CSA: 5 Big Cybersecurity Laws to Know About Ahead of 2025

Source URL: https://www.schellman.com/blog/cybersecurity/2025-cybersecurity-laws
Source: CSA
Title: 5 Big Cybersecurity Laws to Know About Ahead of 2025


Summary: The text outlines upcoming cybersecurity regulations set to take effect in 2025, emphasizing the need for organizations to prepare adequately to avoid non-compliance penalties. Key regulations include the NIS 2 Directive, DORA, the EU Cyber Resilience Act, the EU AI Act, and the Cyber Incident Reporting for Critical Infrastructure Act, among others. It underscores the increasing importance of regulatory compliance as organizations adapt to stricter mandates and reporting requirements, making it essential reading for professionals in the cybersecurity and compliance sectors.

Detailed Description: The text emphasizes the critical changes in the regulatory landscape that organizations need to navigate as new cybersecurity laws come into effect, primarily in 2025. This will significantly impact compliance and operational strategies. Here are the major points highlighted:

– **NIS 2 Directive**:
  – Effective from October 17, 2024.
  – Broadens the scope to cover more EU organizations deemed essential.
  – Key requirements include incident reporting, third-party risk management, access control, and staff training.

– **Digital Operational Resilience Act (DORA)**:
  – Starts enforcement on January 17, 2025.
  – Targets financial institutions and critical market infrastructures.
  – Focuses on risk management, incident reporting, and resilience testing.

– **EU Cyber Resilience Act (CRA)**:
  – Scope covers manufacturers and distributors of connected devices.
  – Expected to enforce principles of cybersecurity-by-design, incident response, and transparency.
  – Compliance implementation will take place gradually, beginning 20 days post-publication in 2025.

– **EU AI Act**:
  – Applicable to both public and private sector AI system providers.
  – Effective enforcement phases commence in 2025.
  – Measures include banning harmful AI systems and categorizing others by risk level with associated security obligations.

– **Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA)**:
  – Targets U.S. critical infrastructure entities.
  – Final rules to be established by CISA by March 2025.
  – Mandates rapid reporting of cybersecurity incidents and ransomware payments.

– **Bonus Focus – NYDFS Cybersecurity Regulation**:
  – Applies to New York financial institutions, with amended requirements related to audits, access management, and incident response.

– **Notable State Data Privacy Laws**:
  – Highlights various states, such as Delaware, Nebraska, and New Jersey, that are set to implement significant data privacy regulations by January 2025.

**Practical Implications**:
  – Organizations must prioritize compliance efforts before the deadlines to mitigate the risk of penalties.
  – There is a pressing need to establish governance structures for managing compliance across the various jurisdictions and sectors affected.
  – Increased audits and security measures necessitate leveraging technology and fostering a culture of cybersecurity awareness among employees.

Overall, the text serves as a timely reminder for cybersecurity and compliance professionals to prepare comprehensively for the evolving regulatory landscape, ensuring their organizations are equipped to face these challenges head-on.