{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,13]],"date-time":"2026-04-13T20:13:09Z","timestamp":1776111189934,"version":"3.50.1"},"reference-count":139,"publisher":"Association for Computing Machinery (ACM)","issue":"2","content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Comput. Surv."],"published-print":{"date-parts":[[2026,1,31]]},"abstract":"<jats:p>As cyber-attacks become more frequent, sophisticated, and impactful, governments worldwide are responding by introducing or proposing new cybersecurity regulations. This article examines over 170 recent regulations and trends in cybersecurity across various regions, including the United States, Europe, and beyond. It identifies 17 key features in many of these regulations, which we have grouped into 5 categories, analyzes observed patterns, and proposes areas for improvement. This article's primary objective is to significantly contribute to the cybersecurity compliance domain by helping researchers understand the structure of these regulations and helping organizations to assess and mitigate their cyber risk within an increasingly complex and regulated cybersecurity environment. 
Our findings provide valuable direction to those trying to navigate the flood of new cybersecurity regulations and the governments enacting new cybersecurity regulations.<\/jats:p>","DOI":"10.1145\/3757318","type":"journal-article","created":{"date-parts":[[2025,8,2]],"date-time":"2025-08-02T11:17:17Z","timestamp":1754133437000},"page":"1-36","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":2,"title":["Analyzing and Categorizing Emerging Cybersecurity Regulations"],"prefix":"10.1145","volume":"58","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-0021-1305","authenticated-orcid":false,"given":"Angelica","family":"Marotta","sequence":"first","affiliation":[{"name":"MIT Sloan School of Management","place":["Cambridge, United States"]}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-9240-2573","authenticated-orcid":false,"given":"Stuart","family":"Madnick","sequence":"additional","affiliation":[{"name":"MIT Sloan School of Management","place":["Cambridge, United States"]}]}],"member":"320","published-online":{"date-parts":[[2025,9,8]]},"reference":[{"key":"e_1_3_3_2_2","article-title":"Executive order on improving the nation's cybersecurity","author":"Exec. Order No. 14028","year":"2021","unstructured":"Exec. Order No. 14028. 2021. Executive order on improving the nation's cybersecurity. Federal Register 86, 93 (2021), 26633--26647.","journal-title":"Federal Register"},{"key":"e_1_3_3_3_2","article-title":"Executive order on improving the nation's cybersecurity","author":"Exec. Order No. 14028","year":"2021","unstructured":"Exec. Order No. 14028. 2021. Executive order on improving the nation's cybersecurity. The White House. 
Retrieved February 23, 2023 from https:\/\/www.federalregister.gov\/documents\/2021\/05\/17\/2021-10460\/improving-the-nations-cybersecurity","journal-title":"The White House"},{"key":"e_1_3_3_4_2","doi-asserted-by":"publisher","DOI":"10.1007\/s10207-019-00434-1"},{"key":"e_1_3_3_5_2","unstructured":"Heather Adkins. 2024. Cyber safety review board i. Retrieved July 13 2024 from https:\/\/www.federalregister.gov\/documents\/2021\/05\/17\/2021-10460\/improving-the-nations-cybersecurity"},{"key":"e_1_3_3_6_2","doi-asserted-by":"publisher","DOI":"10.1057\/s41284-022-00356-z"},{"key":"e_1_3_3_7_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-031-33631-7_10"},{"key":"e_1_3_3_8_2","first-page":"47","volume-title":"Conferences in Research and Practice in Information Technology Series 105","author":"Alfawaz Salahuddin","year":"2010","unstructured":"Salahuddin Alfawaz, Karen Nelson, and Kavoos Mohannak. 2010. Information security culture: A behaviour compliance conceptual framework. Conferences in Research and Practice in Information Technology Series 105 (2010), 47\u201355. Retrieved February 28, 2021 from https:\/\/eprints.qut.edu.au\/29221\/"},{"issue":"8","key":"e_1_3_3_9_2","article-title":"Quantitative assessment of cybersecurity risks for mitigating data breaches in business systems","volume":"11","author":"Algarni Abdullah M.","year":"2021","unstructured":"Abdullah M. Algarni, Vijey Thayananthan, and Yashwant K. Malaiya. 2021. Quantitative assessment of cybersecurity risks for mitigating data breaches in business systems. Applied Sciences (Switzerland) 11, 8 (2021), 3678. https:\/\/www.mdpi.com\/2076-3417\/11\/8\/3678","journal-title":"Applied Sciences"},{"key":"e_1_3_3_10_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-99951-7_1"},{"key":"e_1_3_3_11_2","doi-asserted-by":"publisher","DOI":"10.1142\/S0219265917400011"},{"key":"e_1_3_3_12_2","unstructured":"Australian Government. 2024. Federal register of legislation - privacy act 1988. 
