CyberEyeQ Weekly — Test Issue
March 28, 2026 | Actionable Regulatory Intelligence
Today: Indonesia's social media ban on 70 million minors goes live, COPPA compliance is 25 days out, DORA enforcement is no longer theoretical, and CNIL, ICO, and CPPA are all on the move.
1. At a Glance
Indonesia enforces under-16 social media ban today — YouTube, TikTok, Instagram, Facebook, X, Threads, Bigo Live, and Roblox must deactivate approximately 70 million under-16 accounts starting March 28 under PP Tunas.
COPPA 2025 deadline is 25 days away (April 22) — Expanded biometric protections, written data retention policies, new consent mechanisms, and the FTC's age-verification safe harbor are all enforceable.
EU CRA draft guidance comment window closes Tuesday (March 31) — Three days remain to file feedback before September 2026 vulnerability reporting obligations are locked in for all digital products in the EU market.
UK ICO fines Reddit £14.47M for children's privacy failures — The largest ICO children's fine on record underscores that self-declared age is no longer defensible as an age assurance method.
DORA enforcement escalates after Q1 Register of Information deadline — The March 21 submission window has closed; supervisors are now screening registers with automated tooling and spot checks are beginning.
CPPA fines school ticketing platform $1.1M for student tracking — California signals zero tolerance for using children's data for targeted advertising, even in EdTech.
2. Critical Actions
🔴 CRITICAL | EU · Cybersecurity | Due: March 31, 2026 (3 days)
File Feedback on EU Cyber Resilience Act Draft Implementation Guidance
The European Commission published its first CRA implementation guidance on March 3, 2026, with a feedback window that closes this Tuesday, March 31. After this date, the path toward the September 11, 2026 vulnerability reporting obligations becomes fixed: an early warning within 24 hours of becoming aware of an actively exploited vulnerability, a fuller notification within 72 hours, and a final report within 14 days of a corrective or mitigating measure being available, all submitted to the designated CSIRT and ENISA. Companies placing connected digital products on the EU market have a narrow window to influence the technical implementation standards before they harden.
Action: Review the Commission's CRA guidance now; prepare and file any objections or comments on the proposed vulnerability disclosure workflows before March 31.
🔴 CRITICAL | US Federal · Privacy | Due: April 22, 2026 (25 days)
Complete COPPA 2025 Rule Compliance Across All Child-Directed and Mixed-Audience Services
The FTC's amended COPPA Rule compliance deadline is 25 days away. Enforceable from April 22: separate verifiable parental consent for third-party targeted advertising; prohibition on indefinite retention of children's personal data; expanded personal information definition covering biometric identifiers; written data retention and information security policies; and new consent mechanisms including "Text Plus." The FTC's February 2026 policy statement also provides a safe-harbor for age verification data collection — enabling operators to verify age without separate COPPA violation risk.
Action: Audit all third-party data-sharing contracts for separate consent compliance; implement deletion schedules for children's data; create written information security and retention programs; update privacy notices to cover biometric identifiers.
🔴 CRITICAL | UK · Age Verification | Due: April 30, 2026 (33 days)
Submit UK Online Safety Act Age Assurance Implementation Plans to Ofcom/ICO
On March 25, 2026, the ICO and Ofcom issued a joint statement to six named platforms setting an April 30 deadline to submit age assurance implementation plans. The joint framework confirms that self-declaration alone is not acceptable and that methods must be risk-based, technology-neutral, and "highly effective" at preventing children from accessing harmful content. Compliance with the Online Safety Act and UK GDPR is required simultaneously. Platforms not among the six named entities should treat this as a strong signal of what regulators expect market-wide.
Action: Prepare age assurance implementation plan covering technical methods, DPIA, and GDPR lawful basis before April 30; ensure all methods satisfy both OSA and UK GDPR standards.
