SEC Crypto 2.0: SEC Announces New Crypto Task Force

On January 21, 2025, the SEC announced the formation of a new Crypto Task Force. Styled “Crypto 2.0” in the SEC press release, the announcement signals a shift in the agency’s approach to the digital asset sector coincident with the change in presidential administrations.
The task force will be led by Commissioner Hester Peirce and draw on staff from around the agency. Its mission is to “collaborate with Commission staff and the public to set the SEC on a sensible regulatory path that respects the bounds of the law.” The task force anticipates future roundtables and invites the submission of public comments. It will also coordinate with other state and federal agencies, including the Commodity Futures Trading Commission.
The SEC press release announcing the task force’s creation is somewhat critical of the agency’s prior approach to regulating digital assets, noting that the agency “relied primarily on enforcement actions to regulate crypto retroactively and reactively, often adopting novel and untested legal interpretations along the way.” The press release noted, “Clarity regarding who must register, and practical solutions for those seeking to register, have been elusive.” The announcement concludes, “The SEC can do better.”
The crypto industry heavily supported the candidacy of President Trump, and the President’s nominee for SEC chairman, Paul Atkins, is likely to support a reset of the SEC’s approach to regulating the sector. After the crypto winter, it appears spring is coming to the SEC.

5 Trends to Watch: 2025 Financial Services Litigation

Increasing Focus on Payments — Payments litigation will likely continue and increase in 2025 in the United States and globally, along with increased use of Automated Clearing House (ACH) transfers and wires, bank and non-bank competition, state regulation, and more sophisticated fraud schemes. This trend should continue regardless of the incoming administration’s enforcement priorities. Borrowing from Europe, the United States could see increasing pressure for a Payment Services Regulation or other laws to shift more risk of payment fraud to financial institutions. State-based efforts to regulate interchange fees may create additional risk.
Increasing Use of Mass Arbitration and Rise of International Arbitration — Mass arbitration in the United States is likely to continue and increase, particularly as plaintiffs’ counsels become more equipped, efficient, and coordinated at lodging these attacks. International arbitration also is likely to increase, given globalization and diversification, driven by the growing complexity of cross-border issues. The strategic advantage of leveraging global litigation offices in regions like Latin America, Europe, and the Middle East will be crucial, as these areas continue to be hot spots for international business activities and disputes. Reliance on local knowledge will become increasingly important as parties seek more efficient and culturally sensitive resolutions.
Anti-Money Laundering (AML), Know Your Customer (KYC), and Compliance-Related Issues — There was increased activity over the past year on AML-related matters globally, and this trend appears likely to continue. This increase also is likely to carry over to civil litigation, including complex fraud and Ponzi schemes and allegations relating to improper asset management or trust disputes, where financial institutions are being more heavily scrutinized over actions taken by their customers, and the plaintiffs’ bar is expected to try to create more hospitable case law and jurisdictions. As regulatory scrutiny intensifies globally, financial institutions will continue to find themselves at the intersection of civil litigation and concurrent regulatory/criminal investigations, creating additional risks. The growing complexity of these cases underscores the need for banks to maintain vigilance and adaptability.
Changing Enforcement and Regulatory Risks — A slowdown of Consumer Financial Protection Bureau (CFPB)-related activity, including a relative slowdown of crypto enforcement, could take place over the course of the year due to the change of administration and agency leadership, but there could be an increase in certain states’ attorneys general activity. State-based regulation and legislation would pose additional risks, creating jurisdictional and other challenges. State regulatory agencies may continue enforcement efforts related to consumer protections in the financial services space. There also may be continued focus on fair lending practices, with potential litigation concerning artificial intelligence’s (AI) role in lending or other decisions. The rise of digital currencies also has introduced new legal challenges. Cryptocurrency exchanges are being held accountable for frauds occurring on their platforms and ongoing uncertainties in digital asset regulations are resulting in compliance challenges and related litigation.
Information Use and Security — The increasing use of new technologies and AI likely will result in increased risks and a rise in civil litigation. Litigation may emerge over AI tools allegedly infringing on copyrights. Another area would be AI-based pricing algorithms being scrutinized for potential collusion and antitrust violations or discrimination and bias. More U.S. states are proposing and passing comprehensive AI and other laws that do not have broad financial institution or Gramm-Leach-Bliley Act-type exemptions, so there could be additional regulation. States also could continue efforts to pass new laws in the privacy area to address areas not currently regulated through federal laws.

