RSAC Podcast Episode Summary
Episode: What Cybersecurity Professionals Need to Know about Legal and Regulatory Developments: A World Tour
Date: February 25, 2026
Hosts: Tatiana Sanchez (B), Casey Serkis (C)
Guests: John Elliott (D), Laura Ketzel (A)
Theme: Navigating the evolving landscape of cybersecurity law, regulation, and standards globally—with special emphasis on trends, preparedness, and the practical implications for professionals.
Episode Overview
This episode offers a “world tour” of the current and emerging legal and regulatory environment for cybersecurity professionals. Hosts Tatiana and Casey are joined by regulatory experts John Elliott and Laura Ketzel, who break down key trends in global regulation, the evolving focus of laws (from confidentiality to integrity), and strategies for staying compliant and resilient in a rapidly changing landscape. The discussion includes actionable advice, global perspectives (EU, Singapore, Brazil), and special attention to the coming wave of integrity-focused regulation and post-quantum cryptography transitions.
Key Discussion Points & Insights
1. The Evolution of Cybersecurity Regulation (03:04)
- John Elliott introduces the "micro frame" of regulatory focus:
  - Early regulation targeted confidentiality—personal data (GDPR, HIPAA, PCI), primarily via the classic CIA triad's “C.”
  - Move from “confidentiality” to “availability/resilience” (e.g., DORA, NIS2, UK banking regs)
  - Latest trend: emphasis on integrity
“Now what I think we're seeing is a final change of regulatory focus… on integrity. And we can see that initially in the EU's AI Act. And I'm going to predict that other regulations will concern themselves with integrity.”
—John Elliott, [05:19]
- Key prediction: Movement from regulating organizations to focusing on certified, verified products (as embodied by the EU Cyber Resilience Act and AI Act).
2. Shift of Responsibility to Manufacturers (06:30)
- Laura Ketzel highlights the EU Cyber Resilience Act’s shift:
  - Regulation is transitioning from guiding operators to holding manufacturers responsible for product security across the product lifecycle.
“With the CRA, you see the EU promulgating a set of rules that say if you produce this type of product, these are the standards that you must implement. And if you don't... you will be assessed fines and rolled out of compliance.”
—Laura Ketzel, [06:54]
- Timeline: Enforcement ramps up in 2027, though initial “consultative enforcement” is likely ([08:13]).
3. Strategies for Navigating Regulatory Complexity (09:31)
- Practical advice to avoid being overwhelmed:
  - Take advantage of previous compliance efforts (e.g., GDPR, privacy by design).
  - Recognize that many global standards build on EU frameworks.
“All of those things that you did should really help you comply with things in the future.”
—Laura Ketzel, [10:58]
- John Elliott's emphasis on risk-based, process-oriented compliance:
  - European laws focus on risk assessments and impact on fundamental rights.
  - This framework is reflected in the AI Act governing high-risk AI.
“The whole thing of working out how will what I am doing affect people's fundamental rights and freedoms is a really important step.”
—John Elliott, [12:41]
4. The Unique Challenges of AI-focused Regulation (13:50)
- Laura and John dissect cybersecurity in the AI Act:
  - The AI Act calls for appropriate measures to prevent model manipulation, yet practical solutions (logging, model monitoring, prompt injection defense) are still nascent.
“Model poisoning and prompt injection is something that we, as an industry… we're probably 5% of the way into understanding the best ways of doing that at the moment.”
—John Elliott, [14:30]
  - When asked how to comply: “Have a great story to tell… means lots of logging… step by step by step, especially if we're chaining agentic systems.” ([15:03])
5. Global Perspectives: Singapore and Brazil (15:35)
- Singapore:
  - Sectoral guidance, not law—but effective, fast, and globally connected.
“Their kind of regulators tend to stay very far ahead of things and be willing to issue guidance quite quickly… a good place to look for guidance on leading edge technology stuff…”
—Laura Ketzel, [18:08]
- Brazil:
  - AI law in draft, closely modeled on the EU’s approach. Elections will determine if/when it passes.
6. Regulatory Language: “Appropriate” and “Reasonable” (19:37)
- Both guests explain why regulators use flexible language:
  - Ensures future-proofing, prevents obsolescence.
“And so appropriate means what's appropriate for the time you are doing something… I would definitely look at the OWASP stuff.”