Retrieved July 12 2024 from https:\/\/www.legislation.gov.au\/C2004A03712\/latest\/versions"},{"key":"e_1_3_3_13_2","unstructured":"Rahul Awati. 2022. What is NERC CIP (critical infrastructure protection)? TechTarget. Retrieved February 23 2023 from https:\/\/searchcompliance.techtarget.com\/definition\/NERC-CIP-critical-infrastructure-protection"},{"key":"e_1_3_3_14_2","article-title":"Why you really need a data BOM, not a software BOM","author":"Bommarito Michael","year":"2022","unstructured":"Michael Bommarito. 2022. Why you really need a data BOM, not a software BOM. Licens.ioTM. Retrieved July 13, 2024 from https:\/\/medium.com\/licens-io-blog\/why-you-really-need-a-data-bom-not-a-software-bom-5c5185b605aa","journal-title":"Licens.ioTM"},{"key":"e_1_3_3_15_2","doi-asserted-by":"publisher","DOI":"10.6028\/NIST.SP.800-161R1-DRAFT2"},{"key":"e_1_3_3_16_2","doi-asserted-by":"publisher","DOI":"10.18261\/olr.8.3.2"},{"key":"e_1_3_3_17_2","unstructured":"California Privacy Rights Act. 2020. Cal. Civ. Code \u00a7\u00a7 1798.100-1798.199. (2020). Retrieved July 13 2024 from https:\/\/thecpra.org\/"},{"key":"e_1_3_3_18_2","doi-asserted-by":"publisher","DOI":"10.3390\/SU13052547"},{"key":"e_1_3_3_19_2","doi-asserted-by":"publisher","DOI":"10.2202\/1547-7355.1577\/html"},{"key":"e_1_3_3_20_2","article-title":"Software bill of materials","author":"CISA","year":"2018","unstructured":"CISA. 2018. Software bill of materials. Cybersecurity and Infrastructure Security Agency. Retrieved February 23, 2023 from https:\/\/www.cisa.gov\/sbom","journal-title":"Cybersecurity and Infrastructure Security Agency"},{"key":"e_1_3_3_21_2","unstructured":"CISA. 2022. Cyber incident reporting for critical infrastructure act of 2022 (CIRCIA) | CISA. 
Retrieved February 23 2023 from https:\/\/www.cisa.gov\/circia"},{"key":"e_1_3_3_22_2","doi-asserted-by":"publisher","DOI":"10.1163\/25427466-06020001"},{"key":"e_1_3_3_23_2","article-title":"Translation: Cybersecurity law of the people's republic of china (effective June 1, 2017)","author":"Creemers Rogier","year":"2018","unstructured":"Rogier Creemers, Graham Webster, and Paul Triolo. 2018. Translation: Cybersecurity law of the people's republic of china (effective June 1, 2017). DigiChina, Stanford Cyber Policy Center. Retrieved July 11, 2024 from https:\/\/digichina.stanford.edu\/work\/translation-cybersecurity-law-of-the-peoples-republic-of-china-effective-june-1-2017\/","journal-title":"DigiChina, Stanford Cyber Policy Center"},{"key":"e_1_3_3_24_2","doi-asserted-by":"publisher","DOI":"10.1057\/S41288-022-00266-6"},{"key":"e_1_3_3_25_2","unstructured":"Cyber Security Agency of Singapore. 2021. CSA-cybersecurity-certification-guide. (2021). Retrieved July 12 2024 from https:\/\/www.csa.gov.sg\/our-programmes\/certification-and-labelling-schemes\/cybersecurity-labelling-scheme"},{"key":"e_1_3_3_26_2","doi-asserted-by":"publisher","DOI":"10.7861\/futurehosp.6-2-94"},{"key":"e_1_3_3_27_2","article-title":"Cyber essentials scheme: Overview","author":"Department for Business Energy and Industrial Strategy.","year":"2014","unstructured":"Department for Business Energy and Industrial Strategy. 2014. Cyber essentials scheme: Overview. Department for Digital, Culture, Media and Sport. Retrieved February 23, 2023 from https:\/\/www.gov.uk\/government\/publications\/cyber-essentials-scheme-overview","journal-title":"Department for Digital, Culture, Media and Sport"},{"key":"e_1_3_3_28_2","unstructured":"Department of Defense Chief Information Officer. 2024. Cybersecurity maturity model certification (CMMC) model. Retrieved July 11 2024 from https:\/\/dodcio.defense.gov\/CMMC\/Model\/"},{"key":"e_1_3_3_29_2","unstructured":"Department of Justice Canada. 2019. 
Personal information protection and electronic documents act. Retrieved July 13 2024 from https:\/\/laws-lois.justice.gc.ca\/eng\/acts\/P-8.6\/index.html"},{"key":"e_1_3_3_30_2","doi-asserted-by":"publisher","DOI":"10.1109\/EITCE47263.2019.9094817"},{"key":"e_1_3_3_31_2","article-title":"NIS 2 Directive","author":"Directive (EU) 2016\/1148.","year":"2022","unstructured":"Directive (EU) 2016\/1148. 2022. NIS 2 Directive. Official Journal of the European Union. Retrieved February 23, 2023 from https:\/\/www.nis-2-directive.com\/","journal-title":"Official Journal of the European Union"},{"key":"e_1_3_3_32_2","article-title":"The critical entities resilience directive (CER)","author":"Directive (EU) 2022\/2557.","year":"2023","unstructured":"Directive (EU) 2022\/2557. 2023. The critical entities resilience directive (CER). Official Journal of the European Union as Directive. Retrieved February 23, 2023 from https:\/\/www.critical-entities-resilience-directive.com\/","journal-title":"Official Journal of the European Union as Directive"},{"key":"e_1_3_3_33_2","unstructured":"DLA Piper Global Data Protection Laws of the World. 2024. Law in Brazil. Retrieved July 12 2024 from https:\/\/www.dlapiperdataprotection.com\/index.html?t=law&c=BR"},{"key":"e_1_3_3_34_2","unstructured":"Nadine Dorries and House of the Commons. 2022. Data protection and digital information bill. UK Parliament Vol. HC Bill 143 London. Retrieved August 19 2025 from https:\/\/publications.parliament.uk\/pa\/bills\/cbill\/58-03\/0143\/220143lp.pdf"},{"key":"e_1_3_3_35_2","doi-asserted-by":"publisher","unstructured":"ENISA (European Union Agency for Cybersecurity). 2022. Coordinated vulnerability disclosure policies in the EU. European Union Agency for Cybersecurity 1--87. ISBN 978-92-9204-575-3. Retrieved August 19 2025 from 10.2824\/983447","DOI":"10.2824\/983447"},{"key":"e_1_3_3_36_2","doi-asserted-by":"publisher","unstructured":"European Union Agency for Cybersecurity M. Theocharidou and I. 
