By Era Anagnosti, Brent Bernell, Daniel Caprio, Steven Phillips, Andrew Serwin, and John Gevertz

On February 18, 2025, President Donald J. Trump signed an Executive Order (EO), entitled, “Restoring Democracy and Accountability in Government,” which asserts greater authority over all federal agencies, including those established by Congress as independent from direct presidential control. The EO specifically lists the Securities and Exchange Commission (SEC), the Federal Trade Commission (FTC), the Federal Communications Commission (FCC), the National Labor Relations Board (NLRB), and the Federal Reserve Board as relevant agencies.  

The EO could lead to delays, if not cancellations, of pending and proposed regulations at those agencies. At a minimum, it introduces uncertainty as it newly subjects all of their “significant regulatory actions” to White House review. Moreover, the EO reflects an intent (or represents an effort) to fundamentally change the current regulatory environment.

Specifically:

• The EO asserts that Article II of the US Constitution vests all executive power in the President, meaning that all executive branch officials and employees are subject to the President’s supervision and control.
• The EO declares that all agencies must submit draft regulations for White House review – with no carve-out for so-called independent agencies, except for the monetary policy functions of the Federal Reserve.
• The EO further provides that agencies must consult with the White House on their priorities and strategic plans, and that the White House will set their performance standards, with the Office of Management and Budget adjusting the agencies’ funding apportionments to ensure tax dollars are spent in a manner that is consistent with White House priorities.
• The President and the Attorney General (subject to the President’s supervision and control) will interpret all applicable law for the executive branch, meaning that, instead of allowing separate agencies to interpret their own enabling legislation, they must accept the Justice Department’s and White House’s interpretation as binding.

The EO follows the firing of the leaders of some of the independent agencies – in apparent contravention of the statutes that bar their dismissal without cause before the expiration of their terms. A number of those dismissals are currently being challenged in various federal courts.

While the EO purports to limit the independence of the agencies even in their areas of expertise, the effect of the Loper Bright decision last year already had resulted in the courts no longer deferring to the agencies’ expertise. In a 6-3 decision in Loper Bright, the Supreme Court overruled the Chevron doctrine, which held that where a statute was ambiguous or had not addressed the precise question at issue, courts would defer to a reasonable interpretation by the agency charged with implementing the statute. Instead, the Supreme Court held the “courts, not agencies, will decide all relevant questions of law arising on review of agency action” and expressly stated that there was to be “no deferential standard for courts to employ in answering those legal questions.”  It remains to be seen whether the courts will accept the EO’s assertion that the White House and the Attorney General are the sole and final arbiters of the meaning of laws passed by Congress.

The patina of independence at the FTC, FCC, and SEC has been blurred over the past two decades by various EOs and executive branch actions.  For example, the Biden Administration’s EO 14036 in 2021, titled “Promoting Competition in the American Economy” served to establish a “whole-of-government effort to promote competition in the American economy” by encouraging stronger enforcement of antitrust law.The Biden EO directed over a dozen federal agencies, including the FTC, to take action on 72 separate initiatives identified by the Biden Administration as beneficial for curbing anti-competitive practices. The order additionally established the White House Competition Council, a fifteen-member committee led by the National Economic Council. Also, in 2015, President Barack Obama called upon the FCC to take up the strongest possible rules to protect net neutrality, the principle that says internet service providers (ISPs) should treat all internet traffic equally. The FCC voted along party lines in favor of strong net neutrality rules to keep the internet open and free.

Still, the 2025 EO marks an unprecedented shift with its explicit assertion of control over executive branch agencies – which may increase the likelihood of legal challenges and the potential for a Congressional response, given that agencies such as the FTC, FCC, and SEC were created as independent agencies by Congress.

In recent years, rulings from the Supreme Court have cabined agency authority-.  Notably, the Court’s ruling in Loper Bright Enterprises v. Raimondo, 603 US 369 (2024), overruled the Chevron deference doctrine, which required courts to defer to an agency’s reasonable interpretation of an ambiguous provision it is charged with implementing.  The Supreme Court held that “courts, not agencies, will decide all relevant questions of law arising on review of agency action” and expressly stated that there was to be “no deferential standard for courts to employ in answering those legal questions.” Loper Bright applies equally to all agencies – including agencies like the SEC, FTC, and FCC that are charged with interpreting particularly technical statutes in policy-laden areas of regulatory law. 

In combination, Loper Bright and the EO, which challenges their independence, usher in a new era of regulation of American businesses at a time when technology and the economy are rapidly growing more complex. In this new era, uncertainty for businesses may increase as the authority to interpret governing law shifts away from the institutions with the highest levels of technical expertise. At the same time, businesses have more opportunities than before to challenge proposed rules and final regulations that are averse to their interests – by bringing their concerns to the attention of the White House and, if promulgated, challenging them in court. 

