
Compliance Briefing — December 15, 2025

Year-end compliance review highlights key regulatory milestones achieved in 2025 and previews major obligations taking effect in 2026. Compliance teams should prioritize PCI DSS 4.0 transition, DORA operational resilience, and emerging AI governance requirements.

[Figure: timeline of source publication cadence, sized by credibility; 3 publication timestamps support this briefing]

Executive briefing: As 2025 concludes, compliance professionals can assess progress on major regulatory initiatives while planning for obligations taking effect in 2026. This year-end review synthesizes key compliance developments across financial services, data protection, cybersecurity, and emerging technology domains, providing actionable guidance for organizations navigating an increasingly complex regulatory landscape.

2025 Compliance Milestones Achieved

Several significant regulatory deadlines passed during 2025:

SEC Cybersecurity Disclosure: Public companies completed their first full year of compliance with SEC cybersecurity disclosure requirements. Form 10-K annual reports addressed board oversight, risk management processes, and cybersecurity strategy. Companies refined materiality assessment frameworks for incident disclosure under Item 1.05 of Form 8-K, with practice patterns emerging around disclosure timing and content.

NIS2 Directive Transposition: EU member states transposed the NIS2 Directive into national law by the October 2024 deadline, with implementing measures taking effect throughout 2025. Essential and important entities implemented risk management measures, incident reporting procedures, and management body oversight requirements. Cross-border organizations navigated variation in national implementations.

DORA Compliance Preparation: Financial entities subject to the Digital Operational Resilience Act (DORA) advanced implementation programs ahead of the January 2025 application date. ICT risk management frameworks, incident classification schemas, digital operational resilience testing programs, and third-party risk management processes matured throughout the year.

PCI DSS 4.0 Transition Progress: Organizations progressed toward PCI DSS 4.0 compliance ahead of the March 2025 deadline for requirements previously categorized as best practices. Payment card industry participants addressed enhanced authentication requirements, script integrity monitoring, and targeted risk analysis obligations.

State Privacy Law Expansions: Additional US state privacy laws took effect during 2025, including provisions in Delaware, Iowa, New Hampshire, and New Jersey. Organizations refined privacy program implementations to address varying consent, disclosure, and consumer rights requirements across jurisdictions.

Key Regulatory Developments

Important regulatory developments during 2025 included:

EU AI Act Implementation: The EU AI Act entered into force in August 2024, with prohibited practice provisions becoming applicable in February 2025 and general-purpose AI transparency obligations following in August 2025. High-risk AI system requirements will apply from August 2026. Organizations conducted AI system inventories, risk classifications, and compliance gap assessments throughout 2025.

CSRD Reporting Commencement: Large EU companies and listed entities began preparing Corporate Sustainability Reporting Directive (CSRD) disclosures using European Sustainability Reporting Standards (ESRS). First reports under CSRD will be published in 2025 covering fiscal year 2024. Organizations established sustainability data collection processes and governance structures.

SEC Climate Disclosure Stay: The SEC's climate disclosure rule remained subject to legal challenges throughout 2025, with implementation stayed pending judicial review. Organizations continued voluntary climate disclosure and prepared for eventual compliance while monitoring litigation developments.

UK Data Protection Bill: The UK's Data Protection and Digital Information Bill progressed through Parliament, proposing modifications to UK GDPR requirements. Organizations monitored developments while maintaining existing compliance programs pending legislative finalization.

Colorado AI Act: Colorado's SB24-205 governing high-risk AI systems in consequential decisions created state-level AI governance obligations. Organizations assessed AI system deployments against Colorado's requirements and implemented risk management and disclosure measures.

2026 Compliance Calendar Preview

Organizations should prepare for the following major compliance milestones in 2026:

Q1 2026:

  • PCI DSS 4.0 full compliance deadline (March 31) – all requirements fully applicable
  • DORA regulatory technical standards finalization and ongoing compliance verification
  • CSRD first reports published for large companies covering FY 2024
  • FedRAMP Rev 5 transition deadline for federal cloud services

Q2 2026:

  • EU AI Act high-risk system requirements application (August 2) – Annex III systems
  • EU Data Act full application for connected product data sharing and cloud switching
  • NIST SP 800-171 Rev 3 transition for defense industrial base contractors
  • State privacy law enforcement commencements in additional jurisdictions

Q3-Q4 2026:

  • CSRD scope expansion to additional company categories
  • EU AI Act high-risk requirements for Annex I systems (preparation ahead of the August 2027 deadline)
  • Potential SEC climate disclosure implementation (litigation-dependent)
  • Additional state AI governance requirements taking effect

PCI DSS 4.0 Compliance Priorities

Organizations accepting payment cards should prioritize the following for full PCI DSS 4.0 compliance:

Requirement 3.4.2: Technical controls preventing copy or relocation of primary account numbers (PAN) when using remote-access technologies. Implement data loss prevention or access controls restricting PAN movement.

Requirement 6.4.3: Script integrity monitoring for payment page scripts, ensuring authorized scripts are not modified and unauthorized scripts are detected. Deploy script monitoring solutions with alerting capabilities.

Requirement 8.3.6: Multi-factor authentication for all access into the cardholder data environment, not just remote access. Extend MFA coverage to all CDE access points, including on-premises access.

Requirement 11.6.1: Change and tamper detection mechanisms for payment pages to detect unauthorized modifications. Implement file integrity monitoring or equivalent detection capabilities.

Requirement 12.3.1: Targeted risk analysis for each PCI DSS requirement allowing flexibility in control implementation frequency. Document risk analyses justifying control frequencies where applicable.
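As an added illustration of what script integrity monitoring (6.4.3) and payment page tamper detection (11.6.1) look like in practice, the Python below is example code written for this briefing; it is not from the briefing's sources or from the PCI Security Standards Council. It parses a payment page, compares every script against an approved inventory and a content hash baseline, and reports unauthorized, modified, and missing scripts. The page HTML, script URLs, and script bodies are constructed sample data, and the `fetch` callable stands in for whatever retrieval a real monitor would perform.

```python
"""Hash-based script inventory check for a payment page.

Example code illustrating PCI DSS 4.0 requirements 6.4.3 and 11.6.1.
All URLs, page content and script bodies are constructed sample data.
"""
import hashlib
from html.parser import HTMLParser


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class _ScriptCollector(HTMLParser):
    """Collects <script> elements: external ones by src, inline ones by body."""

    def __init__(self):
        super().__init__()
        self.external = []      # src attribute of each external script, in page order
        self.inline = []        # body text of each inline script, in page order
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_inline:
            self.inline.append("".join(self._buf))
            self._in_inline = False


def check_payment_page(html, fetch, baseline_external, baseline_inline):
    """Compare the scripts on a payment page against an approved baseline.

    fetch(src) -> bytes currently served for an external script.
    baseline_external: {src: expected sha256 hex of its content}.
    baseline_inline: set of sha256 hex values of authorized inline bodies.
    Returns a list of (finding_kind, identifier) tuples; empty means clean.
    """
    parser = _ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.external:
        if src not in baseline_external:
            findings.append(("unauthorized_script", src))   # not in the inventory
            continue
        if sha256_hex(fetch(src)) != baseline_external[src]:
            findings.append(("modified_script", src))       # inventory entry, content changed
    for body in parser.inline:
        digest = sha256_hex(body.strip().encode())
        if digest not in baseline_inline:
            findings.append(("unauthorized_inline_script", digest[:12]))
    for src in baseline_external:
        if src not in parser.external:
            findings.append(("missing_script", src))        # approved script removed from page
    return findings


# --- Constructed sample data: the approved baseline taken at last change ---
AUTHORIZED_SCRIPT_BODIES = {
    "/static/checkout.js": b"window.checkout = {tokenize: function(f){ /* ... */ }};",
    "/static/vendor/analytics.js": b"window.track = function(e){};",
}
AUTHORIZED_INLINE_BODIES = ["window.CHECKOUT_CONFIG = {currency: 'USD'};"]
BASELINE_EXTERNAL = {src: sha256_hex(body) for src, body in AUTHORIZED_SCRIPT_BODIES.items()}
BASELINE_INLINE = {sha256_hex(b.strip().encode()) for b in AUTHORIZED_INLINE_BODIES}

# --- Constructed sample data: what the monitor observes now ---
# analytics.js has changed, and an unlisted third-party script plus an
# unlisted inline block have appeared on the page.
CURRENTLY_SERVED = dict(AUTHORIZED_SCRIPT_BODIES)
CURRENTLY_SERVED["/static/vendor/analytics.js"] = b"window.track = function(e){ /* changed */ };"
CURRENTLY_SERVED["https://cdn.example.invalid/widget.js"] = b"/* not in the approved inventory */"

SAMPLE_PAGE = """<html><head>
<script src="/static/checkout.js"></script>
<script src="/static/vendor/analytics.js"></script>
<script src="https://cdn.example.invalid/widget.js"></script>
<script>window.CHECKOUT_CONFIG = {currency: 'USD'};</script>
<script>document.title = 'Checkout';</script>
</head><body><form id="payment"></form></body></html>"""


def run_sample():
    """Run the check against the constructed page; expect three findings."""
    return check_payment_page(SAMPLE_PAGE, CURRENTLY_SERVED.__getitem__,
                              BASELINE_EXTERNAL, BASELINE_INLINE)


if __name__ == "__main__":
    for kind, ident in run_sample():
        print(f"{kind}: {ident}")
```

Each finding maps to an alert the requirement expects: a modified or unauthorized script is the 6.4.3 case, and any change to the set of scripts served is the 11.6.1 tamper signal. In a deployment the baseline is refreshed only through the change-control process, so that the monitor's "modified" alerts correspond to unapproved changes rather than routine releases.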

DORA Operational Resilience Requirements

Financial entities should ensure ongoing DORA compliance across key domains:

ICT Risk Management: Maintain comprehensive ICT risk management frameworks addressing asset identification, threat analysis, vulnerability management, and control effectiveness. Document risk appetite and tolerances approved by management bodies.

Incident Management: Operate incident classification, response, and reporting processes meeting DORA requirements. Report major ICT-related incidents to competent authorities within prescribed timeframes using standardized formats.

Digital Operational Resilience Testing: Execute testing programs including vulnerability assessments, scenario-based testing, and for in-scope entities, threat-led penetration testing (TLPT). Maintain testing schedules aligned with regulatory technical standards.

Third-Party Risk Management: Implement robust ICT third-party risk management covering due diligence, contractual arrangements, ongoing monitoring, and exit planning. Maintain registers of ICT service arrangements for regulatory reporting.

Information Sharing: Participate in permitted threat intelligence sharing arrangements while maintaining appropriate confidentiality controls. Establish processes for receiving and acting on shared threat information.

AI Governance Compliance

Organizations deploying AI systems should address emerging compliance requirements:

EU AI Act Preparation: Complete AI system inventories and risk classification against EU AI Act categories. For high-risk systems, initiate compliance programs addressing conformity assessment, technical documentation, and post-market monitoring requirements applicable from August 2026.

State AI Laws: Assess AI deployments against state-level requirements including Colorado SB24-205 for consequential decision systems. Implement risk management, impact assessments, and consumer disclosure measures where applicable.

Sector-Specific Guidance: Financial services AI deployments should address emerging supervisory guidance on model risk management, fairness in algorithmic decision-making, and explainability requirements. Healthcare AI should address FDA guidance and HIPAA considerations.

Voluntary Frameworks: Consider alignment with NIST AI Risk Management Framework and ISO/IEC 42001 AI management system standards to demonstrate responsible AI practices and prepare for eventual mandatory requirements.

Data Protection and Privacy

Privacy compliance remains dynamic across jurisdictions:

US State Privacy: Monitor compliance across operational jurisdictions as additional state privacy laws take effect. Maintain flexible privacy frameworks accommodating varying consent, disclosure, and consumer rights requirements.

International Data Transfers: Ensure data transfer mechanisms remain valid following EU-US Data Privacy Framework establishment and monitor for potential challenges. Maintain standard contractual clauses as alternative transfer mechanisms.

Children's Privacy: Address enhanced requirements for children's data processing under various jurisdictions including COPPA updates, UK Age Appropriate Design Code, and EU Digital Services Act provisions for minors.

Privacy Program Operations: Maintain privacy impact assessment processes, data subject request handling, and breach notification procedures. Ensure privacy programs address AI-specific considerations including automated decision-making transparency.

Recommended Actions

Immediate (0-30 days): Complete year-end compliance attestations and reporting requirements. Assess progress against 2025 compliance objectives and identify carryover items for 2026 planning.

Near-term (Q1 2026): Finalize PCI DSS 4.0 compliance preparations before the March 31 deadline. Verify DORA compliance status and address any gaps identified during regulatory engagement.

Medium-term (Q2 2026): Advance EU AI Act compliance programs ahead of the August high-risk system deadline. Prepare CSRD reporting capabilities for applicable entities.

Ongoing: Maintain regulatory monitoring for new requirements and enforcement developments. Update compliance programs based on regulatory guidance and enforcement trends. Ensure board and management reporting addresses evolving regulatory landscape.

Zeph Tech Analysis

The compliance landscape continues expanding in scope and complexity, with regulatory initiatives spanning cybersecurity, operational resilience, sustainability, and emerging technology governance. Organizations that invest in integrated compliance frameworks, automated control monitoring, and proactive regulatory engagement will manage obligations more efficiently while reducing compliance risk.

The convergence of requirements across jurisdictions creates opportunities for unified compliance approaches, but implementation details often vary, requiring careful attention to specific obligations. Compliance professionals should prioritize understanding regulatory intent alongside technical requirements to build programs that satisfy both the letter and spirit of applicable rules.

Zeph Tech will continue monitoring regulatory developments and providing compliance guidance as obligations evolve throughout 2026.

[Figure: horizontal bar chart of credibility scores for each source cited in this briefing]
