2025 predictions: Regulations
As the world continues to grapple with increasing cybersecurity threats and the rapid evolution of technology, regulatory landscapes are shifting dramatically.
The year 2025 is shaping up to be a pivotal year, with regions like the European Union (EU) leading the charge with comprehensive frameworks such as NIS2, DORA, the Cyber Resilience Act (CRA), and the Product Liability Directive (PLD). At the same time, the United States seems poised to take a contrasting approach, favoring deregulation to maintain competitive advantages.
From navigating conflicting compliance demands across regions to preparing for the increased scrutiny of software supply chains, businesses will need to adapt quickly to meet these challenges head-on. Let's dive into our experts' predictions.
Predictions
Evolving cyber regulations and global impact
"The gulf in regulatory demands in the US and the EU will widen in 2025. We're seeing the EU bring in strict regulatory controls in the form of the AI Act, NIS2, DORA, the CRA and the PLD. The US will in all likelihood push for further deregulation to maintain its edge against global competition. This could cause tension for global businesses, as board members will be asking their teams to balance vastly different compliance challenges across different regions. Expect businesses to prize flexibility and future-proofing as they look to solve compliance challenges in 2025." — Ilkka Turunen, Chief Field Technology Officer
EU regulations will influence US companies to change their cybersecurity practices
"As organizations operate on a global scale, the changing regulatory landscape will transform how they engage with open source next year. With EU policies driving an increased focus on software integrity and security, US businesses will need to ensure their open source components meet the new standards or risk facing significant financial penalties and reputational damage. Regardless of regulatory requirements in the United States, the stricter scrutiny and rising demand for greater transparency across the pond will force US organizations to adopt more detailed Software Bills of Materials (SBOMs) and clearer vulnerability reporting of their open source projects." — Brian Fox, Co-founder and CTO
The compliance push in software supply chains
"For the first time since GDPR, compliance will overtake innovation as the key driver of technological change in enterprises. The EU is bringing a whole host of developments, from the CRA, which mandates strict cybersecurity practices throughout a product's lifecycle, to the PLD, which holds software providers liable for product defects. Expect to see these steps mirrored in other regions to a greater or lesser extent. Savvy businesses will be on the front foot, proactively taking steps to meet these compliance challenges. Those that don't will have to spend even more resources to catch up. Whichever approach is taken, compliance will again be a chief concern — not just for specialists and product managers, but for the board as well." — Ilkka Turunen, Chief Field Technology Officer
Preparing for a new era of cyber regulations
The regulatory landscape in 2025 will redefine how businesses approach cybersecurity and software development. While the EU sets a high bar for compliance with sweeping reforms, US organizations operating globally will face mounting pressure to align with these standards.
Proactive companies will embrace this as an opportunity to enhance their practices, from adopting detailed SBOMs to implementing robust vulnerability management systems. Compliance will no longer be a back-office concern — it will become a boardroom priority.
The question for businesses is not whether to prepare for these shifts — it's whether they can afford not to. Stay tuned for the next post in our series, where we'll explore how evolving technologies are transforming software supply chains in 2025.
Written by Aaron Linskens
Aaron is a technical writer on Sonatype's Marketing team. He works at a crossroads of technical writing, developer advocacy, software development, and open source. He aims to get developers and non-technical collaborators to work well together via experimentation, feedback, and iteration so they can build the right software.