What It Is

REACH (Regulation (EC) No 1907/2006) is a directly applicable EU regulation establishing a comprehensive framework for managing chemical risks across their lifecycle. Its primary purpose is to ensure a high level of protection for human health and the environment by requiring industry to identify, assess, and control chemical hazards. The core approach is industry-led responsibility, shifting the burden of proof from authorities to manufacturers and importers through data generation and submission.

Key Components

• Four pillars: Registration, Evaluation, Authorisation, and Restriction.
• Technical annexes (I-XVII) detailing data requirements, SDS rules, SVHC criteria, and lists like Annex XIV (Authorisation) and Annex XVII (Restrictions).
• Built on principles of precaution, substitution, and no-data-no-market.
• Compliance model relies on ECHA database submissions; no central certification but national enforcement with "effective, proportionate, dissuasive" penalties.

Why Organizations Use It

Legal obligation for EU market access; mitigates fines, product seizures, and market bans. Enables risk reduction, supply-chain transparency, innovation via safer alternatives, and ESG alignment. Builds stakeholder trust through SVHC communication (Article 33).

Implementation Overview

Phased approach: gap analysis, substance inventory, dossier preparation (IUCLID), SDS management, monitoring Annex updates. Applies to manufacturers/importers (>1 tpa), downstream users across sectors; global firms use Only Representatives. No formal certification; focuses on continuous dossier maintenance and audits.

What It Is

23 NYCRR Part 500 is the New York Department of Financial Services (NYDFS) Cybersecurity Regulation, a prescriptive state-level mandate for financial services entities. It establishes minimum risk-based cybersecurity requirements to protect nonpublic information (NPI) and ensure operational integrity, using a risk-assessment-centric approach with phased compliance timelines post-2023 amendments.

Key Components

• 14 core requirements including cybersecurity program, CISO governance, MFA, encryption, asset inventories, penetration testing, third-party oversight, and 72-hour incident reporting.
• Built on NIST CSF or equivalent frameworks; features annual CISO/CEO dual certification and five-year record retention.
• Class A companies (>$20M NY revenue, >2,000 employees or >$1B global) require enhanced controls like independent audits and EDR.

Why Organizations Use It

• Mandatory for NY-licensed financial entities to avoid multimillion-dollar fines (e.g., Robinhood $30M).
• Enhances resilience, reduces incident risk, builds stakeholder trust, and aligns with enterprise risk management.

Implementation Overview

• Phased roadmap: gap analysis, risk assessment, control deployment (MFA, PAM), vendor updates, testing.
• Applies to banks, insurers, mortgage firms in NY; involves governance, tech upgrades, evidence repositories.