The 2025 cybersecurity landscape faces sweeping regulatory changes impacting cloud, artificial intelligence, identity and foundational tech such as domain name systems.
Experts told SC Media they predict a year marked by evolving geopolitical pressures, stricter data protection mandates, and groundbreaking security frameworks around AI. What follows attempts to answer the question: How will cybersecurity regulations change in 2025?
(Editor's Note: See also: 2025 Forecast: AI to supercharge attacks, quantum threats grow, SaaS security woes)
We heard from a wide range of globally respected industry leaders who are shaping the conversation. Yogesh Badwe, chief security officer at Druva, a leader in data resilience, predicts that federal regulations will codify security standards, aligning them with financial frameworks like Generally Accepted Accounting Principles (GAAP). Sezaneh Seymour, Coalition’s head of regulatory risk and policy, emphasizes the growing urgency of securing the cyber supply chain, particularly in critical sectors such as healthcare and telecom. Meanwhile, Steve Tait, CTO of Skyhigh Security, highlights the importance of compliance in protecting critical infrastructure.
Key developments shaping the conversation include the European Union’s Digital Operational Resilience Act (DORA), effective January 2025, and potential deregulation shifts in the U.S. as federal standards like PCI DSS 4.0 and NIST 800-171 tighten. The EU AI Act is poised to create global ripple effects, reshaping AI governance and data privacy regulations. Critical industries, including finance and healthcare, must prepare for increased scrutiny as the global regulatory landscape evolves.
This deep dive into 2025 cybersecurity regulations aims to help you stay ahead of the regulatory arc. Whether you’re a security professional or a business leader, understanding these trends is essential to navigating the year ahead.
Government regulations and standards
Regulation will be priority No. 1 for most CISOs, says Robert Haist, TeamViewer CISO:
2025 will be a year of tremendous regulatory change that will require the utmost attention of CISOs navigating in an ever-evolving geo-political environment.
In the U.S., a potential focus on de-regulation by the incoming administration will be something that impacts businesses globally, especially regarding standards setting from organizations like the National Institute of Standards and Technology (NIST), which issued NIST 2.0 in 2024, guidelines for managing risks in all industries of any size, including government and academia. CISOs will also get more protective about how they see cybersecurity in regard to national security, especially as we see China ramping up their regulatory frameworks, making it more difficult for western companies to comply.
In Europe, CISOs will also be focused on the Digital Operational Resilience Act (DORA), which banks, credit institutions, investment firms and other financial entities must comply with, beginning Jan. 17, 2025, as well as the broader Network and Information Security Directive (NIS-2), which impacts a wide range of EU businesses.
Advice: CISOs are wise to think globally when it comes to cyber regulations, and this is a must for enterprises with customers located around the world. By dedicating resources to stay abreast of the latest regulatory changes — which could be plentiful in 2025 — CISOs will be able to anticipate changes to their organization’s security policy before it becomes a concern with a customer or prospect.
The need for accountability will lead to codified security standards, says Yogesh Badwe, Druva’s chief security officer:
For better or worse, federal regulations will codify security standards — just as generally accepted accounting principles (GAAP) were established for financial standards. The volume of ransomware attacks and data breaches has continually shifted blame back and forth from companies to CISOs as we try to mitigate breaches and assign accountability. However, what’s truly needed are consistent security standards to agree as an industry on what constitutes appropriate security standards. The president-elect has several Silicon Valley advisors that will finally help institute the appropriate security measures, and we’ll see GAAP-like security standards emerge in the coming years. That should be viewed as a positive step forward for security, but the real work and debate will comprise what enters into the to-be-created standard.
Regulations to target critical infrastructure, says Steve Tait, Skyhigh Security CTO:
January 2025 marks the launch of the EU DORA regulations within the financial sector, adding to the burden of stricter cybersecurity regulations worldwide, especially targeting critical infrastructure and industries such as healthcare and financial services. Protecting these vital services continues to increase in complexity as we saw everything from energy grids to hospitals facing high-profile data breaches and ransomware attacks this year, which will prompt policymakers to enforce further compliance standards like breach notification timelines, cyber hygiene practices, and penalties for non-compliance. At the same time, we will continue to see the post-pandemic working patterns continue to stabilize with increased in-office work once again prevalent in many sectors. This will necessitate a focus from cybersecurity vendors on hybrid solutions, combining on-premise protection with full remote cloud protection.
