January 2025 - What should we consider for 2025 in terms of cybersecurity compliance in the EU and UK?

Firstly, let me get this out of the way and wish everyone a Happy New Year, and welcome to the first newsletter of 2025.

After having a chance conversation with the keynote speaker after an event last year in Scottsdale, Arizona, one of the key takeaways from our conversation was about the use of LinkedIn and its audience - mostly about being regular and talking about topics of interest. So, with that in mind, I'd like to thank everyone for subscribing to my newsletter and acknowledge that I'll attempt to commit to publishing a newsletter on a monthly basis as a minimum.

The main reason is that you've all been great, and I have, on many an occasion, had positive interactions with people both on LinkedIn and at events "in real life" (a new family saying from one of my kids referring to actually talking to someone face-to-face as opposed to online) about how they found the article useful. So thank you.

Just a note to explain the cover photo: it is from a recent trip to Duxford Airfield & Imperial War Museum in the UK. I thought it would make a change from the AI-generated ones and represent, from my viewpoint, the extent of regulation in our industry and that of aviation.


So, as I kick off this new year, I can't help but reflect on the journey from my early days with BT Group in the "PCI Team" to where I find myself now, focusing more on "Industry Security Standards & Certification." The progress we've made in the almost nine years I've been here has truly amazed me. Every day is a learning experience for me, and the most challenging aspect is keeping up with what we learn, as my memory can no longer hold as much new information as it used to. Therefore, when Elon begins producing memory upgrades, I will be the first to receive them! I'm happy to be a test subject if required.

So, as I look into what the new year has in store for my team regarding the different compliance regimes we manage, I figured I’d share a quick summary of what I think might be helpful based on the planning and reading I’ve been doing.

I've looked at the impact of the following key EU legislative frameworks: 1) NIS 2 Directive, 2) Cyber Resilience Act (CRA), and 3) Digital Operational Resilience Act (DORA), which together harmonise cybersecurity standards across critical sectors such as infrastructure, digital products, and financial services. I'll also mention broader frameworks such as the AI Act and the General Data Protection Regulation (GDPR), which underline the need for a coordinated regulatory approach.

Note, I haven't brought up PCI DSS in this article because it's something I'm already familiar with, and it's pretty well understood.


In 2024, European businesses saw overlapping new legal frameworks in cybersecurity. The EU passed numerous important laws to protect its digital environment, requiring organisations from manufacturers to financial institutions to comply. In 2025, the emphasis shifts from legislation to implementation. EU, UK, and international enterprises wanting access to these markets must improve their cybersecurity.

Beyond technical resilience, compliance needs to reflect legislative intent, emphasising alignment, transparency, and trust in the digital economy. These measures address cross-border risks and attempt to create resilience against rising cyberthreats.

Here are some important legislative frameworks that I've come across in 2024, and they’re definitely priorities for doing business in 2025:

Key Legislative Instruments

  • The NIS 2 Directive covers “essential” and “important” entities in energy, transport, banking, and healthcare. These entities must implement strong security measures and collaborate to combat cyberattacks. Many Member States are behind in implementing the Directive, which was due on 17 October 2024.
  • The Cyber Resilience Act (CRA) requires manufacturers, importers, and distributors to incorporate cybersecurity measures into product design, with full implementation by 2027. The act emphasises proactive risk management, aligning with the EU's goal of fostering resilience during product development.
  • Resilience of Critical Entities Directive (CER) - Complementing NIS 2, the CER Directive covers online and offline risks to entities. To address interrelated cyber-physical hazards, infrastructure must improve operational and physical resilience.
  • EU Cybersecurity Act - This law establishes basic, significant, and high cybersecurity certification levels for ICT products, services, and procedures across Member States. These certifications aim to increase cross-border trust in cloud and 5G networks. The EU Cybersecurity Certification Scheme on Common Criteria (EUCC) for ICT suppliers will be voluntary starting in February 2025.
  • DORA aims to protect the financial sector from systemic cyber risks by aligning ICT risk management frameworks. From January 2025, financial institutions must comply with DORA to remain resilient to emerging risks.
  • The EU Cyber Solidarity Act, still awaiting ratification, aims to improve the EU's cyber response. A European Cybersecurity Alert System will coordinate responses and improve situational awareness across Member States.

Navigating the Interplay of NIS2, DORA, and CRA

New regulations like NIS2, DORA, and the Cyber Resilience Act (CRA) offer organisations a chance to improve their security and resilience against cyber threats. These frameworks guide enterprises of all sizes to improve operational defences, safeguard essential systems, and establish customer and partner confidence. By taking these steps, companies ensure compliance and establish themselves as cybersecurity leaders, proving their dedication to data security and trustworthy services. This proactive strategy presents a corporation as forward-thinking and resilient in a digital era, giving it an edge.

