Cybersecurity Laws and Regulations to Know About (2025)

2025 will see dramatic advancements in technologies like artificial intelligence (AI), cloud computing, quantum computing, machine learning (ML), the Internet of Things (IoT), and edge computing. While these radical technologies can help businesses in many ways, they also create a few complications when it comes to cybersecurity laws and regulations.

This is because new technologies bring with them new cybersecurity risks, and the cost of those risks is now incredibly high. According to IBM, data breaches cost enterprises an average of $4.88 million in 2024.

In addition to a rise in advanced cybercrime and attacks such as malware, ransomware, phishing, and identity theft, new cyber threats have serious compliance implications. Organizations in both the public and private sectors are under growing pressure from regulatory bodies and must rapidly navigate new cybersecurity regulations. This labyrinth of regulations is a mix of federal laws, state laws, and other data privacy laws that are specific to regions and industries.

In this blog post, we’ll focus on the laws and regulations that businesses must pay close attention to in 2025. But before we explore new cybersecurity laws, let’s revisit some well-known and crucial compliance regulations.

Global Cybersecurity Laws and Regulations

To kick things off, let’s explore a few important international cybersecurity requirements that are particularly pertinent in 2025.

General Data Protection Regulation (GDPR)

Homing in on data security and privacy, GDPR is considered by many to be one of the most stringent cybersecurity regulations. While GDPR is often thought of as a European Union (EU) law, it applies to businesses all around the world that work with the data of EU-based individuals.

GDPR covers many aspects of data security: how businesses process data, whether the individuals that data describes consent to how it is used, and the information privacy rights that EU individuals hold. GDPR data security failures can be devastating for businesses because some fines go as high as tens of millions.

Personal Information Protection and Electronic Documents Act (PIPEDA)

PIPEDA is similar to GDPR except that it concerns the security and privacy of sensitive data in Canada. This regulation applies to private organizations and focuses on how customer data is collected, processed, and used.

PIPEDA has 10 guiding principles, including but not limited to consent, accountability, accuracy, and safeguards. As with any cybersecurity standard, noncompliance with PIPEDA can have negative consequences, including reputational damage and heavy penalties.

India’s Digital Personal Data Protection Act

The objective of the Digital Personal Data Protection Act is to ensure that Indian citizens have transparency and control over how their sensitive information is used. At the same time, it acknowledges that there are important contexts in which organizations may use that information for legal purposes. This regulation applies to organizations based in India and to enterprises that operate overseas but manage and process the digital information of Indians.

During cybersecurity incidents that involve the sensitive data of Indians, the overseers of the Digital Personal Data Protection Act take a range of factors into consideration before deciding on a penalty. These factors may include the size of the cyber incident, the amount of money lost, the nature of the data, and the effectiveness of the victim’s incident reporting and incident response plans.

United States Cybersecurity Laws and Regulations

Now that we’ve seen some examples of global cybersecurity laws, let’s take a look at some US-specific regulations. We’ll use state laws from California, New York, Nevada, and Washington as examples. However, it’s important to remember that every state in the US has its own web of cybersecurity laws and regulations that businesses have to track and follow.

California Consumer Privacy Act (CCPA)

Any enterprise that sells products and services to Californians and earns more than $25 million a year has to abide by CCPA. In a nutshell, CCPA empowers residents of California to find out, at any time, from an organization or its third-party providers how their data is being used and for what reasons. Remember that CCPA applies even to non-American businesses.

The kinds of sensitive information that fall under CCPA include names, addresses, Social Security numbers, biometrics, and other forms of multimedia data. For California residents to successfully inquire about how their data is used, there must be strict frameworks, procedures, and security measures in place.

New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act

The New York SHIELD Act, much like CCPA, applies to any organization that stores, manages, or uses sensitive data of individuals. In this case, the regulation focuses on the sensitive data of New York residents. The SHIELD Act includes various mandates for organizations working with New York resident data, such as employee training programs, strong cybersecurity policies, and breach notification protocols.

Unlike some other cybersecurity regulations that are more lenient in their language, the SHIELD Act is quite unforgiving about what it considers a data breach. While many regulations define a data breach as the exfiltration of sensitive information, the SHIELD Act views any unauthorized access to sensitive data as a data breach.

Nevada’s Privacy Law

The Nevada Privacy of Information Collected on the Internet from Consumers Act (NPICICA) oversees how websites gather, process, and use sensitive customer data. It covers data such as names, addresses, email addresses, and Social Security numbers. The law applies to any commercial website that collects data from Nevada residents or sells products to Nevada residents.

An important measure that NPICICA introduces is the option for Nevada residents to opt out of having their information sold by organizations. Noncompliance fines for NPICICA can go up to $5,000 per failure, so it’s important for Nevada-serving businesses and websites of all sizes to pay close attention to this regulation.