There will be an increased global focus on supply chain cybersecurity, says Sezaneh Seymour, Coalition, Inc. VP and head of regulatory risk and policy:
Due to escalating attacks on critical sectors like healthcare and telecoms, there will be increased global attention on cyber supply chain risks. Europe will require more businesses to secure digital operations and evaluate vendor-related cybersecurity and associated risks.
In the U.S., there will be increased federal attention to risks associated with insecure edge devices, as well as stricter controls on global access to sensitive technologies and the use of untrustworthy vendors linked to adversarial governments. Readiness will remain a worldwide priority. Critical organizations must ensure they can perform essential tasks during digital outages by reverting to analog operations. There will also be increased attention to businesses’ ability to recover financially from widespread digital disruptions.
EU’s DORA framework will start a trend toward regulations focusing on business resilience, says Jeffrey Wheatman, Black Kite SVP and cyber risk strategist:
The financial industry is a prime target for cyberattacks because of the substantial capital and sensitive data it holds. DORA, a compliance framework out of the European Union (EU), which will go into effect on Jan. 7, 2025, addresses risk by building on existing laws, such as the Network and Information Security (NIS) Directive and GDPR, to close gaps in digital and third-party risk management. It’s a great first step in the financial sector that will start a trend across industries. It will be the first in a series of globally focused regulations that move upstream from cyber and focus more on business and organizational resilience as the primary objective.
Compliance requirements will drive non-human identity management in highly regulated industries, says Danny Brickman, Oasis Security CEO:
While every organization requires a solution to manage and secure its non-human identities (NHIs), in highly regulated industries, the need for a dedicated NHI management solution is paramount. Financial institutions, for example, have access to vast amounts of sensitive data, and as such are highly regulated and frequently audited.
Payment Card Industry Data Security Standard (PCI DSS) 4.0 is rapidly approaching, and the revised guidelines place significant emphasis on managing NHIs, particularly system and application accounts with elevated privileges. With this, financial institutions will face increased scrutiny from auditors regarding the robustness of their NHI management practices. PCI DSS 4.0 requirements such as Requirement 7 (restricting access based on business needs and least privilege) and Requirement 8.6 (managing accounts with interactive login capabilities) highlight the need for comprehensive strategies to manage NHIs effectively.
As NHIs proliferate, financial institutions risk security breaches and regulatory penalties if they fail to adopt a robust strategy for NHI management. Organizations must begin addressing these challenges now, especially with mandatory PCI DSS 4.0 compliance coming in 2025, to ensure they meet evolving compliance standards and enhance their security posture.
Regulatory crackdown on cloud security compliance, says Gil Geron, Orca Security CEO:
In response to the growing number of high-profile cloud-based data breaches, 2025 will see a major regulatory push for stricter cloud security compliance. Governments worldwide will introduce new legislation similar to the UK's Cyber Security and Resilience Bill, expanding the scope of regulations and imposing more stringent reporting requirements. This shift will force organizations to adopt comprehensive cloud security platforms that can provide full visibility and compliance across multi-cloud environments, putting pressure on companies to consolidate their security tools and processes.
Balancing the cost of cybersecurity compliance a big challenge, says Pierre Samson, Hackuity chief risk officer:
Hitting the big cyber security compliance deadlines — NIS2 and DORA — was top of the agenda for many organizations in 2024 (and still will be in 2025). This meant devoting significant budgets where it was most needed to meet the requirements.
One of the biggest challenges for next year will be balancing cybersecurity spend: ticking the boxes on compliance while addressing the security gaps that matter most for each individual organization. Compliance demands, whilst absolutely necessary, shouldn’t distract security leaders from focussing on these more strategic issues.