3. Enforcement Watch
| Regulator | Target | Fine | Violation |
|---|---|---|---|
| ICO (UK) | Reddit | £14.47M (~$19.5M) | Children's privacy failures; no age assurance; no DPIA |
| CPPA (California) | PlayOn Sports / GoFan | $1.1M | Student tracking; children's data used for targeted advertising |
| Multiple EU NCAs | MiCA non-compliant CASPs | €540M+ total YTD | Operating without MiCA authorization post-enforcement |
| DORA NCAs (EU) | Financial entities (ongoing) | Up to 2% of global turnover | ICT risk management and RoI non-compliance |
Key takeaway: Children's data monetization is the enforcement theme of 2026. The Reddit and PlayOn cases — across two continents — both involved using age-restricted users' data for advertising or exposing them to harmful content without adequate safeguards. If your product touches minors' data, enforcement risk is no longer theoretical.
4. Deadline Watch
| Date | Regulation | Jurisdiction | Affected Parties | Days Out |
|---|---|---|---|---|
Mar 31 | EU Cyber Resilience Act — draft guidance feedback | EU | All digital product manufacturers | 3 |
Apr 1 | PMDA eCTD 4.0 mandatory | Japan | Pharma/device sponsors filing in Japan | 4 |
Apr 10 | MHRA CE-Mark indefinite recognition consultation closes | UK | Medical device manufacturers | 13 |
Apr 15 | NYDFS Part 500 annual cybersecurity certification (CY2025) | US (NY) | NY-licensed financial services, insurance | 18 |
Apr 22 | COPPA 2025 Rule compliance deadline | US Federal | Operators of child-directed/mixed-audience services | 25 |
Apr 30 | Ofcom/ICO UK age assurance response deadline | UK | Six named platforms + broader signal | 33 |
May 26 | EU IVDR Class C compliance deadline | EU | IVD manufacturers (Class C devices) | 59 |
May 28 | EU EUDAMED mandatory device registration | EU | All MDR/IVDR device manufacturers | 61 |
Jun 18 | US Basel III Endgame re-proposal comment deadline | US | US banks (GSIBs, regionals, community) | 82 |
Jul 1 | MiCA CASP transitional authorization period expires | EU | All crypto-asset service providers | 95 |
5. Around the World
🇮🇩 Indonesia — PP Tunas enforcement begins today. Eight "high-risk" platforms — YouTube, TikTok, Facebook, Instagram, Threads, X, Bigo Live, and Roblox — must begin deactivating approximately 70 million accounts belonging to users under 16. Children aged 13–15 may access "medium-risk" services with parental consent; those 16–17 may access "high-risk" services with parental consent and guidance. Indonesia is the first Southeast Asian nation to enforce a comprehensive tiered social media age ban at this scale.
🇧🇷 Brazil — FELCA (Lei 15.211/2025 / Digital ECA) has been in force for 11 days. Mandatory age verification is now enforceable (self-declaration explicitly banned); accepted methods include CPF-based verification, biometric liveness detection, and app store age signals. Platforms with 1M+ minor users must produce semiannual data protection impact reports. ANPD enforcement powers include fines up to BRL 50M or 10% of Brazilian annual revenue.
🇦🇹 Austria — On March 27, Austria announced it will ban social media for users under 14, with draft legislation expected by end of June 2026. The 14-year threshold is notably lower than Australia (16), France (15), and Indonesia (16). Austria joins Spain, Denmark, Greece, and France in a wave of EU member-state national bans preceding any EU-wide framework.
🇨🇳 China — CAC published the second batch of certified personal information compliance audit institutions on March 26, adding 14 new approved auditors. This expansion signals enforcement of mandatory PI audits is scaling significantly. CAC's two-year review of cross-border data transfers also confirmed that the three-pathway framework (security assessment, SCC, certification) is now fully operational — with a 15.9% rejection rate on security assessments signaling scrutiny, not rubber-stamping.