Lella (Eds.). 2023. ENISA threat landscape report - Health sector (January 2021 to March 2023). European Union Agency for Cybersecurity. Retrieved August 19 2025 from 10.2824\/163953","DOI":"10.2824\/163953"},{"key":"e_1_3_3_37_2","article-title":"The revised payment services directive (PSD2) and the transition to stronger payments security","author":"European Central Bank.","year":"2018","unstructured":"European Central Bank. 2018. The revised payment services directive (PSD2) and the transition to stronger payments security. MIP OnLine. Retrieved February 23, 2023 from https:\/\/www.ecb.europa.eu\/paym\/intro\/mip-online\/2018\/html\/1803_revisedpsd.en.html","journal-title":"MIP OnLine"},{"key":"e_1_3_3_38_2","article-title":"The revised payment services directive (PSD2) and the transition to stronger payments security","author":"European Central Bank.","year":"2018","unstructured":"European Central Bank. 2018. The revised payment services directive (PSD2) and the transition to stronger payments security. MIP OnLine. Retrieved February 23, 2023 from https:\/\/www.ecb.europa.eu\/paym\/intro\/mip-online\/2018\/html\/1803_revisedpsd.en.html","journal-title":"MIP OnLine"},{"key":"e_1_3_3_39_2","article-title":"European parliament legislative resolution of 12 March 2024 on the proposal for a regulation of the european parliament and of the council on horizontal cybersecurity requirements for products with digital elements and amending regulation (EU) 2019\/1020 (COM(2022)0454 \u2013 C9-0308\/2022 \u20132022\/0272(COD))","author":"European Commission.","year":"2024","unstructured":"European Commission. 2024. European parliament legislative resolution of 12 March 2024 on the proposal for a regulation of the european parliament and of the council on horizontal cybersecurity requirements for products with digital elements and amending regulation (EU) 2019\/1020 (COM(2022)0454 \u2013 C9-0308\/2022 \u20132022\/0272(COD)). Official Journal of the European Union (2024). 
Retrieved July 12, 2024 from https:\/\/www.europarl.europa.eu\/doceo\/document\/TA-9-2024-0130_EN.html","journal-title":"Official Journal of the European Union"},{"key":"e_1_3_3_40_2","article-title":"Regulation (EU) 2023\/2841 of the european parliament and of the council","author":"European Parliament.","year":"2023","unstructured":"European Parliament. 2023. Regulation (EU) 2023\/2841 of the european parliament and of the council. Official Journal of the European Union. Retrieved July 11, 2024 from https:\/\/eur-lex.europa.eu\/eli\/reg\/2023\/2841","journal-title":"Official Journal of the European Union"},{"key":"e_1_3_3_41_2","article-title":"European parliament legislative resolution of 24 January 2024 on the proposal for a regulation of the european parliament and of the council establishing the digital services act and amending directive 2000\/31\/EC (TA-9-2024-0130_EN)","author":"European Parliament.","year":"2024","unstructured":"European Parliament. 2024. European parliament legislative resolution of 24 January 2024 on the proposal for a regulation of the european parliament and of the council establishing the digital services act and amending directive 2000\/31\/EC (TA-9-2024-0130_EN). Official Journal of the European Union. Retrieved July 11, 2024 from https:\/\/www.europarl.europa.eu\/doceo\/document\/TA-9-2024-0130_EN.html","journal-title":"Official Journal of the European Union"},{"issue":"151","key":"e_1_3_3_42_2","first-page":"15","article-title":"Regulation (EU) 2019\/881 of the european parliament and of the council of 17 April 2019 on ENISA (the european union agency for cybersecurity) and on information and communications technology cybersecurity certification and repealing regulation (EU) No 526\/2013 (Cybersecurity Act)","author":"European Parliament and Council of the European Union.","year":"2019","unstructured":"European Parliament and Council of the European Union. 2019. 
Regulation (EU) 2019\/881 of the european parliament and of the council of 17 April 2019 on ENISA (the european union agency for cybersecurity) and on information and communications technology cybersecurity certification and repealing regulation (EU) No 526\/2013 (Cybersecurity Act). Official Journal of the European Union, L 151, 15\u201338. Retrieved July 13, 2024 from https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/?uri=CELEX:32019R0881","journal-title":"Official Journal of the European Union"},{"key":"e_1_3_3_43_2","unstructured":"European Parliament and Council of the European Union. 2024. Regulation of the european parliament and of the council laying down harmonised rules on artificial intelligence and amending regulations (EC) No 300\/2008 (EU) No 167\/2013 (EU) No 168\/2013 (EU) 2018\/858 (EU) 2018\/1139 and (EU) 2019\/2144 and Directives 2014\/90\/EU (EU) 2016\/797 and (EU) 2020\/1828 (Artificial Intelligence Act). (2024)."},{"key":"e_1_3_3_44_2","unstructured":"European Parliament and Council of the European Union. 2019. Directive (EU) 2019\/1937 of the european parliament and of the council of 23 October 2019 on the protection of persons who report breaches of Union law. Retrieved August 19 2025 from https:\/\/eur-lex.europa.eu\/legal-content\/en\/TXT\/?uri=CELEX%3A32019L1937"},{"key":"e_1_3_3_45_2","first-page":"1","article-title":"Regulation (EU) 2022\/2554 of the european parliament and of the council of 14 december 2022 on digital operational resilience for the financial sector and amending regulations (EC) No 1060\/2009, (EU) No 648\/2012, (EU) No 600\/2014 and (EU) No 909\/2014","volume":"333","author":"European Parliament and Council of the European Union.","year":"2022","unstructured":"European Parliament and Council of the European Union. 2022. 
