Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Member Portal
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Education Platforms
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Cloud Security Glossary
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Member Portal
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Education Platforms
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Cloud Security Glossary
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Cloud 101CircleEventsBlog
Master CSA’s Security, Trust, Assurance, and Risk program—download the STAR Prep Kit for essential tools to enhance your assurance!

5 Big Cybersecurity Laws You Need to Know About Ahead of 2025

Published 11/20/2024

Home
Industry Insights
5 Big Cybersecurity Laws You Need to Know About Ahead of 2025

Originally published by Schellman.

Written by Jordan Hicks.


Generally, with new cybersecurity regulations, organizations affected are provided a “grace period” to make the necessary adjustments to achieve full compliance before enforcement begins. Looking toward the horizon and 2025, many new laws will be coming into full effect, which means organizations will now likely be subject to various penalties if they’re not ready and haven’t satisfied all relevant requirements.

So, are you ready?

We know how difficult it is to pivot and accommodate new regulations. Cybersecurity is already a complicated balance, and these new laws are demanding in their mandates. So, having seen what happens to non-compliant organizations, we’re going to point you in some important directions.

In this article, we’ll overview five big cybersecurity regulations that are upping the ante as of 2025, along with several other, more niche laws that are becoming effective as well. Altogether, you should get a complete picture of the upcoming cybersecurity landscape that is set to change in 2025 with at least a few months left to prepare for those changes.


5 Cyber Regulations to Prepare for Ahead of 2025

The following important cybersecurity regulations set to take effect in 2025 are sourced from Europe and the U.S., and all aim at enhancing digital resilience and tightening cybersecurity.


1. NIS 2 Directive

Applicable to:

A much wider range of EU organizations (comparatively to the original NIS) classified as essential to the functioning of modern society, including both medium and large enterprises in critical public AND private sectors.

Enforcement Begins:

October 17, 2024

This one is technically already in effect, so if your organization hasn’t already implemented what it needs to for compliance, you’ll definitely need to make immediate moves.

As an update to the original NIS published back in 2016, the NIS 2 Directive aims to further enhance the cybersecurity resilience of critical infrastructure and key services across the EU through mandatory provisions around:

  • Incident reporting
  • Third-party risk management
  • Access control
  • Cybersecurity training

The NIS 2 also holds top management accountable for making the necessary implementations, as the Directive also contains details on potential fines and liabilities upon non-compliance.


2. The EU’s Digital Operational Resilience Act (DORA)

Applicable to:

Financial institutions, ICT (Information and Communication Technology) service providers, and others deemed part of critical financial market infrastructures—e.g., stock exchanges, central counterparties (CCPs), and central securities depositories—within the EU.

Enforcement Begins:

January 17, 2025

Aimed at improving the operational resilience of Europe’s critical sectors to better withstand and respond to cyber threats, some key provisions of DORA revolve around:

  • Improving risk management (including for third parties);
  • Specific incident reporting requirements; and
  • Mandated resilience testing.

Given its complexities and stringency, DORA represents a decisive step by the EU to support service continuity after cyberattacks or IT failures, and you must begin prepping now to ensure you cover all your bases.


3. EU Cyber Resilience Act (CRA)

Applicable to:

Manufacturers, importers, and distributors of connected devices and software on the EU market

Enforcement Begins:

Sometime in 2025

Adopted on October 10, 2024, the EU CRA is expected to be signed and published soon with enforcement beginning 20 days after publication and its provisions will gradually apply until full compliance will be expected 26 months post-publication.

As such, organizations involved with "products with digital elements" will need to begin:

  • Adopting the now-required cybersecurity-by-design principles;
  • Elevating your incident response and vulnerability management programs up to standard;
  • Creating a Software Bill of Materials (SBOM)
  • Introducing measures to support the mandated transparency and lifecycle support; and
  • Planning for the independent assessments required for “high-risk” products.


4. The EU AI Act

Applicable to:

Providers and users of AI systems in both the public and private sectors

Enforcement Begins:

Officially became effective on August 1, 2024, but enforcement will be phased with stage 1 in 2025

With its focus on safety, fundamental rights, and transparency, the EU AI Act aims to strengthen the responsible development and use of artificial intelligence within the EU by:

  • Banning dangerous AI systems outright (e.g., social scoring and real-time biometric surveillance);
  • Categorizing all other AI systems by risk; and
  • Introducing measures to satisfy the related security obligations based on your system’s category.

To achieve compliance with the new law, you’ll need to get started now with setting up an organizational governance structure, which should include robust AI risk management and quality control measures, as well as protocol regarding transparency around AI systems.


5. Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA)

Applicable to:

Entities designated as part of America’s critical infrastructure (as defined in a 2013 presidential policy directive by President Obama)

Enforcement Begins:

The Cybersecurity and Infrastructure Security Agency (CISA) is under a March 2025 deadline to establish the final rules of the Act

Under the CIRCIA, entities in sectors such as healthcare, transportation, communications, and energy and water utilities, will be subject to the law’s requirements, including:

  • Stringent incident reporting deadlines for:
    • Cybersecurity incidents: Within 72 hours
    • Ransomware payments: Within 24 hours

More guidance on further security standards under CIRCIA is expected to be released by CISA at some point, but for now, organizations supporting American critical infrastructure will need to at least begin preparing to strengthen their procedures so that they’re able to meet those reporting requirements.


Bonus: The NYDFS Cybersecurity Regulation

Though the NYDFS Cybersecurity Regulation is a bit more niche than the ones we’ve mentioned prior—it applies to financial institutions licensed, registered, or authorized to operate in New York State—its amended requirements are definitely still of note.

They include provisions regarding:

  • Mandatory independent audits, privileged access management, and endpoint detection and response systems for “Class A” companies
  • Required annual penetration testing, vulnerability scans, and risk assessments
  • Signed annual compliance certifications from each organization’s chief information security officer (CISO) and the organization's highest-ranking executive
  • Stricter password policies, including multi-factor authentication (MFA) for remote access and access to non-public information, and restrictions on privileged accounts
  • Expanded reporting obligations
  • Annual tests of implemented business continuity and disaster recovery plans

Insofar as its goals to better enhance the security and resilience of NY financial organizations against cyber threats, this law is already effective to an extent, but enforcement against specific requirements regarding access control and MFA will become effective as of May 2025 and November 2025.


Other Notable Security and Privacy Regulations with 2025 Implications

Several state laws regarding data privacy will also become effective in 2025, including:

  • Delaware Personal Data Privacy Act (DPDPA): Considered one of the nation's most robust data privacy bills on paper, this is set to take effect on January 1, 2025 (though the law will allow businesses to implement universal opt-out mechanisms in 2026).
  • Nebraska Data Privacy Act (NDPA): Set to take effect on January 1, 2025, the NDPA contains significant obligations businesses must meet, including documentation of a privacy policy and other robust protections against data misuse.
  • New Hampshire Privacy Act (NHPA): With aims to give consumers control over their personal data by laying down specific requirements for how organizations handle said data, this law is slated to take effect January 1, 2025.
  • New Jersey Data Privacy Act (NJDPA): Applicable to organizations that conduct business in the state or who produce products or services targeted to those who live in New Jersey, this regulation goes into effect on January 15, 2025.
  • Texas Data Privacy and Security Act (TDPSA): Though it truly became effective July 1, 2024, the “grace period” for organizations to fully comply—provided so as to allow consumers to make use of the built-in opt-out mechanisms—ends January 1, 2025.
  • Tennessee Information Protection Act (TIPA): Taking effect on July 1, 2025, this law applies to organizations that do business with Tennessee or its residents and either control or process the personal information of at least 175,000 consumers.
  • Iowa Consumer Data Protection Act: Described as “business-friendly,” this bill becomes effective on January 1, 2025, with its provisions regarding protecting consumer rights and mandated transparency.
  • Maryland Online Data Privacy Act: “MODPA” grants Maryland consumers the ability to access, correct, or delete their data and opt out of targeted advertising or the sale of personal data, and it goes into effect on October 1, 2025.
  • Minnesota Consumer Data Privacy Act (MCDPA): With its new limits on what organizations can do with the personal data of Minnesotans, the MCDPA becomes enforceable on July 31, 2025.


Preparing for 2025’s Cybersecurity Landscape

Securing your organization from cyber threats is difficult enough, and having to simultaneously navigate an increasingly complex regulatory landscape can make things seem much more daunting. As we’ve noted, 2025 will be significant in terms of enforcement of new laws, so organizations—if you’ve not already gotten started understanding your obligations—must jumpstart your compliance efforts now.

Artificial IntelligenceComplianceLegalPrivacyStandards

Share this content on your favorite social network today!

Cloud Assurance
Related Resources
STAR
The industry's standard for security assurance in the cloud.
Cloud Controls Matrix & CAIQ v4
The standard cybersecurity control framework.
Trusted Cloud Provider
Demonstrate your commitment to holistic security.
Latest from CSA
Mark Your Calendar for Cyber Monday!
Map the Transaction Flows for Zero Trust
Advance AI Risk Management
Audit Cloud Providers with Confidence & Enroll in STAR Lead Auditor Training
Related Articles:
AI-Powered Cybersecurity: Safeguarding the Media Industry

Published: 11/20/2024

Managing AI Risk: Three Essential Frameworks to Secure Your AI Systems

Published: 11/19/2024

9 Tips to Simplify and Improve Unstructured Data Security

Published: 11/18/2024

How AI Changes End-User Experience Optimization and Can Reinvent IT

Published: 11/15/2024