It remains to be seen how this EO will be implemented and how either the courts or Congress will respond. However, at minimum, absent a court order barring its implementation, it is likely that the EO will delay pending rulemakings, including the FTC’s privacy “surveillance rule” launched during the Biden Administration.

There are many unanswered questions as to the impact of this EO, and DLA Piper is prepared to advise companies as they navigate through this uncharted territory.

In our highly connected world, technology and data have become increasingly material to most companies, regardless of industry or sector. As the value and importance of technology and data increases, so too do the risks and obligations associated therewith. On July 26, 2023, the Securities and Exchange Commission (“SEC” or the “Commission”) adopted its much-anticipated enhanced disclosure requirements regarding cybersecurity risks and incidents (the “Final Rules”) for all public companies including foreign private issuers (“FPIs”). The SEC initially proposed cyber rules in March 2022. As we recently reported, the Final Rules require registrants that are subject to the reporting requirements of the Securities Exchange Act of 1934 (the “1934 Act” or the “Exchange Act”) to, among other things, (i) disclose a material cybersecurity incident within four (4) business days of making a materiality determination, and (ii) disclose on an annual basis information regarding their risk management, strategy, and governance related to cybersecurity threats.

New Cyber-Specific Reporting Requirements

The Final Rules will explicitly require the filing of a Form 8-K (or Form 6-K for FPIs) to disclose material cybersecurity incidents within four (4) business days from determination that the cybersecurity incident is material. Public companies must make that materiality determination “without unreasonable delay.” The SEC has noted that a public company’s adherence to its normal internal practices and disclosure controls and procedures will suffice to demonstrate good faith compliance.

Pursuant to the Final Rules, any such disclosure must “describe the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operation” and if any such information is unavailable, the company must make a statement to that effect in its original filing. Furthermore, the Final Rules impose an updating requirement through the filing of an 8-K/A if certain information that was unknown or unavailable at the time of initial filing subsequently becomes available.

The Final Rules also require annual disclosures in the company’s Form 10-K (or Form 20-F for FPIs) regarding:

• The processes in place, if any, for assessing, identifying, and managing material risks from cybersecurity threats;
• Whether and how any such risks have materially affected or are reasonably likely to materially affect the company, its business strategy, results of operations, or financial condition;
• The Board’s oversight of risks from cybersecurity threats; and
• Management’s role in assessing and managing material risks from cybersecurity threats.

It is worth noting that in its adopting release, the Commission clarified that the Final Rules are intended to ensure that appropriate information is provided to investors, not “to influence whether and how companies manage their cybersecurity risk.” Rather than focus narrowly on substantive controls, the Final Rules emphasize the importance of cyber governance: strategy, oversight, implementation of appropriate controls, measurement of impact, and fulsome reporting.

Disclosure Obligations and DCPs

The general focus of such SEC reporting requirements, whether related to cybersecurity or otherwise, is to cause public companies to disclose to the investing public — keeping investors appropriately informed at the initial sale of securities, and on an ongoing basis, certain information.  As SEC Chair Gary Gensler stated in the press release accompanying the Final Rules, “whether a company loses a factory in a fire—or millions of files in a cybersecurity incident—it may be material to investors.” 

The new explicit requirements for cyber-related disclosures sit within the existing SEC disclosure framework. SEC disclosure rules can generally be boiled down to two fundamental obligations: (i) an obligation that public disclosures not contain untrue statements; and (ii) a requirement that public companies not fail to disclose a material fact that, if omitted, would render a disclosure misleading.¹ To help ensure that accurate and complete information is disclosed in reports filed with the SEC, pursuant to Exchange Act Rule 13a-15, public companies are required to maintain disclosure controls and procedures, and management must evaluate their effectiveness on a periodic basis.² 

“Disclosure Controls and Procedures” (“DCPs”) are defined as controls and procedures that are designed to ensure that information that is required to be disclosed is recorded, processed, summarized, and reported within the time periods specified in the Commission’s rules and forms.³  

The Commission’s 2018 Cybersecurity Guidance clarified that cybersecurity related DCPs should enable public companies to, among other things, identify cybersecurity risks and incidents, assess and analyze their impact on the company’s business, evaluate the significance associated with such risks and incidents, provide for open communications between technical experts and disclosure advisors, and make timely disclosures regarding such risks and incidents. Since the prior guidance was issued, SEC cyber-related enforcement has focused on alleged deficiencies in cybersecurity related DCPs (e.g., failure to escalate information about the scope and impact of an ongoing cyber incident to senior management).

Understanding the Risks – Operational Risk v. Compliance Risk

When evaluating the performance of a business and the risks it faces, there are generally four principles to examine:

• Business strategy;
• Financial performance;
• Operational resiliency; and
• Legal compliance.

