
1. Article: New Cybersecurity Package proposed by European Commission
Matheson LLP has a great explainer of the new Cybersecurity Package proposed by the European Commission. Broadly, the changes planned are:
- Enhanced role for ENISA, with budget increases of more than 75%.
- ENISA will develop repositories of Cyber Threat Intelligence.
- A single-entry reporting point to be operated by ENISA for security breaches.
- New European Cybersecurity Certification Framework for public/private organizations.
- More requirements around ICT Supply Chain security.
- Amendments to NIS2.
Link: https://www.matheson.com/insights/new-cybersecurity-package-proposed-by-european-commission/
Link to the official page: https://digital-strategy.ec.europa.eu/en/library/proposal-regulation-eu-cybersecurity-act

2. Resource: Singapore Monetary Authority’s AI Risk Management Guidelines
Singapore’s Monetary Authority has had a consultation paper out since November (now closed) on its Guidelines on Artificial Intelligence (AI) Risk Management (AIRG), which set out its supervisory expectations for AI risk management in financial institutions.

3. Resource: OSCAL
Throughout my career, I used to document controls in Excel (in some cases Word/Confluence). But some time back, I came across this framework called OSCAL (Open Security Controls Assessment Language), which was billed as a standard, machine-readable way to describe security controls and assessment evidence.
I never got to work on it, but if you want to know more, I recommend this well-written article from StateTech Magazine as a primer.
The official site also has some great documentation.
- OSCAL Homepage: https://pages.nist.gov/OSCAL/
- Tutorials: https://pages.nist.gov/OSCAL/learn/tutorials/
- Series of videos and presentations from workshops: https://pages.nist.gov/OSCAL/learn/presentations/mini-workshop/
- OSCAL Architecture: https://pages.nist.gov/OSCAL/learn/concepts/layer/

4. Industry Report: Exabeam finds that 95% of organizations are increasing security spending in 2026, driven by AI
Exabeam has a new research report titled “From Adoption to Accountability: The New Economics of AI in Cybersecurity” based on a global survey of 750 security decision-makers, showing that 95% of organizations are increasing cybersecurity budgets in 2026, largely driven by AI investments.
What I found to be the most revealing part of the report:
Security leaders face mounting pressure to adopt AI quickly, yet many struggle to articulate its business value to boards and executive stakeholders.
Link (Registration Required): https://www.exabeam.com/hubs/from-adoption-to-accountability-the-new-economics-of-ai-in-cybersecurity/

5. Resource: Building a Unified Control Framework for your organization
If you are trying to build a Controls Library, read this paper from Credo AI.
Link: https://arxiv.org/abs/2503.05937
They explain an approach to mapping compliance requirements from the Colorado AI Act to risks and controls, with detailed examples throughout. Although they used it for an AI regulation, I found their approach to be framework-agnostic — NIST CSF, ISO 27001, NIS 2, or a local regulation all work using this conceptual approach.
This is the conceptual model from the paper showing how requirements, risks, and controls layer together.
The full control library and its mappings are also available in an interactive visualization linked in the paper here:
https://facct2025-submission.netlify.app