As digital threats evolve, governments worldwide are implementing new cybersecurity laws to enhance resilience against attacks and protect sensitive data. In 2025, several key regulations are coming into effect, each with significant implications for businesses, critical infrastructure, and digital product manufacturers. Here’s a breakdown of the major cybersecurity laws to watch this year.
1. Digital Operational Resilience Act (DORA) – European Union
Effective Date: January 17, 2025
Overview: DORA establishes a robust regulatory framework to ensure that financial entities can withstand, respond to, and recover from ICT-related disruptions and threats. It emphasizes the importance of operational resilience in the financial sector.
Key Requirements:
Conduct regular risk assessments.
Implement comprehensive cybersecurity measures.
Maintain third-party risk management frameworks.
Impact: Financial institutions operating in the EU must invest in robust ICT systems and adhere to strict reporting and resilience requirements.
2. Cyber Resilience Act (CRA) – European Union
Effective Date: Preparations in 2025; full enforcement by December 2027
Overview: The CRA focuses on products with digital elements, such as software and hardware, ensuring they are secure by design and remain secure throughout their lifecycle.
Key Requirements:
Manufacturers must provide security updates and address vulnerabilities.
Develop products that meet standardized cybersecurity requirements.
Exemptions for non-commercial open-source software developers.
Impact: This law mandates a shift toward proactive cybersecurity, placing greater responsibility on manufacturers to secure digital products before they reach consumers.
3. Cyber Security and Resilience Bill – United Kingdom
Proposed Implementation: Ongoing updates starting in 2025
Overview: This bill seeks to enhance the UK’s cybersecurity posture by modernizing existing regulations and addressing emerging threats.
Key Objectives:
Strengthen protections for critical infrastructure.
Expand reporting obligations for cyber incidents.
Empower regulators to mitigate vulnerabilities proactively.
Impact: Organizations in critical sectors will face stricter compliance obligations, requiring significant investments in cybersecurity capabilities.
4. Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) – United States
Implementation Timeline: Key provisions to be enforced by 2025
Overview: CIRCIA mandates that critical infrastructure entities report significant cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA).
Key Requirements:
Report substantial cyber incidents within 72 hours.
Provide follow-up reports detailing mitigation efforts.
Participate in federal efforts to enhance cyber resilience.
Impact: This law will improve visibility into nationwide cyber threats but requires critical infrastructure entities to enhance their incident response capabilities.
5. Myanmar Cybersecurity Law – Myanmar
Effective Date: January 2025
Overview: Myanmar's new cybersecurity law increases government control over internet usage and information flow. It targets communication methods like VPNs and requires digital platform providers to comply with strict content and data controls to prevent the spread of "disinformation" and "rumors."
Key Requirements:
Prohibition of unauthorized VPN usage.
Compliance with content regulations for digital platforms.
Severe penalties for non-compliance, including fines, suspensions, and blacklisting.
Impact: Businesses and individuals face stringent restrictions on internet usage, potentially limiting operational flexibility and privacy.
6. Personal Data Protection Law (PDPL) – Vietnam
Effective Date: January 1, 2026 (anticipated)
Overview: Vietnam's PDPL establishes a unified and enhanced framework for personal data protection, consolidating existing rules to improve compliance and data handling standards.
Key Requirements:
Comprehensive personal data processing rules.
Stricter requirements for obtaining and managing consent.
Enhanced data security and breach reporting mechanisms.
Impact: Companies operating in Vietnam must reassess and update their data protection strategies to ensure compliance by 2026.
7. Cloud Systems Cybersecurity Standards – Thailand
Effective Date: September 2026
Overview: Thailand’s National Cybersecurity Agency has mandated new standards for cloud systems, focusing on data localization and security measures for high-impact data.
Key Requirements:
Primary data centers for high-impact data must be located in Thailand.
Backup data centers must be in Thailand, Southeast Asia, or Hong Kong.
Compliance with enhanced cybersecurity standards for cloud systems.
Impact: Companies utilizing cloud services in Thailand must adjust their data storage and security practices to meet localization and regulatory requirements.