Washington: Washington Privacy Act (WPA)

The aim of the WPA is to protect the data of Washington residents. Any business that processes the data of more than 100,000 customers falls under the scope of the WPA. Additionally, any business that makes more than half its revenue from selling data, or that processes the data of more than 25,000 Washington-based customers, has to follow the WPA’s rules.

The WPA states that businesses must provide transparency about what kinds of sensitive information they collect, how that information will be managed, what customers’ data privacy rights are, the extent of third-party data sharing practices, and whether data is used in advertising contexts. The WPA’s most distinctive requirement applies to businesses that use any kind of facial recognition technology: they have to let customers know about it.

Industry-Specific Cybersecurity Laws and Regulations

In 2025, businesses have to be aware of the specific cybersecurity and compliance vulnerabilities that their industry faces. To mitigate these risks and ensure responsible cybersecurity practices, they must stay on top of laws and regulations that are specific to their sectors. Let’s take a look at some of the most important sector-specific regulations.

Health Insurance Portability and Accountability Act (HIPAA)

The healthcare sector faces an immense volume of cyberattacks. Given the sensitive nature of customer health data in this sector, maintaining compliance is a must. HIPAA is a regulation that focuses on security practices to safeguard health information. Under HIPAA, there must be robust cybersecurity measures in place to protect any exchange of health information.

HIPAA noncompliance can cost businesses up to $250,000 and, in extreme cases, can also result in imprisonment. In 2025, businesses in the healthcare industry need to pay extremely close attention to HIPAA’s requirements. This is especially important because there may be new HIPAA regulations in 2025, starting with an updated HIPAA Privacy Rule.

Federal Information Security Management Act (FISMA)

Enacted in 2002 by the 107th United States Congress, FISMA addresses data security across the federal government. It focuses on information security and risk management within federal agencies and their third-party service providers.

By fortifying information systems and information sharing protocols across government agencies and their supply chains, FISMA aims to prevent cyber incidents and data breaches. Critical aspects of FISMA-based security programs include robust risk assessments, incident response playbooks, strong cybersecurity measures, breach notification and reporting procedures, and training and awareness initiatives.

North American Electric Reliability Corp. (NERC) CIP Standards

Designed to maintain the strength and resilience of America's bulk electric systems, the NERC standards also address cyber threats that can potentially compromise critical infrastructure. There are 14 different NERC standards, but when it comes to cybersecurity risks, the CIP (Cybersecurity Infrastructure Protection) standards are the ones businesses need to focus on.

There are 10 primary controls under CIP, including cyber system categorization, security management controls, electronic security perimeters, systems security management, and information protection.

General Cybersecurity Laws and Regulations

Now that we’ve covered global, state, and industry-specific cybersecurity laws, let’s focus on the most important general cybersecurity laws and regulations. While many businesses may already know about these, it’s crucial to improve compliance posture with respect to these laws and frameworks in 2025.

Payment Card Industry Data Security Standard (PCI DSS)

A well-known standard overseen by the Payment Card Industry Security Standards Council, PCI DSS applies to any organization that collects credit card information. Under PCI DSS, there are 12 requirements to protect cardholder data, which range from introducing firewall configurations and encrypting transmissions to monitoring network resources and frequently testing security protocols.

Non-compliance with PCI DSS can result in fines of $5,000 to $10,000 per month, and these figures increase significantly for extended periods of noncompliance.

Cybersecurity Information Sharing Act (CISA)

Threat intelligence is a vital tool for dealing with 2025’s complex and churning threat landscape. A federal law from 2015, CISA aims to optimize threat intelligence sharing practices and protocols between private enterprises and government institutions.

By creating vibrant threat intelligence ecosystems, laws like CISA follow a “strength in numbers” approach. CISA focuses on collective and collaborative cybersecurity instead of leaving organizations to fend for themselves. By having up-to-date and accurate data on active cyber threats, businesses can implement better defenses.

Note: This CISA, the Cybersecurity Information Sharing Act, is not the same as the other CISA, the acronym for the Cybersecurity and Infrastructure Security Agency.

Children’s Online Privacy Protection Act (COPPA)

In 2025, businesses must take the privacy and security of children’s data more seriously than ever before. Cyber incidents involving the data of children can lead to colossal penalties that are difficult to recover from.

COPPA zeros in on security protocols surrounding the data of individuals under the age of 13. Under COPPA, any digital service or website aimed at a younger demographic must obtain the permission of parents to collect, manage, or use the data of children. In other words, it helps parents understand when, how, and why their children’s data is used.

The Sarbanes-Oxley Act (SOX)

A federal law enacted by the 107th US Congress and overseen by the Securities and Exchange Commission (SEC), SOX zeros in on audit obligations and financial records management to protect shareholders and the larger public.

