Certified Blog

Updating Defenses For New State Regulations

Your IT team is already stretched thin. They are managing updates, patching vulnerabilities, and responding to a daily flood of security alerts. Now, Maryland has rolled out some of the strictest cybersecurity regulations in the country, and most business owners remain unaware that these rules even exist.

The Maryland Cybersecurity Council’s July 2025 biennial report lays out exactly where the state expects businesses to shore up their security posture. These are not vague suggestions. They are the blueprint for new laws already on the books, covering everything from water utilities to AI safeguards.

Maryland businesses need immediate help updating their defenses for state regulations that took effect this year. We will break down which rules apply to your company, what compliance actually looks like, and where to focus your efforts so you are protected without wasting resources.

What the Maryland Cybersecurity Council Found

The Council’s Role and Recent Activity

The Maryland Cybersecurity Council was chartered in 2015 to assess cyber risk across the state and advise on policy. Its latest biennial report, released in July 2025, reveals a troubling acceleration in both attack frequency and impact. Since the last report two years ago, more than 1,800 public and private organizations nationwide experienced confirmed breaches. No critical infrastructure sector has escaped attack, regardless of whether it is public or private.

Maryland Specific Breach Data

Maryland has not dodged this trend. Breach notifications submitted to the Attorney General’s Office paint a stark picture. Before 2020, that office received between 50 and 100 notifications monthly. That number has jumped to between 120 and 180 each month since then. This acceleration shows no signs of slowing.

The human cost is staggering. In 2022 alone, breaches impacted more than 940,000 Maryland residents. These were not just inconveniences. Exposed personal information fuels identity theft, financial fraud, and other crimes that plague victims for years. Financial losses per capita placed Maryland 14th and 15th nationally in 2023 and 2024, according to FBI Internet Crime Complaint Center data.

Five Critical Risk Areas

Cybercrime does not just hit large corporations. Small and midsize businesses bear significant losses too, often without the resources to recover quickly. The Council focused on five critical risk areas:

  • Utilities serving Maryland residents, including electric and water systems

  • Healthcare ecosystem vulnerabilities ranging from providers to payment processors

  • Legacy IT challenges with outdated state government systems creating security gaps

  • Talent shortage affecting the availability of qualified cybersecurity professionals

  • Consumer privacy issues related to the protection of personal data held by private entities

Each area received detailed analysis and resulted in specific legislative action. Several new laws directly affect private sector businesses operating in Maryland, creating compliance obligations that many owners do not yet understand.

Which Maryland Businesses Are Affected?

Community Water Service Providers Face New Standards

Senate Bill 871 and House Bill 1062 became law in May 2025, signed by Governor Moore after passing with strong bipartisan support. Maryland is now one of the first states in the country to establish cybersecurity standards specifically for community water and sewerage systems. Only Indiana appears close to enacting similar legislation. This groundbreaking law fills a gap that federal regulations left open after legal challenges forced the EPA to rescind its cybersecurity audit requirements.

Primary Compliance Obligations

Community water service providers must now meet clear requirements that go far beyond basic security practices:

  • Cybersecurity Point of Contact: Every provider needs to identify a primary contact for the Maryland Department of the Environment to act as the communication bridge during incidents.

  • Mandatory Training: Annual training for operators is now required, with cybersecurity awareness built directly into operator and superintendent certification programs.

  • Zero Trust Architecture: Systems must adopt a modern security model that assumes no user or device is trustworthy by default.

Assessment and Reporting Requirements

Key compliance requirements include the following:

  • Biennial maturity assessments measuring security posture against state standards

  • Contingency plans for managing cyber disruptions with specific procedures

  • Incident reporting protocols with immediate notification requirements

  • Protection of operator contact information on public websites

  • Self certification of compliance with established standards

Electric Utilities Under Enhanced Scrutiny

The Critical Infrastructure Act of 2023 set the stage for stricter utility oversight. Last December, the Maryland Public Service Commission finalized Rulemaking 76 to implement the Act’s requirements. Electric utilities serving Maryland residents now operate under specific cybersecurity mandates that mirror federal standards while adding state level enforcement.

Zero trust implementation requirements apply here too. The Commission worked with the Cybersecurity Council, FERC, and NERC to define exactly what zero trust means in the utility context. The final rules specify what evidence of implementation looks like and how utilities must demonstrate ongoing compliance.

Healthcare Organizations Preparing for Change

The devastating Change Healthcare ransomware attack in February 2024 exposed systemic vulnerabilities that lawmakers could not ignore. Maryland lawmakers recognized that healthcare cybersecurity depends on more than just hospitals and clinics. The ecosystem includes payment processors, electronic health record vendors, and pharmacy benefit managers.

Senate Bill 691 and House Bill 333 aimed to address these risks by creating a Healthcare Ecosystem Stakeholder Cybersecurity Workgroup. While the bills did not become law in 2025, they started an important conversation. Future regulations targeting the healthcare ecosystem are likely as lawmakers refine their approach based on stakeholder input.

The AI and Quantum Computing Mandate

Maryland’s General Assembly amended the Cybersecurity Council’s charter in 2025 through Senate Bill 294 to address emerging technology risks. The Council must now explicitly assess threats from artificial intelligence and quantum computing. This is not optional guidance; the mandate comes with statutory authority.

AI Threats Already Materializing

AI risk categories businesses face include these threats:

  • Development risks from poorly configured AI systems exposing sensitive training data

  • Manipulation risks through adversarial attacks causing AI models to malfunction or leak information

  • Deepfake risks involving synthetic media used for fraud, harassment, or reputation damage

  • Autonomous attack risks where AI agents conduct sophisticated multistage intrusions

Quantum Computing on the Horizon

Experts predict that Q Day will arrive before 2035, possibly much sooner. This is the moment when a true quantum computer becomes operational and accessible to attackers. Current encryption methods that would take classical computers hundreds of years to break could fall in minutes against quantum machines. Preparation needs to start now. The National Institute of Standards and Technology has published post quantum cryptography standards that organizations should begin evaluating immediately.

What Compliance Actually Looks Like

Expectations for All Maryland Businesses

Even if your industry is not directly regulated yet, these laws create ripple effects that touch every business.

  • NIST Framework Assessment: Start by assessing your current security posture against NIST frameworks, particularly the Cybersecurity Framework that the state explicitly references.

  • Consumer Privacy Compliance: Review how you handle consumer data under the Maryland Online Data Privacy Act. This law took effect in 2024 and gives residents rights over their personal information similar to California’s landmark privacy law.

  • Supply Chain Security: Evaluate the cybersecurity practices of everyone you do business with, from your cloud hosting provider to your payroll processor. Contracts should include specific security requirements and breach notification clauses.

Immediate Action Steps

Smart compliance begins with understanding what you have and where the gaps exist between your current state and required standards.

  1. Inventory Everything: Document all systems, applications, databases, and data flows.

  2. Determine Applicability: Identify which state regulations apply to your specific industry.

  3. Assess Gaps: Compare your current security posture to required standards using frameworks like NIST.

  4. Prioritize Fixes: Rank remediation efforts based on both regulatory deadlines and actual risk.

  5. Connect with Resources: Reach out to state agencies like the State Information Sharing and Analysis Center for threat intelligence.

Conclusion

The Maryland Cybersecurity Council’s latest report makes one thing clear: the state is taking a proactive stance on cybersecurity risks. These are active laws that apply to businesses across Maryland right now.

Certified CIO helps Maryland businesses navigate exactly these kinds of regulatory changes. We translate complex compliance requirements into practical security strategies that protect your operations without disrupting your workflow.