Expect stricter DNS security regulations, says Ihab Shraim, CSC chief technology officer:
Governments worldwide are expected to introduce stricter regulations regarding DNS security, requiring stronger measures to ensure the resilience and privacy of DNS infrastructure. These regulations may include mandatory encryption and monitoring to prevent cyberattacks. Global privacy laws and frameworks like the EU Cyber Resilience Act will push to adopt stricter cybersecurity and data protection measures, with strong penalties for non-compliance.
SMBs will embrace modern cloud solutions to simplify CMMC compliance, says Sanjeev Verma, PreVeil co-founder:
As Cybersecurity Maturity Model Certification (CMMC) requirements enter contracts in mid-2025, small and medium-sized businesses will transition from legacy systems to cloud-based solutions for a simpler, more cost-effective path to CMMC compliance. These modern solutions, combining built-in security controls with detailed compliance documentation, will help SMBs in the defense industrial base dramatically reduce both the complexity and cost of achieving and maintaining CMMC certification.
NIST 800-171 controls expand beyond the Department of Defense: Following the DoD's lead with CMMC, other federal agencies like the Department of Education will begin requiring NIST 800-171 compliance to protect sensitive data. This expansion will create a more standardized federal cybersecurity landscape.
Consumers will be better protected on their personal devices, says Jeff Krull, Baker Tilly principal and practice leader:
In 2025, consumers will enjoy stronger protections for their personal devices, thanks to advancements in security technology and evolving regulations. Major tech companies are embedding robust security features into their products by default. End-to-end encryption, biometric authentication and multi-factor authentication are becoming standard features on personal devices, providing users with better protection against cyber threats.
Government and corporate initiatives will also help strengthen consumer cybersecurity. More stringent privacy laws, such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), are pushing companies to better secure consumer data. Alongside this, awareness campaigns aimed at educating consumers on the dangers of phishing, malware and other common threats will help people make smarter decisions online. With these combined efforts, consumer devices are becoming more resilient to attacks than ever before.
One important shift will be the move toward “cybersecurity by design,” where manufacturers bake security into devices from the start. While this is a step in the right direction, it's critical that consumers continue to receive training on how to protect their devices. Despite improved technology, the human element remains the weakest link in cybersecurity. Consumers need to understand the importance of their digital actions to maintain the integrity of these new protections.
After all, the journey toward enhanced consumer protection remains a work in progress. We see positive steps being taken in 2025, but at this point we continue to view it as more of an evolution than a revolution.
Top cybersecurity frameworks, regulations and government agencies will increase pressure on organizations to adopt microsegmentation, says Piotr Kupisiewicz, Elisity CTO:
Several prominent cybersecurity frameworks, regulations, and government agencies recommend microsegmentation or network segmentation as critical security measures. These include the NIST Cybersecurity Framework, ISO 27001, HIPAA, PCI DSS, CMMC 2.0, IEC 62443, HHS 405(d), and the EU's GDPR. The NSA and CISA in the United States strongly advocate for these practices, particularly in the context of zero-trust architecture. The Purdue Model, while not a regulation, is widely used in industrial control systems for segmentation. Additionally, the Federal Zero Trust Strategy mandates network segmentation for U.S. government agencies. These frameworks and agencies recognize the importance of segmentation in limiting lateral movement during cyberattacks and enhancing overall network security posture.
Regulators will aim for the clouds, says Chen Burshan, CEO of Skyhawk Security:
Regulators worldwide will acknowledge the widespread adoption of cloud services and the growing threats by hackers. Some high-profile cloud hacks have demonstrated that too many organizations (both private and public) have a very weak cloud security posture. They suffer from poor cloud hygiene and insufficient security mechanisms — especially real-time detection of sophisticated cloud attacks. Therefore, regulators will impose more stringent requirements, forcing organizations to quickly improve their security posture and better safeguard users’ and clients’ data.
Growing patchwork of U.S. data privacy laws will create new compliance burdens, says Maurice Uenuma, Blancco VP and general manager, Americas, and security strategist:
The growing patchwork of data privacy regulations across the U.S., many of which are similar and overlap, will continue to increase compliance burdens on organizations that create, process, store, and transmit sensitive data in 2025. Since California’s passage of California Consumer Protection Act, later superseded by the California Privacy Rights Act, over 20 states have passed comprehensive privacy laws. Many of these have already been passed into law but will be taking effect on a rolling basis through 2026 and beyond. To overcome compliance paralysis, organizations will need to be highly organized and efficient. Mature governance (from the board on down), repeatable processes, and tools – including Governance, Risk & Compliance platforms – will be critical to minimize compliance-related risks.
