December 2025

On December 16, 2025, the U.S. National Institute of Standards and Technology (“NIST”) published a preliminary draft of the Cybersecurity Framework Profile for Artificial Intelligence (“Cyber AI Profile” or “Profile”).  According to the draft, the Cyber AI Profile is intended to “provide guidelines for managing cybersecurity risk related to AI systems [and] identify[] opportunities for

On December 19, New York Governor Kathy Hochul (D) signed the Responsible AI Safety & Education (“RAISE”) Act into law, making New York the second state in the nation to codify public safety disclosure and reporting requirements for developers of frontier AI models.  Prior to signing, Governor Hochul secured several commitments from the legislature to

The 2025 proxy season saw significant developments with respect to proposals calling on companies to disclose information about their political contribution activity and lobbying activity, including an increase in support for political contribution proposals. That stronger support, particularly against the backdrop of reduced support for socially-oriented shareholder proposals, may lead to more such proposals filed

On November 21, 2025, California Attorney General Rob Bonta announced a $1.4 million settlement with Jam City, Inc. (“Jam City”), a mobile app gaming company, for alleged violations of the California Consumer Privacy Act (“CCPA”) and Unfair Competition Law (“UCL”). The Jam City settlement marks Attorney General Bonta’s sixth settlement obtained under the CCPA and

On December 11, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (“CISA”) released its Cybersecurity Performance Goals 2.0 (“CPG 2.0”), an update to its core set of recommended cybersecurity practices for critical infrastructure owners and operators, which we previously wrote about here.  Established by the 2021 National Security Memorandum on Improving Cybersecurity for Critical

With innovation comes regulatory scrutiny. On December 9, 2025, the Financial Industry Regulatory Authority, Inc. (“FINRA”) released its 2026 Annual Regulatory Oversight Report (the “2026 Report”), which includes a new section dedicated to generative artificial intelligence (“GenAI”). The 2026 Report is the latest iteration of FINRA’s yearly summary of insights from its regulatory oversight activities,

On December 19, 2025, New York Governor Kathy Hochul vetoed the New York Health Information Privacy Act (“NYHIPA”).  While NYHIPA bore similarities to Washington’s My Health My Data Act (“MHMD”) and Nevada’s Health Privacy Law (“SB 370”), it had several provisions that would have raised novel compliance and legal questions.

On 11 December 2025, the Council and European Parliament reached political agreement to revamp the EU’s Foreign Investment Screening Regulation.  The revamp aims at responding to perceived growing risks to national and economic security in the EU. It forms part of the EU’s recently unveiled Economic Security Doctrine. While the full text has not