Regulation (EU) 2022\/2554 of the european parliament and of the council of 14 december 2022 on digital operational resilience for the financial sector and amending regulations (EC) No 1060\/2009, (EU) No 648\/2012, (EU) No 600\/2014 and (EU) No 909\/2014. Official Journal of the European Union, L 333 (2022), 1\u201375. Retrieved July 13, 2024 from https:\/\/eur-lex.europa.eu\/eli\/reg\/2022\/2554\/oj","journal-title":"Official Journal of the European Union, L"},{"key":"e_1_3_3_46_2","article-title":"Regulation (EU) 2023\/2854 of the european parliament and of the council of 13 December 2023 on harmonised rules on fair access to and use of data and amending regulation (EU) 2017\/2394 and directive (EU) 2020\/1828 (Data Act)","author":"European Parliament and Council of the European Union.","year":"2023","unstructured":"European Parliament and Council of the European Union. 2023. Regulation (EU) 2023\/2854 of the european parliament and of the council of 13 December 2023 on harmonised rules on fair access to and use of data and amending regulation (EU) 2017\/2394 and directive (EU) 2020\/1828 (Data Act). Official Journal of the European Union. Retrieved July 12, 2024 from https:\/\/eur-lex.europa.eu\/eli\/reg\/2023\/2854","journal-title":"Official Journal of the European Union"},{"key":"e_1_3_3_47_2","article-title":"Health breach notification rule","author":"Federal Trade Commission.","year":"2024","unstructured":"Federal Trade Commission. 2024. Health breach notification rule. Federal Register. Retrieved July 12, 2024 from https:\/\/www.ecfr.gov\/current\/title-16\/chapter-I\/subchapter-C\/part-318","journal-title":"Federal Register"},{"key":"e_1_3_3_48_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-29053-5_5"},{"key":"e_1_3_3_49_2","unstructured":"Harley Geiger. 2021. Proposed security researcher protection under CFAA. Rapid7. 
Retrieved July 12 2024 from https:\/\/www.rapid7.com\/blog\/post\/2021\/06\/04\/proposed-security-researcher-protection-under-cfaa-2\/"},{"key":"e_1_3_3_50_2","doi-asserted-by":"publisher","DOI":"10.1016\/b978-0-12-818438-7.00012-5"},{"key":"e_1_3_3_51_2","doi-asserted-by":"publisher","DOI":"10.1108\/14637150810888019"},{"key":"e_1_3_3_52_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.cosrev.2021.100361"},{"key":"e_1_3_3_53_2","doi-asserted-by":"publisher","DOI":"10.1109\/BigData.2018.8622621"},{"key":"e_1_3_3_54_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-031-05563-8_9"},{"key":"e_1_3_3_55_2","doi-asserted-by":"publisher","DOI":"10.1155\/2022\/6476274"},{"key":"e_1_3_3_56_2","doi-asserted-by":"publisher","DOI":"10.1108\/17561450910950223"},{"key":"e_1_3_3_57_2","article-title":"The apache log4j vulnerabilities: A timeline","author":"Hill Mike","year":"2022","unstructured":"Mike Hill. 2022. The apache log4j vulnerabilities: A timeline. CSO. Retrieved August 19, 2025 from https:\/\/www.csoonline.com\/article\/3645431\/the-apache-log4j-vulnerabilities-a-timeline.html","journal-title":"CSO"},{"issue":"1","key":"e_1_3_3_58_2","doi-asserted-by":"crossref","first-page":"110","DOI":"10.1108\/JMLC-08-2017-0041","article-title":"Following the cyber money trail: Global challenges when investigating ransomware attacks and how regulation can help","volume":"22","author":"Irwin Angela S. M.","year":"2019","unstructured":"Angela S. M. Irwin and Caitlin Dawson. 2019. Following the cyber money trail: Global challenges when investigating ransomware attacks and how regulation can help. Journal of Money Laundering Control 22, 1 (2019), 110\u2013131. https:\/\/www.emerald.com\/jmlc\/article-abstract\/22\/1\/110\/434946\/Following-the-cyber-money-trailGlobal-challenges","journal-title":"Journal of Money Laundering Control"},{"key":"e_1_3_3_59_2","unstructured":"Hannah-Beth Jackson. 2018. SB-327 Information privacy: Connected devices. 
California Legislative Information Sacramento CA Chapter 886 Statutes of 2018. Retrieved August 19 2025 from https:\/\/leginfo.legislature.ca.gov\/faces\/billNavClient.xhtml?bill_id=201720180SB327"},{"key":"e_1_3_3_60_2","unstructured":"Jim Lennon and Edward Odendaal. 2018. Data breach notification to become mandatory in Australia from 22 February 2018 - data protection report. Retrieved February 22 2023 from https:\/\/www.dataprotectionreport.com\/2018\/02\/data-breach-notification-to-become-mandatory-in-australia-from-22-february-2018\/"},{"key":"e_1_3_3_61_2","article-title":"Contrasting approaches to incident reporting in the development of safety and security- critical software","author":"Johnson Chris W.","year":"2015","unstructured":"Chris W. Johnson. 2015. Contrasting approaches to incident reporting in the development of safety and security- critical software. University of Glasgow. Retrieved March 14, 2023 from https:\/\/eprints.gla.ac.uk\/106410\/","journal-title":"University of Glasgow"},{"key":"e_1_3_3_62_2","doi-asserted-by":"publisher","DOI":"10.1109\/CYCONUS.2016.7836618"},{"key":"e_1_3_3_63_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICBATS54253.2022.9759000"},{"key":"e_1_3_3_64_2","doi-asserted-by":"publisher","DOI":"10.1108\/ICS-08-2022-0139"},{"key":"e_1_3_3_65_2","doi-asserted-by":"publisher","DOI":"10.3390\/ELECTRONICS10101168"},{"key":"e_1_3_3_66_2","doi-asserted-by":"publisher","DOI":"10.1145\/3106723.3106730"},{"key":"e_1_3_3_67_2","article-title":"U. S. data privacy protection laws: 2024 guide","author":"Kirvan Paul","year":"2024","unstructured":"Paul Kirvan. 2024. U. S. data privacy protection laws: 2024 guide. TechTarget. Retrieved July 13, 2024 from https:\/\/www.techtarget.com\/searchsecurity\/tip\/State-of-data-privacy-laws","journal-title":"TechTarget"},{"key":"e_1_3_3_68_2","article-title":"WannaCry ransomware cyberattack raises legal issues","author":"Krotoski Mark L.","year":"2017","unstructured":"Mark L. 
