On Sept. 10, 2025, the Department Defense (DoD) issued a final rule amending the Defense Acquisition Regulation Supplement (DFARS) to implement the Cybersecurity Maturity Model Certification (CMMC) program for government contractors. This final rule established a November 10, 2025 go-live date for the start of phase 1 of CMMC. As we covered in our prior
In June 2025, the Cybersecurity and Infrastructure Security Agency (CISA) issued draft updated guidance for public comment on the Minimum Elements for a Software Bill of Materials (SBOM), which the National Telecommunications and Information Administration (NTIA) first published in 2021 for federal agencies in response to Executive Order 14028 on Improving the Nation’s Cybersecurity.
Continue Reading Software Bill of Materials Guidance for Government Contractors
Cybersecurity month starts with a critical compliance date for the Department of Justice (DOJ)’s Data Security Program (DSP). Starting on Oct. 6, any U.S. person or company handling Americans’ bulk sensitive or personal data or U.S. government-related data must implement a written data compliance program that lays out specified due diligence, audit, reporting, and recordkeeping processes for covered data transactions.
Continue Reading Incoming Deadlines and Requirements for DOJ’s Data Security Program on Oct. 6, 2025
On Sept. 23, 2025, the California Privacy Protection Agency (CPPA) announced that the state’s Office of Administrative Law (OAL) had formally approved the CPPA’s wide-ranging package of revised and new California Consumer Privacy Act (CCPA) regulations.
Continue Reading Revised and New CCPA Regulations Set to Take Effect on Jan. 1, 2026 – Summary of Near-Term Action Items
The EU Data Act (Regulation (EU) 2023/2854) introduces a comprehensive framework to enhance data portability and reduce vendor lock-in across the EU digital economy. One impactful component is the cloud switching regime (Chapter VI), which establishes broad obligations to facilitate switching between “data processing services.” For providers of cloud-based services (such as Infrastructure
Greenberg Traurig is hosting a timely webinar on October 15, guiding organizations through the upcoming DOJ enforcement of the Data Security Program. GT experts will cover compliance obligations, risk mitigation strategies, and practical steps to identify and manage sensitive data transactions ahead of the July 2025 enforcement deadline.
Greenberg Traurig’s 2025 Data Privacy Symposium in Chicago gathered more than 100 professionals for interactive sessions exploring the latest in data privacy, cybersecurity, and technology. Expert speakers led conversations on AI, AdTech, breach response, privacy litigation, and more, while attendees enjoyed networking opportunities at a lively reception and dinner.
Continue Reading Highlights from the Data Privacy Symposium 2025
The effective date for Colorado’s groundbreaking Artificial Intelligence Act has been pushed back by five months, now set for June 30, 2026. Gov. Jared Polis signed amendments after extensive debate in a special legislative session, giving lawmakers more time to address substantive concerns. With continued disagreement among stakeholders, it remains uncertain if further changes will be made before the new deadline.
Continue Reading Colorado Delays Comprehensive AI Law With Further Changes Anticipated
On Sept. 3, 2025, in a much-anticipated legal decision, the European General Court (EGC) rejected the request of a French member of Parliament to annul the EU-U.S. Data Privacy Framework (DPF or Framework).
Although this decision reinforces that U.S. organizations that have self-certified as to their adherence to the DPF principles may continue to receive