Compliance
NHS DSPT
NHS DTAC
GDPR
December 19, 2024

A Look Ahead: Key Compliance Updates for 2025

Written by
The Naq Team

Emerging technologies, the rapid adoption of AI, and a heightened focus on supply chain resilience are driving significant changes to regulatory frameworks in 2025. In the UK, the spotlight is on critical national infrastructure and data interoperability, while the EU is steering its efforts toward consumer protection and harmonised cybersecurity requirements.

These shifts present opportunities to enhance security, efficiency, and trust. However, they also bring new challenges, particularly for organisations grappling with fragmented systems, regulatory ambiguities, and complex supply chains. 

Let's explore the key regulations and standards set to shape compliance in 2025, what they mean for organisations, and how businesses can prepare.

Data (Use and Access) Bill

The Data (Use and Access) Bill is set to change how data is shared and used across sectors, particularly healthcare and public services. The Bill aims to unlock economic growth, save time for frontline workers, and improve decision-making across the NHS by tackling fragmented systems and inconsistent data-sharing standards.

What is it?

  • The Bill introduces Smart Data schemes, enabling consumers and businesses to share their data with authorised third parties securely. It will also mandate interoperability standards for IT providers in healthcare, ensuring patient data flows seamlessly across systems.

Why is it important?

  • Currently, the NHS struggles with data spread across siloed systems, slowing care delivery and increasing errors. By standardising data-sharing practices, the Bill is expected to save 140,000 NHS staff hours annually, improve clinical outcomes, and reduce duplication of tests and procedures.

Who will it affect?

  • Public sector organisations like the NHS and Police, IT providers in health and social care, and digital verification services. Businesses engaging with these entities will be required to align with the new interoperability standards.

When is it happening?

  • The Bill is expected to move through Parliament in 2025, with implementation timelines to follow.

UK Cyber Security and Resilience Bill

Following recent cyberattacks on critical sectors such as healthcare and defence, the UK government this year announced the Cyber Security and Resilience Bill, which is intended to strengthen the UK's defences by modernising outdated regulations and expanding cybersecurity requirements.

What is it?

The Bill updates the NIS Regulations 2018, expanding their scope to cover more digital services and the supply chains of regulated entities. It introduces stricter incident reporting requirements and gives regulators powers to proactively investigate potential vulnerabilities.

Why is it important?

Cyberattacks like this summer's ransomware attack on Synnovis, a pathology provider whose outage caused significant disruption to hospitals across London and south-east England, underscore the impact of supply chain attacks. Delayed surgeries, compromised patient data, and financial losses are just a few of the consequences. The Bill seeks to reduce the likelihood and impact of such incidents by mandating robust cybersecurity measures across critical sectors and their suppliers.

Who will it affect?

Organisations in transport, energy, healthcare, and digital infrastructure, as well as their supply chains, must adhere to these enhanced requirements. IT providers serving these sectors will also need to comply.

When is it happening?

The Bill will be introduced in 2025, with further consultations to refine its scope.

Cyber Essentials Updates ('Willow' Release)

What is it?

The Cyber Essentials scheme will introduce several updates in April 2025 to address the evolving threat landscape. Key changes include:

  • Recognising passwordless authentication methods, such as biometrics, passkeys and hardware tokens, as acceptable alternatives to passwords.
  • Expanding the vulnerability management control so that applying a fix no longer means only installing a vendor patch: configuration changes, registry changes, and removal of vulnerable software also count, and must be applied within the same timeframes as patches.
  • Clarifying definitions (for example of in-scope devices and remote working) to improve consistency in assessment.

Who Will It Affect?

Organisations seeking Cyber Essentials certification, particularly those working with the NHS or other public sector bodies, will need to adopt these updates.

When Will It Apply?

The updates come into effect in April 2025.

As always, if you're a Naq customer, we'll ensure you stay ahead of these changes. We'll proactively notify you of any new security controls required to maintain your Cyber Essentials and Cyber Essentials Plus certifications in the year ahead.

