Katten's Privacy, Data and Cybersecurity Quick Clicks is a monthly newsletter highlighting the latest news and legal developments involving privacy, data and cybersecurity issues across the globe.



Navigating DORA Compliance: Recent Developments

By Nathaniel Lalone and Ciara McBrien

The EU Digital Operational Resilience Act (DORA) took effect on January 17 after a two-year implementation period. DORA sets out new requirements for financial entities (FEs) and their information and communication technology (ICT) third-party service providers (TPPs). This note highlights recent developments in the EU's efforts to facilitate in-scope firms' compliance with DORA and authorities' attempts to avoid duplication of operational resilience requirements. Read more about the updates, including requirements and procedures for reporting ICT-related incidents and cyber threats.


Canada Announces Refreshed Advisory Council on AI to Promote Safe and Responsible AI

By Trisha Sircar

On March 6, François-Philippe Champagne, Canada's Minister of Innovation, Science and Industry, announced a series of initiatives to support responsible and safe artificial intelligence (AI) adoption, including a refreshed membership for the Advisory Council on Artificial Intelligence; the launch of the Safe and Secure Artificial Intelligence Advisory Group to advise the government on the risks associated with AI systems and ways to address them; and the publication of a guide for managers of AI systems to support the implementation of Canada's Voluntary Code of Conduct on the Responsible Development and Management of Advanced Generative AI Systems. Read more about the government's measures to secure Canada's AI advantage.


Turning Up the Heat — Ofcom Ramps Up Pressure for Platforms under the Online Safety Act

By Terry Green

As of March 17, online platforms are expected to have risk assessments in place to understand how likely it is for their users to encounter illegal content on their service. Over 100,000 services are estimated to be in scope under the Online Safety Act (OSA), whether they are user-to-user services or search engines. There is no requirement for service providers to have a physical presence in the United Kingdom to be in scope; they need only "have links to the [United Kingdom]," so it is likely that most service providers that offer online services to UK customers must comply with the duties under the OSA. Read more about the 40 recommended measures that the Office of Communications (Ofcom) expects service providers to implement.

*London Corporate Trainee Larry Wong contributed to this article.


President Trump Fires Two Democratic FTC Commissioners

By Christopher Cole, David Gonen, Timothy Gray and Trisha Sircar

On March 18, President Donald Trump fired the Democratic commissioners, Rebecca Slaughter and Alvaro Bedoya, from the Federal Trade Commission (FTC). This leaves two Republicans, Chairman Andrew Ferguson and Melissa Holyoak, and a Republican nominee, Mark Meador. However, the dismissal of two Democratic commissioners runs contrary to decades of precedent at the FTC and apparently tees up a battle over presidential control over so-called "independent" federal agencies that seems headed to the US Supreme Court. Read more about how this will impact the FTC's composition and competition enforcement direction.


NYDFS Annual Compliance Submissions Due April 15, 2025, and New Compliance Requirements Effective on May 1, 2025

By Trisha Sircar

As Katten previously reported, in 2023, the New York State Department of Financial Services (NYDFS) amended its cybersecurity regulation, 23 NYCRR 500 (or Part 500). As of November 1, 2024, Class A Companies and Covered Entities were required to comply with numerous Part 500 compliance obligations outlined here. Covered Entities have been required to submit annual compliance with Part 500 since the regulation's adoption; however, since 2024, Covered Entities have had the option to submit either a Certification of Material Compliance (certifying they materially complied with the regulation requirements that applied to them in the prior year) or an Acknowledgement of Noncompliance (identifying all sections of the regulation with which they have not complied and providing a remediation timeline). Read more about the April compliance certification deadline and compliance obligations as of May 1.