{"id":21663,"date":"2025-05-30T10:00:57","date_gmt":"2025-05-30T08:00:57","guid":{"rendered":"https:\/\/cyberinsights.iainfraser.net\/?p=21663"},"modified":"2026-06-10T15:06:57","modified_gmt":"2026-06-10T13:06:57","slug":"new-cyber-laws-2025","status":"publish","type":"post","link":"https:\/\/smecyberinsights.co.uk\/index.php\/2025\/05\/30\/new-cyber-laws-2025\/","title":{"rendered":"COMPLIANCE: New Cybersecurity Laws 2025: What UK SMEs Must Know About EU and UK Compliance"},"content":{"rendered":"\t\t
\n\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t\t\t
\"Partners1_NordVPN\"<\/figure><\/div>
\"Partners3_R3\"<\/figure><\/div>
\"Partners2_Zoho\"<\/figure><\/div>
\"Partners4_Plesk\"<\/figure><\/div>
\"Red_Button_Slider\"<\/figure><\/div>
\"ogo2\"<\/figure><\/div>
\"Detection.<\/figure><\/div>\t\t\t<\/div>\n\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t
\n\t\t
\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\"Cyber\t\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t\t\t
Image Credit: Freepik<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t
\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t

Helping Keep Small Business CYBERSafe!
\n<\/strong>Gibraltar: Friday 30 May 2025 at 10:00 CET<\/p>\n

COMPLIANCE: New Cybersecurity Laws 2025: What UK SMEs Must Know About EU and UK Compliance
\n<\/strong>By:\u00a0Iain Fraser<\/a>\u00a0\u2013\u00a0Cybersecurity Journalist
\n<\/a>Published in Collaboration with:\u00a0Nord VPN
\n<\/a>SMECyberInsights.co.uk<\/a>\u00a0– First for SME Cybersecurity
\n<\/a>Google Indexed on 300525 at 11:47 CET
\n<\/a>#CyberInsights #CyberSecurity #CyberAwareness #CyberSafe #SME #SmallBusiness
\n<\/em><\/p>\n<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t\t\t\t\t\t

What’s happening?<\/strong> Small and medium enterprises<\/strong><\/a> (SMEs<\/strong><\/a>) face a wave of new cybersecurity legislation from both the EU and UK in 2025, requiring immediate preparation for Compliance<\/strong> with regulations that could significantly impact business operations and costs.<\/p>\n

Key Cybersecurity Laws SMEs Must Prepare For:<\/strong><\/p>\n

EU Regulations (Already Adopted):<\/strong><\/p>\n

\u2022 NIS2 Directive<\/strong> – Updated Network and Information Systems security requirements
\n\u2022 DORA<\/strong> – Digital Operational Resilience Act for financial services
\n\u2022 CRA<\/strong> – Cyber Resilience Act for connected products
\n\u2022 AI Act<\/strong> – Comprehensive artificial intelligence regulation<\/p>\n

UK Legislation (Upcoming):<\/strong><\/p>\n

\u2022 Cyber Security and Resilience Bill<\/strong> – UK’s response to NIS2
\n\u2022 AI Bill<\/strong> – Focus on frontier AI model regulation<\/p>\n

What Is the NIS2 Directive?<\/strong><\/p>\n

The Network and Information Systems Directive 2 (NIS2)<\/strong> is the EU’s updated cybersecurity framework requiring organizations to:<\/p>\n

\u2022 Implement robust cybersecurity risk management measures
\n\u2022 Report significant cyber incidents within 24 hours
\n\u2022\u00a0 Ensure supply chain security assessments
\n\u2022 Conduct regular security audits and vulnerability assessments
\n\u2022 Maintain business continuity and crisis management procedures<\/p>\n

Who must comply:<\/strong> Essential and important entities including energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure, ICT service management, public administration, and space sectors.<\/p>\n

How Will DORA Affect SMEs?<\/strong><\/p>\n

The Digital Operational Resilience Act (DORA)<\/strong> specifically targets financial services firms and their suppliers, requiring:<\/p>\n

\u2022 ICT risk management frameworks
\n<\/strong>\u2022 Incident reporting<\/strong> within strict timeframes
\n\u2022 Operational resilience testing<\/strong> including threat-led penetration testing
\n\u2022 Third-party risk management<\/strong> for all ICT service providers
\n\u2022 Information sharing<\/strong> arrangements for cyber threat intelligence<\/p>\n

SME impact:<\/strong> Any SME<\/strong><\/a> providing services to financial institutions must comply with DORA requirements.<\/p>\n