Krotoski and Martin Hirschprung. 2017. WannaCry ransomware cyberattack raises legal issues. Morgan Lewis. Retrieved February 23, 2023 from https:\/\/natlawreview.com\/article\/wannacry-ransomware-cyberattack-raises-legal-issues","journal-title":"Morgan Lewis"},{"key":"e_1_3_3_69_2","unstructured":"Legislative Train Schedule. 2025. Cyber-security package. European Parliament Brussels. 1--3. Retrieved August 19 2025 from https:\/\/www.europarl.europa.eu\/legislative-train\/spotlight-C19\/file-cyber-security-package"},{"key":"e_1_3_3_70_2","unstructured":"Kai Li Feng Mai Rui Shen and Xinyan Yan. 2018. Corporate culture and merger success: Evidence from machine learning. Retrieved April 12 2021 from https:\/\/u.osu.edu\/riskresearchhub\/2019\/09\/04\/corporate-culture-and-mergers-and-acquisitions-evidence-from-machine-learning\/"},{"key":"e_1_3_3_71_2","doi-asserted-by":"publisher","unstructured":"F. J. Casalini L\u00f3pez Gonz\u00e1lez and T. Nemoto. 2021. Mapping commonalities in regulatory approaches to cross-border data transfers. OECD Trade Policy Papers No. 248 OECD Publishing Paris. Retrieved August 19 2025 from 10.1787\/ca9f974e-en","DOI":"10.1787\/ca9f974e-en"},{"key":"e_1_3_3_72_2","article-title":"New cybersecurity regulations are coming","author":"Madnick Stuart","year":"2022","unstructured":"Stuart Madnick. 2022. New cybersecurity regulations are coming. Here's How to Prepare. 
Retrieved February 22, 2023 from https:\/\/hbr.org\/2022\/08\/new-cybersecurity-regulations-are-coming-heres-how-to-prepare","journal-title":"Here's How to Prepare"},{"key":"e_1_3_3_73_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-83164-6_2"},{"key":"e_1_3_3_74_2","doi-asserted-by":"publisher","DOI":"10.1111\/rmir.12109"},{"key":"e_1_3_3_75_2","doi-asserted-by":"publisher","DOI":"10.3390\/S21186057"},{"key":"e_1_3_3_76_2","doi-asserted-by":"publisher","DOI":"10.1080\/00207543.2021.1984606"},{"key":"e_1_3_3_77_2","doi-asserted-by":"publisher","DOI":"10.1177\/20539517221108369"},{"key":"e_1_3_3_78_2","unstructured":"Ministry of Electronics and Information Technology. 2023. Digital personal data protection act 2023. Government of India New Delhi No. 25 of 2023 1--41. Retrieved August 19 2025 from https:\/\/www.meity.gov.in\/static\/uploads\/2024\/06\/2bf1f0e9f04e6fb4f8fef35e82c42aa5.pdf"},{"key":"e_1_3_3_79_2","unstructured":"Ministry of Foreign Affairs of Japan. 2019. Japan-EC mutual recognition agreement (MRA). Retrieved July 13 2024 from https:\/\/www.mofa.go.jp\/region\/europe\/eu\/agreement.html"},{"key":"e_1_3_3_80_2","article-title":"Gartner unveils the top eight cybersecurity predictions for 2022-23","author":"Moore Susan","year":"2022","unstructured":"Susan Moore. 2022. Gartner unveils the top eight cybersecurity predictions for 2022-23. Gartner. Retrieved July 13, 2024 from https:\/\/www.gartner.com\/en\/newsroom\/press-releases\/2022-06-21-gartner-unveils-the-top-eight-cybersecurity-predictio","journal-title":"Gartner"},{"key":"e_1_3_3_81_2","doi-asserted-by":"publisher","DOI":"10.1016\/J.TECHSOC.2019.03.005"},{"key":"e_1_3_3_82_2","doi-asserted-by":"publisher","unstructured":"National Institute of Standards and Technology. 2024. The NIST cybersecurity framework (CSF) 2.0. NIST Gaithersburg MD NIST CSWP.29. 1--32. 
Retrieved August 19 2025 from 10.6028\/NIST.CSWP.29","DOI":"10.6028\/NIST.CSWP.29"},{"key":"e_1_3_3_83_2","article-title":"Part 500 Cybersecurity requirements for financial services companies","author":"New York Consolidated Laws.","year":"2022","unstructured":"New York Consolidated Laws. 2022. Part 500 Cybersecurity requirements for financial services companies. Westlaw.","journal-title":"Westlaw"},{"key":"e_1_3_3_84_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2009.10.005"},{"key":"e_1_3_3_85_2","volume-title":"National Telecommunications and Information Administration, NTIA","author":"NTIA.","unstructured":"NTIA. 2021. Software bill of materials related efforts. National Telecommunications and Information Administration, NTIA. Technical Report, 1--12. Retrieved August 19, 2025 from https:\/\/www.ntia.gov\/sites\/default\/files\/publications\/sbom_related_efforts_oct2021_0.pdf"},{"key":"e_1_3_3_86_2","unstructured":"NY State Senate. 2019. Bill 2019-S5575B (New York Shield Act). Retrieved July 11 2024 from https:\/\/www.nysenate.gov\/legislation\/bills\/2019\/S5575"},{"key":"e_1_3_3_87_2","article-title":"SolarWinds hack explained: Everything you need to know","author":"Oladimeji Saheed","year":"2023","unstructured":"Saheed Oladimeji and Sean Michael Kerner. 2023. SolarWinds hack explained: Everything you need to know. TechTarget. Retrieved July 12, 2024 from https:\/\/www.techtarget.com\/whatis\/feature\/SolarWinds-hack-explained-Everything-you-need-to-know","journal-title":"TechTarget"},{"key":"e_1_3_3_88_2","article-title":"The cybersecurity threat: Compliance and the role of whistleblowers","volume":"11","author":"Pacella Jennifer M.","year":"2016","unstructured":"Jennifer M. Pacella. 2016. The cybersecurity threat: Compliance and the role of whistleblowers. Brooklyn Journal of Corporate, Financial and Commercial Law 11, 1 (2016), 39. 