CNIL Publishes 2025-2028 Strategic Plan

On January 16, 2025, the French Data Protection Authority (“CNIL”) unveiled its strategic plan for 2025-2028, highlighting its priorities for the coming years. Summarized below are the four key focus areas outlined in the CNIL’s strategic plan:

Artificial Intelligence (“AI”): With respect to AI, the CNIL commits to: (1) collaborating with European and international partners to promote harmonized AI governance; (2) providing guidance to stakeholders, clarifying applicable rules and implementing effective and balanced regulation of AI; (3) raising public awareness of the challenges raised by AI and the importance of exercising individuals’ rights; and (4) ensuring AI systems comply with applicable rules, including by creating a methodology and tools allowing such monitoring throughout the lifecycle of an AI system, and collaborating with other data protection authorities on EU-wide monitoring actions.
Protection of Minors: Recognizing the vulnerabilities of children in digital environments, the CNIL will prioritize safeguarding their personal data. Key actions include: (1) strengthening requirements for online platforms to ensure age-appropriate protections; (2) promoting tools and resources to enhance children’s understanding of their digital rights; (3) allowing minors to effectively exercise their rights; and (4) engaging with educators, parents, and industry stakeholders to create safer digital spaces for minors.
Cybersecurity and Resilience: With increasing cyber threats targeting organizations and individuals, the CNIL will focus on: (1) strengthening cooperation with all cybersecurity stakeholders; (2) supporting businesses and individuals in enhancing their data security practices and with facing cyber risks; (3) advocating for privacy-by-design approaches to mitigate cybersecurity risks; and (4) conducting investigations and enforcing sanctions to reinforce compliance with data breach notification requirements under the EU General Data Protection Regulation.
Everyday Digital Life: Apps and Online Identity: To address the pervasive role of technology in daily life, the CNIL commits to: (1) continuing the implementation of its apps strategy to protect individuals’ privacy, including by raising public awareness of the importance of privacy, monitoring the compliance of apps with applicable rules, and updating its guidelines for professionals working with apps; and (2) monitoring the development of apps and encouraging companies to adopt user-centric approaches that respect privacy.

Read the CNIL’s press release and strategic plan (in French).

TOO EARLY FOR TICKETS: Another Plaintiff Alleging TCPA Violation in Uncharted Territory

Hi folks!
A couple weeks back, we saw a lawsuit filed in the Northern District of California alleging a TCPA violation due to the times telemarketing messages were sent. The claims had nothing to do with consent. Rather, that plaintiff alleged violations of the TCPA because the messages were sent before 8 a.m.
The TCPA does prohibit calls and text messages before 8 a.m. and after 9 p.m. See 47 C.F.R. § 64.1200(c)(1). However, individual claims (let alone entire lawsuits) alleging violations of these TCPA time zone provisions are quite uncommon. Still, another lawsuit was filed, this time in the Central District of California, alleging only violations of the time zone provisions. Plaintiff’s counsel is the same as in the above Northern District of California case.
The Plaintiff in Alvarez v. Seated, Inc. alleges that four telephone solicitations were sent to her before 8 a.m. in her local time zone. No. 8:25-cv-00079, (C.D. Cal. filed Jan 16, 2025). Even though the text messages complied with the time zone provisions in the Defendant’s time zone, the TCPA does specify that the time zone of the recipient is the basis for liability, not that of the sender. See 47 C.F.R. § 64.1200(c)(1).
Based on Plaintiff’s allegations, it appears that she signed up to receive alerts when an artist (John Mayer) announced new concerts. So, Plaintiff got two, separate notifications when John Mayer announced new events. Then, Plaintiff received two verification codes—you know, the things you receive when you try to sign into a website.
Maybe Plaintiff just really wanted those tickets?
In any case, Plaintiff seeks to represent the following class based solely on the time zone provisions of the TCPA: “All persons in the United States who from four years prior to the filing of this action through the date of class certification (1) Defendant, or anyone on Defendant’s behalf, (2) placed more than one marketing text message within any 12-month period; (3) where such marketing text messages were initiated before the hour of 8 a.m. or after 9 p.m. (local time at the called party’s location).” Alvarez v. Seated, Inc., No. 8:25-cv-00079, at 5 (C.D. Cal. filed Jan 16, 2025).
In large part, it remains to be seen how courts will handle these types of TCPA class allegations. We will be sure to keep you posted!
While you’re here, the big news at TCPAWorld is the ongoing uncertainty as to the implementation of the FCC’s one-to-one consent rule, which (as of now) is set to take effect on January 27, 2025. Under the rule, businesses must obtain separate written consent for each entity that sends marketing communications.
However, an executive order by the President and emergency petition filed with the FCC based on that order could delay its implementation. 
Talk soon!

