2025 Compliance Changes Review — What Organizations Must Know
The regulatory and compliance landscape evolved rapidly in 2025, with key changes affecting cybersecurity, privacy, and protective security. This review breaks down those changes, offering insights into new requirements and how to ensure compliance in 2026.
1. U.S. Cybersecurity Maturity Model Certification – CMMC 2.0
CMMC 2.0 went into effect on November 10, 2025, with a phased rollout that will continue in 2026. Importantly, CMMC is now a contractual condition of award, not just a readiness exercise. Preparation and resource planning are essential to avoid losing eligibility for DoD contracts.
Here’s what you need to know about CMMC for 2026.
- CMMC clauses (e.g., DFARS 252.204-7025) can now appear in solicitations and awards, and contractors must demonstrate compliance before award. This means defense contractors must meet the self-assessment requirements for either CMMC Level 1 or Level 2 when handling Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
- Phase Two of CMMC begins November 10, 2026, with Level 2 Certification Assessments commencing and being added to applicable solicitations and contracts. Additionally, CMMC Level 3 certification assessment requirements may apply to any applicable solicitations and contracts.
For more in-depth information on these requirements, read our CMMC 2.0 blog.
2. U.S. Health Data Privacy & Security (HIPAA)
In 2025, the Department of Health and Human Services (HHS) proposed major revisions to the HIPAA Security Rule to modernize cybersecurity protections. Finalization is expected in 2026, so now is the time to start preparing for the changes. ‘HIPAA 2.0’ looks to make ‘addressable’ changes mandatory to improve security. Expected changes include:
- Mandatory ePHI encryption at rest and in transit
- Requiring multi-factor authentication (MFA) to strengthen authentication
- Revoking employee access within one hour of termination
- Asset inventory and network mapping to improve visibility and control over ePHI as it moves through electronic information systems
- Formalizing audit and refresh frequencies to ensure a proactive security posture
HIPAA 2.0 also looks to expand compliance requirements to include systems that don’t contain Electronic Protected Health Information (ePHI) but could impact its confidentiality, integrity, or availability. Learn more about what to expect in HIPAA 2.0.
While HIPAA 2.0 has not been finalized, there are imminent changes to the HIPAA Notice of Privacy Practices (NPP) in 2026. Any HIPAA-covered entity that creates, maintains, receives, or transmits substance use disorder (SUD) treatment information should review and make appropriate updates to its NPP by February 16, 2026.
3. New US Data Privacy Laws
In 2025, the landscape of data privacy in the United States underwent a significant transformation as multiple state laws became enforceable, elevating corporate data governance standards and enhancing consumer rights.
- Notably, Delaware, Iowa, Minnesota, Nebraska, New Hampshire, New Jersey, Maryland, and Tennessee each enacted comprehensive data privacy laws that set forth rigorous requirements for how businesses handle consumer information. These laws aim to empower individuals by granting them greater control over their personal data, including the right to access, correct, and delete it.
- Several new privacy regulations took effect on January 1, 2026, including Indiana, Kentucky, and Rhode Island’s new privacy laws, which were driven by growing public demand for transparency and accountability in data practices.
- Additionally, California has implemented critical updates to its data privacy framework, the California Consumer Privacy Act (CCPA), which took effect this month. The state phased in an expanded definition of sensitive data that includes neural data, disclosure requirements for automated decision-making technology, expanded consumer rights, and risk assessment and audit requirements.
The US’s evolving regulatory environment underscores the urgency for businesses to reassess and strengthen their data governance strategies to comply with current and forthcoming legal requirements.
4. UK Data Use and Access Act (DUAA) 2025
The UK’s Data Use and Access Act 2025 updated how data protection works alongside the UK GDPR and Data Protection Act, affecting data access, reuse, and regulatory guidance — particularly for government and public-sector data use. DUAA changes include new measures for international data transfers, automated decision-making, legitimate interest, cookies, and a new complaints procedure. This new UK law reshapes domestic data governance and affects firms handling personal or public data in the UK.
5. EU AI Act
The European Union AI Act, the world’s first comprehensive AI regulatory framework, started applying key compliance requirements in February 2025, including bans on certain high-risk and manipulative AI practices such as social scoring and emotion tracking. This is a landmark shift toward regulating AI fairness, transparency, and accountability across industries doing business in the EU. It impacts all AI developers, distributors, and users in or exporting to the EU.
Companies deploying AI must assess risk levels, maintain logs, and implement human oversight. Non-compliance carries significant repercussions, including fines of up to 7% of global revenue.
6. Australia’s Protective Security Policy Framework (PSPF)
In Australia, the PSPF Release 2025, effective as of 24 July 2025, reflects a new phase of protective security maturity. It updates core protective security requirements across six domains (e.g., governance, personnel, information security). Agencies must implement strengthened risk management, identity controls, and incident management obligations.
Australian government agencies and contracted entities must integrate PSPF 2025 into their security governance, risk management, and assurance cycles — tying protective security to national resilience and operational readiness.
7. Australia’s Privacy and Other Legislation Amendment Act (POLA)
Australia’s POLA reforms (Privacy Act amendments) under the Privacy Act Review are a broad modernization effort. The POLA amendments (which received Royal Assent in December 2024) begin to modernize Australia’s privacy regime to better align with global standards such as GDPR. Major reforms were introduced in June 2025, including stronger regulatory powers and compliance obligations. Businesses operating in or with Australia must track POLA compliance schedules and be proactive in privacy governance, especially where global data exchanges occur. Get in-depth insight into POLA requirements in this blog.
Embracing Proactive Governance for Enhanced Compliance and Risk Management
Staying on top of compliance shifts requires moving from reactive responses to proactive governance. Whether you’re in defense contracting, healthcare, government, or multinational operations, keeping pace with changes and planning for future regulatory updates will reduce risk, improve compliance, and position your organization for success in 2026 and beyond.