General Assembly Raised Bill No. 403 aims to enhance cybersecurity measures in Connecticut by establishing a comprehensive framework that includes new definitions and compliance requirements for "covered entities," "AAL3 identity assurance," and "material security deficiency." Starting July 1, 2027, these entities must adhere to the "Cybersecurity Framework 2.0" and AAL3 standards to be considered compliant with state laws. The bill also mandates that critical infrastructure entities adopt decentralized security architectures by the same date, prohibits penalties against cybersecurity professionals who report deficiencies, and requires covered entities to notify the Division of Emergency Management and Homeland Security within 72 hours of a cybersecurity incident.

Additionally, the legislation introduces several initiatives to bolster cybersecurity readiness, including the establishment of the "Connecticut Cybersecurity Seed Fund" for grants supporting decentralized security solutions, a "bug bounty" program for identifying vulnerabilities, and the creation of a State Cybersecurity Intelligence Task Force to coordinate cybersecurity efforts. Critical infrastructure entities are also required to prepare for post-quantum cryptography by January 1, 2028, and implement minimum cybersecurity safeguards. The bill designates the Commissioner of Emergency Services and Public Protection as the primary liaison with local emergency management directors and will take effect on October 1, 2026. Notably, the bill includes multiple new sections detailing these provisions, with no deletions from current law.