Texas Becomes Fifth Safe Harbor State, Cites CIS Controls in New Cybersecurity Law
New Texas Safe Harbor Law Recognizes CIS Critical Security Controls
EAST GREENBUSH, NY, UNITED STATES, August 6, 2025 /EINPresswire.com/ -- Texas has enacted a new cybersecurity safe harbor law that formally recognizes the Center for Internet Security® (CIS®) Critical Security Controls® (Controls) as a standard for demonstrating reasonable cybersecurity practices.
Governor Greg Abbott signed Senate Bill 2610 into law, making Texas the fifth state to implement a cybersecurity safe harbor and the sixth to meaningfully define “reasonable cybersecurity” in statute. The law incentivizes businesses to adopt strong cybersecurity programs by offering protection from exemplary (punitive) damages in the event of a data breach, provided they meet specific cybersecurity criteria.
A key provision of the law is its alignment with the CIS Controls, a globally recognized framework of prioritized cybersecurity best practices. For businesses with 20–99 employees, the law specifies implementation of CIS Controls Implementation Group 1 (IG1), also known as essential cyber hygiene, as a moderate requirement for achieving safe harbor protection.
The law introduces a tiered approach to cybersecurity requirements based on business size:
• Fewer than 20 employees: Simplified requirements
• 20–99 employees: Must implement CIS Controls IG1
• 100–249 employees: Must comply with broader frameworks such as the full CIS Controls, NIST CSF, NIST SPs, FedRAMP, or ISO/IEC 27000-series standards
"The inclusion of the CIS Critical Security Controls in the Texas Safe Harbor legislation highlights their importance as a foundational set of best practices for cybersecurity," said Curtis Dukes, CIS Executive Vice President and General Manager, Security Best Practices. "This law encourages Texas businesses to adopt a practical and actionable approach to cybersecurity, ultimately strengthening the security of businesses operating in the state."
Texas joins Ohio, Utah, Connecticut, and Iowa in offering safe harbor protections, and follows Nevada in recognizing the CIS Controls as a benchmark for reasonable cybersecurity when handling personally identifiable information (PII).
By incorporating industry-leading frameworks like the CIS Controls, Texas is setting a strong example for other states seeking to promote cybersecurity readiness and resilience across the public and private sectors.
To arrange an interview with CIS regarding its inclusion in Texas Senate Bill 2610, contact Kelly Wyland, Senior Media Relations Manager at kelly.wyland@cisecurity.com, or call/text 518-256-6978.
###
About CIS
The Center for Internet Security, Inc. (CIS) makes the connected world a safer place for people, businesses, and governments through our core competencies of collaboration and innovation. We are a community-driven nonprofit, responsible for the CIS Critical Security Controls® and CIS Benchmarks® guidelines, globally recognized best practices for securing IT systems and data. We lead a global community of IT professionals to continuously evolve these standards and provide products and services to proactively safeguard against emerging threats. Our CIS Hardened Images® provide secure, on-demand, scalable computing environments in the cloud. CIS is home to the Multi-State Information Sharing and Analysis Center® (MS-ISAC®) organization, the trusted resource for cyber threat prevention, protection, response, and recovery for U.S. State, Local, Tribal, and Territorial government entities. To learn more, visit cisecurity.org or follow us on X: @CISecurity.
Kelly Wyland
Center for Internet Security
518-256-6978
email us here
Visit us on social media:
LinkedIn
Instagram
Facebook
YouTube
X
Legal Disclaimer:
EIN Presswire provides this news content "as is" without warranty of any kind. We do not accept any responsibility or liability for the accuracy, content, images, videos, licenses, completeness, legality, or reliability of the information contained in this article. If you have any complaints or copyright issues related to this article, kindly contact the author above.
