Why cybersecurity laws are a top priority in 2025

Cyber threats have continued to evolve rapidly: from ransomware hitting supply chains, to AI-powered attacks, to critical-infrastructure disruptions. According to the WEF’s Global Cybersecurity Outlook 2025, companies are dealing with growing supply-chain vulnerabilities, increasing interdependencies and geopolitical risks.

Regulators around the world are tightening the screws: higher standards for incident and risk reporting, product security and third-party risk governance.

For businesses this means that ignorance is not an excuse. Non-compliance can result not only in fines but also in reputational damage, legal action and increased operational risk.

If your business operates in (or sells to) several jurisdictions, works with critical infrastructure, relies on third-party vendors, or makes devices that contain digital elements, you need to be aware of the rules below.

The most important cybersecurity laws and regulations to keep an eye on in 2025

Here are some significant regulatory changes and regimes to be aware of. This list isn’t comprehensive, but it covers the most significant ones.

European Union & Product/Infrastructure-Focused Laws
  • NIS 2 Directive – This revision of the original NIS (Network and Information Security) Directive extends the range of organizations that must comply (both private and public sector entities deemed essential). It requires incident reporting and third-party risk management, and puts responsibility squarely on senior management.

  • Cyber Resilience Act (CRA) – The EU regulation that sets horizontal cybersecurity requirements for products with digital elements (hardware and software) placed on the EU market. Key elements: security-by-default, automatic security updates, lifecycle obligations and 24-hour incident notification (for some categories); it applies mainly to manufacturers/suppliers.

  • Cyber Solidarity Act – A separate EU regulation aimed at building preparedness, detection and response capacity across the Union for major cyber-attacks (including attacks on infrastructure).

United States / State + Federal Developments
  • The U.S. has multiple layers, including federal laws, executive orders and state laws. For instance:

    • Frameworks and guidance from the National Institute of Standards and Technology (NIST) on IoT device security, as well as revised standards for incident response.

    • State-level cybersecurity legislation continues to progress (states are enacting cyber-incident-response laws, cybersecurity training requirements and modernization of government agencies).

  • Be aware that cybersecurity and data-privacy regulation are converging. For instance, state privacy laws often contain data-security obligations.

Sector / Supply-Chain / Emerging Technology Focus
  • A number of regulations (globally) now focus specifically on supply-chain or third-party risk (because many breaches start through vendors or service providers). The WEF report finds that, for large organizations, supply-chain challenges are the biggest obstacle to cybersecurity.

  • The integration of AI, IoT and “digital products” means the regulatory lens is shifting: looking not just at data breaches but at product vulnerabilities, algorithms and device lifecycles.

What are the implications of these laws for companies?

Below are a few practical considerations to think about:

  1. Incident-reporting & governance
    If you’re in scope (for example, you provide essential services, operate critical infrastructure, or supply digital products), you’ll likely face mandatory breach/incident reporting (sometimes very fast: 24 hours or similar) and need to demonstrate governance structures (e.g., management accountability).

  2. Third-party/supply-chain scrutiny
    Legal requirements increasingly address the risk posed by suppliers. This includes knowing your suppliers, making sure they adhere to security standards, and auditing and verifying their security measures.

  3. Product lifecycle responsibilities
    Especially in jurisdictions like the EU with the CRA: manufacturers/suppliers of hardware/software must embed security by design, provide updates, manage end-of-life and maintain documentation.

  4. Data privacy and cybersecurity
    Privacy and security are now tightly linked. If you collect, store or process personal data, you’ll need to satisfy both privacy and cybersecurity obligations.

  5. Cross-border implications
    If you operate across several jurisdictions (or sell into them), be aware of the extraterritorial effects (e.g., EU rules applying to non-EU companies that provide services to EU markets) and ensure compliance.

  6. Budget and resource shift
    Compliance is no longer optional, so businesses are investing more in cybersecurity, not just to protect themselves but also to meet the requirements of regulators.

Steps to start today

Given the risks and the pace of change, here is a checklist you (or your company) can go through:

  • Map your regulatory exposure: Which jurisdictions apply to you (based on where you operate, sell or supply, and which industry you work in)?

  • Identify whether you are deemed a “critical service”, “essential provider”, or manufacturer/supplier of digital products — these definitions often trigger mandatory obligations.

  • Check your supply chain and third-party relationships: Do your suppliers meet the security standards required by law? Are you legally protected?

  • Check your incident reporting and response process: Can you detect and respond to incidents and submit your reports within the timeframes specified by law? Are your senior managers aware and involved?

  • For companies that manufacture products: design or assess your security procedures for the product lifecycle (secure-by-design, update/patch strategy, documentation and end-of-life handling).

  • Check your governance and accountability: Is top management accountable and aware? Are you keeping track of the latest regulatory developments?

  • Train your employees: Human error remains one of the major causes of breaches. Ensure that your employees (especially those in key roles) are properly trained.

  • Get help from cyber and legal experts: The law is complicated and changes quickly, so consult advisors in the jurisdictions you operate in.

  • Monitor regulations and standards: NIST standards, framework revisions and guidance from regulators all matter.

  • Document everything: Keep assessments, policy documents, vendor audits, incident logs and minutes of governance meetings up to date. Regulators frequently require proof that you have done your due diligence.

Small and medium-sized companies (SMBs) should be concerned too

It’s tempting to believe that “these massive regulations only apply to big companies”, but that’s not the case. A few reasons small businesses need to pay attention:

  • Many large corporations require vendors and suppliers (including SMBs) to comply with the regulations (so when you supply them, the responsibility is passed down to you).

  • Even if you’re not big, the smallest breach can lead to liability, regulatory enforcement or reputational damage.

  • Regulations don’t always scale with size. If you’re in certain industries or provide specific services, you could be in scope.

  • A good security plan now is cheaper than addressing compliance issues or a breach after the fact.

Looking ahead: what should you be watching for?

  • Regulatory focus on AI as well as cybersecurity: Numerous sources say that as AI use increases, regulators will broaden cybersecurity laws to cover AI-specific threats (algorithmic integrity as well as exploitation).

  • Global harmonisation (or divergence): Expect more cross-border regulatory influence (e.g. the “Brussels effect”) as well as differences in local laws, so multi-jurisdictional vigilance is essential.

  • Product regulation is centred on the user: With connected technology, the Internet of Things and embedded software everywhere, regulations like the CRA increase accountability for manufacturers. This then flows down to component makers, suppliers and service providers.

  • Enforcement will increase: As the frameworks mature, regulators will shift from establishing rules to active enforcement, which means sanctions, fines and reputational penalties will become more common.

  • Supply-chain and dependency risk: Recognizing that many major incidents stem from third parties, risk management is evolving to the level of the ecosystem rather than the single entity.

Final thoughts

In simple terms: the era of “we’ll keep doing business and hope we don’t get hacked” is over. Cybersecurity regulations in 2025 aren’t just about avoiding fines; they’re about operational reliability, trustworthiness and the ability to operate in a connected world.

If your company provides digital services, offers products with embedded software, depends on vendors, works across borders or handles sensitive data, treat cybersecurity and regulatory compliance as two sides of the same coin.

For your company (given your SEO/website experience and the likely exposure to suppliers, data and digital processes), it may be worthwhile conducting a compliance audit: which laws you may already be subject to, where your gaps are, and where to focus your efforts.