6. Deep Dive
INDONESIA · Age Verification | 🔴 CRITICAL
PP Tunas Enforcement Day: What a 70-Million-Account Social Media Ban Means for Global Platforms
Indonesia's PP Tunas (Government Regulation No. 17/2025) crosses from paper into practice today, March 28, 2026. Eight platforms — YouTube, TikTok, Facebook, Instagram, Threads, X, Bigo Live, and Roblox — must begin deactivating accounts belonging to Indonesia's approximately 70 million under-16 users. The scale is staggering: Australia's landmark under-16 ban shuttered 4.7 million accounts at launch. Indonesia is enforcing at fifteen times that volume, in a country with limited digital identity infrastructure and extremely high youth social media penetration.
What makes PP Tunas technically distinct is its tiered risk classification rather than a blanket ban. Platforms are categorized as high-risk (the eight above), medium-risk, or low-risk. Children aged 13–15 may access medium-risk services with parental consent; those 16–17 may access high-risk services with both parental consent and parental "guidance." This layered framework imposes an obligation most platforms haven't encountered before: managing graduated access by age band and parental approval status simultaneously, at population scale, using Indonesia-specific identity verification without a universal digital ID system. The existing KTP (national ID) is limited to users 17 and older — creating an immediate infrastructure gap for the 13–16 age group that the parental consent pathway was designed to fill, but has not yet been tested at scale.
Compliance is commercially necessary. Indonesia is a 275 million-person market and one of the world's largest social media audiences. Komdigi, the Ministry of Communication and Digital Affairs, has authority to block non-compliant platforms from Indonesian internet entirely — a power it has exercised against services before. Australia's experience suggests circumvention via VPNs and proxy accounts will emerge within weeks. Whether Indonesian regulators respond with platform pressure, technical countermeasures, or education campaigns will define the enforcement posture for the region.
The regional ripple effects are significant. Indonesia's action is the first Southeast Asian implementation of a comprehensive tiered age ban. Philippines, Thailand, Vietnam, and Malaysia are all tracking this enforcement with policy interest. Every week that major platforms demonstrate operational compliance — or fail to — writes the playbook for the next wave of Asian nations considering similar measures.
🔒 This analysis continues for CyberEyeQ Pro subscribers. Unlock the full recommendations: specific compliance steps, responsible party assignments, and timelines for platform teams navigating PP Tunas. Upgrade to Pro →
Paid recommendations (3 of 5 steps shown for Pro subscribers):
1. Implement Indonesia-specific age verification layer. Owner: Product/Legal. Timeline: Immediate — begin parallel testing now for users flagging as Indonesian. Accepted methods: parental consent portal with KTP proxy for parents, app store age signal (where available), or partnership with Indonesian telco age verification providers.
2. Audit all eight named "high-risk" platform accounts against available age signals. Owner: Trust & Safety. Timeline: Rolling deactivation commencing March 28 — document methodology for Komdigi compliance evidence.
3. Prepare parental consent mechanism for 16–17 age band. Owner: Product/Engineering. Timeline: Q2 2026 — this cohort requires consent + guidance, meaning parental dashboard features that don't yet exist for most platforms.
[Items 4–5 for CyberEyeQ Pro — covers cross-ASEAN regulatory horizon and legal entity compliance obligations for Indonesian market presence.]
EU · Financial | 🔴 CRITICAL
DORA Q1 2026: The Register of Information Is Filed — Now the Enforcement Begins
The March 21 deadline to submit the first DORA Register of Information has passed. For EU financial entities that scrambled to complete their ICT third-party dependency registers on time, the relief may be temporary. Supervisory authorities — BaFin, the Central Bank of Ireland, the AFM, and the rest — are now in possession of the most detailed operational technology map of the European financial system ever assembled. And they are reviewing it.
