A new White House Executive Order has rewritten U.S. cybersecurity rules. This article unpacks the major policy shift away from mandated compliance and analyzes what this new era of flexibility means for vendor risk, digital identity, and strategic planning in the financial services and fintech sectors.
A new Executive Order signed by President Donald J. Trump on Friday has abruptly altered the landscape of U.S. cybersecurity policy, marking a decisive pivot away from the compliance-centric frameworks of the Biden and Obama eras. The order reverses key initiatives on software supply chain security, digital identity, and artificial intelligence, signaling a philosophical shift toward operational flexibility over regulatory mandates.
For Chief Information Security Officers (CISOs) and risk managers in the financial and fintech sectors, this move dismantles established compliance pathways and introduces a new wave of strategic uncertainty. While some may welcome the reduction in regulatory burden, the changes place a greater onus on individual firms to navigate a less-defined security environment, particularly concerning vendor risk and digital transformation.
The new order, “Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity,” explicitly amends or repeals major components of previous directives, with the accompanying White House fact sheet criticizing the prior administration’s last-minute policies as “problematic and distracting.”
Here are the key shifts and their implications for the financial industry:
Perhaps the most significant change is the elimination of mandatory secure software development attestations for federal contractors. This requirement, a cornerstone of the Biden administration’s response to the SolarWinds supply chain attack, sought to use the government’s vast purchasing power to enforce higher security standards across the software industry. Vendors selling to federal agencies were required to formally attest that their products were developed in line with the National Institute of Standards and Technology (NIST) Secure Software Development Framework (SSDF, published as NIST SP 800-218).
The Trump administration has cast this as removing “unproven and burdensome software accounting processes that prioritized compliance checklists over genuine security investments.” In its place, the new order directs NIST to establish a voluntary, industry-led consortium to develop guidance on implementing these practices.
For fintech firms and financial institutions that act as federal contractors, the immediate compliance pressure is eased. However, this creates a vacuum. The attestation model, while burdensome, provided a clear, if imperfect, benchmark for vetting third-party software, a critical function for any bank or investment firm. It was a self-attestation rather than an independent verification, but it gave procurement and third-party risk teams a common baseline to demand from every vendor. Now the responsibility shifts squarely back to the institutions to conduct their own deep-dive due diligence on their software supply chain, a process that is often more costly and less standardized. Firms that want to preserve that baseline can still write SSDF-aligned evidence, such as software bills of materials and build provenance, into their own vendor contracts, but each will be doing so on its own terms. The lack of a federal baseline could lead to a fragmented and potentially weaker security posture across the vendor ecosystem on which finance relies.
The new EO completely reverses federal efforts to promote and standardize digital identity solutions for accessing government services. The Biden administration had encouraged agencies to explore accepting digital IDs, like mobile driver’s licenses, to streamline access and combat fraud, establishing pilot programs and standards for interoperability.
Citing risks of “widespread abuse by enabling immigrants without papers to improperly access public benefits,” the Trump administration has halted these initiatives. This decision has drawn sharp criticism, with Mark Montgomery, senior director at the Foundation for Defense of Democracies’ Center on Cyber and Technology Innovation, noting, “The fixation on revoking digital ID mandates is prioritizing questionable immigration benefits over proven cybersecurity benefits.”
The financial sector is a leader in leveraging digital identity for Know Your Customer (KYC) and Anti-Money Laundering (AML) compliance, fraud prevention, and secure customer onboarding. The federal government’s withdrawal from this space creates a significant obstacle. While the EU forges ahead with comprehensive digital identity frameworks like eIDAS 2.0, the U.S. remains a patchwork of state-level initiatives and private-sector solutions. This lack of a national strategy complicates efforts for U.S. and UK firms operating in the American market to develop scalable, secure, and interoperable identity verification systems, potentially stifling innovation and increasing fraud risk.
The executive order also recalibrates the government’s approach to emerging technologies. On Artificial Intelligence, the focus is narrowed from promoting AI’s broad use in cyber defense to a more cautious stance centered on “identifying and managing vulnerabilities” within AI systems themselves. The White House stated this refocuses efforts away from “censorship,” a politically charged term alluding to concerns over AI’s role in content moderation.
Similarly, the urgency for adopting post-quantum cryptography (PQC) has been tempered. While some long-term goals remain, such as the requirement that agencies support TLS 1.3 (or a successor version) by 2030, the near-term mandates for agencies to begin transitioning to quantum-resistant encryption have been rolled back.
The financial sector is a primary target for future threats from quantum computers, which could break the public-key encryption that protects trillions of dollars in daily transactions. While the EO relaxes the government’s immediate PQC adoption timeline, the threat itself has not diminished; encrypted traffic and records captured today can be decrypted later once a sufficiently capable quantum computer exists, so long-lived financial data is already exposed to that risk. Financial institutions cannot afford to interpret this as a signal to slow their own transition planning, starting with an inventory of where and how public-key cryptography is used across their systems. The shift in AI policy also serves as a crucial reminder: as firms increasingly deploy AI for everything from algorithmic trading to fraud detection, they must simultaneously build robust frameworks to secure the AI models themselves from data poisoning, model inversion, and other novel attacks.
This executive order is the latest example of the policy pendulum that has defined U.S. cybersecurity strategy for over a decade, swinging between prescriptive regulation and industry-led flexibility. For finance and fintech leaders, the key takeaway is that relying on the stability of federal cybersecurity mandates is a losing strategy.
The explicit naming of China, Russia, Iran, and North Korea as primary adversaries underscores that cyber policy is inextricably linked to geopolitics. As administrations change, so will the approach. A durable and effective security strategy must be built on a foundation of risk-based principles, adaptable to a constantly shifting regulatory environment. While the immediate compliance burden may have lightened, the long-term burden of strategic planning has just become heavier.