HIPAA Security Rule Updates: New Business for Business Associates

Bradley has launched a multipart blog series on the U.S. Department of Health and Human Services’ (HHS) proposed changes to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule, beginning last week with an overview. The Notice of Proposed Rulemaking (NPRM) was published on January 6, 2025. This marks the first update since the HIPAA Security Rule’s original publication in 2003 and its last revision in 2013. In this weekly series, we will continue to explore the key changes and their implications and provide insights and takeaways for covered entities and their business associates under HIPAA.
What’s New for BAs and BAAs?
This week’s installment is on the proposed changes specifically affecting business associates (BAs) and business associate agreements (BAAs) and responsibilities for covered entities related to business associates who serve as the HIPAA Security Official.
Revisions to BAAs
The NPRM requires regulated entities to include within their BAAs the following new provisions:

Notification to the covered entity (and downstream BAs to the business associate) within 24 hours of activating its contingency plan;
Written verification that the BA (and the downstream BA to the business associate) has deployed technical safeguards as required by HIPAA; and
Requirements to provide written assurances at least once every 12 months that the BA has implemented technical safeguards validated by cybersecurity subject matter experts and certified by a person of authority at the BA. 

In addition, as part of the required security risk assessment process, regulated entities must assess the risks of entering a BAA with a current or prospective BA based on this written verification.
The revisions will require updates to BAAs both in effect now and any new BAAs entered after the Final Rule is published. Similar to the HITECH rule implementation in 2013, these required revisions will have an on ramp for regulated entities to become compliant. Notably, the transition provisions of the NPRM state that BAAs will be deemed in compliance if the following circumstances exist: (1) if the BAA contains the required provisions applicable at the time the Final Rule is published, and (2) the BAA is not renewed or modified within 60 to 240 days after the Final Rule is published. However, all BAAs must be in compliance within a year plus 60 days after the Final Rule is published.
These revisions may create a significant administrative load for regulated entities small and large. In preparation for the Final Rule publication, regulated entities should review their current BAAs to confirm these agreements are up to date with current requirements in effect at the time of execution to take advantage of the on ramp for compliance. Even under current law, regulated entities also may benefit from updating their vendor management programs to request written verification of technical safeguards based on the level of risk associated with their business associate’s handling of PHI.
Covered Entity Delegation of Security Officials
The NPRM also confirms the possibility for a covered entity to appoint a business associate as the Security Officer. Importantly, the HHS clarifies its view that the covered entity still remains liable for ultimate compliance with the Security Rule even if the service is contracted to a business associate.
The HHS Office for Civil Rights (OCR) will accept comments through March 7, 2025.
In our upcoming posts in this series, we will delve into changes to the HIPAA Security Rule affecting group health plans and current thinking related to AI technologies.
Please visit HIPAA Security Rule NPRM and the HHS Fact Sheet for additional resources.

EU Council Adopts European Health Data Space Regulation

On January 21, 2025, the Council of the EU adopted the European Health Data Space Regulation (the “EHDS Regulation”). The EHDS Regulation aims at making cross-border exchange and access to EU health data easier, improving individuals’ control over their personal electronic health data and enabling the reuse of certain health data for research and innovation purposes.
Background
On May 3, 2022, the European Commission unveiled its proposal for a regulation establishing a European Health Data Space. This initiative is part of the Commission’s European Strategy for Data that was released in 2020.
Key Takeaways

The new rules under the EHDS Regulation seek to provide individuals with faster and easier access to their electronic health data, regardless of whether they are in their home country or another EU member state. Moreover, individuals will have greater control over how their health data is used. To facilitate this, EU countries must establish a dedicated digital health authority to oversee the implementation of these provisions.
The EHDS Regulation aims to open new doors for researchers and policymakers by granting access to specific types of anonymized, secure health data.
Digitalization of health data currently varies significantly between EU member states, often creating barriers to cross-border data sharing. The EHDS Regulation seeks to address this challenge by mandating that all electronic health record systems align with the European electronic health record exchange format, ensuring interoperability across the EU.

The provisions of the EHDS Regulation will become applicable between two and six years after the entry into force of the Regulation. As a regulation, the EHDS Regulation will apply directly in all EU Member States.
The EHDS Regulation is now awaiting formal signature by the Council of the EU and the European Parliament. It will come into effect 20 days after its publication in the Official Journal of the EU.
Read the text of the EHDS Regulation and the Council’s Press Release.