Artificial intelligence to spur new regulations
Regulatory pressure from incoming U.S. presidential administration seen as positive, says Igor Baikalov, Semperis chief scientist:
A significant increase in AI regulatory pressure under the new administration should have an additional effect of fragmenting the AI market into more manageable and better understood pieces. The rising volume of copyright litigations chasing GenAI, disinformation produced by numerous LLM hallucinations, and leaks of sensitive information through Retrieval-Augmented Generation (RAG) systems — these are all legitimate targets of regulatory wrath.
And whether you work on improving human-machine interfaces using advances in LLMs or developing self-defending networks using Agentic AI, you might want to better define what it is that you're doing to both differentiate and distance yourself from the generic "AI" label that is likely to be the bullseye of the regulations. Enterprises will turn to proprietary, business-specific models trained on vetted data, complemented with secure RAG and tailored to their needs. Vendors will be more honest about their product capabilities and technologies used and stop stamping "AI" on otherwise perfectly good machine learning.
Federal inaction will compel U.S. states to lead the charge on AI regulation, says Gabrielle Hempel, Exabeam customer solutions engineer:
The absence of a comprehensive federal AI and data privacy law will lead states to take matters into their own hands. California, Colorado and other states will continue introducing AI regulations, forcing companies to navigate a complex patchwork of legal standards. As AI becomes more ingrained in business operations, the lack of a national framework will create compliance challenges across industries. Without swift federal action, expect more states to legislate AI usage, and companies to be caught in an increasingly fragmented regulatory landscape.
Who is responsible when an AI agent makes a mistake, asks Efrain Ruh, Digitate field CTO of Europe:
I see similarities between the auto industry's struggle to provide a fully autonomous driving experience and IT Ops trying to deploy a fully autonomous solution for operations. It is not that the technology is not available; it has more to do with liability: what happens when an AI agent makes a mistake with catastrophic results? Who do we blame? The vendor of that software or the company that implemented the solution? Transparency and accountability will play a fundamental role in the utilization of these new technologies in the future; this will not drastically change in 2025.
Deepfakes, deception will lead to digital content transparency and provenance adoption, says Andy Parsons, Adobe senior director of the content authenticity initiative:
We’re currently navigating a new digital frontier where generative AI offers new possibilities, but also brings uncertainty and challenges with deepfakes and deceptive content. As a result, we’ve seen a strain on public trust and civil discourse. In 2025, we'll see an unprecedented push for transparency in digital content as the private and public sectors recognize the critical need for an industry-wide content provenance standard. Content Credentials will play a pivotal role in this shift, acting as a "nutrition label" for digital content that allow brands and creators to gain attribution and protect their work, while providing consumers a renewed sense of clarity and safety online. And as Content Credentials achieve broader adoption, their impact will extend across every stage of the content ecosystem. This shift represents more than just technological progress — it's a reimagining of how we establish and sustain trust in the digital ecosystem.
Expect a mad scramble for AI guidelines and frameworks, says Michael Adjei, Illumio director, systems engineering:
With GenAI tools now ubiquitous, 2025 will see a frantic scramble to rein in AI — just as we saw with social media. The focus will not only be on protecting users but also on having frameworks to safeguard AI from other AI.
Frameworks and guidelines will be pushed at three levels: international (e.g. the EU), regional (e.g. NCSC), and organizational. The organizational level will likely be most effective due to clear guidelines on acceptable use and security, while higher levels become less effective. International regulations often allow room for interpretation, enabling businesses to circumvent them.
