Key Security Compliance Deadlines Occur in Early 2025
If you are a Chief Information Security Officer, Chief Information Officer, Chief Technology Officer, Director of Information Technology, or bear a similar title in your organization, your business calendar for the first quarter of 2025 is filling up fast. Among the important dates you should be monitoring are several key compliance deadlines for implementation of new security measures, including:
- Full compliance with the Digital Operational Resilience Act (DORA) becomes mandatory on January 17, 2025.
- Compliance with the newest Payment Card Industry Data Security Standard (PCI DSS 4.0.1) is required by March 31, 2025.
- Security mandates of the newest Cybersecurity Maturity Model Certification (CMMC 2.0) will be incorporated into Department of Defense contracts starting in the first quarter of 2025.
All three regulations include new, more rigorous requirements for supply chain security.
DORA Compliance
The Digital Operational Resilience Act (DORA), also known as EU 2022/2554, requires full mandatory compliance by January 17, 2025.
It is vital to understand that this regulation is not confined to Europe. It affects businesses beyond those in the European Union, including the U.S. and other countries. Specifically, DORA affects:
- Organizations that are based in the European Union and provide financial services in the EU.
- Organizations that are based in the U.S. or in other countries and provide financial services within the European Union.
- Organizations, regardless of where they are based, that provide third-party information and communication technology services to members of the EU financial industry.
All of these organizations are required to be able to demonstrate DORA compliance by the upcoming security compliance deadline.
The Digital Operational Resilience Act is an integrated, comprehensive regulatory framework that was developed in response to the critical reliance on digital technology throughout the financial industry in the European Union. DORA took initial effect January 16, 2023, and allowed two years for implementation, with a final compliance deadline of January 17, 2025.
DORA is the first regulation of its kind to bring third-party providers of information and communication technology (ICT) services under direct financial supervision and regulation. This is mandatory to reduce supply chain vulnerabilities and strengthen supply chain security.
If your organization offers financial services in the European Union or provides third-party ICT services to financial entities in the EU, you are almost certainly subject to DORA requirements. The good news is that if you have already implemented the NIST Cybersecurity Framework or a similar security framework or standard, you are probably much closer to DORA compliance than you think. To ensure that your organization meets the DORA security compliance deadline, act now to conduct a risk assessment against DORA requirements and find out where you stand.
PCI DSS 4.0.1 Compliance
Version 4.0 of the Payment Card Industry Data Security Standard was published on March 31, 2022, replacing the previous version, PCI DSS 3.2.1. The newest version, 4.0.1, was published in June 2024 to address formatting and typographical errors discovered in v4.0 and provide additional implementation guidance for users. On December 31, 2024, v4.0 (with its typos and errors) was officially retired, and PCI DSS v4.0.1 is now the only active version of the standard. The complete v4.0.1 standard is available on the PCI Security Standards Council website.
Compliance with PCI DSS 4.0.1 is required by March 31, 2025. All organizations must implement the security requirements by this date and demonstrate compliance with those requirements in their next annual risk assessments. The following four activities are essential to implementing the standard and thereby improving the security of payment account data:
- Assess Security Risks. Identify locations of all payment account data within your organization. Take inventory of all information technology assets and business processes associated with payment processing. Analyze those processes and assets for vulnerabilities that could expose payment account data to hacking and other unauthorized access. Implement or update all necessary controls. And complete a formal risk assessment, required annually.
- Remediate Vulnerabilities. Identify and address gaps in your security controls. Resolve all vulnerabilities identified during the above assessment activity. Implement secure business processes. Securely remove any payment data being stored unnecessarily or beyond its use. With 64 new security requirements in the new standard, most organizations will discover additional vulnerabilities compared to previous assessments.
- Report Assessment Findings. Document your assessment and remediation details. Level 1 and 2 merchants must engage a Qualified Security Assessor (QSA) to conduct their annual assessments and produce the requisite Reports on Compliance (ROC). Level 3 merchants are generally eligible to conduct self-assessments using a formal Self-Assessment Questionnaire (SAQ). Finally, Attestations of Compliance (AOC) are required to testify to the results of all assessments.
- Monitor and Maintain. This ongoing activity includes constant monitoring of the security controls and safeguards put in place to secure payment account data in your organization, and maintaining those controls on an active and current basis.