No Co-Inventorship Absent Corroborated Conception

In a patent case concerning cryptocurrency data mining, the US Court of Appeals for the Federal Circuit affirmed a district court’s grant of summary judgment and its ruling that a state law conversion claim was preempted by patent law of inventorship. The Court also affirmed the denial of a correction to the inventorship claim. BearBox LLC v. Lancium LLC, Case No. 23-1922 (Fed. Cir. Jan. 13, 2025) (Stoll, Chen, Bryson, JJ.)
BearBox was an entity founded by Austin Storms that developed and designed mobile cryptocurrency data centers. It operated a half-megawatt data center but was unprofitable as a consequence of the high cost of electricity and the data center’s high energy requirements. Lancium was an entity that aimed to co-locate data centers at wind farms to use the highly variable power generated for data mining but sell excess electricity to the grid when electricity cost was high. BearBox and Lancium met in 2019 at a cryptocurrency mining summit. At that time, BearBox was looking to find customers for its newly developed BearBox containers, and Lancium was in the market for those containers. Both BearBox and Lancium had developed similar software to detect profitable time periods for cryptocurrency mining. Their systems aimed to mine cryptocurrency during periods when electricity prices were low, while selling the energy to the grid when prices were high. Lancium disclosed these concepts in an international patent application filed 15 months before Storms met anyone at Lancium.
BearBox’s system was discussed over dinner at the summit and in a single email exchange afterwards. However, BearBox never disclosed any source code associated with the BearBox system to Lancium. The email exchange was the last communication between the two parties. About five months after the meeting, Lancium filed a patent application that related to a set of computing systems configured to perform computational operations using electricity from a power grid and to a control system that monitored a set of conditions and received power option data based at least in part on a power option algorithm. After that application matured into a patent, BearBox filed suit asserting sole or joint inventorship of the patent and conversion under Louisiana state law.
Lancium moved for summary judgment on the conversion claim. The district court granted the motion, noting that federal patent law preempted the claim. However, the district court denied Lancium’s motion for summary judgment on the inventorship claims – claims that were then heard at a bench trial. At trial, the district court concluded that BearBox failed to prove by clear and convincing evidence that BearBox’s founder, Storms, conceived any part of the claimed invention. BearBox appealed.
The Federal Circuit began by assessing the ruling on preemption of BearBox’s conversion claim. Relying on its 2005 decision in Ultra-Precision Mfg. v. Ford Motor, the Court noted that although the state law of conversion does not squarely implicate federal patent law, the way a conversion claim is pled may “[stand] as an obstacle to the accomplishment and execution of the full purposes and objectives of Congress.” Thus, a conversion claim cannot offer “patent-like” protection that would otherwise not garner protection under federal patent law. Based on this reasoning, the Court affirmed that BearBox’s state law conversion claim was preempted by federal patent law because, as pled, the claim was “essentially an inventorship cause of action and infringement cause of action.”
The Federal Circuit next addressed the district court’s decision denying BearBox’s inventorship claims. BearBox argued that the district court erred in “analyzing individual claim elements (rather than a combination of elements) [and] . . . comparing them, element-by-element, to Mr. Storms’s corroborating documents,” and by “applying the rule of reason by evaluating corroborating documents in isolation.”
An omitted inventor seeking to have their name listed on a patent must prove their inventorship by clear and convincing evidence. In its 1998 decision in Ethicon v. U.S. Surgical Corp., the Federal Circuit held that “an alleged joint inventor’s testimony alone is insufficient to establish inventorship by clear and convincing evidence.” Instead, the alleged joint inventor “must supply evidence to corroborate his testimony.” As the Ethicon court explained, “[c]orroborating evidence may take many forms,” including “contemporaneous documents” or physical evidence, “[c]ircumstantial evidence about the inventive process,” and “oral testimony of someone other than the alleged inventor.”
To corroborate its testimony, BearBox used the four attachments in the one-time email exchange with Lancium, none of which evidenced inventorship or patented subject matter. While a rule of reason standard is applied to the corroboration evaluation, clear and convincing evidence is required to prevail on the ultimate inventorship issue.
The Federal Circuit saw no issue with the district court’s limitation-by-limitation analysis. The Court went even further and determined that regardless of approach, BearBox could not prove that Storms had introduced the subject matter of the patent claims prior to Lancium’s independent conception.
As the Federal Circuit explained, an alleged joint inventor “must show that he contributed significantly to the conception – the definite and permanent idea of the invention – or reduction to practice of at least one claim.” These contributions must also arise from “some element of joint behavior, such as collaboration or working under common direction” with the other inventor(s).
Thus, the Federal Circuit affirmed that BearBox did not and could not prove by clear and convincing evidence that Storms was the sole or joint inventor of the patent claims.
Sarah Mezini also contributed to this article.

