Signed on March 6, 2026, this executive order establishes a federal policy framework specifically targeting foreign-based Transnational Criminal Organizations (TCOs) and associated networks that conduct cyber-enabled attacks against U.S. persons, businesses, critical infrastructure, and public services. The order characterizes these threats—including ransomware, phishing, financial fraud, sextortion, and human trafficking-linked schemes—as coordinated foreign campaigns often enabled by state actors providing "willing or tacit" support, constituting a "shadow economy" that demands a whole-of-government response. Critically, this is not a broad domestic cybercrime strategy; its scope is deliberately bounded to foreign-origin threats and cross-border disruption, which materially shapes how agencies should interpret their mandates, allocate resources, and assess geopolitical risk. The order explicitly authorizes "commensurate" responses encompassing law enforcement, diplomacy, and potential offensive cyber operations—a notable escalation in policy framing.
The order's most significant governance development is the mandated creation of a dedicated operational cell within the National Coordination Center (NCC), originally established under Executive Order 14159 (January 20, 2025). This cell will centralize coordination of federal efforts to detect, disrupt, and dismantle foreign TCO-linked cyber activity, and will integrate commercial cybersecurity firms and other private-sector entities for attribution and disruption capabilities. This represents more than routine interagency coordination—it signals a deliberate centralization of operational leadership over cyber-enabled fraud tied to foreign criminal networks, with expanded federal-private collaboration as a core mechanism. The order also directs cabinet-level officials to complete a framework review within 60 days and submit a comprehensive action plan to the President within 120 days, with the Assistant to the President and Homeland Security Advisor (APHSA) serving as the central coordination point. CISA is separately tasked with extending training, threat intelligence, and resilience support to state, local, tribal, and territorial (SLTT) governments.
Senior leaders should note that the order does not itself create new punitive authorities or establish a victim compensation program—it directs recommendations and leverages existing legal tools. Within 90 days, the Attorney General must submit a recommendation regarding a potential Victims Restoration Program funded from seized or forfeited TCO assets, but no program is yet authorized. Similarly, the Secretary of State is directed to pursue diplomatic consequences—sanctions, visa restrictions, trade penalties, and expulsion of complicit foreign officials—against nations tolerant of TCO activity, using authorities already available under existing law and policy. The practical near-term impact therefore lies primarily in structured planning and governance realignment, with longer-term policy and operational changes contingent on the action plans and recommendations these milestones produce.