—John Elliott, [20:31]
“Infinitely preferable to… requirements that stay on the books for 10 years and you’re stuck doing something obsolete…”
—Laura Ketzel, [21:10]
7. The Coming Post-Quantum Cryptography Transition (21:48)
- Urgency and approach for transitioning to post-quantum encryption:
  - Inventory all uses of cryptography: symmetric and asymmetric.
  - Assess the value and lifespan of data (the “capture now, decrypt later” threat).
  - Work with partners, ensure “cryptographic agility.”
“The hardest thing that we found… is… things that are important but not urgent. And we tend to be really bad at important but not urgent things.”
—John Elliott, [25:10]
- Laura: Timeline unknown, but best to be ready.
“You would want to be moving faster. And even if you don’t have data of that type, you don’t want to have to do this under the gun, as it were.”
—Laura Ketzel, [27:05]
8. The Shift Toward Integrity and Its Implications (28:11)
- Evaluating integrity in systems and regulation:
  - Emerging standards (OWASP, MITRE, NIST) are key to “appropriate” controls.
  - Logging, data provenance, and cryptographic proofs will underpin integrity claims.
“How do you verify that you took the appropriate measures? …comes down to a lot of logging and data retention…”
—John Elliott, [29:07]
- Impact on trust and individual burden:
  - Regulation should shift responsibility from users to manufacturers and institutions, countering digital trust collapses like deepfakes.
“The reason why it [integrity-focused regulation] matters is because… successful integrity-focused regulation has the sort of potential to make those deficits of trust at least get less bad, less quickly, if not improve.”
—Laura Ketzel, [32:14]
“Too much of this onus has shifted on to the individual… regulation… is designed to shift some of that onus back onto the people who produce the products and to the systems themselves.”
—Laura Ketzel, [32:53]
Notable Quotes & Memorable Moments
- John Elliott:
“We can't fix system vulnerabilities, but now we think we can legislate them away, which I think is a really positive thing.” [14:00]
“Are we taking appropriate measures to ensure integrity? And if somebody came to us and said how are you ensuring integrity?” [28:16]
- Laura Ketzel:
“All of those things that you did should really help you comply with things in the future.” [10:58]
“If regulation and cryptographic implementation… isn’t successful, then you’ll continue to see the kind of institutional and counterparty trust collapse that everybody worries about.” [32:10]
“The number of people who can actually do all those things successfully, even in our community, is very, very small.” [33:22]
- On regulatory philosophy:
“It's infinitely preferable to a bunch of requirements that say you must do this specific thing that then stay on the books for 10 years and you're stuck doing something sort of obsolete because the law requires you to.”
—Laura Ketzel, [21:15]
Key Timestamps
| Time | Segment / Topic |
|-------|------------------------------------------------------|
| 03:04 | History and direction of cybersecurity regulation (Elliott) |
| 06:30 | EU Cyber Resilience Act and shift to product responsibility (Ketzel) |
| 09:31 | Strategies for handling regulatory complexity |
| 12:41 | Risk-based impact assessments and the AI Act |
| 14:00 | AI security requirements and practical gaps |
| 15:35 | Global regulation: Singapore, Brazil |
| 19:37 | "Appropriate"/"Reasonable" legal language |
| 21:48 | Preparing for post-quantum cryptography transitions |
| 25:10 | The "important but not urgent" challenge |
| 28:11 | Future of integrity-focused regulation |
| 32:10 | Integrity, trust, and shifting responsibility |
Resources & Recommendations
- Review previous compliance frameworks: Especially GDPR/privacy by design, as many newer regulations build on these.
- Monitor and implement guidance from:
  - OWASP GenAI Security Top 10
  - NIST AI security guidance
  - MITRE AI frameworks
  - Singapore and Brazilian AI regulation developments
- Prioritize:
  - Regulatory risk assessments tied to “fundamental rights and freedoms”
  - Cryptography inventory and “cryptographic agility” for quantum-readiness
  - Logging, audit trails, and data provenance for integrity assurance
- Stay up-to-date: Attend relevant RSAC sessions (see community slides), and monitor enforcement timelines (especially in the EU).
Closing Note
The episode underscores that while the regulatory landscape is evolving and complex—with focus shifting toward product integrity and resilience—the fundamental tools and approaches of good security and risk management remain powerful. The ability to pivot and adapt, leverage established frameworks, and anticipate future requirements will continue to be vital for cybersecurity professionals worldwide.