The primary responsibilities of a public enterprise under SOX involve implementing strong internal security controls, maintaining comprehensive records and reports of financial information, and conducting regular audits. Remember that filing inaccurate financial reports under SOX can lead to fines of up to $1 million.

The Gramm-Leach-Bliley Act of 1999 (GLBA)

Initially known as the Financial Modernization Act of 1999, GLBA focuses on the security and privacy of customers’ sensitive financial information. GLBA applies to any financial institution or organization that offers financial services.

Under GLBA, there are three main data privacy rules: the Financial Privacy Rule, the Safeguards Rule, and pretexting protection. Pretexting protection, in particular, is very important in 2025 because it addresses the mitigation of social engineering attacks like phishing. In 2025, businesses are likely to face a surge in ultra-realistic social engineering scams due to the malicious adoption of AI technologies.

New Cybersecurity Laws and Regulations in 2025

So far, we have covered cybersecurity laws and regulations that are important for 2025 but not entirely new. Now let’s shift our focus to 5 laws and regulations that are either going to be introduced, updated, or especially relevant in 2025. Understanding these new laws is vital because noncompliance in 2025 will be more problematic than in the past.

Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA)

Aimed at organizations in critical infrastructure sectors like energy, chemical, critical manufacturing, food and agriculture, information technology, and water and wastewater systems, CIRCIA focuses on the optimization of incident reporting.

Important CIRCIA compliance requirements include inventorying information systems, identifying and categorizing cyber risks, contextualizing those cyber risks against NIST’s Risk Management Framework (RMF), introducing robust security measures, and assessing cybersecurity posture at least once a year.

Keep in mind that the final rules of CIRCIA are likely to be established in 2025.

Digital Operational Resilience Act (DORA)

While DORA was introduced to the public in 2023, it will begin to apply in 2025. DORA is an EU regulation that focuses on reinforcing the information security of financial institutions like banks and investment and insurance organizations.

To understand why DORA is critical in 2025, businesses must remember that the finance sector embraces all kinds of new technologies. While these technologies bring numerous benefits, they also introduce new risks. Key elements of DORA include information and communications technology (ICT) risk management, supply chain security, testing, data sharing, and incident reporting.

NIS2 Directive

The NIS2 Directive was officially introduced in October of 2024, which makes 2025 a pivotal year for NIS2 compliance. NIS2 is an update of an older regulation that focuses on improving the cybersecurity posture of EU-based and EU-serving enterprises. The scope of the updated regulation is larger and extends into sectors like digital providers, waste management, courier services, and research.

In 2025 and beyond, the EU can be a lucrative market for many enterprises. However, to successfully and responsibly operate in the EU or serve EU customers, businesses must follow NIS2. Remember that NIS2 is a directive and not a checklist, which means there’s no single way of achieving NIS2 compliance.

Cyber Resilience Act (CRA)

More and more products in 2025 will include a digital component. These products include different kinds of smart devices that decorate or serve homes, offices, and industries. But as smart devices become more mainstream in 2025, there must be safeguards to deal with their cybersecurity risks.

CRA aims to protect customers who buy any kind of software or hardware that includes a digital element. Under CRA, there are compulsory cybersecurity frameworks and obligations for manufacturers of digital products and services. It also includes product lifecycle security and external security audits by an authorized third party.

The EU AI Act

In recent years, AI has become increasingly omnipresent in our lives and industries. 2025 is likely to see dramatic advancements in AI technologies across sectors. The EU AI Act, the first regulation on AI, is designed to address growing concerns about AI-related security.

The first phase of the EU AI Act will begin sometime in 2025, so businesses need to stay alert. The primary goals of the EU AI Act are to decommission any AI systems that are deemed unsafe, categorize AI systems based on different risk levels, and implement security controls to meet AI security obligations.

In 2025, there’s no doubt that AI will once again dominate the headlines. Businesses should protect themselves by abiding by the EU AI Act.

Conclusion

The technology landscape, the threat landscape, and the cybersecurity landscape are closely interlinked, each heavily influencing the others. In 2025, there will be dramatic changes across every one of these landscapes, which will make security and compliance more complex for businesses to navigate. In this blog post, we explored the most important cybersecurity laws and regulations for 2025, including 5 new regulations.

It may not be easy for businesses to know which of these regulations apply to them and how to address compliance requirements. For many businesses, leveraging the services of a managed security services provider (MSSP) is a strong option for achieving compliance with these frameworks.

While cybersecurity laws and regulations may seem like roadblocks, they are actually the opposite. By following these regulations and laws, businesses are setting themselves up for success in a technology-driven world that’s rife with cyber risks. Maintaining a strong cybersecurity and compliance posture should be priority number one.
