New Compliance Regulations Checklist
Written by: Danny Blakesley

As we look ahead to 2025, staying up-to-date with evolving compliance regulations is critical for organizations across all industries. New cybersecurity and data protection laws are reshaping how businesses operate, manage risks, and protect their data. In this blog, we outline key regulations coming into effect in 2025 and explore how they will impact your organization’s cybersecurity strategies.

EU’s NIS2 Directive Implementation Deadline
Description: The Network and Information Security Directive 2 (NIS2), adopted by the European Union in November 2022, aims to raise the level of cybersecurity across member states. NIS2 expands the scope of the original NIS Directive to cover more sectors and introduces stricter security and incident-reporting requirements.
Effective Date: EU member states are required to transpose NIS2 into national law by October 2024.
Impact: Organizations operating in sectors like healthcare, energy, transportation, and digital services must comply with enhanced cybersecurity measures, conduct regular risk assessments, and report significant incidents within tight deadlines. Non-compliance can lead to substantial fines and increased regulatory scrutiny.

SEC’s Cybersecurity Disclosure Rule
Description: In July 2023, the U.S. Securities and Exchange Commission (SEC) adopted new rules requiring publicly traded companies to disclose material cybersecurity incidents and to provide annual disclosures about their cybersecurity risk management, strategy, and governance.
Effective Date: The incident reporting requirements begin in December 2023, while the annual reporting obligations start with annual reports for fiscal years ending on or after December 15, 2024.
Impact: Public companies must promptly disclose material cybersecurity incidents and provide detailed information on how they manage and govern cybersecurity risk. Meeting this obligation requires incident response plans that can establish materiality quickly and cybersecurity governance structures that are documented and functioning.

U.S. State Privacy Laws Coming into Effect
Description: Several U.S. states have enacted new privacy laws that include cybersecurity provisions:
• Colorado Privacy Act (CPA)
Effective Date: July 1, 2024
• Connecticut Data Privacy Act (CTDPA)
Effective Date: July 1, 2023, with some provisions delayed until 2024
• Utah Consumer Privacy Act (UCPA)
Effective Date: December 31, 2023
Impact: Businesses operating in these states or processing personal data of residents must implement new data protection measures, including data security practices, consumer rights management, and, in some cases, data protection assessments.

ISO/IEC 27001:2022 Transition Period
Description: The updated information security management standard ISO/IEC 27001:2022 was released in October 2022. Organizations certified under the previous version (ISO/IEC 27001:2013) have a transition period to update their certifications.
Transition Deadline: Organizations must transition to the 2022 version by October 31, 2025, but many are planning updates during 2024 to stay ahead.
Impact: Companies need to update their information security management systems (ISMS) to align with the new standard, which includes changes to security controls and emphasizes a risk-based approach to cybersecurity.

Digital Operational Resilience Act (DORA) Preparation
Description: The EU’s Digital Operational Resilience Act (DORA) entered into force in January 2023, aiming to bolster the IT security of financial entities. While the regulation becomes applicable in January 2025, 2024 is a critical year for organizations to prepare for compliance.
Impact: Financial institutions and ICT service providers must enhance their operational resilience by implementing stringent ICT risk management, incident reporting, and third-party risk monitoring practices. Preparations in 2024 are essential to meet the compliance deadline.

Remaining compliant with these new regulations is essential not only for avoiding penalties but also for building trust and safeguarding your organization from cyber threats. The 2025 compliance deadlines are fast approaching, and early preparation is crucial. By staying informed and adapting your security practices, you can help ensure that your organization is not only compliant but also resilient in the face of emerging risks.

For more insights on navigating these regulatory changes, contact The Beckage Firm to help ensure your organization is ready for 2025 and beyond.