Five Cybersecurity and Compliance Trends to Watch in 2025
The past 12 months have once again taught us that while technology continues to advance at sometimes blinding speed, many of the macro trends in security and compliance remain unchanged. That is likely to hold true over the coming year as well. While AI and deepfake innovations will continue to upskill threat actors and open new opportunities for them, the democratisation of cybercrime, the growing threat posed by state actors, and increased pressure on critical national infrastructure (CNI) providers will remain undimmed.
We’ll see new laws start to hit home for boards, and others begin to take shape, especially in the UK. And we’ll see network defenders turn to zero trust in greater numbers as supply chain risk spirals. Here’s our pick for five key trends to look out for in 2025.
1. AI And Deepfake Threats Loom Large
The National Cyber Security Centre (NCSC) warned earlier this year that AI would “almost certainly increase the volume and heighten the impact of cyber-attacks over the next two years”. And there’s little reason to doubt that assessment. Generative AI (GenAI), in particular, will lower the barrier to entry for budding phishing actors and speed up attacks by making it quicker and easier to identify high-value assets and vulnerable devices for exploitation.
GenAI will also supercharge the deepfake threat, which in an enterprise context could mean trouble for Know Your Customer checks that rely on biometrics (face, voice), which can now be spoofed with a high degree of accuracy. We may also see more BEC-style attempts to trick staff into making big-money corporate transfers, using voice or video purporting to impersonate the CEO or similar.
Threat actors will look to abuse legitimate services like ChatGPT to bypass built-in security guardrails and potentially sell such access as a service. The relatively small number of LLM developers could encourage more cybercriminals to probe for vulnerabilities like these and others.
However, AI will also help the cybersecurity community, with security operations (SecOps) analysts able to work faster and more productively thanks to GenAI assistants. GenAI’s ability to create synthetic content will help teams train their security tools and users more effectively, while its talent for trawling large datasets for unusual patterns will continue to help in threat detection and response. In fact, 61% of global organisations now believe AI to be essential to effective, proactive threat response.
2. CNI Under Growing Pressure
CNI providers have always been popular targets for attack. But emboldened state actors, well-resourced cybercriminals, and an increasingly fractious geopolitical environment are particular causes for concern as we head into 2025. Organisations that have failed to implement the best practices mandated by NIS 2 and its UK equivalent could be at great risk.
Expect to see more multi-year, highly sophisticated campaigns such as Volt Typhoon and opportunistic attacks by ransomware and hacktivist groups looking to make money and/or a name for themselves. Historic underinvestment in the UK has led to some shocking revelations about poor security posture at the likes of Sellafield and Thames Water. These will surely not be the last.
3. The UK Plays Catch-Up With Cybersecurity Laws
There’s plenty set to happen in the UK from a regulatory compliance perspective in 2025, as two major pieces of legislation near the statute books. The Cyber Security and Resilience Bill will update the Network and Information Systems Regulations 2018 (NIS Regulations). Although it’s less ambitious than the EU’s equivalent effort, NIS 2, the Bill should introduce much-needed provisions. These include expanding the scope of the law to more sectors, enhancing supply chain security, and mandating incident reporting, especially for ransomware. The government also wants to strengthen regulatory powers, including the ability to proactively investigate vulnerabilities and collect fees from regulated organisations.
Meanwhile, the Digital Information and Smart Data Bill is effectively an update of the previous government’s Data Protection and Digital Information (DPDI) Bill and promises a refresh of the GDPR. It hopes to reduce compliance costs for businesses, streamline data sharing and accelerate innovation in digital identity. As per the other proposed law, it will strengthen the powers of the Information Commissioner’s Office (ICO), which in turn could put greater pressure on compliance staff.
4. The C-suite Takes Control Of Cyber
This has been a long time coming. However, the new requirements in the SEC’s cybersecurity disclosure rules and in NIS 2 will place greater responsibility on boards to understand cyber risk. In the case of the EU directive, senior management must sign off on cyber risk-management measures, oversee their implementation and participate in specialised security training. They will also be held personally liable by regulators in cases of gross negligence and wilful neglect. The SEC, meanwhile, now demands listed companies make annual disclosures about their cyber-risk management strategy and governance, as well as describe the board’s oversight of cyber risk stemming from threats.
Similar measures to enhance accountability and transparency at a senior management level will make their way into an increasing number of new laws in 2025, including the EU’s Digital Operational Resilience Act (DORA). It mandates that boards “define, approve, oversee and be responsible for the implementation of all arrangements related to the ICT risk management framework.” These moves may put greater scrutiny on the role of the CISO but should at least make it easier to gain the ear of the board when discussing matters of cyber risk.
5. Nation-State And Cybercrime Lines Continue To Blur
Against the backdrop of surging geopolitical risk, one long-running trend we’ll see become more pronounced in 2025 is the crossover between nation-state and cybercrime activity. Microsoft called this out in its annual Digital Defense Report recently, warning that not only are state actors (i.e. Iran and North Korea) increasingly financially motivated, but that some (e.g. Russia) are using cybercrime TTPs and even outsourcing some operations to criminal gangs. We may also see hacktivist groups continue to shift beyond DDoS attacks to take potshots at perceived enemy ‘targets’ in the West with ransomware, data extortion and destructive attacks, as the NCSC has already warned.
CNI firms could be first in the firing line, given that a disruptive attack would have an outsized impact on the populace. As mentioned, they’re also often some of the least well-protected targets, with a low tolerance for outages, making them an ideal candidate for ransomware.
All of which means cybersecurity and compliance professionals will be busier than ever in 2025. Fortunately, best practice standards like ISO 27001 will continue to help provide a solid foundation to cope with these and many other challenges set to emerge in 2025. But it could be a bumpy ride.