Regulatory and Compliance Landscape of 2025: AI, Privacy, and Regulatory Updates
Looking ahead into 2025, CISOs and security leaders expect a significant transformation of the regulatory and compliance landscape. The critical regulatory trends will focus on unified U.S. privacy laws, AI regulations, enhanced cybersecurity standards, and regulatory updates. These changes are driven by the ever-evolving cybersecurity landscape worldwide and the increasing frequency and sophistication of cyber threats.
Moving toward 2025, organizations need to adopt proactive compliance strategies, leverage advanced technologies, and prioritize risk management to maintain resilience and competitive advantage.
This blog explores the 2025 regulatory and compliance landscape and provides actionable insights to help organizations effectively navigate these challenges.
All PCI DSS 4.0 Requirements Will Come into Effect
March 2024 marked the first major update of PCI DSS in over a decade, and 2025 is the year when all new requirements of PCI DSS v4.0 come into effect. The initial phase of PCI DSS 4.0 set the agenda for 2024 and entailed 13 new requirements, including planning, defining the PCI assessment scope, assigning responsibilities, conducting assessments, and identifying and remediating gaps.
In 2025, organizations must ensure compliance with the PCI technical requirements, which place significant emphasis on managing non-human identities (NHIs). PCI DSS 4.0 requirements such as restricting access based on business need and least privilege (requirement 7) and managing accounts with interactive login capabilities (requirement 8) highlight the need for comprehensive identity management strategies. Among the other important PCI DSS 4.0 requirements are:
- stringent password requirements with a focus on MFA;
- more in-depth security risk assessments;
- expanded encryption requirements that include magnetic stripe data, chip data, card verification codes, and PINs;
- robust requirements for API security;
- new ownership and role requirements.
Read PCI DSS 4.0 Updates: All You Need to Know to refresh your knowledge of PCI DSS 4.0 requirements. Organizations must begin addressing these challenges now, especially with mandatory PCI DSS 4.0 compliance requirements coming into effect in March of 2025.
CMMC Level 1 & 2 Self-Assessments Required for Contracts in 2025
In 2025, all companies working with the Department of Defense (DoD) will need to work towards compliance with CMMC 2.0, the latest version of the Cybersecurity Maturity Model Certification. This certification is critical for safeguarding Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) on Defense Industrial Base (DIB) networks. The CMMC 2.0 Final Rule came into effect on December 16, 2024. From that time, the CMMC program has required one of three levels of cybersecurity requirements for defense contracts, depending on the sensitivity of the information the contractor handles.
CMMC Level 1 and Level 2 self-assessments
For DoD contractors, 2025 will mark the requirement to achieve a CMMC Level 1 or CMMC Level 2 self-assessment as a condition for contract awards. These self-assessed statuses will then be prerequisites for CMMC Level 2 third-party assessments (performed by a C3PAO).
For CMMC Level 1, every organization with the FAR 52.204-21 requirements in their contracts has to:
- Be evaluated against the corresponding NIST SP 800-171A assessment objectives per Table 1 in §170.15(c)(1)(ii).
- Conduct a CMMC Level 1 self-assessment to determine their conformity.
- Submit an annual self-affirmation of the organization’s 100% (!) compliance with the FAR 52.204-21 security requirements to DoD’s Supplier Performance Risk System (SPRS) (cf. §170.22, Affirmation).
For CMMC Level 2, every organization with DFARS Clause 252.204-7021 requirements in their contracts is obligated to:
- Conduct an annual CMMC Level 2 Self-Assessment to determine their conformity to protect CUI.
- Submit an annual self-affirmation of the organization’s compliance with the NIST SP 800-171 security requirements to SPRS (as per CMMC §170.22, Affirmation).
Failure to meet CMMC Level 1 and Level 2 compliance in 2025 will mean contractual penalties for an organization. Additionally, the organization will not be eligible for new contracts requiring CMMC Level 1 or higher until it successfully completes a valid self-assessment.
Complicated CMMC requirements often appear to be an unbearable burden for organizations, especially for small and medium-sized businesses. This complexity pushes more and more SMBs to transition from legacy systems to cloud-based solutions as a simpler, more cost-effective path to CMMC compliance. Most cloud-based solutions come with built-in security controls that simplify the CMMC compliance process, helping SMBs in the defense industrial base dramatically reduce both the complexity and cost of achieving and maintaining CMMC certification.
2025 is the Transition Year to ISO 27001:2022
If your business is ISO 27001 certified or considering certification, you need to be aware of the critical updates introduced in the new version of the standard, set back in 2021. The International Organization for Standardization (ISO) has set a deadline: businesses must transition to ISO 27001:2022 by October 2025. To achieve ISO 27001 certification within the established deadline, you must understand the standard’s requirements and implement them effectively. In short, the ISO 27001 certification requirements include:
- understanding the risks the information assets face;
- taking steps to protect the information assets;
- having a plan of action in case a security breach happens, and
- identifying individuals responsible for each step of the information security process.
Failing to transition to ISO 27001:2022 by October 2025 means your current certification will expire. This could have far-reaching consequences for your business:
- Loss of customer trust and damage to reputation.
- Increased vulnerability and inability to protect your business from new and emerging risks.