Business strategy and financial performance drive value, while operational resiliency and legal compliance are risk controls. 

In assessing a public company’s material cyber threats and risks for disclosure, cyber professionals must not lose sight of operational resiliency risks, in addition to legal compliance risks for escalation to management. For example, the risk of a cyber incident impacting mission critical systems and causing business disruption is an operational resiliency risk that may trigger reporting obligations under the SEC rules, even if the company implements an incident response plan, takes steps to comply with “reasonable security” standards, provides notice in compliance with state data breach laws, and otherwise satisfies its legal compliance obligations.

Key cyber risks to note include a public company’s inability to:

• Identify, evaluate and understand its cyber environment (e.g., shadow IT and a lack of data mapping for critical systems or systems that can create material risks);
• Understand and/or see the risks, for example, due to a lack of visibility into the business processes, inability to understand interdependencies of the systems, and a lack of technology (such as logging and monitoring system activity);
• Understand and/or see the value that is implicated by the process or activity; and
• “Connect the dots.”

Considerations for Implementing More Robust Cyber DCPs

While DCPs, and their supporting cyber processes, will vary from company to company depending on the size of the company’s business, complexity of its data practices, and management structure, creating and documenting an escalation process related to cyber matters is essential for any company.

At the heart of risk governance is the need to get the right information to the right executives, at the right time. Without appropriate channels for escalating material risks, senior management and the board of directors will not know what information or systems their company has that are truly sensitive or material to operations, nor will they be able to evaluate the potential risks associated therewith. In many cases, material information is maintained in stove-piped verticals that do not talk to each other. Documenting thoughtful escalation processes and procedures, including what needs to be escalated and the cadence for these key conversations, will help to ensure that critical information is appropriately and efficiently shared with key stakeholders for making appropriate disclosure decisions.

In working to comply with the Final Rules, companies may wish to evaluate whether:

• Their disclosure committee charters, or in the absence thereof, any internal processes or policies a company has established for assessing its relevant disclosure obligations, are appropriate in scope and, as part of the decision-making process, expressly include those employees actually involved in managing and addressing cybersecurity threats and incidents;
• The cybersecurity risk and incident escalation criteria, timing, and contacts are sufficiently developed within the supporting cyber processes underlying their DCPs;
• Their current cybersecurity-related processes, policies and procedures, governance and risk management support the disclosures required by the Final Rules;
• The company’s information systems produce adequate information to inform decision-makers about the company’s processes and technology that have the potential to create material risks, and whether training around the same is sufficient;
• The current risk assessments provide an understanding of the business’s current risk posture (for both legal compliance risk and operational resiliency risk); and
• Their incident response plans are updated to include the new definitions from the Final Rules, incorporate new roles on the incident response team for a disclosure or similar committee member (if one exists), and align with new escalation criteria and timing for SEC disclosures.

Companies should also consider developing training on the Final Rules for senior management, the board of directors, the disclosure or any similar committee, and relevant cybersecurity / privacy personnel.

For more information on cybersecurity processes, or how public companies can prepare for compliance, please contact your DLA Piper relationship partner, the authors of this blog post, or any member of our Data Protection team.

[1] See, e.g., 15 U.S.C. §§ 78j(b) and 78m(a)(2); 17 C.F.R. § 240.12b-20.

[2] 17 C.F.R. § 240.13a-15.

[3] Id.

By Verena Grentzenberg, Philipp Schmechel, Dr. Jonas Kranz

On 4 July 2023, the European Court of Justice (“CJEU”) delivered its judgment in Meta vs Bundeskartellamt Case C-252/21. The decision imposes important requirements in relation to the interpretation of the GDPR and the interplay between competition authorities and data protection supervisory authorities, in particular, with regards to the personalised use of consumers’ personal data for targeted advertising by social media platforms.

In particular, the CJEU ruled that competition authorities of a Member State have the authority to investigate and sanction an infringement of the GDPR, if companies exploit their dominant market position. In case of data protection violations, the competition authorities must consult with the competent data protection supervisory authority.

In addition, the case deals, in particular, with requirements for the combined personalised processing of Facebook users’ personal data collected by Meta within Facebook, and of so-called off-Facebook data, collected by websites and applications outside of the social media platform. In this regard, the CJEU imposes strict limitations on the interpretation of the ‘necessity for the performance of a contract’ legal basis and also significantly limits Facebook’s legitimate interests to process the users’ personalised social network data and imposes limitations and strict requirements for obtaining lawful consent for a company dominant on the market. The CJEU clarifies that it cannot be inferred from the mere visit to websites or apps by a user that sensitive personal data generated in this process were manifestly made public by that user within the meaning of Article 9(1)(e) GDPR.

For further information on the decision, please see our article available here