
Regulation Predictions: From NIS2 and DORA to AI


For the next part of our look at the predictions that were amassed in the SC UK inbox, it’s the more general subject of regulation.

I’ve long made the argument that it is the combination of governance, risk and compliance that drives businesses forward and keeps their security on track. If you know what you have, you know what is at risk, and you remain within the boundaries of compliance, then you’re probably OK.

Yes, I realise there is more to GRC than that, but with frameworks like ISO 27001, GDPR, PCI DSS, and now NIS2 and DORA shaping the way businesses work, it’s no surprise that this would be a major trend.

Busiest Year

Looking at the predictions we received, comments from Beyond Blue claimed that “2025 will be the busiest year on record for a growing number of regulated firms.” That’s probably true, considering the recent introduction of European frameworks, and David Ferbrache, managing director at Beyond Blue, said this is leading “many critical infrastructure providers to review their security and resilience posture in 2025 as national regulations become clearer.”

On top of NIS2 and DORA, Ferbrache also pointed out that the EU Cyber Resilience regulation came into force on the 23rd October 2024, while the first set of EU AI regulations will come into force in February 2025, prohibiting use of AI systems which pose unacceptable risks.

There is also the UK government’s Cyber Security and Resilience bill, which will be tabled in Parliament amid growing concern over a state cyber attack. We also wait to see the final form of the Digital Information and Smart Data bill, with its promised modernisation and strengthening of the Information Commissioner’s Office.

“Globally it seems to be open season on cyber regulation with nations worldwide strengthening their critical infrastructure protection, developing their concept of national sovereignty in cyberspace and worrying about protection of their information space and the hearts and minds of their citizens,” Ferbrache said.

Beyond Blue also pointed out that global companies will face the “daunting task of adopting cyber security policies that can cater to the diverse requirements in varying regions, such as the EU, US, Asia, and the Far East.”

First Penalty?

Andre Troskie, EMEA field CISO at Veeam, also believes that security leaders will continue to wrestle with regulation in 2025, but he believes the first major NIS2 penalty will be the biggest story.

After national regulators give organisations time to become compliant, we can expect to see the first big statement fine for noncompliance towards the end of next year.

“We saw this with Google in 2019, a year after the GDPR came into effect,” Troskie said. “National regulators will want to set a precedent and show they mean business. They’ve got the regulation in place, so they will want to show they’re not afraid to swing the hammer for noncompliance.”

On other regulatory fronts, Dr. Aleksandr Yampolskiy, co-founder and CEO of SecurityScorecard, believes that regulatory pressures will intensify, with potential software bans on the horizon.

He said this will require both organisations and their suppliers to follow enhanced safety standards. “Some software, including open-source programs with known security flaws, may face outright bans,” he said.

“These regulations will make organisations responsible for thoroughly evaluating their software selections and supplier partnerships as governments take steps to protect critical infrastructure and reduce system vulnerabilities.”

So is the current level of compliance enough to keep businesses on the straight and narrow? Grant Bourzikas, chief security officer at Cloudflare, took an opposing view, claiming that much of today’s regulatory effort is “ineffective and not focused on the most critical aspects of security controls.”

He claimed that regulators still fail to recognise what will make the biggest difference in moving the needle towards immutable infrastructure.

Undoubtedly some will say that regulation is too harsh and impossible for businesses to meet, while others will say that the rules do not go far enough. Since every organisation is different, the same regulations will be harder for some to meet than for others.

As I’ve been told many times, if you’re doing the best you can and an auditor agrees and approves you, you’re probably in good stead - until the next regulation comes along.



Dan Raywood, Senior Editor, SC Media UK

Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.

Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.
