Chief information security officers (CISOs) are clearly frustrated by the disparities in global cybersecurity laws. Recently, a coalition of more than 40 CISOs representing some of the largest organizations in the world sent a letter to the G7 and Organization for Economic Co-operation and Development (OECD), asking for increased harmonization of cybersecurity regulations around the world.
CISOs’ frustration stemmed from a growing fragmentation of laws that introduces overwhelming complexity and risk that must be managed. Specifically, they said in their letter:
“Growing fragmentation… creates difficulty in implementing consistent security measures across different jurisdictions, complexity to time-sensitive incident response activities, potential negative impact on reporting due to conflicting requirements, delays in cybersecurity regulatory implementation due to the need of managing multiple regulatory landscapes and exacerbates the cybersecurity talent shortage.”
That disparity and fragmentation are about to become a reality in the U.S. Due to recent federal policy changes and a strong legislative agenda at the state level, cybersecurity and AI regulation will soon involve significantly more jurisdictions than the single United States federal approach. It’s about to get a lot more complicated. Fifty times more.
For the first time since federal cybersecurity policy began in 1998, there is a refocusing of roles and responsibilities in cybersecurity, and it is essential for CISOs and companies to prepare for change. In March, the White House issued a new Executive Order (EO), entitled “Achieving Efficiency Through State and Local Preparedness.” The EO shifts roles and responsibilities for cybersecurity in the US, with an emphasis on states and municipalities:
“It is the policy of the United States that State and local governments and individuals play a more active and significant role in national resilience and preparedness, thereby saving American lives, securing American livelihoods, reducing taxpayer burdens through efficiency, and unleashing our collective prosperity. In addition, it is the policy of the United States that my Administration streamline its preparedness operations; update relevant Government policies to reduce complexity and better protect and serve Americans; and enable State and local governments to better understand, plan for, and ultimately address the needs of their citizens.”
This is a critical policy shift to keep in mind. The EO sets in motion a cybersecurity reset that will cascade this policy across a significant number of domains as the administration implements the EO, and the reallocation of responsibilities to state and local governments will be a major paradigm shift for the entire sector.
Key dates include a new national resilience plan and the AI Action Plan, released July 23, 2025; a new National Critical Infrastructure Policy and a new National Continuity Policy in mid-September 2025; new preparedness and response policies and a National Risk Register in mid-November 2025; and revisions to the national response functions that are part of disaster and cyber response by mid-March 2026.
These time frames may shift, but the reality is that a wave of new federal cyber and AI policies will be coming over the next year that will include new roles for state and local responders. It remains unclear what states and major municipalities will do with these new responsibilities, particularly if they are assigned without resources from Congress.
State CISOs and government responders will similarly need to think about how to “catch” these new taskings and coordinate cybersecurity crises with the private sector. Given the global nature of major incidents and attackers, there will be a natural tension between coordination at the state and local level and service providers driving a global or national response. CISOs and legal teams should consider reaching out to states with major business operations to start a conversation as soon as possible. This may provide insight into the planning for any new state and local efforts and create opportunities to raise questions to federal responders early.
For our colleagues in the privacy community, there’s an important lesson that cybersecurity can learn from state compliance. Federal legislators have been unable to pass comprehensive privacy legislation for a very long time, resulting in state-specific privacy and data breach requirements for all 50 states. State legislatures have filled that void for privacy, and AI and cybersecurity now feature prominently on state legislative agendas.
CISOs and their legal team partners should be watching state governments for priority AI and cybersecurity legislation to determine whether a company’s products or customers are impacted. According to the National Council on State Legislators (NCSL), in the past several years, more than 1,000 laws have been introduced at the state level on artificial intelligence and 28 states and the Virgin Islands adopted or enacted more than 75 new laws on artificial intelligence this year. On the cybersecurity front, “48 states and Puerto Rico introduced or considered more than 500 bills or resolutions that deal significantly with cybersecurity. At least 19 states enacted at least 28 bills and adopted at least fifteen resolutions in 2025.”
It’s this state legislative turbulence that caused Congress to consider a 10-year moratorium on AI laws at the state level. While the measure lost 99-1 in the Senate, the fact that Congress was debating it at all, with the backing of the administration, shows that legislative volume at the state level had become a significant concern. Given that in most states the legislature is in session for only a few months, CISOs have a short window of time to partner with counsel to track new AI measures before they become law.
States have also shown a willingness to enforce privacy laws – now to a level with fines seen only in Europe. In Texas, Attorney General Ken Paxton has collected over $2.7 billion in fines from Google and Meta for data privacy violations in the past two years. State attorneys general have also joined together in suits relating to privacy and data protection issues, with significant fines ranging from the tens to the hundreds of millions (e.g., Marriott, $52 million; Google, $391 million). As new state laws come into force that impact cybersecurity and artificial intelligence, it will be important for CISOs and counsel to remember that state AGs will be watching.
Increase awareness:
Consider trade associations or organizations that track and engage in state activity
Work with in-house or outside counsel to identify state legislation that impacts the business and potentially weigh in with legislators (either directly or via a trade association or coalition)
Comply:
Ensure compliance teams track new legislation and ingest new requirements as controls inside the company
Confirm that new controls are a part of the company’s enterprise risk management process
Prepare for customers to have to meet new state requirements
Establish State Relationships:
Reach out to the State CIO or CISO, and have your cybersecurity counsel engage with the Attorney General’s office so that if an incident occurs, relationships are in place
Understand the state’s cyber incident response process and where it may be able to provide support, and where it will be lacking
Cristin is the managing partner of Advanced Cyber Law, a boutique law firm focused on cybersecurity, incident response, threat intelligence, and artificial intelligence. She and her team leverage Cristin’s 17 years as lead cybersecurity counsel at Microsoft, where she was head lawyer for the Microsoft Security Response Center, the Microsoft Threat Intelligence Center, the Government Security Program, cybersecurity law and compliance, and built Microsoft’s Digital Security Unit, fusing threat intelligence with geopolitical analysis, including Microsoft’s seminal Ukraine Report in April 2022. Cristin is also the founder and CEO of Advancing Cyber, a regulatory technology startup.