Originally published by Schellman.
Written by Jordan Hicks.
Generally, with new cybersecurity regulations, organizations affected are provided a “grace period” to make the necessary adjustments to achieve full compliance before enforcement begins. Looking toward the horizon and 2025, many new laws will be coming into full effect, which means organizations will now likely be subject to various penalties if they’re not ready and haven’t satisfied all relevant requirements.
So, are you ready?
We know how difficult it is to pivot and accommodate new regulations. Cybersecurity is already a complicated balance, and these new laws are demanding in their mandates. So, having seen what happens to non-compliant organizations, we’re going to point you in some important directions.
In this article, we’ll give an overview of five big cybersecurity regulations that are upping the ante as of 2025, along with several other, more niche laws that are becoming effective as well. Altogether, you should get a complete picture of the upcoming cybersecurity landscape that is set to change in 2025, with at least a few months left to prepare for those changes.
5 Cyber Regulations to Prepare for Ahead of 2025
The following important cybersecurity regulations set to take effect in 2025 come from Europe and the U.S., and all aim to enhance digital resilience and tighten cybersecurity.
1. NIS 2 Directive
Applicable to: A much wider range of EU organizations (compared to the original NIS) classified as essential to the functioning of modern society, including both medium and large enterprises in critical public and private sectors.
Enforcement Begins: October 17, 2024
This one is technically already in effect, so if your organization hasn’t already implemented what it needs to for compliance, you’ll definitely need to make immediate moves.
As an update to the original NIS published back in 2016, the NIS 2 Directive aims to further enhance the cybersecurity resilience of critical infrastructure and key services across the EU through mandatory provisions around:
- Incident reporting
- Third-party risk management
- Access control
- Cybersecurity training
The NIS 2 also holds top management accountable for making the necessary implementations, as the Directive spells out potential fines and liabilities for non-compliance.
2. The EU’s Digital Operational Resilience Act (DORA)
Applicable to: Financial institutions, ICT (Information and Communication Technology) service providers, and others deemed part of critical financial market infrastructures—e.g., stock exchanges, central counterparties (CCPs), and central securities depositories—within the EU.
Enforcement Begins: January 17, 2025
DORA aims to improve the operational resilience of Europe’s critical financial sectors so they can better withstand and respond to cyber threats, and some of its key provisions revolve around:
- Improving risk management (including for third parties);
- Specific incident reporting requirements; and
- Mandated resilience testing.
Given its complexities and stringency, DORA represents a decisive step by the EU to support service continuity after cyberattacks or IT failures, and you must begin prepping now to ensure you cover all your bases.
3. EU Cyber Resilience Act (CRA)
Applicable to: Manufacturers, importers, and distributors of connected devices and software on the EU market
Enforcement Begins: Sometime in 2025
Adopted on October 10, 2024, the EU CRA is expected to be signed and published soon. Enforcement begins 20 days after publication, and its provisions will then apply gradually, with full compliance expected 26 months post-publication.
As such, organizations involved with "products with digital elements" will need to begin:
- Adopting the now-required cybersecurity-by-design principles;
- Elevating their incident response and vulnerability management programs to the required standard;
- Creating a Software Bill of Materials (SBOM);
- Introducing measures to support the mandated transparency and lifecycle support; and
- Planning for the independent assessments required for “high-risk” products.
4. The EU AI Act
Applicable to: Providers and users of AI systems in both the public and private sectors
Enforcement Begins: Officially became effective on August 1, 2024, but enforcement will be phased, with stage 1 in 2025
With its focus on safety, fundamental rights, and transparency, the EU AI Act aims to strengthen the responsible development and use of artificial intelligence within the EU by:
- Banning dangerous AI systems outright (e.g., social scoring and real-time biometric surveillance);
- Categorizing all other AI systems by risk; and
- Introducing measures to satisfy the related security obligations based on your system’s category.
To achieve compliance with the new law, you’ll need to get started now on setting up an organizational governance structure, which should include robust AI risk management and quality control measures, as well as protocols for transparency around AI systems.
5. Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA)
Applicable to: Entities designated as part of America’s critical infrastructure (as defined in a 2013 presidential policy directive by President Obama)
Enforcement Begins: The Cybersecurity and Infrastructure Security Agency (CISA) is under a March 2025 deadline to establish the final rules of the Act
Under the CIRCIA, entities in sectors such as healthcare, transportation, communications, and energy and water utilities will be subject to the law’s requirements, including:
- Stringent incident reporting deadlines for:
  - Cybersecurity incidents: Within 72 hours
  - Ransomware payments: Within 24 hours
More guidance on further security standards under CIRCIA is expected to be released by CISA at some point, but for now, organizations supporting American critical infrastructure will need to at least begin preparing to strengthen their procedures so that they’re able to meet those reporting requirements.
Bonus: The NYDFS Cybersecurity Regulation
Though the NYDFS Cybersecurity Regulation is a bit more niche than the ones we’ve mentioned prior—it applies to financial institutions licensed, registered, or authorized to operate in New York State—its amended requirements are definitely still of note.
They include provisions regarding:
- Mandatory independent audits, privileged access management, and endpoint detection and response systems for “Class A” companies
- Required annual penetration testing, vulnerability scans, and risk assessments
- Signed annual compliance certifications from each organization’s chief information security officer (CISO) and the organization's highest-ranking executive
- Stricter password policies, including multi-factor authentication (MFA) for remote access and access to non-public information, and restrictions on privileged accounts
- Expanded reporting obligations
- Annual tests of implemented business continuity and disaster recovery plans
Given its goal of enhancing the security and resilience of New York financial organizations against cyber threats, this law is already in effect to an extent, but enforcement of the specific requirements regarding access control and MFA will begin in May 2025 and November 2025, respectively.
Other Notable Security and Privacy Regulations with 2025 Implications
Several state laws regarding data privacy will also become effective in 2025, including:
- Delaware Personal Data Privacy Act (DPDPA): Considered one of the nation's most robust data privacy bills on paper, this is set to take effect on January 1, 2025 (though the law will allow businesses to implement universal opt-out mechanisms in 2026).
- Nebraska Data Privacy Act (NDPA): Set to take effect on January 1, 2025, the NDPA contains significant obligations businesses must meet, including documentation of a privacy policy and other robust protections against data misuse.
- New Hampshire Privacy Act (NHPA): With aims to give consumers control over their personal data by laying down specific requirements for how organizations handle said data, this law is slated to take effect January 1, 2025.
- New Jersey Data Privacy Act (NJDPA): Applicable to organizations that conduct business in the state or who produce products or services targeted to those who live in New Jersey, this regulation goes into effect on January 15, 2025.
- Texas Data Privacy and Security Act (TDPSA): Though it truly became effective July 1, 2024, the “grace period” for organizations to fully comply—provided so as to allow consumers to make use of the built-in opt-out mechanisms—ends January 1, 2025.
- Tennessee Information Protection Act (TIPA): Taking effect on July 1, 2025, this law applies to organizations that do business with Tennessee or its residents and either control or process the personal information of at least 175,000 consumers.
- Iowa Consumer Data Protection Act: Described as “business-friendly,” this bill becomes effective on January 1, 2025, with its provisions regarding protecting consumer rights and mandated transparency.
- Maryland Online Data Privacy Act: “MODPA” grants Maryland consumers the ability to access, correct, or delete their data and opt out of targeted advertising or the sale of personal data, and it goes into effect on October 1, 2025.
- Minnesota Consumer Data Privacy Act (MCDPA): With its new limits on what organizations can do with the personal data of Minnesotans, the MCDPA becomes enforceable on July 31, 2025.
Preparing for 2025’s Cybersecurity Landscape
Securing your organization from cyber threats is difficult enough, and having to simultaneously navigate an increasingly complex regulatory landscape can make things seem much more daunting. As we’ve noted, 2025 will be significant in terms of enforcement of new laws, so organizations—if you’ve not already gotten started understanding your obligations—must jumpstart your compliance efforts now.