CFPB Seeks Public Comment on Digital Payment Privacy and Consumer Protections

On January 10, 2025, the U.S. Consumer Financial Protection Bureau (“CFPB”) invited public comment on strengthening privacy protections for, and a proposed interpretive rule extending financial consumer protections to, emerging payment mechanisms. The agency’s request for information (“RFI”) aims to clarify how existing financial privacy laws apply to emerging consumer payment mechanisms, including digital currencies and gaming platforms. Additionally, the agency issued a proposed interpretive rule (“Proposed Rule”) meant to extend financial consumer protections against errors and fraud to emerging payment mechanisms. 
The CFPB’s RFI focuses on how companies collect, use and share consumer financial data. The agency’s research indicates that some digital payment platforms collect more data than necessary to complete transactions, often integrating this data with broader consumer information such as location and browsing history. This practice raises concerns about personalized pricing and potential consumer harm. The CFPB is evaluating whether existing regulations, such as the Gramm-Leach-Bliley Act and the Fair Credit Reporting Act, sufficiently address modern data surveillance practices.
In addition to privacy concerns, the CFPB has issued the Proposed Rule to clarify the application of Regulation E of the Electronic Fund Transfer Act to emerging payment mechanisms. Regulation E provides consumer protections against errors and unauthorized transactions in electronic fund transfers. The proposed rule would expand key definitions within Regulation E to include:

Financial Institutions: Extending coverage to nonbank entities that facilitate electronic fund transfers.
Funds: Broadening the definition to encompass digital assets that function as a medium of exchange, including stablecoins and similar payment instruments.
Accounts: Expanding the definition to cover virtual currency wallets, gaming accounts and credit card rewards points used for transactions.

The CFPB’s proposal highlights the growing role of digital payment options beyond traditional banking systems and seeks to ensure consumer protection measures apply consistently across emerging platforms.
Public comments may be submitted on the Proposed Rule by March 31, 2025, and the RFI by April 11, 2025. 

NCLC RESPONDS TO R.E.A.C.H. PETITION: Takes Extreme Position–Rock and Roll

So NCLC has scrambled to put together their opposition to R.E.A.C.H.’s emergency petition to stay the one-to-one rule.
Their position– Trump can’t stay agency rulings without a separate notice and comment period.
We’ll see about that.
Appreciate the hard work they put in though.
Opposition here: NCLC against Stay
More soon.

France Launches Long-Awaited Procedure to Support the Production of Renewable or Low-Carbon Hydrogen

Legal and Regulatory Framework
Just before Christmas, France took another major step forward in its decarbonization strategy with the launch of the competitive bidding procedure designed to award financial support for the production of renewable[1] or low-carbon[2] hydrogen (H2) by water electrolysis.
This support mechanism falls within the legal framework defined by Ordinance no. 2021-167 of February 17, 2021, codified in a dedicated chapter of the Energy Code.[3] Articles L.812-1 et seq. and R.812-1 et seq. of the Energy Code provide a framework for the State to grant public operating and/or investment aid, in order to accelerate the deployment of green hydrogen production capacity.
The support mechanism set out in the current procedure launched by Ademe provides for the granting of aid over 15 years, with a ceiling price of 4 euros/kgH2.
Details of the Procedure
The published consultation document specifies that the power allocated to this first phase of competitive bidding is 200 MW of indicative electrolysis for the period 2024-2025, with a planned ramp-up to 1000 MW spread over several periods, and in particular 250 MW in 2026 and 550 MW in 2027.
The procedure comprises three successive phases:

Selection of candidates on the basis of their technical and financial capabilities, assessed on the basis of the requirements detailed in article 3.4 of the consultation document. In principle, between three and 12 candidates will be admitted to the dialogue procedure.
The competitive dialogue phase with the selected candidates in order to refine their projects.
Designation of the winners who will be awarded financial support after evaluation of the final applications.

The deadline for applications for the first period is March 14, 2025. Applications will be analyzed within two months of this date, with a view to selecting the candidates for the dialogue phase in May. The date for submission of the final bids and selection of the winning projects remains to be confirmed.
Project Eligibility Criteria and Information Expected From Candidates
First of all, it should be noted that only entirely new installations are eligible. This means that work on the project must not have begun prior to the selection of candidates or at the time of the final application for aid (excluding any connection work), that investments must not be committed before the winners are chosen, and that the plant must not produce H2 before the contract comes into force (except in the test phases).
As part of the procedure, candidates must demonstrate their technical capabilities, their experience in the development of industrial projects involving technological risks (and present a minimum of three relevant references) and the stage of maturity and development of their project.
They must submit a file detailing in particular:

A description of the project: only projects with an electrolysis capacity of more than five MW and less than 100 MW, located in France, are eligible.
An electricity supply plan demonstrating that 30 percent of the total volume of electricity used is secured over 10 years by means of memoranda of understanding, letters of intent or other forms of pre-contractual clauses signed by the applicant, and that the electricity used is of renewable or low-carbon origin.
Commercial commitments covering at least 60 percent of production for direct industrial use.[4] The applicant must therefore be able to demonstrate that 60 percent of the offtake (Hydrogen Purchase Agreement – HPA) is secured by memoranda of understanding, letters of intent or other forms of pre-contractual clauses.
Financial guarantee: A guarantee equivalent to eight percent of the maximum amount of support requested is required, which must take the form of a GAPD (Guarantee on First Demand) or a deposit in the hands of the CDC.
Strict timetable for financial closure and industrial commissioning: Financial closure must take place within 30 months of signature of the aid contract between the French government and the winning candidate, and industrial commissioning within 60 months (except in exceptional circumstances, duly justified, which will be specified in the specifications).
Cybersecurity criteria: Facilities must be operated and data stored within the EEA (European Economic Area).
The consultation document also emphasizes the resilience of projects and their contribution to Europe’s “net zero” strategy, notably by limiting to 25 percent of the project’s electrolysis capacity (in electrical MW) the supply of cell stacks whose surface treatment, cell unit production or assembly has been carried out in a non-EU country.[5] The procedures for checking this requirement will be detailed in the specifications at the end of the dialogue phase.[6]

Summary of Selection Criteria and Weighting Issues
At the end of the dialogue phase, successful applicants will be asked to submit their final applications. Project selection will be based on two criteria,[7] with a weighting that strongly favors the financial criterion:

Price criterion (at least 70 percent of the weighting): Projects will be assessed on the level of subsidy requested, expressed in euros per kilogram of hydrogen produced. The amount of the subsidy may not exceed the ceiling of four euros/kgH2. However, the consultation document does not specify how this weighting is to be applied. Should we deduce, for example, that a request for four euro/kg would be equivalent to a score of zero?
Non-price criteria (maximum 30 percent of the weighting): These criteria will assess the energy, technological and environmental impact of the projects.

The high weighting of the price criterion encourages applicants to limit their subsidy requests to maximize their chances of being selected. However, non-price criteria, although secondary, will play a decisive role in differentiating projects on strategic aspects such as innovation, energy efficiency and environmental benefits.
Opportunities and Challenges for Economic Operators
This procedure represents a significant opportunity for economic players wishing to position themselves on the green hydrogen market in France. However, it implies rigorous preparation of applications, mastery of regulatory requirements, and the ability to structure a sustainable and secure business model. The conditions for participation require a well-defined strategy and a perfect command of the commitments required by the consultation document and future specifications.
Interested operators should therefore familiarize themselves with the requirements of the consultation document and prepare for the various phases of the procedure. Particular attention should be paid to compiling administrative and technical files, identifying industrial partnerships and securing supply and sales contracts.
In particular, the technical information to be provided by bidders should focus on the progress and strategy of engineering, procurement and construction contracts (EPC, O&M, MOE, MOA, etc.), securing offtake and selecting equipment suppliers. It seems illusory to expect bidders to present firm commitments or signed contracts at the bid submission stage, given the uncertainty surrounding their selection, the risk of exposure linked to the indexation of material prices and the impossibility for their co-contractors to commit to a firm price at this stage.
Finally, given the prices currently observed in France for green hydrogen compared with those for grey hydrogen, it is legitimate to question the level of support envisaged in this procedure. Is a ceiling of €4/kg sufficient to enable a transition to scale and provide an adequate incentive for the development of the sector? This is doubtful.

[1] As defined in article L. 811-1 of the French Energy Code, supplemented by decree.
[2] Ibid.
[3] Chapter II of Title I of Book VIII on hydrogen.
[4] For the purposes of the consultation document, direct industrial use does not include heating (with the exception of high-temperature thermal processes (>400°C)); injection into the natural gas network; or electricity production from hydrogen.
[5] If the volume concerned makes the EU dependent.
[6] This clarification is welcome, as the entire legal framework for implementing the NZIA Regulation is not yet in force at the time of writing.
[7] Defined by article R. 812-14 of the French Energy Code.