European Cyber Resilience Act

The Cyber Resilience Act (CRA) sets horizontal cybersecurity requirements for products with digital elements placed on the EU market, addressing vulnerabilities in individual products that could compromise entire supply chains.

What is it?

  • The CRA requires manufacturers to build security into a product's design and maintain it throughout the product's support period, provide security updates, handle and disclose vulnerabilities, and report actively exploited vulnerabilities and severe incidents. Products must meet these requirements to obtain CE marking for EU distribution.

Why is it important?

  • Incidents like the WannaCry ransomware attack and the Kaseya VSA supply chain breach highlight the risks posed by unpatched and insecure products. The CRA aims to reduce such risks by ensuring every product with digital elements, whether a smartphone app or an industrial controller, meets baseline security requirements throughout its lifecycle.

Who will it affect?

  • Manufacturers, importers, and distributors of digital products in the EU market and businesses exporting to the EU will need to comply.

When is it happening?

  • The Act entered into force on 10 December 2024. Manufacturers' obligations to report actively exploited vulnerabilities and severe incidents apply from 11 September 2026, and the remaining requirements apply from 11 December 2027.

EU AI Act

The EU AI Act (AIA) introduces a risk-based framework for AI systems, imposing obligations based on their potential impact. It targets issues like bias, transparency, and accountability.

What is it?

The AIA classifies AI systems by risk level:

  • Prohibited practices (e.g., social scoring, manipulative AI).
  • High-risk systems (e.g., recruitment, critical infrastructure, medical devices).
  • Limited-risk systems (e.g., chatbots and AI-generated content), which carry transparency obligations.
  • Minimal-risk systems, which carry no new obligations.

Providers of high-risk systems must implement a risk management system, ensure data governance and technical documentation, keep logs, and ensure human oversight. Providers of general-purpose AI models have separate transparency and copyright obligations.

Why is it important?

  • As AI increasingly influences decisions in sensitive areas like employment and healthcare, the Act addresses concerns about fairness and safety. Non-compliance with the prohibitions can result in fines of up to €35 million or 7% of global annual turnover, whichever is higher.

Who will it affect?

Providers, deployers, importers and distributors of AI systems operating in the EU, as well as providers outside the EU whose systems are placed on the EU market or whose output is used in the EU.

When is it happening?

The first provisions, including the bans on prohibited AI practices and the AI literacy requirement, apply from 2 February 2025. Obligations for general-purpose AI models apply from August 2025, most remaining obligations apply from August 2026, and some high-risk categories follow in 2027.

Staying Ahead of the Compliance Curve

The overarching trend in 2025 is a shift towards continuous compliance. Organisations are no longer expected merely to tick boxes once a year; instead, they must embed cybersecurity and data privacy into their daily operations. This will become even more critical as the UK prepares for two major legislative updates: the Data (Use and Access) Bill and the Cyber Security and Resilience Bill. While the first is still making its way through Parliament and the second has yet to be introduced, both are likely to bring enhanced security requirements, especially for organisations working with critical national infrastructure or engaging in public sector contracts.

For those in specific sectors like healthcare, reviews of standards such as DCB 0129 (clinical risk management for manufacturers of health IT systems) in the UK highlight an increasing focus on sector-specific safety standards. In finance, heightened resilience requirements for critical third-party providers are also coming into force, with the EU's DORA applying from January 2025.

At Naq, we understand how overwhelming keeping on top of ever-changing requirements can feel. Our compliance platform goes beyond box-ticking, equipping your organisation to stay continuously compliant with the frameworks necessary to operate securely and confidently.

From automated compliance tracking and real-time non-compliance alerts to risk management tools, training, and more, Naq makes it simple to implement, scale, and maintain your compliance obligations.

Join hundreds of businesses that have already transformed their compliance processes with Naq. Speak to our team today and see how we can help you navigate 2025's regulatory updates.