New CLTC Report Analyzes Cybersecurity Policy Across State Legislatures

A new report from researchers at the Center for Long Term Cybersecurity Public Interest Cybersecurity Program presents an empirical analysis of every cybersecurity related bill enacted in all 50 states during the 2025 legislative sessions. The research identifies nationwide patterns in the cyber policy issues states addressed, the regulatory approaches they adopted, and the entities and sectors they chose to regulate. The report titled Tracking Cybersecurity Policy Developments Across State Legislatures 2025 Enacted Legislation was Researchers sourced the dataset from LegiScan and analyzed all bills enacted in 2025 with the keywords cybersecurity or cyber security. They manually reviewed each bill for inclusion and extracted each cybersecurity specific provision. Lawmakers across 37 states passed 99 cybersecurity related bills in 2025, establishing 393 new cybersecurity rules cumulatively. The researchers mapped each rule to one of the six functions of the National Institute of Standards and Technology Cybersecurity Framework 2.0 and categorized each State legislatures built out cybersecurity leadership and governance structures, expanded requirements for public and private organizations to implement baseline cybersecurity controls, increased obligations for organizations to report on cyber security programs and compliance, prioritized stronger cybersecurity incident preparedness and response, mandated representation of cybersecurity experts within state decision making, and passed cybersecurity safe harbor laws. The report includes five recommendations for state legislatures considering cybersecurity legislation in 2026. The