Executive Order on Strengthening and Promoting Innovation in the Nation’s Cybersecurity and Potential Implications Under the Trump Administration

On January 16, 2025, President Joe Biden signed the “Executive Order on Strengthening and Promoting Innovation in the Nation’s Cybersecurity.” This directive seeks to tackle the increasingly complex and evolving cybersecurity threats confronting the United States. From nation-state actors to sophisticated cybercriminal organizations, the U.S. faces unprecedented challenges to its critical infrastructure, government systems, and private sector networks. The executive order outlines a multifaceted strategy aimed at safeguarding the nation’s digital landscape while encouraging innovation and collaboration in cybersecurity technologies.
However, the future of this order has come into question following President Donald Trump’s inauguration on January 20, 2025. President Trump has shown a readiness to reassess policies set by his predecessor, including the potential revocation of previous executive orders. This client alert offers a summary of President Biden’s cybersecurity order, explores potential implications under the Trump administration, and provides guidance for businesses navigating this uncertain regulatory landscape.
Overview of President Biden’s Executive Order
President Biden’s executive order is a comprehensive initiative aimed at addressing the most pressing challenges in cybersecurity. The directive outlines crucial measures that federal agencies, contractors, and private sector partners are required to adopt to enhance their resilience against cyber threats. Key components of the order include:
Development of Minimum Cybersecurity Standards
The order requires the development of baseline cybersecurity standards for federal contractors and suppliers. These standards encompass requirements for multi-factor authentication (MFA), endpoint detection and response (EDR) systems, and the encryption of sensitive data both in transit and at rest. Contractors must demonstrate compliance to secure or maintain government contracts.
Enhanced Public-Private Collaboration
Acknowledging the interconnected nature of the public and private sectors, the order establishes a framework for improved information sharing. Federal agencies are directed to share threat intelligence and vulnerability information with private entities to enable faster responses to emerging threats.
Sanctions on Foreign Cyber Actors
To deter nation-state-sponsored cyberattacks, the executive order allows for sanctions against foreign actors targeting U.S. entities, including critical infrastructure such as health care facilities and energy systems. This provision underscores the administration’s commitment to holding adversaries accountable for malicious cyber activities.
Quantum-Resistant Cryptography
The order prioritizes transitioning federal systems to quantum-resistant cryptographic algorithms to safeguard sensitive data from future quantum computing threats. Agencies are required to develop implementation plans and timelines for this transition.
Artificial Intelligence in Cybersecurity
The executive order calls for pilot programs to investigate the use of artificial intelligence (AI) in cybersecurity applications, particularly in the energy sector. These programs seek to leverage AI for real-time threat detection, automated responses, and enhanced incident recovery.
Potential Impacts Under the Trump Administration
The Trump administration’s approach to cybersecurity remains uncertain, but early signs indicate possible adjustments to Biden’s executive order. Historically, the administration has focused on minimizing regulatory burdens and encouraging industry-led solutions, which may influence the implementation of this directive.
Adjustments to Cybersecurity Standards
The administration may choose to implement less prescriptive cybersecurity requirements, encouraging businesses to adopt voluntary best practices rather than enforceable mandates for federal contractors. This could lead to greater flexibility but might also introduce variability in security practices.
Reevaluation of Quantum-Resistant Cryptography
While quantum-resistant cryptography addresses long-term risks, the administration might prioritize immediate cybersecurity challenges, potentially delaying the transition to quantum-resistant algorithms.
Focus on Targeted Sanctions
The Trump administration may refine its sanctions policy to focus on specific high-impact cases rather than broad deterrence, which could influence the overall effectiveness of this measure.
Shifts in Public-Private Collaboration
Efforts to enhance public-private collaboration may evolve, with businesses potentially taking on a larger role in independently managing cybersecurity risks. This could lessen the emphasis on centralized federal support for information sharing.
Guidance for Companies
In light of these developments, businesses must proactively adapt to an evolving cybersecurity landscape. Regardless of whether the executive order remains in effect, organizations should prioritize cybersecurity to mitigate risks and uphold resilience. Below are suggested actions for companies:
Strengthen Internal Cybersecurity Measures

Conduct a thorough assessment of existing cybersecurity protocols to identify vulnerabilities and opportunities for enhancement.
Implement multi-factor authentication (MFA), endpoint detection and response (EDR) tools, and robust encryption practices to protect sensitive data.
Develop and test incident response plans to ensure rapid recovery from cyber incidents.

Monitor Regulatory Changes

Stay updated on possible changes to the executive order and associated cybersecurity policies from the Trump administration.
Engage with legal and compliance teams to assess the effects of regulatory changes on business operations.
Monitor state and international regulations to ensure compliance with relevant standards.

Invest in Cybersecurity Innovation

Investigate emerging technologies, such as AI-driven cybersecurity tools, to enhance threat detection and response capabilities.
Evaluate the feasibility of transitioning to quantum-resistant cryptographic algorithms, even in the absence of federal mandates.
Collaborate with industry partners to embrace innovative solutions and exchange best practices.

