2025 Mid-Year Compliance Update for MSPs with a Focus on CMMC Level 2
CMMC Level 2 is now live—and many MSPs are getting burned by jumping in too fast. The mistake we’re seeing repeatedly: scoping too broadly, pulling the client’s entire environment into play, and driving up costs before requirements are clearly defined. Besides being expensive, it can damage trust and jeopardize the entire engagement.
We’re helping MSPs avoid that outcome.
The fix is a focused process: Scope → Gap → Roadmap.
It’s how our team is helping MSPs shrink project costs, simplify planning, and build confidence with Defense Industrial Base (DIB) clients.
Need help applying this approach to your CMMC strategy?
Schedule a 30-minute strategy call with Brian Blakley, Director of Compliance Services, to talk through your next steps. As we like to put it: Thinking CMMC? Think Compliance Scorecard.
What’s Now Enforced or Rapidly Approaching
These frameworks are already active or carry near-term deadlines. MSPs supporting regulated clients should be prioritizing them now.
CMMC 2.0: Level 2 Assessments Underway
The Department of Defense’s final rule is in effect, and certified third-party assessors (C3PAOs) have begun conducting Level 2 assessments.
What to know:
- Applies to organizations handling Controlled Unclassified Information (CUI)
- Requires implementation of all 110 NIST SP 800-171 controls
- Now: Voluntary assessments in progress
- December 2025: Mandatory for new contracts with the CMMC clause
- October 2026: Broad enforcement begins
Get the full picture: CMMC Compliance Guide: What MSPs Must Know in 2025
DORA: From Awareness to Implementation
The EU’s Digital Operational Resilience Act (DORA) took effect in January, and the regulatory focus has now shifted to daily execution. One area drawing particular attention is third-party ICT provider registers, which must be maintained at multiple organizational levels.
MSPs supporting financial clients in the EU should ensure visibility, documentation, and vendor controls are audit-ready.
Reading tip: DORA: What Every MSP Must Know About the Digital Operations Resilience Act
NIS2: Essential Entity Classifications Finalized
April marked a major milestone for the NIS2 Directive, as EU Member States submitted lists of organizations now subject to stricter cybersecurity standards. That includes many MSPs, cloud providers, and infrastructure operators.
Requirements now in effect include:
- Documented risk assessments
- Formal incident response plans
- Clear oversight of third-party risks
Read more: NIS2: An Overview for MSPs and How to Prepare Clients
Cyber Essentials v3.2: New Rules for UK Certifications
As of April 28, 2025, Cyber Essentials v3.2 is now the required version for all certifications and renewals.
Key updates include:
- Expanded scope (browser extensions and remote work considerations)
- Revised assessment language
- Clarified exclusions and IT boundary guidance
What’s Changing: Enforcement or Clarification Ahead
These frameworks are not yet fully enforced but are advancing quickly. MSPs should assess where clients stand now to avoid surprises later.
State Privacy Laws: More Enforcement, More Overlap
With 20+ state privacy laws now in effect, clients are facing increasing complexity—and higher expectations around transparency and consent.
Recent developments:
- Several state laws enacted in January are now being enforced
- Colorado expanded its definition of sensitive data to include precise geolocation, requiring explicit consent for its sale
- Upcoming effective dates: Tennessee, Minnesota, Maryland
While federal privacy efforts remain stalled, state-level enforcement is accelerating.
EU AI Act: First Provisions Are Now Active
The AI Act entered partial enforcement in February, with a ban on high-risk and manipulative AI use cases. Full compliance requirements for high-risk AI systems begin August 1, 2026.
MSPs involved in AI service delivery or support in the EU should begin reviewing system documentation and risk practices now.
Read more about AI policy: Federal AI Policy Update: Executive Orders Reshape Government AI Approach
Frameworks Holding Steady—but Still Enforced
Some frameworks remain unchanged this quarter, but MSPs should continue supporting clients through compliance activities and audits.
- HIPAA Security Rule: Proposed revisions still under review
- CIS Controls v8.1: Governance updates unchanged since January
- SOC 2: Still in demand, but no recent procedural changes
- Essential Eight: No updates since October 2024
- FTC Safeguards: Breach notification rules remain in effect
Tip: These frameworks are increasingly tied to cyber insurance evaluations. If your clients are being asked to prove compliance, we’ve outlined practical steps in our guide:
Making Clients Cyber Insurance Ready
Ready to Get Ahead of Compliance Deadlines?
Our platform supports every framework in this update—and our team works directly with MSPs to apply these updates across their client base.
Need help controlling CMMC costs or mapping your current client portfolio to new requirements? Book a 30-minute strategy call with Brian Blakley, Director of Compliance Services, and get expert support on your next move.