What Is the Cyber Resilience Act (CRA)?<\/strong><\/p>\n

The Cyber Resilience Act (CRA)<\/strong> introduces cybersecurity requirements for products with digital elements:<\/p>\n

\u2022 Mandatory security standards<\/strong> for connected devices
\n\u2022 Vulnerability disclosure processes
\n<\/strong>\u2022 Security updates<\/strong> throughout product lifecycle
\n\u2022 CE marking requirements<\/strong> with cybersecurity declarations
\n\u2022 Market surveillance<\/strong> and compliance monitoring<\/p>\n

Who’s affected:<\/strong> SMEs<\/strong><\/a> manufacturing or importing IoT devices, smart appliances, industrial equipment, or software products sold in the EU.<\/p>\n

What Will the UK’s Cyber Security and Resilience Bill Include?<\/strong><\/p>\n

The UK’s Cyber Security and Resilience Bill<\/strong> represents Britain’s response to the EU’s NIS2 directive. While full details remain limited, expected provisions include:<\/p>\n

\u2022 Equivalent security requirements<\/strong> to NIS2 for critical sectors
\n\u2022 Incident reporting obligations<\/strong> for cyber attacks
\n\u2022 Supply chain security mandates
\n<\/strong>\u2022 Regular security assessments<\/strong> and audits
\n\u2022 Penalties for non-compliance<\/strong><\/p>\n

Timeline:<\/strong> Specific implementation dates not yet announced by UK government.<\/p>\n

How Will the UK AI Bill Differ from EU AI Act?<\/strong><\/p>\n

EU AI Act focus:<\/strong><\/p>\n

\u2022 Comprehensive regulation across all AI applications
\n\u2022 Risk-based approach with prohibited and high-risk categories
\n\u2022 Compliance requirements for AI system providers and deployers<\/p>\n

UK AI Bill (expected focus):<\/strong><\/p>\n

\u2022 Frontier AI models<\/strong> – Advanced AI systems with significant capabilities
\n\u2022 Safety and security standards<\/strong> for cutting-edge AI development
\n\u2022 Innovation-friendly approach<\/strong> balancing regulation with growth
\n\u2022 International cooperation<\/strong> on AI governance<\/p>\n

What Should SMEs Do Now?<\/strong><\/p>\n

Immediate compliance steps:<\/strong><\/p>\n

1. Assess current exposure<\/strong> – Determine which regulations apply to your business<\/p>\n

2. Conduct security gap analysis<\/strong> – Identify areas requiring improvement<\/p>\n

3. Implement incident response procedures<\/strong> – Prepare for mandatory reporting requirements<\/p>\n

4. Review third-party contracts<\/strong> – Ensure suppliers meet new security standards<\/p>\n

5. Budget for compliance costs<\/strong> – Factor in audit, training, and system upgrade expenses<\/p>\n

Which SMEs Are Most at Risk?<\/strong><\/p>\n

High-priority sectors for immediate action:<\/strong><\/p>\n

\u2022 Financial services providers and their suppliers (DORA)
\n\u2022 Technology manufacturers and importers (CRA)
\n\u2022 Critical infrastructure suppliers (NIS2\/UK Bill)
\n\u2022 AI system developers and deployers (AI Act\/UK AI Bill)
\n\u2022 Cross-border service providers (multiple jurisdictions)<\/p>\n

What Are the Penalties for Non-Compliance?<\/strong><\/p>\n

EU regulation penalties:<\/strong><\/p>\n

\u2022 NIS2:<\/strong> Up to \u20ac10 million or 2% of annual worldwide turnover
\n\u2022 DORA:<\/strong> Up to \u20ac1 million or 1% of annual net turnover for smaller firms
\n\u2022 CRA:<\/strong> Up to \u20ac15 million or 2.5% of annual worldwide turnover
\n\u2022 AI Act:<\/strong> Up to \u20ac35 million or 7% of annual worldwide turnover<\/p>\n

UK penalties:<\/strong> Expected to mirror EU levels but specific amounts not yet confirmed.<\/p>\n

When Do These Laws Take Effect?<\/strong><\/p>\n

Implementation timeline:<\/strong><\/p>\n

\u2022 NIS2:<\/strong> EU member states must transpose by October 2024 (enforcement beginning)
\n\u2022 DORA:<\/strong> January 17, 2025 (full application)
\n\u2022 CRA:<\/strong> Phased implementation from 2025-2027
\n\u2022 AI Act:<\/strong> Phased implementation 2025-2027
\n\u2022 UK Bills:<\/strong> Timeline to be announced<\/p>\n