Multinational companies navigating the complexities of NIS2, DORA, and the Cyber Resilience Act (CRA) should adopt a unified compliance framework by leveraging recognised standards such as ISO/IEC 27001, the NIST Cybersecurity Framework, or ETSI EN 303 645 to align with multiple regulations. Creating a compliance matrix to map overlapping requirements can reduce duplication of efforts, while cross-border governance requires designating regional compliance officers to manage jurisdiction-specific needs under centralised oversight.

Small businesses, though more resource-constrained, can achieve compliance by focusing on scalable and cost-effective strategies. Adopting cybersecurity best practices aligned with industry standards, even without full certification, is a practical starting point. Managed security service providers (MSSPs) can help with ICT risks and compliance requirements. They can also make sure that cyber incidents are reported and fixed quickly with clear, custom incident response plans.

External consultants or legal advisors can offer vital guidance on implementing regulatory requirements, and fostering a cybersecurity-aware culture through training can further reduce vulnerabilities. By proactively addressing these challenges, small businesses can strengthen their security posture and build trust with customers and partners.

As businesses of all sizes come to rely on partner organisations to supply services, it is important that we strengthen supply chains and vendor management, including evaluating third-party providers for compliance and embedding cybersecurity obligations in contracts. Multinationals must also enhance incident response frameworks to meet reporting timelines and address specific vulnerabilities, while ensuring legal and technical experts collaborate to interpret regulatory interactions and operationalise compliance effectively.


Broader Legislative Landscape

The broader legislative landscape highlights that cybersecurity compliance is not confined to sector-specific regulations like NIS2, DORA, or the Cyber Resilience Act (CRA). Instead, it operates within a larger framework of interconnected EU initiatives, reflecting a multidisciplinary approach to building a secure and resilient digital ecosystem.

These measures intersect with other key frameworks, such as:

  • AI Act: This imposes cybersecurity requirements for high-risk AI systems, ensuring accountability and systemic safety
  • Data Act: emphasises secure data sharing, particularly for cloud service providers, reinforcing the need for robust safeguards around sensitive information and ensuring data sovereignty
  • Established Regulations: GDPR, the ePrivacy Directive, and sector-specific rules remain critical for safeguarding data integrity and user privacy

This interconnected approach underscores the importance of comprehensive strategies that not only meet specific regulatory demands but also align with the broader goals of digital trust, transparency, and resilience across sectors and technologies.


Preparing for the Future: The 2025 Work Plan

As the regulatory landscape evolves, organisations must navigate an increasingly complex web of cybersecurity, data protection, and AI governance requirements. The interplay between frameworks like the AI Act, Data Act, GDPR, and sector-specific regulations underscores the need for a holistic compliance strategy.

By understanding overlaps and aligning efforts to meet multiple obligations efficiently, businesses can streamline processes, reduce risks, and ensure operational resilience. Proactively addressing these considerations not only helps organisations stay compliant but also positions them as trusted leaders in cybersecurity and data management, fosters stronger relationships with stakeholders, and enhances their competitive edge.

What Organisations Should Look Out For

Interplay Between Regulations:

  • Understand how different frameworks overlap and ensure compliance efforts align to meet multiple requirements efficiently.
  • Develop a compliance matrix to map obligations across cybersecurity, data protection, and AI-specific requirements.

AI and High-Risk Systems:

  • For organisations deploying AI, focus on ensuring systemic safety and compliance with cybersecurity requirements outlined in the AI Act.
  • Implement regular risk assessments and audits for high-risk AI systems.

Cloud and Data Governance:

  • Pay close attention to the obligations for cloud service providers under the Data Act, ensuring robust contracts and technical safeguards for secure data sharing.
  • Monitor cross-border data transfers to ensure they comply with GDPR and related frameworks.

Cross-Functional Collaboration:

  • Foster collaboration between IT, legal, compliance, and operational teams to address overlapping responsibilities and streamline efforts.
  • Engage third-party consultants or legal advisors to interpret complex regulatory landscapes and ensure proper implementation.

Continuous Monitoring:

  • Stay informed about updates to these frameworks, as regulations like the Data Act and AI Act are still evolving.
  • Invest in tools and systems to monitor compliance in real time and flag potential risks.

So, where should I begin?

These days, organisations of all sizes are navigating a fast-changing regulatory environment. It's a real challenge to keep up with compliance while also making sure their operations stay strong and secure. To tackle gaps in compliance and risk management, it's important to have a structured approach that can adapt, work efficiently, and grow as needed.