Retrieved January 31, 2024 from https:\/\/brooklynworks.brooklaw.edu\/bjcfcl\/vol11\/iss1\/3\/","journal-title":"Brooklyn Journal of Corporate, Financial and Commercial Law"},{"issue":"4","key":"e_1_3_3_89_2","doi-asserted-by":"crossref","first-page":"507","DOI":"10.1108\/IJDRBE-07-2019-0046","article-title":"Cyber security and the disaster resilience framework","volume":"11","author":"Panda Abhilash","year":"2020","unstructured":"Abhilash Panda and Andrew Bower. 2020. Cyber security and the disaster resilience framework. Int J Disaster Resil Built Environ 11, 4 (2020), 507\u2013518. https:\/\/www.emerald.com\/ijdrbe\/article-abstract\/11\/4\/507\/115868\/Cyber-security-and-the-disaster-resilience","journal-title":"Int J Disaster Resil Built Environ"},{"key":"e_1_3_3_90_2","unstructured":"Paris Call. 2018. The call and the 9 principles \u2014 paris call. Retrieved February 23 2023 from https:\/\/pariscall.international\/en\/principles"},{"key":"e_1_3_3_91_2","unstructured":"Paris call. 2018. Supporters \u2014 paris call. Retrieved February 23 2023 from https:\/\/pariscall.international\/en\/"},{"key":"e_1_3_3_92_2","first-page":"89","article-title":"Shooting the messenger: remediation of disclosed vulnerabilities as CFAA \u201closs","volume":"29","author":"Pfefferkorn Riana","year":"2022","unstructured":"Riana Pfefferkorn. 2022. Shooting the messenger: remediation of disclosed vulnerabilities as CFAA \u201closs.\u201d Richmond Journal of Law and Technology 29 (2022), 89. Retrieved July 12, 2024 from https:\/\/papers.ssrn.com\/sol3\/papers.cfm?abstract_id=4224982","journal-title":"Richmond Journal of Law and Technology"},{"key":"e_1_3_3_93_2","unstructured":"Nancy [R-SC-1] Rep. Mace. 2024. Text - H.R.5255 - 118th Congress (2023-2024): Federal Cybersecurity Vulnerability Reduction Act of 2023. (2024). Retrieved July 12 2024 from https:\/\/www.congress.gov\/bill\/118th-congress\/house-bill\/5255\/text"},{"key":"e_1_3_3_94_2","unstructured":"Frank Jr. [D-NJ-6] Rep. 
Pallone. 2022. H.R.8152 - 117th Congress (2021-2022): American Data Privacy and Protection Act. (2022). Retrieved July 13 2024 from https:\/\/www.congress.gov\/bill\/117th-congress\/house-bill\/8152"},{"key":"e_1_3_3_95_2","unstructured":"Rhode Island General Assembly. 2023. Rhode island house bill 5684. Retrieved July 12 2024 from https:\/\/legiscan.com\/RI\/text\/H5684\/id\/2827109"},{"key":"e_1_3_3_96_2","article-title":"Attacking SCADA systems: a practical perspective","author":"Rosa Lu\u00eds","year":"2017","unstructured":"Lu\u00eds Rosa, Tiago Cruz, Paulo Sim\u00f5es, Edmundo Monteiro, and Leonid Lev. 2017. Attacking SCADA systems: a practical perspective. IFIP\/IEEE International Symposium on Integrated Network Management (2017), 741--746.","journal-title":"IFIP\/IEEE International Symposium on Integrated Network Management"},{"key":"e_1_3_3_97_2","doi-asserted-by":"publisher","DOI":"10.1007\/s10207-022-00623-5"},{"key":"e_1_3_3_98_2","article-title":"Security researchers battle against the DMCA","volume":"22","author":"Sardaryzadeh Andre","year":"2023","unstructured":"Andre Sardaryzadeh. 2023. Security researchers battle against the DMCA. Journal of Intellectual Property Chicago-Kent Journal of Intellectual Property 22, (2023). Retrieved July 12, 2024 from https:\/\/scholarship.kentlaw.iit.edu\/ckjip\/vol22\/iss2\/10\/","journal-title":"Journal of Intellectual Property Chicago-Kent Journal of Intellectual Property"},{"key":"e_1_3_3_99_2","article-title":"Whistleblower program rules: Conformed to federal register version","author":"Securities and Exchange Commission","year":"2022","unstructured":"Securities and Exchange Commission. 2022. Whistleblower program rules: Conformed to federal register version. Final Rule. 17 CFR Part 240, Release No. 34-95620, File No. S7-07-22, RIN 3235-AN03. (2022). 