What's changed as of Q2 2026: 2025 was explicitly a transition year. Supervisors told institutions they understood the difficulty and would focus on identifying gaps rather than imposing penalties. That framing is gone. The Joint Oversight Forum (EBA/ESMA/EIOPA) is preparing critical ICT third-party provider designations expected in Q2 2026 — once designated, those providers face direct ESA oversight, on-site inspections, and daily penalty mechanisms. In parallel, national authorities are using automated tooling to flag incomplete submissions, data quality issues, and inconsistencies between the contractual dependencies declared in RoI filings and the actual ICT relationships their examination teams have previously observed. The gap between what was submitted and what's true is a supervisory liability.
The compliance statistics are sobering. Based on pre-submission surveys, only approximately 50% of institutions expected to achieve full DORA compliance by end of 2025. A further 38% targeted 2026. That means a material share of European financial entities closed the RoI window with known gaps — and have now placed those gaps under regulatory scrutiny. The most common issues: incomplete mapping of subcontractor chains below primary ICT vendors, incident reporting templates not aligned with ITS 2024/2956, and concentration risk analysis that identifies the risk but doesn't document a mitigation plan.
Here's what organizations need to do, and the window is shorter than most teams realize...
🔒 This analysis continues for CyberEyeQ Pro subscribers. Complete DORA Q2 action plan with responsible parties and timelines. Upgrade to Pro →
Paid recommendations (3 of 5 steps shown for Pro subscribers):
1. Conduct a post-submission RoI quality review before supervisors do. Owner: DORA Program Office / Chief Risk Officer. Timeline: April 2026. Identify any entries where subcontractor chains are incomplete, contractual data is estimated rather than documented, or data classifications are inconsistent. Self-identified gaps are manageable; regulator-identified gaps are enforcement conversations.
2. Assign a supervisory follow-up response team now. Owner: Compliance / Legal. Timeline: Immediate. Financial entities should treat supervisory queries on the RoI submission as a Q2 2026 certainty, not a possibility. Designate a named contact, establish an internal escalation protocol, and ensure access to the original submissions.
3. Validate incident reporting processes against ITS 2024/2956 before the first real incident. Owner: SOC / Operational Risk. Timeline: May 2026. The incident classification thresholds, notification timelines, and information requirements in ITS 2024/2956 are more granular than legacy breach notification frameworks. A live incident is not the time to discover a classification gap.
[Items 4–5 for CyberEyeQ Pro — covers TLPT exercise planning for O-SIIs and critical ICT TPP designation risk assessment.]
7. What to Do This Week
1. File CRA feedback before Tuesday. Review EU Cyber Resilience Act draft implementation guidance and submit comments on vulnerability disclosure workflows by March 31. Context: September 11, 2026 reporting obligations are 167 days away — this is the last structured opportunity to influence technical requirements.
2. Audit COPPA third-party data sharing for separate consent. Map all third-party data flows from child-directed and mixed-audience services and verify that targeted advertising has separate parental consent from general service consent. Context: FTC enforcement begins April 22. The PlayOn fine shows state regulators won't wait.
3. Review UK age assurance methods against the ICO/Ofcom joint framework. Assess whether current age assurance relies on self-declaration. If yes, begin implementing risk-based alternatives before the April 30 deadline. Context: The Reddit £14.47M fine established that self-declaration alone, without proportionate verification, creates serious regulatory exposure.
🔒 Items 4 and 5 are for Pro subscribers. Upgrade to Pro →
🔒 CyberEyeQ Pro
Unlock the Full Deep Dive
Pro subscribers get complete analysis, all 5 action items, and priority alerts before they hit the public briefing.
Need Expert Guidance? CyberEyeQ Consulting
Our team of regulatory experts can help you navigate complex compliance requirements, build programs, and respond to enforcement actions.
CyberEyeQ — Actionable Regulatory Intelligence
Website · Consulting · Go Pro
This newsletter is for informational purposes only and does not constitute legal advice. Always consult qualified legal counsel for compliance decisions.
You're receiving this because you subscribed to CyberEyeQ.
[Unsubscribe] · [Manage Preferences]
Generated by weekly-newsletter skill (automated pipeline) | 2026-03-28 | Test Issue