Foster Public-Private Partnerships

Engage in information-sharing initiatives like the Cybersecurity and Infrastructure Security Agency’s (CISA) programs to remain informed about threat intelligence.
Promote policies that encourage collaboration between the public and private sectors to strengthen collective security.

Prepare for Geopolitical Risks

Monitor geopolitical developments and their potential impact on cyber threats, particularly those originating from nation-states.
Strengthen supply chain security to reduce risks associated with foreign adversaries.
Conduct tabletop exercises to simulate responses to nation-state cyberattacks.

Implications for the Private Sector
The uncertainty surrounding the executive order underscores the necessity for businesses to adopt a proactive and flexible approach to cybersecurity. Key implications include:
Increased Responsibility on Businesses
With potential adjustments to federal oversight, companies may need to be more proactive in managing their cybersecurity risks. Implementing strong internal policies and investing in advanced security technologies will be crucial.
Fragmented Regulatory Environment
If federal mandates are modified, businesses may face a patchwork of state and international regulations. Navigating this fragmented landscape will demand considerable resources and expertise.
Heightened Cyber Threats
The evolving threat landscape, along with potential policy changes, could make critical infrastructure and private networks more vulnerable to sophisticated attacks. Companies must remain vigilant and prepared to respond to emerging threats.
Competitive Differentiation
Organizations that prioritize cybersecurity and demonstrate a commitment to protecting customer data may gain a competitive advantage in the market. Establishing trust with stakeholders through transparency and robust security measures will be crucial.
Final Thoughts
President Biden’s executive order marks a significant advancement in addressing the nation’s cybersecurity challenges. However, its future under the Trump administration remains uncertain, with the potential for policy adjustments. Businesses must navigate this evolving landscape by bolstering internal measures, staying updated on regulatory shifts, and investing in innovation.
While the federal government’s role in cybersecurity may evolve, the responsibility for safeguarding critical systems and data ultimately rests with the private sector. By implementing proactive strategies and encouraging collaboration, companies can enhance their resilience against cyber threats and contribute to a more secure digital ecosystem.
For additional information about President Biden’s executive order, check out President Biden Issues Second Cybersecurity Executive Order.

President Biden Issues Last-Minute Cybersecurity Executive Order

On January 16, 2025, President Biden issued Executive Order 14144, titled “Strengthening and Promoting Innovation in the Nation’s Cybersecurity” (“EO 14144”). EO 14144 builds on President Biden’s Executive Order on Improving the Nation’s Security (“EO 14028”), and aims to strengthen software supply chain security, impose more stringent cybersecurity requirements on federal contractors, combat cybercrime, and encourage the development of identity verification technologies.
EO 14144 prescribes detailed supply chain cybersecurity standards for developers that provide software to the federal government, and recommends that federal agencies treat cybersecurity as a key consideration in software procurements and in the assessment of contractor performance. Building on an existing requirement that software developers submit attestations of their secure development practices to sell products to the federal government, EO 14144 introduces additional supply chain security measures, including a requirement that such developers submit to the Cybersecurity and Infrastructure Security Agency (“CISA”) the following: (1) machine-readable attestations of secure development practices; (2) high-level validation artifacts; and (3) a list of federal government customers. EO 14144 urges CISA to develop an audit process to verify the completeness of the attestations received, and directs CISA to regularly validate sample attestations. 
EO 14144 also directs CISA to update the software development attestation form based on future guidance from the National Institute of Standards and Technology (“NIST”), and instructs NIST to provide guidance on industry cybersecurity practices and controls. Based on NIST’s guidance, the Federal Acquisition Regulatory Council will update its regulations to mandate minimum cybersecurity practices for federal contractors, and to require that compliant Internet-of-Things products sold to the federal government carry the United States Cyber Trust Mark label. Further, EO 14144 instructs federal agencies to transition to quantum-resistant cryptography standards by the year 2030 and encourages federal agencies to adopt yet-to-be-issued best practices for using open-source software.
EO 14144 also contains a number of provisions addressing cybercrime, including the expansion of the scope of Executive Order 13694 (“Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities”), which authorizes seizing the assets of persons engaged in malicious cyber-related activities. In addition, EO 14144 calls for the establishment of public-private pilot programs to use advanced AI models for cyber defense, and urges the federal government to share data with the academic community to support research into the use of AI in cyber defense. Aiming to reduce identity fraud, EO 14144 also recommends expanding the use of digital identification documents and the development of attribute validation services.
EO 14144’s provisions require federal agencies to develop cybersecurity rules and programs during the first few months of the Trump Administration. As of the date of this publication, EO 14144 remains in effect.