Data protection is now firmly established as one of the key pillars of the global policy landscape. 2024 brought the NIS2 Directive in Europe, new SEC disclosure rules in the US, and the UK Cyber Governance Code of Practice, among others.
As we approach the end of Q1 2025, the sands of cyber resilience are shifting once more. Around the world, governments and regulators are introducing and refining various pieces of legislation to enhance cyber security measures, protect consumer privacy, and address emerging technological challenges. This article provides a snapshot of the key initiatives and their potential impact.
United Kingdom: Cyber Security and Resilience Bill
Overview
In July 2024, Labour announced the Cyber Security and Resilience Bill during the State Opening of Parliament. This proposed legislation aims to update the existing Network and Information Security Regulations 2018 to bolster the UK’s cyber defences and protect critical infrastructure and digital services.
Key measures
- Expanded regulatory scope: The bill seeks to broaden the remit of current regulations, empowering regulators with enhanced authority to enforce cyber security standards across various sectors.
- Mandatory reporting requirements: Organisations will be obligated to report specific cyber incidents, including ransomware attacks, to authorities. This measure aims to improve threat intelligence and facilitate proactive responses to emerging cyber threats.
- Compliance and auditing: Businesses will need to demonstrate adherence to established cyber security standards through regular audits and reporting, ensuring the implementation of effective cyber safety measures.
Timeline
The bill is currently under parliamentary review, with discussions expected to continue through mid-2025 before potential enactment later in the year.
Predicted outcome
With strong cross-party support for cyber security enhancements, the bill is expected to pass. However, specific provisions may be adjusted during legislative debates. The bill will drive higher cyber security compliance standards, making it essential for businesses to strengthen their cyber defence strategies.
United States: Enhanced HIPAA Security Rule
Overview
In January 2025, the US Department of Health and Human Services proposed updates to the HIPAA Security Rule to strengthen protections for electronic protected health information (ePHI).
Key measures
- Annual technical inventories: Entities must maintain up-to-date cyber security inventories.
- Mandatory multi-factor authentication: Strengthened authentication for access to ePHI.
- Encryption standards: Stricter encryption requirements to protect sensitive health data.
Timeline
The public comment period ended in March 2025, with final regulations expected by late 2025.
Expected outcome
Healthcare organisations must invest in robust cyber security measures to meet compliance requirements and protect sensitive patient data.
European Union: Implementation of the Digital Operational Resilience Act
Overview
The Digital Operational Resilience Act (DORA) became effective on 17 January 2025, establishing a cyber security framework for financial entities within the EU.
Key measures
- Regular risk assessments: Financial institutions must conduct ongoing assessments of their ICT risks.
- Comprehensive cyber security measures: Stricter security controls to prevent financial cyber fraud.
- Third-party risk management: Oversight of ICT service providers to mitigate supply chain risks.
Timeline
Financial entities are expected to comply by mid-2025.
Expected outcome
DORA is expected to increase cyber security resilience in the financial sector, preventing large-scale disruptions from cyber incidents.
South Africa: Cybercrimes Act enforcement
Overview
South Africa continues to strengthen its cyber security landscape through the enforcement of the Cybercrimes Act (2020). Thus far, only certain sections of the Act have become operational. In 2025, additional provisions are expected to come into full effect, requiring organisations to enhance data protection measures and report cybercrimes more proactively.
Key measures
- Mandatory cyber incident reporting: Businesses and government institutions must report cyber security breaches to the South African Police Service and relevant regulators.
- Increased penalties for cybercrime: Stronger enforcement actions against cybercriminals, particularly for ransomware, financial fraud, and data breaches.
- Collaboration with global regulators: South Africa is strengthening its participation in Interpol-led cyber security operations.
Timeline
The Act is being enforced in phases throughout 2025, with final compliance deadlines for businesses expected by the end of the year.
Expected outcome
To avoid regulatory penalties, organisations will be required to improve their cyber security incident response capabilities and mitigate cyber threats effectively.
India: Implementation of the Digital Personal Data Protection Act
Overview
India’s Digital Personal Data Protection Act (2023) is set to be fully enforced in 2025, marking a significant shift in the country’s data privacy and cyber security landscape. The law introduces stringent data protection obligations for organisations handling personal data, aligning India more closely with global data protection frameworks like the EU GDPR.
Key measures
- Data localisation: Certain categories of sensitive personal data must be stored and processed within India, impacting multinational companies and cloud service providers.
- Consent-based processing: Organisations must obtain explicit user consent for data collection, with clear provisions for withdrawal.
- Severe penalties for non-compliance: Failure to comply could result in fines of up to ₹250 crore ($30 million) for data breaches or violations.
- Obligations for data fiduciaries: Companies processing significant volumes of user data will be subject to stricter security controls and mandatory data audits.
Timeline
The DPDPA’s provisions will be phased in throughout 2025, with key compliance deadlines expected in the second half of the year.
Expected outcome
Businesses operating in India must enhance their data protection strategies, invest in stronger encryption and cyber security frameworks, and ensure compliance with India’s evolving digital regulations to avoid hefty fines.
How to respond
2025 is set to be another key year in the cyber resilience landscape. These updates reflect a global commitment to protecting digital assets, preventing cyber incidents, and ensuring business continuity.
To adapt to these regulations, businesses must invest in solutions that keep them compliant and resilient across every jurisdiction in which they operate. Redstor’s data backup and recovery solutions guarantee full data recovery and compliance across borders.
Get in touch today to learn how Redstor can protect your data.