Regulatory Context for Texas Cybersecurity
Texas cybersecurity regulation operates across a layered architecture in which federal mandates, state statutes, and sector-specific rules each impose distinct obligations on different classes of entities. The Texas Department of Information Resources (DIR) serves as the primary state-level authority for government entities, while the Texas Office of the Attorney General (OAG) holds primary enforcement authority over private-sector breach notification. Understanding how these layers interact — and where each layer's authority ends — is essential for organizations operating across Texas's public and private sectors.
Federal vs State Authority Structure
Federal cybersecurity authority in Texas derives from three primary sources: the Cybersecurity and Infrastructure Security Agency (CISA) under the Department of Homeland Security, sector-specific federal regulators such as the Department of Health and Human Services (HHS) for healthcare and the Federal Energy Regulatory Commission (FERC) for bulk power systems, and cross-sector frameworks like the NIST Cybersecurity Framework published by the National Institute of Standards and Technology.
Texas state authority operates independently of — and in parallel to — these federal structures. The Texas Legislature has codified cybersecurity obligations in Texas Government Code, Chapter 2054, which governs state agencies and institutions of higher education, and in Texas Business & Commerce Code, Chapter 521, which governs breach notification for businesses holding sensitive personal information about Texas residents. These statutes do not displace federal requirements; they operate alongside them.
A critical distinction separates federal preemption scenarios from concurrent jurisdiction. HIPAA, for example, preempts contrary state law unless the state provision is more stringent, so stricter state privacy rules survive alongside it rather than being displaced. North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards, approved by FERC under Section 215 of the Federal Power Act, apply to bulk electric system operators, including those in the ERCOT region, regardless of state law. In contrast, Texas Business & Commerce Code §521.053 is an independent state obligation that runs concurrently with any applicable federal reporting requirement: affected individuals must be notified as quickly as possible and not later than the 60th day after the business determines that a breach occurred, and, where 250 or more Texas residents are affected, the OAG must be notified not later than the 30th day after that determination (the OAG window was shortened from 60 to 30 days by SB 768, 88th Legislature, effective September 1, 2023).
For a detailed examination of Texas cybersecurity laws and statutes, including a full statutory inventory, the relevant page covers the complete legislative architecture.
Named Bodies and Roles
The following agencies and bodies hold defined roles in Texas cybersecurity regulation:
- Texas Department of Information Resources (DIR) — The lead cybersecurity authority for state agencies and public higher education. DIR publishes the Texas Cybersecurity Framework (aligned with the NIST Cybersecurity Framework's five functions) and the Security Control Standards Catalog that implements TAC Title 1, Chapter 202 (derived from NIST SP 800-53), certifies the cybersecurity training programs required of state and local government employees under Government Code §§2054.519 and 2054.5191, and operates the Network Security Operations Center (NSOC). DIR's oversight scope covers all state agencies subject to Chapter 2054.
- Texas Office of the Attorney General (OAG) — Enforces Chapter 521 breach notification requirements against private-sector entities and publishes consumer data security guidance. The OAG's Consumer Protection Division also handles enforcement under the Deceptive Trade Practices Act as applied to data security failures.
- Texas State Auditor's Office (SAO) — Conducts independent information security audit reviews of state agencies and publishes findings at sao.texas.gov. SAO audits provide external verification of DIR compliance status across agencies.
- CISA (federal) — Provides threat intelligence, free vulnerability scanning services for Texas government entities, and binding operational directives that apply to federal civilian agencies. CISA guidance is advisory for state and local governments but carries strong normative weight.
- Texas Education Agency (TEA) — Holds authority over K–12 public school cybersecurity obligations, particularly under Texas Education Code §11.175, which requires each school district to adopt a cybersecurity policy, designate a cybersecurity coordinator, and report cyberattacks and breaches of student information to TEA. §11.175 was added by SB 820 (86th Legislature, 2019), effective September 1, 2019.
For the full structure of Texas cybersecurity for state agencies and Texas cybersecurity for school districts, dedicated reference pages address those sector-specific regulatory environments in detail.
How Rules Propagate
Regulatory requirements reach Texas organizations through four distinct propagation channels:
- Direct statutory mandate — The Texas Legislature enacts statutes that impose specific obligations (e.g., breach notification timelines, training mandates). These apply automatically upon the effective date to covered entities.