Retrieved July 12, 2024 from https:\/\/www.sec.gov\/about\/offices\/owb\/reg-21f.pdf","journal-title":"Final Rule"},{"key":"e_1_3_3_100_2","article-title":"Cybersecurity risk management, strategy, governance, and incident disclosure","author":"Securities and Exchange Commission","year":"2023","unstructured":"Securities and Exchange Commission. 2023. Cybersecurity risk management, strategy, governance, and incident disclosure. Release Nos. 33\u201311216; 34-97989; File No. S7-09-22 (2023).","journal-title":"Release Nos"},{"key":"e_1_3_3_101_2","unstructured":"Jon [R-AZ] Sen. Kyl. 1996. S.982 - 104th Congress (1995-1996): National information infrastructure protection act of 1996. (1996). Retrieved July 12 2024 from https:\/\/www.congress.gov\/bill\/104th-congress\/senate-bill\/982"},{"key":"e_1_3_3_102_2","unstructured":"Brian [D-HI] Sen. Schatz. 2023. S.744 - 118th Congress (2023-2024): Data care act of 2023. (2023). Retrieved July 13 2024 from https:\/\/www.congress.gov\/bill\/118th-congress\/senate-bill\/744"},{"key":"e_1_3_3_103_2","unstructured":"Singapore Statutes Online. 2021. Personal data protection regulations 2021. Retrieved July 11 2024 from https:\/\/sso.agc.gov.sg\/SL-Supp\/S63-2021\/Published\/20210129?DocDate=20210129"},{"key":"e_1_3_3_104_2","doi-asserted-by":"publisher","DOI":"10.1111\/rego.12168"},{"key":"e_1_3_3_105_2","doi-asserted-by":"publisher","DOI":"10.1057\/s41288-018-0082-7"},{"key":"e_1_3_3_106_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.future.2018.09.063"},{"key":"e_1_3_3_107_2","unstructured":"United States Senate Committee on Armed Services. 2024. Summary of the fiscal year 2024 national defense authorization act for Fiscal Year 2024 Defense Funding Levels. 
Retrieved August 19 2025 from https:\/\/www.armed-services.senate.gov\/imo\/media\/doc\/fy24_ndaa_conference_executive_summary1.pdf"},{"key":"e_1_3_3_108_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICSA-C50368.2020.00043"},{"key":"e_1_3_3_109_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.ssci.2020.105143"},{"key":"e_1_3_3_110_2","doi-asserted-by":"publisher","DOI":"10.1080\/10357718.2017.1347139"},{"key":"e_1_3_3_111_2","unstructured":"Tech Accord. 2018. Cybersecurity tech accord. Retrieved February 23 2023 from https:\/\/cybertechaccord.org\/"},{"key":"e_1_3_3_112_2","unstructured":"The European Parliament and the Council of the European Union. 2016. Regulation (EU) 2016\/679 of the european parliament and of the council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation - GDPR). Retrieved March 25 2021 from https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/PDF\/?uri=CELEX:32016R0679&from=ES"},{"key":"e_1_3_3_113_2","volume-title":"SEC Proposes Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies","author":"Securities The","year":"2022","unstructured":"The Securities and Exchange Commission. 2022. SEC Proposes Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies. Washington D.C."},{"key":"e_1_3_3_114_2","article-title":"National cybersecurity strategy","author":"The White House.","year":"2023","unstructured":"The White House. 2023. National cybersecurity strategy. U. S. Government Printing Office (GPO) (2023). Retrieved March 15, 2023 from https:\/\/bidenwhitehouse.archives.gov\/oncd\/national-cybersecurity-strategy\/","journal-title":"U. S. Government Printing Office (GPO)"},{"key":"e_1_3_3_115_2","unstructured":"Transportation Security Administration. Security Directives and Emergency Amendments. 
Retrieved July 13 2024 from https:\/\/www.tsa.gov\/sd-and-ea"},{"key":"e_1_3_3_116_2","doi-asserted-by":"publisher","DOI":"10.1108\/JMLC-02-2020-0012"},{"key":"e_1_3_3_117_2","article-title":"TSA eases pipeline cybersecurity rules issued after colonial hack","author":"Uberti David","year":"2022","unstructured":"David Uberti. 2022. TSA eases pipeline cybersecurity rules issued after colonial hack. Wall Street Journal. Retrieved February 23, 2023 from https:\/\/www.wsj.com\/articles\/tsa-eases-pipeline-cybersecurity-rules-issued-after-colonial-hack-11656511031","journal-title":"Wall Street Journal"},{"key":"e_1_3_3_118_2","article-title":"Online Safety Act 2023","author":"UK Government.","year":"2023","unstructured":"UK Government. 2023. Online Safety Act 2023. UK Public General Acts (2023). Retrieved July 12, 2024 from https:\/\/www.legislation.gov.uk\/ukpga\/2023\/50","journal-title":"UK Public General Acts"},{"key":"e_1_3_3_119_2","article-title":"Cybercrime legislation worldwide","author":"UNCTAD.","year":"2021","unstructured":"UNCTAD. 2021. Cybercrime legislation worldwide. UNCTAD. Retrieved July 11, 2024 from https:\/\/unctad.org\/page\/cybercrime-legislation-worldwide","journal-title":"UNCTAD"},{"key":"e_1_3_3_120_2","unstructured":"U. S. Copyright Office. 2018. Section 1201. Retrieved July 12 2024 from https:\/\/www.copyright.gov\/1201\/2018\/"},{"key":"e_1_3_3_121_2","unstructured":"U. S. Department of Commerce. 2022. EU-U. S. Data Privacy Framework. Retrieved July 13 2024 from https:\/\/www.dataprivacyframework.gov\/EU-US-Framework"},{"key":"e_1_3_3_122_2","doi-asserted-by":"publisher","DOI":"10.1016\/J.CLSR.2023.105890"},{"key":"e_1_3_3_123_2","doi-asserted-by":"publisher","DOI":"10.11610\/isij.4812"},{"key":"e_1_3_3_124_2","unstructured":"White House. 2023. FACT SHEET: President biden issues executive order on safe secure and trustworthy artificial intelligence. 
