Compliance briefing · 7 min read · Credibility 93/100

Compliance — Regulatory compliance

It is year-end, which means it is time to take stock of what compliance teams got done in 2025 and what is coming down the pike. PCI DSS 4.0 full compliance hits in March, DORA is now in effect for financial services, and the EU AI Act's high-risk requirements kick in next August. If you have not started on any of these, now's the time to panic—or at least make some phone calls.

Reviewed for accuracy by Kodi C.


As 2025 concludes, compliance professionals can assess progress on major regulatory initiatives while planning for obligations taking effect in 2026. This year-end review synthesizes key compliance developments across financial services, data protection, cybersecurity, and emerging technology domains, providing actionable guidance for organizations operating in an increasingly complex regulatory environment.

2025 Compliance Milestones Achieved

Several significant regulatory deadlines passed during 2025:

SEC Cybersecurity Disclosure: Public companies completed their first full year of compliance with SEC cybersecurity disclosure requirements. Form 10-K annual reports addressed board oversight, risk management processes, and cybersecurity strategy. Companies refined materiality assessment frameworks for incident disclosure under Item 1.05 of Form 8-K, with practice patterns emerging around disclosure timing and content.

NIS2 Directive Transposition: EU member states transposed the NIS2 Directive into national law by the October 2024 deadline, with implementing measures taking effect throughout 2025. Essential and important entities implemented risk management measures, incident reporting procedures, and management body oversight requirements. Cross-border organizations navigated variation between national implementations.

DORA Compliance Preparation: Financial entities subject to the Digital Operational Resilience Act (DORA) advanced implementation programs ahead of the January 2025 application date. ICT risk management frameworks, incident classification schemas, digital operational resilience testing programs, and third-party risk management processes matured throughout the year.

PCI DSS 4.0 Transition Progress: Organizations progressed toward PCI DSS 4.0 compliance ahead of the March 2025 deadline for requirements previously categorized as good practices. Payment card industry participants addressed improved authentication requirements, script integrity monitoring, and targeted risk analysis obligations.

State Privacy Law Expansions: Additional US state privacy laws took effect during 2025, including provisions in Delaware, Iowa, New Hampshire, and New Jersey. Organizations refined privacy program implementations to address varying consent, disclosure, and consumer rights requirements across jurisdictions.

Key Regulatory Developments

Important regulatory developments during 2025 included:

EU AI Act Implementation: The EU AI Act entered into force in August 2024, with prohibited practice provisions becoming applicable in February 2025 and general-purpose AI transparency obligations following in August 2025. High-risk AI system requirements will apply from August 2026. Organizations conducted AI system inventories, risk classifications, and compliance gap assessments throughout 2025.

CSRD Reporting Commencement: Large EU companies and listed entities began preparing Corporate Sustainability Reporting Directive (CSRD) disclosures using European Sustainability Reporting Standards (ESRS). First reports under CSRD will be published in 2025 covering fiscal year 2024. Organizations established sustainability data collection processes and governance structures.

SEC Climate Disclosure Stay: The SEC's climate disclosure rule remained subject to legal challenges throughout 2025, with implementation stayed pending judicial review. Organizations continued voluntary climate disclosure and prepared for eventual compliance while monitoring litigation developments.

UK Data Protection Bill: The UK's Data Protection and Digital Information Bill progressed through Parliament, proposing modifications to UK GDPR requirements. Organizations monitored developments while maintaining existing compliance programs pending legislative finalization.

Colorado AI Act: Colorado's SB24-205 governing high-risk AI systems in consequential decisions created state-level AI governance obligations. Organizations assessed AI system deployments against Colorado's requirements and implemented risk management and disclosure measures.

2026 Compliance Calendar Preview

If you are affected, prepare for the following major compliance milestones in 2026:

Q1 2026:

  • PCI DSS 4.0 full compliance deadline (March 31) – all requirements fully applicable
  • DORA regulatory technical standards finalization and ongoing compliance verification
  • CSRD first reports published for large companies covering FY 2024
  • FedRAMP Rev 5 transition deadline for federal cloud services

Q2 2026:

  • EU AI Act high-risk system requirements application (August 2) – Annex III systems
  • EU Data Act full application for connected product data sharing and cloud switching
  • NIST SP 800-171 Rev 3 transition for defense industrial base contractors
  • State privacy law enforcement commencements in additional jurisdictions

Q3-Q4 2026:

  • CSRD scope expansion to additional company categories
  • EU AI Act high-risk requirements for Annex I systems (approaching the August 2027 deadline)
  • Potential SEC climate disclosure implementation (litigation-dependent)
  • Additional state AI governance requirements taking effect

PCI DSS 4.0 Compliance Priorities

Organizations accepting payment cards should focus on the following for full PCI DSS 4.0 compliance:

Requirement 3.4.2: Technical controls preventing copy or relocation of primary account numbers (PAN) when using remote-access technologies. Implement data loss prevention or access controls restricting PAN movement.

Requirement 6.4.3: Script integrity monitoring for payment page scripts, ensuring authorized scripts are not modified and unauthorized scripts are detected. Deploy script monitoring solutions with alerting capabilities.

Requirement 8.3.6: Multi-factor authentication for all access into the cardholder data environment, not just remote access. Extend MFA coverage to all CDE access points, including on-premises access.

Requirement 11.6.1: Change and tamper detection mechanisms for payment pages to detect unauthorized modifications. Implement file integrity monitoring or equivalent detection capabilities.

Requirement 12.3.1: Targeted risk analysis for each PCI DSS requirement that allows flexibility in control implementation frequency. Document the risk analyses justifying control frequencies where applicable.
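Requirements 6.4.3 and 11.6.1 both come down to the same operational question: does the payment page the consumer's browser receives contain exactly the scripts you have inventoried and justified, unchanged? The following Python script is an added illustration of that check; it is not part of the original briefing and not a PCI SSC artefact. It reconciles a delivered page against an authorized-script inventory (URL, known-good SHA-256, written justification), flags scripts that are unlisted, altered, missing, or shipped without a Subresource Integrity attribute, and also handles inline scripts by hash. Every URL, script body and hash in it is constructed for the example.

```python
import base64
import hashlib
import re
from typing import Dict, List, Set, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sri_sha256(data: bytes) -> str:
    """Subresource Integrity value as the browser expects it: 'sha256-' + base64(digest)."""
    return "sha256-" + base64.b64encode(hashlib.sha256(data).digest()).decode()


# --- Authorized baseline (constructed; hypothetical URLs and contents) ----------
# Req. 6.4.3: every script on the payment page is inventoried with a justification.
# Req. 11.6.1: the page as delivered to the browser is checked for unauthorized change.
# A real deployment would load this from change control; it is a literal here so
# the example runs offline.
KNOWN_GOOD: Dict[str, bytes] = {
    "https://pay.example.com/js/checkout.js": b"window.checkout = function () { /* form logic */ };",
    "https://cdn.example-psp.com/v3/card-fields.js": b"window.CardFields = {};",
}
JUSTIFICATION: Dict[str, str] = {
    "https://pay.example.com/js/checkout.js": "first-party checkout form logic",
    "https://cdn.example-psp.com/v3/card-fields.js": "PSP-hosted card field loader",
}
BASELINE: Dict[str, str] = {url: sha256_hex(body) for url, body in KNOWN_GOOD.items()}
# Inline scripts have no URL, so they are authorized by content hash alone.
ALLOWED_INLINE: Set[str] = {sha256_hex(b"window.dataLayer = [];")}

# --- Observation from one monitor run (constructed) -----------------------------
# One hosted script has changed since baseline and an unlisted third-party script
# has appeared on the page; the first-party script is unchanged and carries SRI.
OBSERVED_HTML = f"""<html><head>
<script src="https://pay.example.com/js/checkout.js" integrity="{sri_sha256(KNOWN_GOOD['https://pay.example.com/js/checkout.js'])}"></script>
<script src="https://cdn.example-psp.com/v3/card-fields.js"></script>
<script src="https://static.unknown-analytics.example/t.js"></script>
<script>window.dataLayer = [];</script>
</head><body><form id="pay"></form></body></html>"""
OBSERVED_BODIES: Dict[str, bytes] = {
    "https://pay.example.com/js/checkout.js": KNOWN_GOOD["https://pay.example.com/js/checkout.js"],
    "https://cdn.example-psp.com/v3/card-fields.js": b"window.CardFields = {}; /* changed since baseline */",
    "https://static.unknown-analytics.example/t.js": b"/* not in inventory */",
}

SCRIPT_TAG = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
ATTR = re.compile(r'([\w-]+)\s*=\s*"([^"]*)"')


def extract_scripts(html: str) -> List[Tuple[Dict[str, str], str]]:
    """(attributes, inline body) for each <script> in page order. A regex is enough for
    this constructed page; a production monitor should use a real HTML parser."""
    return [(dict(ATTR.findall(attrs)), body) for attrs, body in SCRIPT_TAG.findall(html)]


Finding = Tuple[str, str, str]  # (severity, kind, subject)


def check_payment_page(html: str, fetched: Dict[str, bytes], baseline: Dict[str, str],
                       allowed_inline: Set[str]) -> List[Finding]:
    """Reconcile the delivered page against the authorized inventory and return findings."""
    findings: List[Finding] = []
    seen: Set[str] = set()
    for attrs, inline in extract_scripts(html):
        src = attrs.get("src")
        if src is None:
            digest = sha256_hex(inline.strip().encode())
            if digest not in allowed_inline:
                findings.append(("high", "unauthorized-inline-script", digest[:16]))
            continue
        seen.add(src)
        if src not in baseline:
            findings.append(("high", "unauthorized-script", src))
            continue
        body = fetched.get(src)
        if body is None:
            findings.append(("medium", "script-not-retrievable", src))
            continue
        if sha256_hex(body) != baseline[src]:
            findings.append(("critical", "modified-script", src))
        if "integrity" not in attrs:
            findings.append(("low", "missing-sri", src))
        elif attrs["integrity"] != sri_sha256(body):
            findings.append(("high", "sri-mismatch", src))
    # A script that vanished from the page is also a change worth an alert (11.6.1).
    for src in baseline:
        if src not in seen:
            findings.append(("medium", "expected-script-absent", src))
    return findings


if __name__ == "__main__":
    for severity, kind, subject in check_payment_page(OBSERVED_HTML, OBSERVED_BODIES, BASELINE, ALLOWED_INLINE):
        print(f"{severity:8} {kind:28} {subject}  ({JUSTIFICATION.get(subject, 'no justification on file')})")
```

Run against the constructed observation, the check reports the altered PSP script (critical, plus a low-severity note that it ships without SRI) and the unlisted analytics script (high); the unchanged first-party script and the allow-listed inline snippet produce nothing. The evidence an assessor wants for 6.4.3 is the inventory itself (the baseline with justifications), and for 11.6.1 it is the scheduled output of this kind of comparison together with the alert routing behind it.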

DORA Operational Resilience Requirements

Financial entities should ensure ongoing DORA compliance across key domains:

ICT Risk Management: Maintain comprehensive ICT risk management frameworks addressing asset identification, threat analysis, vulnerability management, and control effectiveness. Document risk appetite and tolerances approved by management bodies.

Incident Management: Operate incident classification, response, and reporting processes meeting DORA requirements. Report major ICT-related incidents to competent authorities within prescribed timeframes using standardized formats.

Digital Operational Resilience Testing: Execute testing programs including vulnerability assessments, scenario-based testing, and for in-scope entities, threat-led penetration testing (TLPT). Maintain testing schedules aligned with regulatory technical standards.

Third-Party Risk Management: Implement strong ICT third-party risk management covering due diligence, contractual arrangements, ongoing monitoring, and exit planning. Maintain registers of ICT service arrangements for regulatory reporting.

Information Sharing: Participate in permitted threat intelligence sharing arrangements while maintaining appropriate confidentiality controls. Establish processes for receiving and acting on shared threat information.

AI Governance Compliance

Organizations deploying AI systems should address emerging compliance requirements:

EU AI Act Preparation: Complete AI system inventories and risk classification against EU AI Act categories. For high-risk systems, initiate compliance programs addressing conformity assessment, technical documentation, and post-market monitoring requirements applicable from August 2026.

State AI Laws: Assess AI deployments against state-level requirements including Colorado SB24-205 for consequential decision systems. Implement risk management, impact assessments, and consumer disclosure measures where applicable.

Sector-Specific Guidance: Financial services AI deployments should address emerging supervisory guidance on model risk management, algorithmic decision-making fairness, and explainability requirements. Healthcare AI should comply with FDA guidance and HIPAA considerations.

Voluntary Frameworks: Consider alignment with NIST AI Risk Management Framework and ISO/IEC 42001 AI management system standards to show responsible AI practices and prepare for eventual mandatory requirements.

Data Protection and Privacy

Privacy compliance remains dynamic across jurisdictions:

US State Privacy: Monitor compliance across operational jurisdictions as additional state privacy laws take effect. Maintain flexible privacy frameworks accommodating varying consent, disclosure, and consumer rights requirements.

International Data Transfers: Ensure data transfer mechanisms remain valid following EU-US Data Privacy Framework establishment and monitor for potential challenges. Maintain standard contractual clauses as alternative transfer mechanisms.

Children's Privacy: Address improved requirements for children's data processing under various jurisdictions including COPPA updates, UK Age Appropriate Design Code, and EU Digital Services Act provisions for minors.

Privacy Program Operations: Maintain privacy impact assessment processes, data subject request handling, and breach notification procedures. Ensure privacy programs address AI-specific considerations including automated decision-making transparency.

Recommended Actions

Immediate (0-30 days): Complete year-end compliance attestations and reporting requirements. Assess progress against 2025 compliance objectives and identify carryover items for 2026 planning.

Near-term (Q1 2026): Finalize PCI DSS 4.0 compliance preparations before March 31 deadline. Verify DORA compliance status and address any gaps identified during regulatory engagement.

Medium-term (Q2 2026): Advance EU AI Act compliance programs ahead of August high-risk system deadline. Prepare CSRD reporting capabilities for applicable entities.

Ongoing: Maintain regulatory monitoring for new requirements and enforcement developments. Update compliance programs based on regulatory guidance and enforcement trends. Ensure board and management reporting addresses evolving regulatory environment.

Key takeaways

The compliance environment continues expanding in scope and complexity, with regulatory initiatives spanning cybersecurity, operational resilience, sustainability, and emerging technology governance. Organizations that invest in integrated compliance frameworks, automated control monitoring, and preventive regulatory engagement will manage obligations more efficiently while reducing compliance risk.

The convergence of requirements across jurisdictions creates opportunities for unified compliance approaches, but implementation details often vary, requiring careful attention to specific obligations. Compliance professionals should focus on understanding regulatory intent alongside technical requirements to build programs that satisfy both the letter and spirit of applicable rules.

This briefing series will continue monitoring regulatory developments and providing compliance guidance as obligations evolve throughout 2026.

References

  1. PCI DSS v4.0 Requirements and Testing Procedures — pcisecuritystandards.org
  2. EU Digital Operational Resilience Act (DORA) Official Text — eur-lex.europa.eu
  3. EU Artificial Intelligence Act Official Journal Publication — eur-lex.europa.eu