  • This method starts by mapping out obligations. Businesses take a look at the laws and regulations that impact their services and products, which helps them build a strong foundation for their compliance strategies.
  • Next up, organisations can take a look at gap analyses to see where there are differences between what they’re doing now and what the regulations require. This helps them figure out what to focus on and come up with practical plans to get things done.
  • Setting up governance is really important for making sure everyone knows their roles and responsibilities, helping things run smoothly, and using resources wisely.
  • When businesses embed cybersecurity by design, they can proactively weave security measures into their products and services right from the start, making sure they meet regulatory requirements.
  • So, when it comes to building operational resilience, having strong risk management frameworks and doing regular testing really helps organisations stay ready for changing threats and keep things running smoothly.

This approach gives a clear path for spotting, tackling, and fixing compliance gaps, helping organisations handle complexity with confidence.

Compliance isn’t just something you have to do; it’s actually a chance to strengthen your business and make it more powerful. When organisations take the initiative to align with frameworks like NIS2, DORA, and the Cyber Resilience Act, they can reduce risks, build trust with clients and partners, and really stand out in the competitive landscape.

Showing that you're compliant really highlights your dedication to cybersecurity and keeping data safe. It boosts customer trust and helps your business stand out as a reliable leader in the market. Plus, compliance really boosts operational resilience, helping to protect against cyber threats and keeping things running smoothly during any disruptions.

For bigger organisations, taking the lead on compliance can really shape future regulations and boost their global reputation. On the flip side, not following the rules can lead to hefty penalties and harm your reputation, which might shake trust and slow down growth.

When businesses of all sizes make compliance a key part of their strategic priorities, they can really stand out. It helps them attract partners, put stakeholders at ease, and build a reputation as innovative and secure organisations.


Key Takeaways:

  1. Unified Compliance and Collaboration: The interplay between legislative frameworks like NIS 2, DORA, and the Cyber Resilience Act (CRA) requires organisations to adopt a coordinated approach. This includes developing compliance matrices to map overlapping obligations and fostering cross-functional collaboration among IT, legal, compliance, and operational teams.
  2. Strategic and Proactive Approach to Compliance: Compliance should not be viewed as a burden but as an opportunity to strengthen security, build trust, and enhance competitive positioning. Organisations that proactively address compliance requirements gain operational resilience, mitigate cyber risks, and establish themselves as leaders in the digital economy.
  3. Adaptation for Business Scale: Multinational organisations should establish regional compliance oversight for jurisdiction-specific needs while streamlining efforts through central frameworks like ISO/IEC 27001. Small businesses can focus on scalable best practices and engage managed service providers to navigate compliance efficiently.


Questions for Reflection:

  1. How are these frameworks impacting your organisation? Are you encountering challenges with compliance alignment, operational adjustments, or resource allocation as you integrate new legislative requirements?
  2. How far along are you in reviewing these regulations? Have you developed strategies or implemented tools to ensure readiness for upcoming compliance deadlines in 2025? What progress have you made toward establishing resilience across your operations and supply chain?


#CyberSecurity #DigitalResilience #NIS2Directive #CyberResilienceAct #DORACompliance #DataGovernance #AIAct #RegulatoryCompliance #CyberThreats

Disclaimer:

The views and opinions expressed in this LinkedIn article are solely my own and do not necessarily reflect the views, opinions, or policies of my current or any previous employer, organisation, or any other entity I may be associated with.

Richard Jones

Space travel's in my blood!

1 month

Very good, there are a lot of things that cyber security can learn from the way commercial aviation safety has evolved over the years. And Duxford is without doubt as good as aviation museums get!

Alessandro Amalfitano

Practice Manager - Payments Compliance - PCI QSA | SSF SSA & SSLC | CISA | CDPSE | ISO 27001 LI | CASE Java

1 month

Thank you, Simon, this article is very interesting, and I fully agree with what you wrote. An additional complexity I’ve encountered is when certain European-level regulations clash with national ones, which is particularly problematic for international entities. Please keep writing articles like this one! ;)

Jan Turner

Administrative Assistant at UK Civil Service

2 months

All the best for the New Year. Be good to meet up.

Demawu Apeti

Systems Administrator @ AVMI LTD. | IT Leadership & Admin

2 months

Happy New Year and thanks Simon for sharing. I am interested to see how DORACompliance will be met by most financial institutions

Rob McGowan

President @ R3 | Robust IT Infrastructures for Scaling Enterprises | Leading a $100M IT Revolution | Follow for Innovative IT Solutions

2 months

Great read! Looks like things are becoming a bit more stringent - always an opportunity for focus/specificity. Looking forward to the next one, Simon Turner!
