Key 2025 Compliance Updates You Should Know

Key Takeaways

  • Mandatory reporting is now standard. New regulations like DORA, NIS2, and HIPAA updates require organizations to report cyber incidents—sometimes within just 72 hours—to maintain transparency and avoid penalties.
  • 72-hour incident response windows are achievable, but only with preparation. Meeting tight timelines demands documented IR plans, defined workflows, cross-functional coordination, and automated detection tools.
  • Common technical controls are critical across all frameworks. Resilience strategies like MFA, zero trust, immutable backups, and tested recovery are no longer optional. They’re baseline requirements for compliance and cyber insurance.
  • Third-party risk is now your risk. Regulations demand that companies assess, document, and prove the resilience of their vendor ecosystem. Failing to do so can cause outages, data breaches, and regulatory penalties, even if your own systems are secure.

Compliance rules are changing fast in 2025. Whether you’re in IT, a CCO, legal, or just trying to keep your company on track, here’s a simple breakdown of the updates you’ll want on your radar.

In this Q&A blog, we take on this year’s compliance “acronym stew” and cover the complexities of mandatory reporting, tactics for streamlining incident response, and ways to strengthen your defenses with common controls across platforms.

Leah Troscianecki, Principal Product Marketing Manager on Veeam’s Enterprise team, is joined by Edwin Weijdema, Field CTO for EMEA. With over three decades of industry, technology, and business leadership experience, Edwin serves as a trusted adviser to our global customers, partners, and colleagues. A key focus on data management and cybersecurity makes him the ideal resource to help you look closer at 2025’s compliance concerns and regulations.

Q: What exactly is happening in the compliance world — and why do people call it “acronym stew”?

Leah: We’re specifically focusing on the Digital Operational Resilience Act (DORA), the Network and Information Security 2 (NIS2) Directive (a law enhancing cybersecurity across the EU), and the EU Cyber Resilience Act (CRA). The chaos and complexity of requirements across the EU, specific countries, and even U.S. states inspired the term ‘acronym stew’.

Edwin: That sobriquet “stew” certainly describes the swirl of compliance and regulations we’re enduring. After all, we’ve seen the headlines: it’s a perilous and fraught IT universe! Yet, this span of regulations has a few things in common, such as a local version helping organizations align people, processes, and technology. My bingo card isn’t even full yet on compliance acronyms, but they’re all pushing organizations toward awareness and accountability for their security posture. I also notice that people jump straight into technology to fix something — neglecting people and processes.

Q: Why do regulators demand mandatory reporting — and how should companies respond?

Leah: Across these changes we keep running into the term ‘mandatory reporting.’ That means an enterprise must reveal to its governing body whenever a cyber incident occurs — sometimes even when it paid ransom — as well as disclosing its mitigation plan.

Edwin: Some years ago, if attacked by ransomware, organizations kept silent, as if ashamed of their breach and infiltration. But now we realize that exposing the truth restores trust faster than hiding the event. Companies should develop a clear and tested incident response plan that includes procedures for reporting, because responding transparently and within the mandated timelines will help companies maintain trust, as well as avoid penalties.

Q: How do you coach customers?

Edwin: Public/private information-sharing helps the entire industry; other organizations can learn from your case. My advice is this: During the first 48 hours, maintain a blackout; fix things; shrink the blast radius. After that, if you know what happened, you can go public — perhaps not with every detail (which can prompt a second attack) but sufficient information to prove you have the incident under control. Then educate everyone enough so rumors don’t define you.

That approach restores confidence: people realize, ‘Okay, it can happen to anyone; they’ve handled it.’ And if you don’t tell the story in your own words, social media or the press will invent it anyway!

Q: What are your thoughts? Is a time-bound incident response window of 72 hours (or less) realistic or impossible? 

Leah: Some proposals — including changes to HIPAA — mention a ‘72-hour clock’. Many people scoff at that goal, saying that there is no way they could handle 72 hours. This window is only realistic with good preparation. Companies need to invest in preparedness, automation, and cross-functional coordination. Some must-haves are:

  • Documented and regularly tested IR plan
  • Clear escalation paths
  • Real-time monitoring and detection tools
  • Pre-approved templates and legal language to accelerate reporting

Edwin: There are two distinct pieces here, too. One: 72 hours to report; two: 72 hours to get back on your feet. In Europe, you must report within 72 hours. HIPAA’s draft wants you operational in 72! So, being prepared can’t be understated.