How Can SMEs Prepare for Multiple Jurisdictions?<\/strong><\/p>\n

Best practice approach:<\/strong><\/p>\n

1. Map regulatory overlap<\/strong> – Identify common requirements across jurisdictions<\/p>\n

2. Implement highest standards<\/strong> – Meet most stringent requirements to ensure broad compliance<\/p>\n

3. Seek professional guidance<\/strong> – Engage cybersecurity and legal experts<\/p>\n

4. Join industry associations<\/strong> – Access sector-specific compliance guidance<\/p>\n

5. Monitor regulatory updates<\/strong> – Stay informed of implementation details<\/p>\n

What Support Is Available?<\/strong><\/p>\n

Resources for SMEs:<\/strong><\/p>\n

\u2022 Government guidance<\/strong> – Watch for official implementation guidance
\n\u2022 Industry bodies<\/strong> – Sector-specific compliance support
\n\u2022 Cybersecurity frameworks<\/strong> – ISO 27001, NIST, and other established standards
\n\u2022 Professional services<\/strong> – Legal and cybersecurity consultancies
\n\u2022 Peer networks<\/strong> – Industry forums and compliance communities<\/p>\n

Why This Matters for UK SMEs<\/strong><\/p>\n

The convergence of EU and UK cybersecurity legislation creates a complex compliance landscape. SMEs<\/strong><\/a> operating across borders or serving regulated sectors face particular challenges, as they must navigate multiple regulatory requirements simultaneously.<\/p>\n

However, early preparation and strategic compliance planning can turn regulatory burden into competitive advantage, demonstrating to customers and partners that your business takes cybersecurity seriously in an increasingly digital economy.<\/p>\n<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\n\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\tJoin SME Cyber Now! \/...<\/span>\n\t\t\t\t\t<\/span>\n\t\t\t\t\t<\/a>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t
\n\t\t
\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\"CYBERInsights\t\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t\t\t
Image Credit: IfOnlyCommunications<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t
\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t

UK Small Business Owner? Join SMECyber Free Now! & Access the SME Cyber Forum – Read, Learn, Engage, Share …<\/h4>\n

The Latest SME<\/strong> Cybersecurity News, Threat Intelligence & Analysis, Timely Scam Alerts, Best-practice Compliance, Mitigation & Resources specifically curated for UK Based SMEs<\/strong> in a Single Weekly Email direct to your Inbox or Smart Device together with Unrestricted Free Access to our entire SME<\/strong> Cyber Knowledge & Tutorial Library.<\/p>\n<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\n\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\tLearn More \/...<\/span>\n\t\t\t\t\t<\/span>\n\t\t\t\t\t<\/a>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t
\n\t\t\t\t\t
\n\t\t
\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\"Nord_logo_1.png\"\t\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t\t\t
<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t
\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t

What is a VPN & Does my SME Need one?<\/strong> A VPN<\/strong><\/a> is a Virtual Private Network a method of securing your communications credentials. When it comes to Small and Medium-sized enterprises (SMEs<\/strong><\/a>), the choice of VPNs<\/strong><\/a> can significantly impact the security and efficiency of their operations.<\/p>\n

The\u00a0NordVPN<\/b> service allows you to connect to 5600+ servers in 60+ countries. It secures your Internet data with military-grade encryption, ensures your web activity remains private and helps bypass geographic content restrictions online. \u00a0Join\u00a0NordVPN\u00a0Today and\u00a0Save\u00a0up to\u00a073%\u00a0and Get 3 months\u00a0Extra Free<\/a> – Rude Not to \u2026!<\/strong><\/p>\n<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\n\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\tLearn More \/...<\/span>\n\t\t\t\t\t<\/span>\n\t\t\t\t\t<\/a>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t
\n\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t\t\t
\"CI_Feature-AI-3.jpg\"<\/figure><\/div>
\"CI_Feature-Cloud-Security-1-1.jpg\"<\/figure><\/div>
\"CI_Feature-GDPR-1-1.jpg\"<\/figure><\/div>
\"CI_Feature-Identity-Theft-2.jpg\"<\/figure><\/div>
\"CI_Feature-Attack-Mitigation-6.jpg\"<\/figure><\/div>
\"CI_Feature-Phishing-3.jpg\"<\/figure><\/div>
\"CI_Feature-Blockchain-5.jpg\"<\/figure><\/div>
\"CI_Feature-MFA-2.jpg\"<\/figure><\/div>
\"CI_Feature-Cyber-ISO-27001-2.jpg\"<\/figure><\/div>
\"CI_Feature-Cyber-EU-CRA-2.jpg\"<\/figure><\/div>
\"CI_Report-Cybercrime-3.jpg\"<\/figure><\/div>
\"CI_Feature-Cyber-Compliance-3.jpg\"<\/figure><\/div>
\"CI_Feature-Cyber-NIS2-2.jpg\"<\/figure><\/div>
\"CI_Feature-MSPs-2.jpg\"<\/figure><\/div>
\"CI_Feature-SaaS-2.jpg\"<\/figure><\/div>
\"CI_Feature-Email-Security-1.jpg\"<\/figure><\/div>\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t<\/path><\/svg>\t\t\t\t\t<\/div>\n\t\t\t\t\t
\n\t\t\t\t\t\t<\/path><\/svg>\t\t\t\t\t<\/div>\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t
<\/div>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"

