Regulatory News Every MSP Should Pay Attention to in 2025
Getting ahead of compliance requirements can give your business a real edge. Smart MSPs strategically use the lead time between announcement and audit dates. Build these requirements into your quarterly business reviews (QBRs) to develop a forward-looking strategy that spans 12-18 months.
Already a partner? Your Compliance Scorecard platform includes comprehensive, built-in support for all the frameworks covered below (and more). Talk to us about how to maximize your existing capabilities. New to Compliance Scorecard? Our proven 3-month Compliance Kickstart program gets you up and running quickly. Schedule a live demo to see how we help MSPs like you start generating revenue by simplifying compliance.
CMMC Reaches Beyond Defense Contractors to MSPs
Think you're not a target because you don't work directly with defense contracts? Think again. Any connection to the defense industrial base (DIB), no matter how small, puts you at risk.
The Cybersecurity Maturity Model Certification (CMMC) framework protects the Department of Defense (DoD) supply chain. Soon, it won't just affect prime contractors — if you're anywhere in the supply chain, including several tiers removed, your MSP may need to comply.
Key Deadlines:
- Mid-2025: CMMC requirements begin appearing in new DoD contracts
- Oct. 1, 2026: Full implementation required across all contracts, including MSPs, MSSPs, and supply chain partners
Reading tip: CMMC Compliance Guide for MSPs: What You Need to Know in 2025
DORA Mandates New Standards for EU Financial Firms
The Digital Operational Resilience Act (DORA) went into effect on Jan 17, 2025. Since that date, financial entities in the European Union (EU) must comply with this complex framework aimed at improving operational resilience.
Learn more: DORA: What MSPs Must Know About the Digital Operations Resilience Act
NIS2 Reshapes MSP Security Requirements
The Network and Information Systems Directive 2 (NIS2) is being fully implemented across the European Union in 2025. Organizations classified as “essential” or “important” under the directive must comply with stricter cybersecurity standards, including:
- Robust risk management
- Incident response plans
- Enhanced security measures to protect critical infrastructure against cyber threats
The directive's enforcement began on Oct. 18, 2024, with compliance reporting deadlines set for April 2025.
Make sure to read: NIS2: An Overview of What’s Coming and How to Prepare Your Clients
CIS 8.1 Expands Security Controls with Governance Focus
The Center for Internet Security (CIS) has enhanced its Critical Security Controls framework for 2025. Version 8.1 builds on its predecessor by adding a crucial governance function and refining key elements to address today's cybersecurity challenges.
Key Updates in CIS v8.1:
- Governance Focus: New safeguards help organizations better manage and oversee their cybersecurity practices
- Updated Asset Classes: “Documentation” joins as a new asset type, covering essential plans, policies, and procedures
- Enhanced Definitions: A clearer glossary better defines critical terms like “sensitive data” and “process”
- NIST CSF Alignment: Seamless integration with the latest NIST Cybersecurity Framework makes it easier to work across standards
Get all the details: Updated CIS Controls Includes Governance
HIPAA Security Rule Set for Major Cybersecurity Update
The U.S. Department of Health and Human Services (HHS) proposed significant updates to the HIPAA Security Rule on Dec. 27, 2024 — the first major revision since 2013. This update aims to strengthen cybersecurity protections for electronic protected health information (ePHI) in response to escalating threats to the healthcare sector.
The proposed changes align with broader federal cybersecurity initiatives, including the National Cybersecurity Strategy and HHS's Healthcare Sector Cybersecurity framework. They will affect both covered entities (health plans, healthcare clearinghouses, and most healthcare providers) and their business associates, including MSPs.
Stay tuned for guidance on implementing these changes once they're finalized.
Cyber Essentials 3.2 Targets Modern Security Challenges
The UK's Cyber Essentials is rolling out version 3.2 in April 2025, bringing important updates that reflect today's evolving security landscape. For MSPs, maintaining this certification demonstrates your security expertise while opening doors to government contracts and building client trust.