Summary
| Law / Regulation | Region | Effective Date | Overview | Key Requirements | Impact |
|---|---|---|---|---|---|
| Digital Operational Resilience Act (DORA) | EU | Jan. 17, 2025 | Ensures financial entities withstand, respond to, and recover from ICT-related disruptions and threats, emphasizing operational resilience. | Conduct risk assessments; implement cybersecurity measures; maintain third-party risk management frameworks. | Financial institutions must invest in robust ICT systems and adhere to strict reporting and resilience requirements. |
| Cyber Resilience Act (CRA) | EU | Preparations in 2025; enforcement by 2027 | Focuses on ensuring software and hardware security by design and throughout the lifecycle. | Manufacturers must provide updates, address vulnerabilities, and meet standardized requirements; exemptions for non-commercial open-source developers. | Proactive cybersecurity measures required, increasing manufacturers’ responsibility for secure products before consumer use. |
| Cyber Security and Resilience Bill | UK | Ongoing updates starting in 2025 | Modernizes existing regulations to address emerging cybersecurity threats. | Strengthen critical infrastructure protections; expand cyber incident reporting; empower regulators to mitigate vulnerabilities. | Organizations in critical sectors must meet stricter compliance obligations, requiring significant investments in cybersecurity. |
| Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) | US | Key provisions by 2025 | Requires critical infrastructure entities to report significant cyber incidents to CISA. | Report incidents within 72 hours; follow up with mitigation reports; participate in federal cyber resilience efforts. | Improves visibility into nationwide cyber threats but requires enhanced incident response capabilities for critical infrastructure entities. |
| Myanmar Cybersecurity Law | Myanmar | Jan. 2025 | Increases government control over internet usage, targeting VPNs and mandating compliance with content regulations to curb disinformation. | Prohibition of unauthorized VPN use; content regulation compliance; severe penalties for non-compliance. | Restricts internet use, limiting operational flexibility and privacy for businesses and individuals. |
| Personal Data Protection Law (PDPL) | Vietnam | Jan. 1, 2026 (anticipated) | Establishes a unified framework for personal data protection, consolidating existing rules for improved compliance and data handling. | Enforce personal data processing rules; stricter consent management; enhanced data security and breach reporting. | Companies must update data protection strategies to meet compliance standards by 2026. |
| Cloud Systems Cybersecurity Standards | Thailand | Sept. 2026 | Mandates data localization and enhanced security for high-impact data in cloud systems. | Primary data centers must be in Thailand; backups allowed in Thailand, Southeast Asia, or Hong Kong; comply with new standards. | Companies using cloud services in Thailand must adjust data storage and security to meet localization and regulatory requirements. |
What These Laws Mean for Businesses
As cybersecurity regulations tighten globally, businesses must:
Evaluate Compliance: Identify which laws apply based on operational regions and sectors.
Enhance Cybersecurity Measures: Implement comprehensive security protocols and conduct regular risk assessments.
Invest in Training: Educate employees on cybersecurity best practices and compliance obligations.
Strengthen Incident Response Plans: Ensure readiness to report and mitigate cyber incidents effectively.
What These Laws Mean for Consumers
For individuals, these regulations aim to:
Enhance the security of digital products and services.
Reduce vulnerabilities in critical infrastructure.
Improve transparency around cyber incidents and the measures taken to address them.
Conclusion
The cybersecurity landscape in 2025 is defined by increased regulation and accountability. Businesses must act proactively to ensure compliance, while consumers can look forward to a safer digital environment. By aligning with these new laws, organizations not only protect themselves from regulatory penalties but also build trust with customers and stakeholders.
As the global focus on cybersecurity intensifies, staying informed and prepared is more critical than ever.
Disclosures
The content provided in this article is intended for informational purposes only and should not be construed as legal advice or a substitute for consulting with a licensed attorney. While we strive to provide accurate and current information, laws and regulations are subject to change, and there is no guarantee that the information contained herein is up to date or applicable to your specific situation. We recommend seeking professional legal counsel for any legal matters. This article does not create an attorney-client relationship between the reader and the law firm. For personalized advice, please contact our office directly: info@omnianlegal.com