Retrieved July 12 2024 from https:\/\/bidenwhitehouse.archives.gov\/briefing-room\/statements-releases\/2023\/10\/30\/fact-sheet-president-biden-issues-executive-order-on-safe-secure-and-trustworthy-artificial-intelligence\/"},{"key":"e_1_3_3_125_2","unstructured":"Lance Whitney. 2021. Kaseya supply chain attack impacts more than 1 000 companies | TechRepublic. TechRepublic. Retrieved March 14 2023 from https:\/\/www.techrepublic.com\/article\/kaseya-supply-chain-attack-impacts-more-than-1000-companies\/"},{"key":"e_1_3_3_126_2","unstructured":"Andrew Wisniewski. 2022. Cyber whistleblowers: The black sheep of whistleblowing? 1 (2022). Retrieved January 31 2024 from https:\/\/digitalcommons.odu.edu\/covacci-undergraduateresearch\/2022fall\/projects\/1\/"},{"key":"e_1_3_3_127_2","unstructured":"World Economic Forum. 2023. Facilitating global interoperability of cyber regulations in the electricity sector [position paper]. Retrieved January 7 2024 from https:\/\/www3.weforum.org\/docs\/WEF_Facilitating_Global_Interoperability_Cyber_Regulations_2023.pdf"},{"key":"e_1_3_3_128_2","unstructured":"Boming Xia Tingting Bi Zhenchang Xing Qinghua Lu and Liming Zhu. 2023. An empirical study on software bill of materials: Where we stand and the road ahead. arXiv:2301.05362v3 (2023). Retrieved January 31 2024 from https:\/\/ieeexplore.ieee.org\/document\/10172696"},{"key":"e_1_3_3_129_2","doi-asserted-by":"publisher","DOI":"10.1109\/DSA.2018.00015"},{"key":"e_1_3_3_130_2","article-title":"Memorandum for The Heads of Executive Departments and Agencies","author":"Young Shalanda D.","year":"2022","unstructured":"Shalanda D. Young. 2022. Memorandum for The Heads of Executive Departments and Agencies. The White House (2022).","journal-title":"The White House"},{"key":"e_1_3_3_131_2","unstructured":"APEC Cross-Border Privacy Rules System. 2019. Policies Rules and Guidelines. Asia-Pacific Economic Cooperation (APEC). 
Retrieved August 19 2025 from https:\/\/cbprs.org\/wp-content\/uploads\/2019\/11\/4.-CBPR-Policies-Rules-and-Guidelines-Revised-For-Posting-3-16-updated-1709-2019.pdf"},{"key":"e_1_3_3_132_2","unstructured":"2018. California Consumer Privacy Act of 2018 (CCPA) Civil Code - CIV Title 1.81.5. California Legislative Information. Retrieved July 12 2024 from https:\/\/leginfo.legislature.ca.gov\/faces\/codes_displayText.xhtml?division=3.&part=4.&lawCode=CIV&title=1.81.5"},{"key":"e_1_3_3_133_2","unstructured":"2018. AB-1906 Information privacy: Connected devices. California Legislative Information Sacramento CA Chapter 860 Statutes of 2018. Retrieved August 19 2025 from https:\/\/legiscan.com\/CA\/text\/AB1906\/id\/1793434"},{"key":"e_1_3_3_134_2","unstructured":"2022. H.R.7900 - National Defense Authorization Act for Fiscal Year 2023. U.S. House of Representatives Washington DC. Retrieved August 19 2025 from https:\/\/www.congress.gov\/bill\/117th-congress\/house-bill\/7900"},{"key":"e_1_3_3_135_2","unstructured":"2023. House Bill No. 5684 (2023 Regular Session). LegiScan. Retrieved July 11 2024 from https:\/\/legiscan.com\/RI\/bill\/H5684\/2023"},{"key":"e_1_3_3_136_2","unstructured":"World Economic Forum. 2023. Response to the White House's Request on Harmonizing Cybersecurity Regulations. Retrieved August 19 2025 from https:\/\/www3.weforum.org\/docs\/WEF_Response_to_the_White_House%E2%80%99s_Request_on_Harmonizing_Cybersecurity_Regulations_2023.pdf"},{"key":"e_1_3_3_137_2","unstructured":"2024. Federal Acquisition Regulation (FAR). Acquisition.GOV. Retrieved July 11 2024 from https:\/\/www.acquisition.gov\/browse\/index\/far"},{"key":"e_1_3_3_138_2","unstructured":"2024. A New Roadmap for FedRAMP. FedRAMP.gov. Retrieved July 13 2024 from https:\/\/www.fedramp.gov\/2024-03-28-a-new-roadmap-for-fedramp\/"},{"key":"e_1_3_3_139_2","unstructured":"U.S. Congress. 2024. 
H.R.8070 - Servicemember Quality of Life Improvement and National Defense Authorization Act for Fiscal Year 2025. 118th Congress. Retrieved August 19 2025 from https:\/\/www.congress.gov\/bill\/118th-congress\/house-bill\/8070"},{"key":"e_1_3_3_140_2","unstructured":"NYDFS Proposes Amendments to Cybersecurity Regulation | Insights | Holland and Knight. Retrieved February 23 2023 from https:\/\/www.hklaw.com\/en\/insights\/publications\/2022\/11\/nydfs-proposes-amendments-to-cybersecurity-regulation"}],"container-title":["ACM Computing Surveys"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3757318","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,9,27]],"date-time":"2025-09-27T12:12:33Z","timestamp":1758975153000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3757318"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,9,8]]},"references-count":139,"journal-issue":{"issue":"2","published-print":{"date-parts":[[2026,1,31]]}},"alternative-id":["10.1145\/3757318"],"URL":"https:\/\/doi.org\/10.1145\/3757318","relation":{},"ISSN":["0360-0300","1557-7341"],"issn-type":[{"value":"0360-0300","type":"print"},{"value":"1557-7341","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,9,8]]},"assertion":[{"value":"2024-10-29","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2025-07-11","order":2,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2025-09-08","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}