Key Updates in Version 3.2:
- Enhanced Remote Work Security: New standards address security beyond home offices, including public networks at cafes and hotels
- Modern Authentication: Official support for passwordless authentication methods, including biometrics, security keys, and push notifications
- Broader Security Coverage: “Vulnerability fixes” replaces “patches and updates” to include all types of security remediations
- Refined Assessment Process: Clearer guidelines for certification scope and documentation requirements
Organizations starting their assessment before April 2025 will continue under version 3.1 standards. Plan your certification or renewal timeline accordingly to align with these new requirements.
Australian Essential Eight: Building Your Security Foundation
While the Essential Eight framework isn't deadline-driven, it's becoming the de facto security standard for Australian organizations. The Australian Cyber Security Centre (ACSC) actively promotes these security controls as fundamental protection against cyber threats.
The framework's value extends beyond Australian compliance — implementing Essential Eight controls creates a strong foundation that aligns with many other security frameworks. This makes it an efficient starting point for building a comprehensive security program.
Read more: Monetizing Essential Eight: How MSPs Can Boost Revenue with Compliance Services
SOC 2: Proving Your Security Promise
SOC 2 attestation shows clients you take security seriously. Through independent audits, it verifies your security controls are well-designed, operational, and effective — essential proof for clients trusting you with their sensitive data.
This attestation delivers real business value:
- Many potential clients now require SOC 2 compliance before considering an MSP partnership
- A SOC 2 Type 2 attestation gives you a competitive edge in the market
- Certain regulated industries specifically mandate working with SOC 2 attested providers
Earning a SOC 2 Type 2 attestation may seem daunting, but having clear documentation and processes in place makes the journey easier.
New State Privacy Laws Add to Compliance Demands
Privacy regulations continue to evolve rapidly at the state level in 2025. Twenty states now have comprehensive privacy laws, with several recently enacted:
- Delaware, Iowa, Nebraska, and New Hampshire: Effective since Jan. 1
- New Jersey's Data Privacy Act: In effect as of Jan. 15
- Florida's Digital Bill of Rights introduces a notable $1 billion revenue threshold
- Tennessee, Minnesota, and Maryland laws will roll out later this year
Meanwhile, California continues to lead with new privacy regulations under review. Companies must stay current with privacy notice requirements across multiple jurisdictions.
At the federal level, comprehensive privacy legislation remains stalled, and FTC rulemaking on commercial surveillance and data security is expected to slow under the new administration.
Don’t miss: New State Privacy Laws Raise Stakes for MSPs
Europe's AI Act Sets New Technology Standards
The European Union's AI Act, in force since Aug. 1, 2024, introduces a risk-based framework for artificial intelligence regulation. The requirements will phase in gradually based on application type, giving organizations time to adapt their AI systems to meet compliance standards.
This regulation affects organizations using or developing AI systems that operate in or impact the European market. Start assessing your AI implementations now to ensure compliance as requirements take effect.
FTC Safeguards Rule Expands Breach Reporting
As of May 2024, the FTC Safeguards Rule requires financial institutions to report significant data breaches. The 30-day reporting requirement applies when:
- 500 or more customers are affected
- Data is accessed without authorization, regardless of encryption status
Reports must detail the number of affected customers and the types of compromised data. All reports must be submitted through the FTC's online portal. Maintain clear documentation and reporting procedures to ensure compliance with these requirements.
Transform Requirements into Revenue
These frameworks represent real opportunities for MSPs who can help clients navigate them effectively. Compliance Scorecard gives you the tools and guidance to do exactly that — turning complex requirements into profitable services that set you apart.
Ready to take action? Current partners, reach out if you want our help to maximize your existing capabilities. New to Compliance Scorecard? Make sure to schedule a live demo and learn how we're helping hundreds of MSPs just like yours build stronger, more profitable businesses.