Q: Can organizations manage such a challenging part of the incident response?

Edwin: Many think, ‘We’ll never manage that.’ But I believe it’s possible, at least for the primary processes. If people, processes, and technology are aligned and you practice with AI and automation, you could draft a notice in five minutes — but only if you know the workflow and who signs off. Without testing, it’s unrealistic.

Q: What is the significance of common technical controls like MFA and zero trust, and what do they have in common?

Leah: We do keep seeing those same technical controls. Even cyber-insurance carriers demand immutable backups (so attackers can’t wipe them), MFA, incident-response testing, and so forth…

Edwin: Absolutely. Whether DORA, NIS2, or a domestic U.S. regulation, the controls have a commonality: they’re all focused on minimizing the blast radius of an attack and preserving operational continuity. Controls like MFA, zero trust, immutable backups, and endpoint detection aren’t random. They’re prescriptive because they’ve proven effective across real-world incidents.

At their core, these controls are about resilience and verification. MFA prevents attacks from gaining access with stolen credentials. Zero trust enforces continuous authentication and segmentation, reducing lateral movement. Immutable backups guarantee that even if production systems are compromised, recovery is possible. And incident-response testing ensures that when something does go wrong, and it will, teams can act swiftly and in a coordinated way.

What they all have in common is that they’re preventive and recoverable measures. Regulators and insurers alike are signaling: it’s not enough to detect and respond — you must design your environment to withstand, contain, and recover from an attack. That’s pretty much the essence of modern cyber resilience.


Q: Third-party/supply-chain risk: why the sudden regulatory spotlight?  

Leah: Let’s end with third-party risk mitigation. Regulations now ask you to prove that your entire supply chain is secure. Such regulatory scrutiny naturally extends to supply chain security, requiring risk assessments, contractual security terms, and evidence of resilience to avoid outages caused by vendor failures. 

Edwin: Veeam invests heavily in maintaining certifications, audits, and secure development practices. This tells me: look over your left and right shoulders and don’t just trust a vendor’s ‘blue eyes.’ Perform risk assessments; bake security terms into contracts; ask for evidence. Data resilience is the foundation of operational resilience. Note that acronym: D-O-R-A—those middle letters O-R stand for operational resilience. That’s where Veeam focuses its investment.

Q: Can you share any real-world examples where third-party risk caused an outage?

Leah: American Express experienced downtime due to a vendor in their supply chain. Can you add color, anonymous or otherwise?

Edwin: Certainly. You see a big brand — American Express in that case — and the root cause is a supplier failure. A merchant processor used by its customers was hacked. As a result, card account numbers, expiration dates, and cardholder names of many AMEX users were exposed. That’s why I tell clients: ‘every partner is a shackle.’ You own the risk your vendors bring. Do a real risk assessment, not just a checkbox. Ask yourself, ‘If this vendor goes down, what happens to me? What’s their RPO, RTO, cyber-resilience posture?’ Many firms only discover their weaknesses after a public outage. And by then, the damage to their reputation and revenue is done.

Q: How does Veeam itself handle third-party-risk mitigation?

Edwin: Veeam spends millions you don’t see, just to keep the Veeam shackle strong. Behind the shield, we have ISO certifications, SOC audits, a secure-development lifecycle — the whole Veeam Trust Center. Those aren’t just logos or acronyms; they prove our product has been penetration-tested. The organization running the product is tested, compliant, and aligned with the very regulations we’re discussing — DORA, NIS2, CRA; you name it.

Leah: When customers look at our Trust Center, they gain evidence that the vendor they rely on is living up to its side of the bargain.

To wrap up: despite the regulatory whirlwind, four themes keep repeating:

  1. Mandatory reporting
  2. Time-bound response windows
  3. Common controls around zero-trust and resilience
  4. Third-party-risk programs

If you nail people and processes first, technology like Veeam’s can satisfy the control requirements and keep you in good shape. This acronym stew comprises the key compliance changes, the challenges they pose, and the strategies to meet these demands effectively.

The post Key 2025 Compliance Updates You Should Know appeared first on Veeam Software Official Blog.
