Cybersecurity: Building resilience in a complex regulatory landscape

2024 saw a flurry of new regulations for TMT businesses requiring greater focus on and transparency around digital resilience and cybersecurity. To successfully navigate this regulatory environment and thrive in today’s rapidly evolving digital environment, organisations need to respond with an approach based on continuous compliance, responsible innovation, and employee awareness.  

This will enable a proportionate approach to managing risks, meet regulatory demands, and safeguard their customers, employees and shareholders.  

Key developments entering 2025 

The expanded scope of the EU’s NIS Directive (NIS2) came into force in October 2024, introducing several TMT subsectors to the regulation for the first time. The EU’s AI Act proceeded through approvals in the European courts, with full enforcement in members states anticipated in 2026.  

Implementation of many other regulations is underway, including updated privacy regulations, the EU’s Cyber Resilience Act, and the Digital Operational Resilience Act (DORA).  

Regulators are taking a firmer grip on TMT businesses, and their tolerance for cyber breaches is reducing. Many of these regulations carry larger penalties than the unprecedented fines which GDPR introduced in 2017.  

Boards can now be held personally responsible to account for breaches of compliance. This is happening in the context of an increasingly sophisticated cyber threat landscape, driven by socio-economic factors and more enabled threat groups. No surprise that cyber risk and compliance are nearing the top of most board risk registers.  

The focus for 2025 and beyond 

Overlay this landscape onto the fast-paced change and innovation being seen within TMT industries and it is clear there are many challenges ahead. Businesses are transforming, supply chains are evolving, broadening and becoming more critical. Digital resilience continues to compete with business agility and pace of delivery. Many businesses are struggling to prioritise security investment budgets across a blend of aging infrastructure and new, digital technologies.  

Drawing on our in-depth experience with clients, we have recommendations to help TMT businesses navigate this environment:  

1. Operationalise regulatory compliance: Business should move beyond periodic audits and adopt ongoing compliance observability and monitoring. Automated tools can be implemented to track position against regulatory changes, using data-driven metrics and insights to identify and address potential breaches before they occur. 

2. Navigate global regulations: In a complex global regulatory environment, businesses often need to balance conflicting requirements. Collaborating with strategic business advisors will help create a cohesive and proportionate global compliance strategy, ensuring adaptability across regions while cost-effectively meeting critical obligations. 
3. Proactively address digital resilience: A comprehensive resilience plan should be developed to address not just cyber risk, but also wider business risks with clear incident response protocols and business continuity frameworks that are holistic and proportionate. Regular testing through exercises and investing in zero-trust architecture will strengthen resilience. 
4. Set responsible governance: New and fast-paced technologies must be deployed securely and ethically to maintain trust. Businesses should establish a responsible innovation framework, including bias audits, privacy assessments, and compliance with evolving regulations, to manage risks as an enabler for innovation. 
5. Instil discipline to build sustainable resilience: Hygiene, consistency and continual improvement in risk and security are fundamental and foundational for digital resilience, both within the business and across the supply chain. Getting the simple things right is often enough to stop all but the most persistent threats.

Discover more perspectives on key trends shaping TMT in 2025