5 Big Cybersecurity Laws You Need to Know About Ahead of 2025

Generally, when a new cybersecurity regulation is adopted, the organizations it covers are given a “grace period” to make the necessary adjustments and reach full compliance before enforcement begins. Looking toward 2025, many of those grace periods are ending: several new laws come into full effect, which means organizations that are not ready and have not satisfied all relevant requirements will likely become subject to penalties.

So, are you ready?

As cybersecurity experts and long-time assessors against a myriad of frameworks, we know how difficult it is to pivot and accommodate new regulations. Cybersecurity is already a complicated balance, and these new laws are demanding in their mandates. So, having seen what happens to non-compliant organizations, we’re going to point you in some important directions.

In this article, we’ll overview five big cybersecurity regulations that are upping the ante as of 2025, along with several other, more niche laws that are becoming effective as well. Altogether, you should get a complete picture of the upcoming cybersecurity landscape that is set to change in 2025 with at least a few months left to prepare for those changes.

5 Cyber Regulations to Prepare for Ahead of 2025

The following important cybersecurity regulations set to take effect in 2025 are sourced from Europe and the U.S., and all aim at enhancing digital resilience and tightening cybersecurity.

1. NIS 2 Directive

Applicable to:

A much wider range of EU organizations than the original NIS Directive covered: medium and large entities classified as “essential” or “important” to the functioning of modern society, across critical public AND private sectors.

Enforcement Begins:

October 17, 2024

This one is technically already in effect: EU member states were required to transpose NIS 2 into national law by this date. If your organization hasn’t already implemented what it needs for compliance, you’ll need to make immediate moves.

As an update to the original NIS Directive of 2016, NIS 2 aims to further enhance the cybersecurity resilience of critical infrastructure and key services across the EU through mandatory provisions around:

  • Incident reporting (on a staged timeline: an early warning within 24 hours of becoming aware of a significant incident, a fuller notification within 72 hours, and a final report within one month)
  • Third-party and supply-chain risk management
  • Access control
  • Cybersecurity training

NIS 2 also holds top management accountable for overseeing and approving those measures, and the Directive spells out the fines and personal liability that can follow non-compliance.

2. The EU’s Digital Operational Resilience Act (DORA)

Applicable to:

Financial institutions, ICT (Information and Communication Technology) service providers, and others deemed part of critical financial market infrastructures—e.g., stock exchanges, central counterparties (CCPs), and central securities depositories—within the EU.

Enforcement Begins:

January 17, 2025

Aimed at improving the operational resilience of the EU financial sector so that it can better withstand and respond to cyber threats and ICT disruptions, some key provisions of DORA revolve around:

  • Improving risk management (including for third parties);
  • Specific incident reporting requirements; and
  • Mandated resilience testing.

Given its complexities and stringency, DORA represents a decisive step by the EU to support service continuity after cyberattacks or IT failures, and you must begin prepping now to ensure you cover all your bases. (If you’re feeling overwhelmed by DORA, Schellman can help.)

3. EU Cyber Resilience Act (CRA)

Applicable to:

Manufacturers, importers, and distributors of connected devices and software on the EU market

Enforcement Begins:

Phased, starting with the Act’s entry into force 20 days after its publication in the Official Journal of the EU

Adopted by the Council on October 10, 2024, the CRA enters into force 20 days after publication. Its obligations then phase in: the vulnerability and incident reporting duties for manufacturers apply 21 months after entry into force, and the bulk of the requirements apply after 36 months. The lead time sounds generous, but the engineering work (secure development practices, SBOM generation, vulnerability handling, and conformity assessment) takes most product teams years, so preparation needs to start now.

As such, organizations involved with “products with digital elements” will need to begin:

  • Adopting the now-required cybersecurity-by-design principles;
  • Bringing their incident response and vulnerability handling programs (including coordinated vulnerability disclosure) up to standard;
  • Creating a Software Bill of Materials (SBOM) for each product;
  • Introducing measures to support the mandated transparency and security-update support over the product’s lifecycle; and
  • Planning for the third-party conformity assessments required for products the Act classifies as “important” or “critical.”

4. The EU AI Act

Applicable to:

Providers and deployers (users) of AI systems in both the public and private sectors, including non-EU providers whose systems are placed on the EU market

Enforcement Begins:

Officially entered into force on August 1, 2024, but its obligations are phased: the prohibitions on unacceptable-risk practices apply from February 2, 2025, the obligations for general-purpose AI models from August 2, 2025, and most high-risk system requirements from August 2, 2026

With its focus on safety, fundamental rights, and transparency, the EU AI Act aims to strengthen the responsible development and use of artificial intelligence within the EU by:

  • Banning unacceptable-risk AI practices outright (e.g., social scoring, and real-time remote biometric identification in public spaces, subject to narrow law-enforcement exceptions);
  • Categorizing all other AI systems by risk level; and
  • Imposing security, documentation, and human-oversight obligations that scale with your system’s category.

To achieve compliance with the new law, you’ll need to get started now with setting up an organizational governance structure, which should include robust AI risk management and quality control measures, as well as protocol regarding transparency around AI systems.

5. Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA)

Applicable to:

Entities in the 16 critical infrastructure sectors designated by Presidential Policy Directive 21 (issued by President Obama in 2013), as further scoped by CISA’s rule

Enforcement Begins:

The Cybersecurity and Infrastructure Security Agency (CISA) published its proposed rule in April 2024 and is required by the statute to issue the final rule within 18 months of that, i.e., by late 2025; the reporting obligations take effect only once the final rule does

Under CIRCIA, covered entities in sectors such as healthcare, transportation, communications, and energy and water utilities will be subject to the law’s requirements, including:

  • Stringent reporting deadlines to CISA for:
    • Substantial cyber incidents: within 72 hours of reasonably believing one has occurred
    • Ransomware payments: within 24 hours of the payment being made

CISA is expected to release more guidance on the scope of “covered entities” and “substantial cyber incidents” along with the final rule, but organizations supporting American critical infrastructure should already be strengthening their incident detection, triage, and escalation procedures so that they can make an accurate report within a 72-hour window.

Bonus: The NYDFS Cybersecurity Regulation

Though the NYDFS Cybersecurity Regulation is a bit more niche than the ones we’ve mentioned prior—it applies to financial institutions licensed, registered, or authorized to operate in New York State—its amended requirements are definitely still of note.

They include provisions regarding:

  • Mandatory independent audits, a privileged access management (PAM) solution, and endpoint detection and response (EDR) for “Class A” companies
  • Required annual penetration testing, automated vulnerability scanning, and risk assessments
  • Signed annual compliance certifications from each organization’s chief information security officer (CISO) and its highest-ranking executive
  • Stricter access controls, including multi-factor authentication (MFA) for remote access and for access to non-public information, and limits on and periodic review of privileged accounts
  • Expanded notification obligations, including 72-hour notice of cybersecurity incidents and 24-hour notice of extortion payments
  • Annual testing of business continuity and disaster recovery plans

Most of the amended regulation, whose goal is to make NY financial organizations more secure and resilient against cyber threats, is already in effect, but two of the most demanding requirements have later deadlines: the expanded access-privilege controls apply from May 1, 2025, and universal MFA for access to information systems applies from November 1, 2025.

Other Notable Security and Privacy Regulations with 2025 Implications

Several state laws regarding data privacy will also become effective in 2025, including:

  • Delaware Personal Data Privacy Act (DPDPA): Considered one of the nation’s most robust data privacy laws on paper, this takes effect on January 1, 2025 (though businesses have until January 1, 2026 to honor universal opt-out mechanisms).
  • Iowa Consumer Data Protection Act: Described as “business-friendly,” this bill becomes effective on January 1, 2025, with its provisions regarding protecting consumer rights and mandated transparency.
  • Maryland Online Data Privacy Act: “MODPA” grants Maryland consumers the ability to access, correct, or delete their data and opt out of targeted advertising or the sale of personal data, and it goes into effect on October 1, 2025.
  • Minnesota Consumer Data Privacy Act (MCDPA): With its new limits on what organizations can do with the personal data of Minnesotans, the MCDPA becomes enforceable on July 31, 2025.
  • Nebraska Data Privacy Act (NDPA): Set to take effect on January 1, 2025, the NDPA contains significant obligations businesses must meet, including documentation of a privacy policy and other robust protections against data misuse.
  • New Hampshire Privacy Act (NHPA): With aims to give consumers control over their personal data by laying down specific requirements for how organizations handle said data, this law is slated to take effect January 1, 2025.
  • New Jersey Data Privacy Act (NJDPA): Applicable to organizations that conduct business in the state or who produce products or services targeted to those who live in New Jersey, this regulation goes into effect on January 15, 2025.
  • Texas Data Privacy and Security Act (TDPSA): Though it became effective July 1, 2024, the requirement to honor universal opt-out mechanisms (such as browser-based opt-out preference signals) was deferred; that “grace period” ends January 1, 2025.
  • Tennessee Information Protection Act (TIPA): Taking effect on July 1, 2025, this law applies to organizations that do business in Tennessee or target its residents, exceed $25 million in annual revenue, and control or process the personal information of at least 175,000 consumers (or 25,000 consumers if more than half their revenue comes from selling personal information).

Preparing for 2025’s Cybersecurity Landscape

Securing your organization from cyber threats is difficult enough, and having to simultaneously navigate an increasingly complex regulatory landscape can make things seem much more daunting. As we’ve noted, 2025 will be significant in terms of enforcement of new laws, so if you’ve not already started working out your obligations, you must jumpstart your compliance efforts now.

Gap assessments against each standard or framework your organization is subject to are a great start, and while you may have the resources to perform these internally, you may also feel better about where you stand and what you still need to do after getting an expert opinion, and Schellman may be the right partner for you.

We’ve familiarized ourselves with all the new regulations that could impact our clients and their ongoing compliance efforts, and we’ve already been hard at work performing readiness assessments to help them understand where each stands amidst all the incoming requirements. If you’re interested in learning more about what a partnership would look like—including achieving the peace of mind that comes with an independent opinion—contact us today.

About JORDAN HICKS

Jordan Hicks is the Manager of Content at Schellman. As the owner of content marketing initiatives across all digital platforms and formats, she is responsible for the ideation of content, the authoring and development of the content, as well as developing and managing the editorial calendar to ensure the marketing goals are met as it relates to content.