CYBERSECURITY STANDARDS

Compliance Changes in 2025: What You Need to Know

Last updated: January 24th, 2025


As cybersecurity threats continue to evolve, 2025 has brought critical updates to compliance frameworks and regulations. Organizations across industries are grappling with new standards, expanded requirements, and evolving frameworks. This article explores key compliance changes, their implications, and how businesses can adapt to the shifting landscape.

Major Framework Updates

NIST CSF 2.0: Promise and Challenges

The highly anticipated release of NIST CSF 2.0 has introduced a more governance-focused approach to cybersecurity. However, adoption has been slower than expected due to its complexity and unresolved issues, prompting many organizations to stick with version 1.1 for its simplicity and practicality. The lack of detailed use cases and implementation guidance in NIST CSF 2.0 remains a barrier to widespread adoption.

SB11 Framework (2025): A Game-Changer for SMBs

Designed for small and medium-sized businesses (SMBs), the new SB11 Framework emphasizes actionable safeguards and aligns closely with ISO 27001. This framework is particularly beneficial for managed service providers (MSPs), enabling them to demonstrate cybersecurity maturity without overextending resources. SB11 offers practical guidance tailored to SMBs, filling a long-standing gap in the cybersecurity landscape.

CIS Controls v8.1: Focused and Actionable

The latest updates to the CIS Controls (v8.1) have further cemented their role as an actionable framework. Enhancements include:

  • Redefining "applications" as "software" to align with modern terminology
  • Recognizing documentation as a critical asset class
  • Improved mapping to other frameworks for seamless integration

CIS Controls remain a favorite for organizations seeking practical steps to mitigate over 80% of cyber risks.

International Compliance Trends

EU’s NIS2 Directive: Expanding the Scope

Enforcement of the EU’s NIS2 Directive, which began in 2023, continues to challenge organizations in 2025. While the directive broadens its scope to industries like digital services and food distribution, many EU member states are still finalizing legislation. Key requirements include mandatory risk assessments, incident reporting, and basic cyber hygiene practices, such as multi-factor authentication (MFA). The directive also introduces personal accountability for management failures, emphasizing the importance of due care.


Australia’s Essential 8

Australia’s Essential 8 framework continues to influence global standards. However, its limited guidance on implementation remains a challenge, particularly for organizations seeking alignment with international standards like ISO 27001. Despite this, its focus on essential cyber hygiene practices reinforces its value in a global context.

Sector-Specific Impacts

CMMC Compliance: Key Updates

The Cybersecurity Maturity Model Certification (CMMC) framework is reshaping compliance for U.S. Department of Defense (DoD) contractors. Major milestones include:

  • 2025: Self-assessments for Levels 1 and 2 become mandatory.
  • 2026: Level 2 certifications begin.
  • 2027: Level 3 audits roll out.

CMMC’s emphasis on auditable criteria and strict evidence requirements marks a shift from past standards, such as NIST 800-171. Contractors must prepare for certification readiness by addressing gaps and planning resources.


Healthcare and Financial Services

The healthcare sector faces increased scrutiny, with proposed regulations demanding faster system restoration and stricter cyber hygiene standards. Similarly, financial institutions are adjusting to the FFIEC CAT phase-out, requiring a shift to comprehensive risk assessments. Updated GLBA rules now mandate annual risk assessments, cybersecurity programs, and CISO appointments, with regulators empowered to enforce punitive measures for non-compliance.

Challenges for MSPs and GRC Tools

MSPs and Theoretical Access

MSPs must now account for theoretical access to sensitive data, requiring the use of dedicated hardware or enclaves for systems managing Controlled Unclassified Information (CUI). This shift raises questions about whether MSPs need separate certifications for such setups, adding complexity to their compliance efforts.


Limitations of GRC Tools

Governance, Risk, and Compliance (GRC) tools alone are insufficient for achieving compliance. While they provide structure, true compliance demands a holistic approach, including independent audits and organizational buy-in. MSPs must be wary of "fast-track compliance" promises and focus on sustainable, standards-based practices.

Adapting to a Dynamic Landscape with Confidence

Compliance in 2025 is a multifaceted challenge requiring organizations to navigate evolving frameworks and regulatory requirements. From the complexities of NIST CSF 2.0 to the SMB-focused SB11 Framework and sector-specific regulations, the landscape is becoming both more demanding and more actionable.

Service providers must adopt consistent best practices, emphasize governance, and leverage automation to maintain compliance. Proactive planning, alignment with international standards, and investment in scalable solutions will be critical for success.

As the compliance landscape evolves, staying informed and adaptable is not just a best practice—it’s a business imperative.