As cyber threats continue to evolve, this is a critical year for cybersecurity regulation, with new and expanded frameworks set to reshape compliance strategies across industries.

The EU’s NIS2 Directive is now in effect, significantly broadening the scope of organisations required to meet strict cybersecurity standards and incident reporting obligations.

Meanwhile, the Digital Operational Resilience Act (DORA) imposes stringent requirements on financial services, ensuring firms can withstand cyber disruptions. The EU AI Act also moves forward, setting a global benchmark for governing artificial intelligence risks.

While these regulations aim to strengthen cybersecurity, they introduce challenges for organisations navigating compliance, balancing security investments, and managing supply chain risks.

The demand for greater AI transparency, stronger supply chain oversight, and enhanced incident response capabilities is growing.

At the same time, and as we discuss in our general trends prediction article on cybersecurity, geopolitical tensions and rising cyber threats put additional pressure on businesses to prioritise resilience over reactive security measures.

To explore what lies ahead, we’ve gathered expert insights from industry leaders who share their cybersecurity regulation predictions on key strategies, the evolving role of zero trust, cyber insurance, and governance frameworks, and what organisations must do to stay ahead in 2025.

The EU’s NIS2 and expanding cybersecurity legislation take centre stage

Luke Dash, CEO, ISMS.online

“In 2025, cyber resilience will emerge as a core business strategy, with companies shifting from merely defending against threats to ensuring continuity and swift recovery. Frameworks like ISO 27001 and regulations like NIS2 will push businesses toward proactive preparation and response strategies. Disaster recovery and operational continuity will become top priorities, particularly in critical infrastructure sectors.”

James Neilson, SVP International, OPSWAT

“NIS2 expands the scope of critical infrastructure sectors and introduces stricter penalties, making cybersecurity a legal imperative. However, the focus on compliance must not overshadow real-world cybersecurity controls and response capabilities. Organisations must strike a balance between regulatory adherence and operational security.”

Pierre Samson, co-founder and CRO, Hackuity

“Hitting deadlines for NIS2 and DORA required substantial budgets in 2024, and this focus will continue into 2025. The challenge will be maintaining a balance—ensuring compliance while addressing security gaps most relevant to each organization.”

Javvad Malik, lead security awareness advocate, KnowBe4

“Delayed implementation of NIS2 in Europe will slow progress in improving security postures, while the Cyber Resilience Act will drive compliance-focused innovation.”

Gil Vega, CISO & SVP, Veeam

“NIS2’s impact will extend beyond the EU, with similar cybersecurity mandates likely emerging in the U.S. over the next few years. US companies operating in Europe will need to refine their compliance strategies while also preparing for stricter domestic regulations.”

IT & OT security and the supply chain

John Kindervag, chief evangelist, Illumio

“We will see increased adoption of unified security frameworks merging IT and OT security efforts. This integration will enhance collaboration, improving threat detection and response.”

Dan Lattimer, area VP, Semperis

“Organisations now recognise supply chain vulnerabilities and will conduct greater due diligence. DORA’s implementation in January 2025 may introduce fines for non-compliance, ensuring suppliers tighten their defences.”

Jon France, CISSP, CISO, ISC2

“We can expect heightened legislative attention on digital supply chains. A major failure at a deep supply chain level (N+1 or beyond) is likely, exposing weaknesses in hyper-converged digital ecosystems.”

AI, data sovereignty, and governance

Claus Jepsen, chief product & technology officer, Unit4

“New regulations like NIS2 and DORA will enforce stricter controls around data access and vendor management. Organisations will need to navigate growing data sovereignty concerns, potentially reconsidering market entry based on compliance costs.”

Luke Dash, CEO, ISMS.online

“AI governance will gain momentum as regulations like the EU AI Act and ISO 42001 set new standards. Organisations will be required to eliminate bias, ensure transparency, and manage AI risks to maintain public trust.”

Manuel Sanchez, information security & compliance specialist, iManage

“The surge in third-party-driven cyberattacks and breaches in 2024 has reinforced the importance of comprehensive data governance. Regulatory frameworks like NIST CSF 2.0 will emphasise risk management, and organisations will need robust strategies for handling personal data and DSARs.”

Cyber insurance & compliance-driven innovation

Luke Dash, CEO, ISMS.online

“In 2025, obtaining cybersecurity insurance will become more difficult without proof of compliance with frameworks like ISO 27001. Companies lacking incident response plans or risk assessments may struggle to secure coverage.”

James Tucker, head of CISOs in residence, Zscaler

“As regulations like NIS2 and DORA take effect, organisations will move toward more robust compliance programmes, integrating legal expertise and technology solutions. Discussions around simplifying data protection laws and enabling seamless cross-border data flow (‘Digital Schengen’) will gain traction.”

CISO accountability & legal risks

Jon France, CISSP, CISO, ISC2

“The conviction of Joe Sullivan (Uber’s former CSO) and the SEC’s lawsuit against Tim Brown (SolarWinds’ CISO) highlight a growing trend: authorities are holding security leaders personally accountable. If a CISO is successfully prosecuted in 2025, it may drive board-level cybersecurity expertise requirements and shift the burden of responsibility across executive teams.”

Emerging cybersecurity trends

Manuel Sanchez, information security & compliance specialist, iManage

“Multi-factor authentication (MFA) adoption will accelerate in 2025, driven by cyber insurance requirements, regulatory mandates, and industry best practices. Microsoft’s enforcement of mandatory MFA for Azure sign-ins is just the beginning.”
