Regulatory News Q3: Here’s What MSPs Should Prioritize

Q3 of 2025 proves it yet again: Compliance requirements are tightening, and MSPs are in the middle of the action. We’ve distilled the latest regulatory developments into quick reads with practical steps so you can decide what matters, what’s urgent, and what to prioritize first.

CALIFORNIA — Risk Assessments, Audits, and the (Not-So) Invisible Hand of Automation

What’s new: On July 24, 2025, California’s Privacy Protection Agency approved a sweeping new rules package under the CCPA. It covers three big areas: mandatory risk assessments, transparency requirements for automated decision-making technology (ADMT), and annual cybersecurity audits for larger businesses.

Why it matters: The rules never say “AI,” but they might as well. Any use of automation in significant decisions — lending, hiring, healthcare access, etc. — is now in scope. Even routine practices like targeted advertising may trigger new risk assessment requirements. For MSPs, that means clients across industries (not just finance and healthcare) will be asking for structure, documentation, and repeatable compliance processes.

Deadlines:

  • Risk assessments: Effective Jan 1, 2026, with a grace period until Dec 31, 2027, for existing activities.
  • ADMT rules: Effective Jan 1, 2027.
  • Cybersecurity audits: First reports due starting Apr 1, 2028 (later for smaller businesses).

Reality check: Forget promises of good behavior; California regulators are asking for receipts. Programs must be documented, implemented, and maintained as daily operations, not binder-on-the-shelf policies.

MSP action items:

  • Identify clients likely to cross revenue/data thresholds.
  • Build playbooks for risk assessments and audit prep.
  • Position yourself now, before the 2027–28 crunch hits.

Insight: California often sets the tone nationally. Expect other states (and maybe Congress) to follow this “prove it or lose it” model.

CMMC 2.0 — It’s Real This Time (Seriously)

What’s new: After years of drafts and delays, the 48 CFR CMMC final rule officially landed in the Federal Register on Sept. 10, 2025. It takes effect on November 10, 2025. That date launches Phase 1 of the CMMC rollout, which means all new DoD solicitations and contracts will include some level of CMMC requirement.

Why it matters: CMMC is no longer “coming soon.” From November forward, contracting officers are required to bake it into solicitations. And it won’t always be the easy path of Level 1 self-attestation, as many contracts will expect Level 2 certification through a Certified Third-Party Assessment Organization (C3PAO). For MSPs supporting defense contractors, this is the line in the sand.

Timeline:

  • Sep 10, 2025: Rule published in the Federal Register.
  • Nov 10, 2025: Rule becomes effective; Phase 1 rollout begins.
  • All new DoD contracts will include CMMC requirements (Level 1 self-assessment or Level 2 self-/third-party assessment).

Reality check: November might feel “a couple of months away,” but certification prep takes much longer. If your clients are waiting until the ink is dry on a contract, they’re already behind.

MSP action items:

  • Audit readiness now against NIST SP 800-171 requirements.
  • Map client exposure to Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
  • Start third-party assessment prep early, as scheduling C3PAOs gets harder once demand spikes this fall.

Insight: November marks the moment CMMC becomes a gatekeeper. For MSPs, preparation turns compliance into both protection and opportunity.

TEXAS — Cyber Safe Harbor or Cyber Mirage? SB 2610 Explained

What’s new: Effective September 1, 2025, Texas SB 2610 gives small businesses a safe harbor: if they follow specific cybersecurity frameworks, they can avoid punitive damages in data breach lawsuits.

The fine print:

  • 20–99 employees → Must align with CIS Controls IG1.
  • 100–249 employees → Must align with the NIST Cybersecurity Framework 2.0.
  • Other regulatory frameworks (HIPAA, PCI DSS) help, but mapping is still required.

Why it matters: This is one of the first state laws to turn frameworks into a legal shield. For MSPs with Texas clients, Texas SB 2610 ties safe harbor to courtroom-defensible evidence that frameworks are in place and working.

Reality check: “Safe harbor” sounds cozy, but Texas requires proof the ship can actually sail. Programs must be documented, implemented, and actively maintained — no paper policies collecting dust.

MSP action items:

  • Run framework gap checks for Texas clients in the 20–249 employee range.
  • Document, document, document (SSPs, asset inventories, logs, patching).
  • Verify daily operations align with chosen frameworks.

Insight: If this works in Texas, expect copycat bills. Compliance may soon come with a carrot (legal protection) as well as a stick.

CANADA — CAN/CIOSC 104 Gets an Upgrade

What’s new: Canada’s baseline cybersecurity standard for SMEs, CAN/CIOSC 104, rolled out a revised edition in December 2024 and put it into force in June 2025. From here on, every CyberSecure Canada certification will be measured against this update, which spells out up to 55 essential controls.

Why it matters: Certification under CyberSecure Canada is becoming a badge of credibility. Clients that don’t keep pace with the new controls risk stumbling in audits and eroding customer trust. For MSPs, it’s another reason to keep clients’ programs tuned up and audit-ready.

Timeline: The revision is already in effect. Any new certifications or recertifications are using the updated controls.

Reality check: The refresh tightened Level 2 requirements in places like training, incident response, backups, and cloud security. That means last year’s “good enough” playbook may already be out of date.

MSP action items:

  • Cross-check client controls against the revised CAN/CIOSC 104.
  • Tune up incident response and cloud oversight processes.
  • Keep documentation sharp — CyberSecure Canada auditors will ask to see it.

Insight: Think of CAN/CIOSC 104 as Canada’s way of saying “prove it.” MSPs who help clients show their work strengthen both certification outcomes and customer trust.

Wrapping It Up

California is raising the bar on privacy and audits. The DoD is finally enforcing CMMC. Texas is experimenting with safe harbors.

A common thread? Compliance is turning into a show-me game. Regulators want evidence, not intentions, and the organizations that can produce it will keep contracts, avoid penalties, and build trust.

Compliance Scorecard gives MSPs the tools to collect, organize, and present that evidence, whether you’re preparing for audits, serving regulated clients, or scaling your compliance services.

See how Compliance Scorecard can help you deliver compliance at scale. Book a live demo today.