- An expired certification could put your business at risk of non-compliance, leading to fines and legal action.
Failing to obtain ISO 27001 certification by 2025 could have serious consequences for an organization. Many clients and partners expect this certification as proof of strong data security practices, so missing it might result in lost contracts and reduced trust. Additionally, the organization could be more vulnerable to cyber threats, regulatory fines, and reputational damage. Over time, the lack of certification could lead to higher long-term costs and increased business risk.
See how Planet 9 can help you achieve your ISO 27001 certification.
Parade of U.S. State Privacy Laws and ADPPA Uncertainties
The 2025 regulatory and compliance landscape opens with a parade of U.S. state privacy laws, with five new laws taking effect early in the year. Delaware, Iowa, Nebraska, and New Hampshire will enforce their privacy laws starting January 1, 2025, followed by New Jersey on January 15. These regulations add to an already complex data privacy and security landscape shaped by California’s pioneering data privacy law and similar regulations in Connecticut, Colorado, Utah, Indiana, Tennessee, Oregon, Montana, Texas, and Florida. Seven other states, including Maine, Michigan, and New York, have enacted narrower privacy laws, while legislation is pending in several others.
The fragmented approach to data privacy creates compliance challenges for businesses operating across multiple states. That is why a bipartisan draft bill titled the American Data Privacy and Protection Act (ADPPA) was released on June 3, 2022. ADPPA is expected to standardize data protection regulations across the U.S., addressing inconsistencies between state-level privacy laws. The ADPPA will protect sensitive personal information, including financial data, health records, biometrics, geolocation, and social security numbers. It will also introduce specific protections for children and minors. Additionally, it seeks to align U.S. data security practices with global standards like GDPR and PIPEDA.
As of now, ADPPA has not been enacted, and no official effective date has been announced. The legislative process has experienced delays. If the bill passes the House and Senate, the U.S. could have a federal data privacy law in 2025. Thus, organizations should stay informed about both federal and state-level developments to ensure compliance with applicable data privacy regulations in the near future.
Read more about ADPPA - the draft federal privacy law.
AI Use and Accountability in 2025 Regulatory and Compliance Landscape
Currently, there is no comprehensive U.S. federal legislation specifically regulating artificial intelligence (AI) and Generative AI. This delay contrasts with more stringent regulatory frameworks like the European Union's AI Act and stems from concerns that overly prescriptive AI regulations could hinder innovation and global harmonization efforts. However, significant steps have already been taken to address AI's development and deployment through executive actions and state-level initiatives:
- Executive Order on 'Safe, Secure, and Trustworthy Development and Use of AI,' issued on October 30, 2023. The order emphasizes the safe, secure, and trustworthy development of AI. This directive outlines principles to guide AI's responsible use, including safety, security, and transparency measures.
- Blueprint for an AI Bill of Rights framework to protect individuals from potential harms associated with AI technologies, focusing on principles like data privacy, algorithmic discrimination protections, and user rights.
- Federal AI Risk Management Act of 2023 directs federal agencies to adopt the Artificial Intelligence Risk Management Framework developed by the National Institute of Standards and Technology (NIST) to ensure consistent AI risk management practices across federal entities.
- Several leading AI companies, including Adobe, Amazon, Anthropic, Cohere, Google, IBM, Inflection, Meta, Microsoft, Nvidia, OpenAI, Palantir, Salesforce, and Scale AI, have voluntarily committed to "help move toward safe, secure, and transparent development of AI technology." These companies are committed to security testing of AI systems before release and to sharing information on managing AI risks.
- Colorado's comprehensive AI legislation requires developers and deployers of high-risk AI systems to exercise reasonable care to prevent algorithmic discrimination and mandates disclosures to consumers.
Ethical considerations
While comprehensive federal AI legislation remains pending, the combination of executive actions, state laws, and ongoing legislative efforts indicates a growing commitment to establishing a cohesive AI governance framework in the U.S. Organizations should monitor both federal and state developments to navigate the evolving AI regulatory landscape in 2025. At the same time, organizations should define internal ethical principles for AI and GenAI usage:
- adhere to established security protocols, including robust data encryption, stringent access controls, and regular security audits;
- ensure GenAI tools comply with relevant regulations such as GDPR, HIPAA, intellectual property laws, and industry-specific standards;
- evaluate AI tools for potential vulnerabilities and ensure they integrate securely with existing systems, protecting data integrity and privacy;
- comply with any use restrictions imposed by the GenAI tool being used (e.g., OpenAI’s Usage Policies, StabilityAI’s Prohibited Uses, etc.);
- focus on data privacy and security, ensuring that user data and sensitive information are handled responsibly and securely.
Wrapping Up
The regulatory updates are essential to keep pace with ever-evolving cybersecurity threats and innovations. However, navigating these changes requires expertise, resources, and a clear understanding of the evolving regulatory landscape. For SMBs, collaborating with third-party security and compliance services, such as Planet 9, can be the key to addressing these challenges efficiently and effectively.
Don’t let the intricate demands of the 2025 regulatory and compliance landscape negatively impact your organization. Book a free consultation or contact the Planet 9 team for help to achieve your security and compliance goals in 2025. We’ll be happy to assist!