Image Credit: Freepik Join SME Cyber Now! \/… Image Credit: IfOnlyCommunications Learn More \/… Learn…<\/p>\n","protected":false},"author":1,"featured_media":21665,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"cybocfi_hide_featured_image":"yes","footnotes":""},"categories":[560],"tags":[517],"ppma_author":[505],"class_list":["post-21663","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-compliance","tag-cyberawareness"],"featured_image_urls":{"full":["https:\/\/smecyberinsights.co.uk\/wp-content\/uploads\/2025\/05\/Cyber-Laws-2025-Freepik.jpg",1430,952,false],"thumbnail":["https:\/\/smecyberinsights.co.uk\/wp-content\/uploads\/2025\/05\/Cyber-Laws-2025-Freepik-150x150.jpg",150,150,true],"medium":["https:\/\/smecyberinsights.co.uk\/wp-content\/uploads\/2025\/05\/Cyber-Laws-2025-Freepik-300x200.jpg",300,200,true],"medium_large":["https:\/\/smecyberinsights.co.uk\/wp-content\/uploads\/2025\/05\/Cyber-Laws-2025-Freepik-768x511.jpg",640,426,true],"large":["https:\/\/smecyberinsights.co.uk\/wp-content\/uploads\/2025\/05\/Cyber-Laws-2025-Freepik-1024x682.jpg",640,426,true],"1536x1536":["https:\/\/smecyberinsights.co.uk\/wp-content\/uploads\/2025\/05\/Cyber-Laws-2025-Freepik.jpg",1430,952,false],"2048x2048":["https:\/\/smecyberinsights.co.uk\/wp-content\/uploads\/2025\/05\/Cyber-Laws-2025-Freepik.jpg",1430,952,false],"covernews-featured":["https:\/\/smecyberinsights.co.uk\/wp-content\/uploads\/2025\/05\/Cyber-Laws-2025-Freepik-1024x682.jpg",1024,682,true],"covernews-medium":["https:\/\/smecyberinsights.co.uk\/wp-content\/uploads\/2025\/05\/Cyber-Laws-2025-Freepik-540x340.jpg",540,340,true]},"author_info":{"display_name":"Cybersecurity Journalist Iain Fraser","author_link":false},"category_info":"COMPLIANCE<\/a>","tag_info":"COMPLIANCE","comment_count":"0","authors":[{"term_id":505,"user_id":1,"is_guest":0,"slug":"admin_yjdstq4n","display_name":"Cybersecurity Journalist Iain Fraser","avatar_url":{"url":"https:\/\/smecyberinsights.co.uk\/wp-content\/uploads\/2024\/10\/index_image440-removebg-preview.png","url2x":"https:\/\/smecyberinsights.co.uk\/wp-content\/uploads\/2024\/10\/index_image440-removebg-preview.png"},"author_category":"1","user_url":"http:\/\/smecyberinsights.co.uk","last_name":"Cybersecurity Journalist","first_name":"Iain Fraser","job_title":"","description":""}],"_links":{"self":[{"href":"https:\/\/smecyberinsights.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/21663","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/smecyberinsights.co.uk\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/smecyberinsights.co.uk\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/smecyberinsights.co.uk\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/smecyberinsights.co.uk\/index.php\/wp-json\/wp\/v2\/comments?post=21663"}],"version-history":[{"count":20,"href":"https:\/\/smecyberinsights.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/21663\/revisions"}],"predecessor-version":[{"id":29103,"href":"https:\/\/smecyberinsights.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/21663\/revisions\/29103"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/smecyberinsights.co.uk\/index.php\/wp-json\/wp\/v2\/media\/21665"}],"wp:attachment":[{"href":"https:\/\/smecyberinsights.co.uk\/index.php\/wp-json\/wp\/v2\/media?parent=21663"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/smecyberinsights.co.uk\/index.php\/wp-json\/wp\/v2\/categories?post=21663"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/smecyberinsights.co.uk\/index.php\/wp-json\/wp\/v2\/tags?post=21663"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/smecyberinsights.co.uk\/index.php\/wp-json\/wp\/v2\/ppma_author?post=21663"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}