canada and the UK to new ISO standards and U.S. executive orders, Q2 2025 confirmed that cybersecurity law is no longer reactive; it is anticipatory.
🌍 Overview of Cybersecurity Policies
Q2 2025 recorded 92 new cyber policies globally, comprising:
The quarter highlighted a shift toward mandatory cyber incident reporting, corporate liability for AI misuse, and harmonized international standards.
🇺🇸 United States
AI and Cybersecurity Executive Orders
In April, President Trump issued Executive Order 14117, which tightened supply chain security measures and expanded sanctions against malicious cyber actors. This was followed in June by Executive Order 14144, which restructured federal cybersecurity priorities with a new emphasis on secure software development, AI governance, and the use of cyber-related sanctions as enforcement tools. Together, these executive actions mark a decisive federal push to align emerging technology oversight with national security imperatives.
Legislative Movement
Congress advanced several significant initiatives during the quarter. The NO FAKES Act targeted synthetic identity fraud and deepfake exploitation, while the DELETE Act sought to strengthen consumer data rights by advancing deletion requirements. Additionally, Senate Bill 1337 extended the federal framework for cybersecurity information sharing through 2035, ensuring continuity of collaborative defense across government and industry. These measures reflect a legislative strategy aimed at simultaneously protecting citizens, safeguarding data, and future-proofing cyber cooperation.
State Developments
States were equally active. New York enforced new compliance deadlines for rapid cyber incident reporting. Oregon signed House Bill 3936, restricting foreign adversary AI from use in government IT systems. Montana signed both SB 297 and HB 514 into law, amending consumer privacy protections. These state-level moves underscored how local governments are filling gaps in the absence of comprehensive federal privacy law.
🇪🇺 Europe
Cyber Resilience Expansion
The European Union advanced revisions to the Cybersecurity Act and the Cyber Resilience Act, strengthening enforcement and consultation mechanisms. The launch of the DNS4EU initiative further reinforced European digital sovereignty, ensuring a secure alternative to foreign-controlled DNS infrastructure.
Standards and Frameworks
The European Commission published the Cybersecurity Blueprint 2025 under the NIS2 Directive, setting expectations for member states to harmonize crisis management. Alongside this, ISO updated several international standards, including ISO 27001:2025 with stronger cloud and AI security controls, and introduced the Safe Framework and privacy engineering models, which together expand global guidance on resilience and privacy-by-design.
🇬🇧 United Kingdom
Cyber Security and Resilience Bill: introduced, mandating ransomware reporting and expanding state resilience planning.
Data Act & DUAA (June): introduced severe penalties, with daily fines of £100,000 and up to £17.5M or 4% of global turnover.
🌏 Asia-Pacific
China
Beijing opened public consultation on draft amendments to its Cybersecurity Law, which are expected to expand requirements on data handlers and tighten control of cross-border information flows.
Japan
Japan enacted the Active Cyber Defense Law, which introduced penalties for failing to report cyber incidents, signaling a more proactive approach to national defense against cyberattacks.
Malaysia
Malaysia passed the Data Sharing Act 2025, creating a legal framework for managing cross-border data transfers while strengthening protections for citizens’ personal information.
🌍 Africa
Zambia
In April, Zambia enacted the Cyber Crimes Act 2025. The law created a comprehensive framework criminalizing unauthorized access, cyber extortion, and online child exploitation. It also reinforced child protection obligations in digital spaces, positioning Zambia among Africa’s leaders in codifying cybercrime law.
🇨🇦 Canada
Record Financial Penalties
Canada passed Bill C-8, which introduced unprecedented financial penalties for cybersecurity violations. Corporations now face daily fines of up to $15 million, while individuals can be fined up to $1 million per day for non-compliance. This law is one of the harshest globally, signaling a strong deterrent stance by Canadian regulators.
⚖️ Enforcement and Legal Cases
US v. Matthew Lane – guilty plea in the PowerSchool student data breach.
Vincent Dolan v. USAA – breach settlement approved in New York.
DOJ & International Partners – takedown of crypting services.
Brazil – new law established civil liability for platforms failing to meet cyber obligations.
🌐 Cross-Cutting Trends
🔐 Mandatory Reporting Rules
Governments pushed harder on cyber incident disclosure. Japan’s new Active Cyber Defense Law penalizes organizations that fail to report breaches, while New York’s financial regulator enforced strict compliance deadlines. Indiana added a two-day reporting rule, making it clear that slow or vague disclosures are no longer acceptable.
🤖 AI Accountability
AI oversight became a legal priority. The U.S. issued an executive order tying AI governance to national security, and Oregon barred foreign adversary AI from government systems. France’s regulator clarified rules on training data, signaling that AI compliance is now part of cybersecurity, not a separate debate.
💰 Heavy Corporate Fines
Canada and the UK introduced some of the toughest penalties seen to date. Canada’s new law allows daily fines of up to $15 million for corporations and $1 million for individuals. The UK went further with daily fines of £100,000 and maximum penalties reaching £17.5 million or 4% of global turnover, putting boards on notice worldwide.
🌍 Data Sovereignty Battles
Data transfer rules tightened across regions. China advanced amendments to its Cybersecurity Law to control how foreign firms handle local data, while Malaysia’s new Data Sharing Act created a stricter framework for cross-border flows. In Europe, the launch of DNS4EU reinforced sovereignty over digital infrastructure.
📘 Standards & Harmonization
International standards gained momentum. ISO updated 27001:2025 to address AI-driven threats, introduced the Safe Framework for IT governance, and published privacy-by-design models. In parallel, the EU’s Cybersecurity Blueprint 2025 under NIS2 pushed member states toward harmonized crisis management and coordinated response.
🚀 Why These Policies Matter
The implications of these Q2 developments are clear. Global liability is rising, and regulators are no longer satisfied with voluntary compliance. AI is under active regulation, with governments treating its misuse as both a security and civil rights risk. Data flows are becoming increasingly fragmented, forcing multinational businesses to adjust their operations region by region. Cybercrime enforcement is growing more aggressive, with international coalitions dismantling services once considered untouchable. In short, compliance in cybersecurity has become a boardroom issue, demanding sustained attention, resources, and accountability.
📅 Coming Next Week
Hall of Hacks – Cybercrime Judicial Actions of Q2 2025
We will explore how courts and regulators are punishing cybercriminals, fining corporations, and shaping global enforcement trends.
Copyright © 2025 CyberMaterial. All Rights Reserved.