- Agency rulemaking — DIR adopts administrative rules under Government Code Chapter 2054, including security control standards. These rules carry the force of law for covered state entities and are codified in the Texas Administrative Code (TAC), Title 1, Chapter 202.
- Federal regulatory adoption — Federal agencies such as HHS (HIPAA Security Rule), FERC (NERC CIP standards), and the FTC (Safeguards Rule under the Gramm-Leach-Bliley Act) impose requirements on sector-specific entities operating in Texas. These propagate through federal notice-and-comment rulemaking and are enforced by federal regulators.
- Contractual and procurement channels — DIR's Cooperative Contracts program and state procurement vehicles impose cybersecurity requirements on vendors serving Texas government entities. Third-party vendors must meet DIR-specified security standards as contract conditions, which effectively extends regulatory reach into the private sector supply chain.
The Texas cybersecurity frameworks and standards page covers the technical standards layer, including how NIST SP 800-53 controls are adopted into the Texas Administrative Code.
Enforcement and Review Paths
Enforcement mechanisms differ substantially by sector and by whether a violation involves a state entity or a private actor.
For state agencies and institutions of higher education, DIR has authority to conduct compliance reviews, and the SAO conducts independent information security audits. Non-compliant agencies face internal administrative remediation requirements. DIR may also refer matters to the Governor's office or the Legislature.
For private-sector entities, the OAG holds primary enforcement authority over Chapter 521 breach notification violations. The OAG may pursue civil penalties and injunctive relief through Texas state courts. The Texas data breach notification requirements page describes the procedural obligations that trigger OAG enforcement jurisdiction.
For healthcare organizations, enforcement runs through the HHS Office for Civil Rights (OCR) at the federal level. OCR imposes civil monetary penalties under HIPAA across four culpability tiers, with statutory base amounts ranging from $100 to $50,000 per violation and an annual cap per provision violated; HHS adjusts these amounts for inflation each year (HHS OCR HIPAA Enforcement). The HITECH Act also authorizes state attorneys general, including the Texas OAG, to bring civil actions for HIPAA violations affecting their residents. Texas-specific obligations for covered healthcare entities are addressed at Texas cybersecurity for healthcare organizations.
For financial institutions, the Texas Department of Banking and the Texas Department of Savings and Mortgage Lending hold state-level supervisory authority, while the FTC Safeguards Rule (16 CFR Part 314) applies to non-bank financial institutions. The Texas cybersecurity for financial institutions page covers this dual-regulator environment.
Incident reporting obligations — including the 48-hour state agency reporting requirement to DIR under Government Code §2054.1125 — are administered separately from enforcement. Reporting cyber incidents in Texas covers mandatory notification timelines and submission channels across all affected sectors.
Scope, Coverage, and Limitations
This reference covers the regulatory structure applicable to entities operating within Texas jurisdiction — state agencies, Texas-chartered businesses, public educational institutions, and organizations subject to Texas statutory breach notification obligations. It does not constitute legal advice and does not address multi-state regulatory obligations beyond the Texas nexus.
Federal mandates (HIPAA, NERC CIP, GLBA Safeguards Rule, FISMA) apply to their respective covered entities regardless of state location and are not fully addressed here. International data flows, EU General Data Protection Regulation (GDPR) obligations, and obligations arising from states other than Texas fall outside this page's scope.
The Texas consumer data protection page and the privacy law and cybersecurity page address the evolving Texas privacy statutory framework, including the Texas Data Privacy and Security Act (TDPSA, HB 4, 88th Legislature, effective July 1, 2024, enforced exclusively by the OAG), which introduces additional private-sector obligations beyond Chapter 521.
The main site index provides a complete map of reference materials across the Texas cybersecurity regulatory and operational landscape.
References
- Texas Government Code, Chapter 2054 — Information Resources
- Texas Business & Commerce Code, Chapter 521 — Protection of Sensitive Personal Information
- Texas Administrative Code, Title 1, Chapter 202 — Information Security Standards (DIR)
- Texas Department of Information Resources (DIR)
- Texas Office of the Attorney General — Data Security Breaches
- Texas State Auditor's Office — Information Security Audits
- CISA — Cybersecurity and Infrastructure Security Agency
- NIST Cybersecurity Framework (CSF)
- NIST SP 800-53 Rev. 5 — Security and Privacy Controls
- HHS OCR — HIPAA Enforcement
- [FTC Safeguards Rule — 16 CFR Part 314](https://www.ecfr.