These steps must be repeated annually by merchants and other payment card industry members. In addition, all merchants are required to submit quarterly vulnerability scans. Regular internal and external scans are invaluable in creating a secure perimeter and effectively safeguarding cardholder data.
The PCI Data Security Standard was developed to reduce vulnerabilities, strengthen security, and avoid costly data breaches within the payment card industry. Compliance is mandatory. With March 31, 2025, less than three months away, there’s not a moment to waste in meeting this key security compliance deadline.
CMMC 2.0 Compliance
At present, DoD contractors, subs, and suppliers must comply with the original Cybersecurity Maturity Model Certification 1.0, which allows an honor system for verifying compliance. An important goal of the new CMMC 2.0 is to further strengthen cybersecurity throughout the supply chain by making compliance more consistent and “enforcing the protection of sensitive unclassified information,” according to the DoD website. At Levels 2 and 3, objective third-party verification of compliance will now be required.
CMMC 2.0 took effect 60 days after publication in the Federal Register, or as of December 24, 2024. It is incorporated into the Code of Federal Regulations (32 CFR 170), enabling CMMC 2.0 requirements to begin appearing in DoD contracts as early as the first quarter of 2025. A three-year phased approach allows implementation from 2025 through 2027, with a final security compliance deadline of 2028. Until then, organizations must ensure they are in full compliance with NIST SP 800-171, which constitutes the core of CMMC 2.0 at Levels 2 and 3.
Be Sure You Allow Plenty of Time! Don’t let the extended 2.0 timeline fool you into postponing any of the required activities. Simply preparing for your official assessment can take six months to a year-and-a-half depending on your level. Scheduling your official CMMC 2.0 assessment may require a lengthy wait due to high demand for a relatively low supply of authorized assessors. Additionally, Level 3 contractors are responsible for ensuring their suppliers and subs are compliant with CMMC 2.0, adding to their timelines.
The following activities are required for full compliance with CMMC 2.0:
- Determine Compliance Level. This decision will identify which level of assessment and certification you require based on the type of information you handle. Level 1 (Foundational) handles Federal Contract Information (FCI), Level 2 (Advanced) handles Controlled Unclassified Information (CUI), and Level 3 (Expert) handles CUI for high-priority DoD projects.
- Identify and Remediate Security Gaps. Conduct a preparatory assessment to identify current gaps in your security program that would prevent compliance with CMMC 2.0 requirements at your level. Prepare and execute a remediation plan to address gaps, which may include conducting vulnerability assessments and penetration testing, developing compliant policies and procedures, and similar activities. Expert assistance is available from Registered Provider Organizations.
- Officially Assess Compliance. You are now prepared to undergo an official assessment for CMMC 2.0 certification. Level 2 contractors must hire a Certified Third-Party Assessment Organization (C3PAO), while Level 3 will work with the Defense Industrial Base Cybersecurity Assessment Center. Having solidly prepared for this step, your certification process should be successful. Once certified, your organization will be able to continue bidding on and performing contract work for the DoD.
- Maintain Compliant Security. CMMC 2.0 compliance is about strengthening DoD supply chain security by continuing to protect the FCI and CUI in your care. Between assessments, ongoing compliance requires you to continue monitoring your systems, networks, and security safeguards to maintain robust security.
Summary
Several security compliance deadlines occur in the first quarter of 2025 that affect CISOs and other security executives in many organizations. The Digital Operational Resilience Act (DORA), with its global reach, becomes mandatory on January 17, 2025. Compliance with the newest Payment Card Industry Data Security Standard 4.0.1 is required by March 31, 2025, affecting merchants and payment processors who accept American Express, MasterCard, Visa, and other cards. And organizations in the DoD supply chain will begin to see new security requirements and third-party assessments incorporated into their contracts to comply with Cybersecurity Maturity Model Certification 2.0.
Responsibility to your stakeholders dictates that you understand the impact these new laws may have on your organization and take appropriate and timely actions to comply.
Reminder! Sponsored by the National Cybersecurity Alliance, Data Privacy Week 2025 runs from January 27 to January 31. This year’s theme is Take Control of Your Data, and you can learn more at StaySafeOnline.