Compliance and security will define AI success, says Carmelo McCutcheon, VAST Data Federal's public sector CTO:
As the AI landscape continues to evolve in 2025, one thing will be clear — compliance and security measures are non-negotiable. With the rise of global regulations like the EU AI Act, businesses will face immense pressure to ensure their AI systems are transparent, accountable, and aligned with stringent privacy standards. As data becomes an even more valuable asset, protecting it from potential threats will be a top priority. Organizations will need to implement stronger security measures that safeguard data both at rest and in transit, while also meeting regulatory requirements. The balance between compliance and security will be crucial for organizations to maintain trust and protect valuable assets.
The EU AI Act will have a global ripple effect on compliance, says Veronica Torres, Jumio worldwide privacy and regulatory counsel:
The EU’s AI Act will have profound implications on how enterprises worldwide implement identity verification technologies. Heavily regulated sectors like banking and government will treat new and existing AI tools as "high-risk," requiring strict compliance and security insurances.
The compliance burden will be significant across the ecosystem. Vendors, enterprises and users will all share responsibility. As of right now, the one liable for the misuse of AI is the one with the biggest wallet. In 2025, we’ll see the blame shift greatly to AI vendors and enterprises deploying these vendors. The need for compliance will drive innovation in privacy and security as companies prioritize adherence to regulatory standards and foster trust with global customers.
Regulatory changes impacting software supply chain security in 2025, says Steve Wilson, Exabeam CPO:
In 2025, AI regulation will be driven by three interconnected factors: data, jobs, and safety. Each of these areas plays a critical role in shaping policy as governments worldwide work to address the complex challenges AI brings to society. Data concerns, in particular, are poised to have a profound impact on software supply chain security through the evolution of ML-BOMs (Machine Learning Bill of Materials). As more AI and ML systems come under regulatory scrutiny, questions around data — such as its ownership, acquisition, and security — will become central to maintaining supply chain integrity.
Organizations will need to disclose what data their models are trained on, ensuring transparency about its sources and safety. Regulations are likely to demand that companies prove they legally own and have responsibly acquired training data to mitigate risks of unauthorized or low-quality sources. This shift could lead to an expanded ML-BOM framework that not only lists components but also provides comprehensive documentation about the provenance, quality, and compliance of each data source used in AI models. In this way, data-focused regulations will become a foundational aspect of supply chain security, requiring organizations to rigorously manage and validate data inputs as they would any other critical software component.
By 2025, AI-driven compliance tools will be widely adopted to manage the growing complexity of cybersecurity regulations and threats, says Dale Hoak, RegScale director of information security:
As frameworks like FedRAMP and GDPR grow more stringent, manual GRC tools and processes will become too slow to keep up with regulatory changes. In response, organizations will increasingly use AI to automate real-time checks, monitor violations, and streamline audits. These AI-powered solutions — and the corresponding rise of compliance as code — will help companies proactively identify risks and cut costs.
World governments will continue to collaborate on takedowns and regulate AI and cyber issues, says Grayson Milbourne, OpenText Cybersecurity security intelligence director:
Multinational efforts to disrupt cybercriminal operations will intensify in 2025, with increased collaborative actions targeting sophisticated threat networks. Governments will continue developing regulatory frameworks to address emerging technological challenges, particularly in AI security and software supply chain protection. The geopolitical landscape will increasingly recognize the internet as a critical domain of conflict, with nations investing heavily in both offensive and defensive cyber capabilities.
AI regulations split in United States versus Europe, says Itamar Golan, CEO of Prompt Security:
The regulatory landscape for AI is developing along divergent paths globally. The European Union is taking a risk-based approach about AI through the EU AI Act, implementing comprehensive regulatory frameworks. In contrast, I expect the United States to adopt a more permissive approach under potential libertarian economic policies, allowing for greater flexibility in AI development and deployment, emphasizing national security and economic competition with China.
AI governance will emerge as a sprawling security challenge, says Sohail Iqbal, Veracode CISO:
With different regions enforcing cybersecurity regulations at varying speeds, such a complex global landscape will force software providers to invest heavily in compliance efforts. Existing AI regulations focus predominantly on ethical guidelines, bias, safety, and disinformation, rather than security. In the coming year, AI governance will become a critical concern for both cybersecurity professionals and regulators, particularly as U.S.-based software regulators grapple with drafting standards for this ever-evolving technology.