The adoption of new regulations is accelerating, with 41 key pieces of regulation identified as part of IoT Analytics’ Digital and ESG Regulation Outlook 2025–2030.
4 EU regulations are set to have a very high impact on organizations in the coming years: the EU Cyber Resilience Act (CRA), EU Data Act, EU AI Act, and EU Corporate Sustainability Reporting Directive (CSRD) each received a very high impact score.
Why it matters
Regulations often come with severe financial and operational penalties if not complied with. Enterprises should be aware of the regulations that impact their operations and work with their legal teams to ensure business compliance and readiness to adapt as new regulations come into effect.
Introduction: The emerging regulations radar
40+ new or amended regulations will impact how organizations operate worldwide. The adoption of new or updated regulations is accelerating, according to IoT Analytics’ Digital and ESG Regulation Outlook 2025–2030 (published August 2025). This is being driven by outdated laws, rapid technological innovations, and growing demands for corporate accountability in how companies handle data, the use of AI, and environmental, social, and governance (ESG) impacts, with the EU leading the charge. To assess the impact these regulations will have on organizations worldwide, the IoT Analytics analyst team identified 41 upcoming or recently updated regulations that will impact enterprises to some degree, with a focus on regulations in the EU, US, China, and the UK.
The impact radar shows 4 upcoming regulations with very high impact. 4 of the upcoming regulations, all from the EU, are classified as having very high overall impact scores and require urgent attention from enterprises doing business in the EU. They are:
- Cyber Resilience Act (CRA) – This act impacts all entities that manufacture, import, or distribute products with digital elements (PDE) placed on the EU market. It places strict cybersecurity obligations on manufacturers and mandates tight incident reporting deadlines. Both the cost of implementation and the severity of non-compliance penalties are very high.
- Data Act – This act impacts all manufacturers of connected products placed on the EU market, users of and data recipients from these products, data holders and processors, and public sector organizations. It gives users the right to access their product data, regulates business-to-business data sharing, eliminates switching fees for cloud providers, and removes trade secrets as an exemption for data access. Both the cost of implementation and the severity of non-compliance penalties are very high.
- AI Act – The act impacts developers, deployers, and users (except for personal/non-professional use) of AI, as well as importers, resellers, and distributors of AI systems. It categorizes AI systems into 4 risk levels, ranging from unacceptable risk to minimal risk. High-risk systems must undergo assessment and be registered in the EU, while generative AI (GenAI) content is subject to specific use and labeling requirements. Both the cost of implementation and the severity of noncompliance penalties are very high.
- Corporate Sustainability Reporting Directive (CSRD) – This directive impacts companies that fulfil any of the following criteria: are considered large based on revenue criteria, are listed on an EU-regulated market, are banks or insurance companies, or are EU subsidiaries of non-EU companies. In all, it impacts approximately 60,000 companies. It places ESG and sustainability strategy reporting requirements on companies and requires these reports to be reviewed by independent auditors. Implementation costs are very high, and the severity of non-compliance penalties is fairly high.
The full report delves into each regulation, with the assessed organizational impact score and regulation specifics where relevant. Below are the 41 identified regulations, including their purpose, impacted entities, and the penalties for non-compliance.
Data regulations
The EU is the gold standard for privacy laws. Without question, the EU leads with the strictest, most mature data laws. Its General Data Protection Regulation (GDPR) remains the global benchmark for personal data protection, with robust user rights, breach reporting requirements, and substantial penalties. Even US states like California have adopted privacy acts that align closely with GDPR. Meanwhile, China’s strict data acts largely have a national security focus while also providing users the ability to consent to cross-border data transfers.
Regulation | Region | Description | Who it applies to | Non-compliance penalties |
---|---|---|---|---|
California Privacy Rights Act (CPRA) | US | Regulates how personal data of California residents is used, limits data sharing for targeted ads, and protects correction/deletion rights | For-profit businesses engaged in the collection, processing, or sharing of California residents’ data. To be in scope, a business must fulfill at least one of the following criteria: have an annual revenue of at least $25 million; handle data of 100,000 or more consumers or households; or earn 50% or more of its revenue from selling or sharing personal information | Fines up to $7,500 for each intentional violation, alongside possible operational restrictions or public disclosure orders |
Data Act | EU | Grants access to non-personal data, regulates non-personal data sharing across firms and governments, and addresses personal data in specific contexts | All manufacturers of connected products placed on the EU market, EU users of connected products, EU data recipients receiving data from data holders, data holders, providers of data processing services for EU customers, and public sector and EU bodies requesting data | Fines set by EU Member States, with GDPR penalties applying for personal data breaches |
Data Governance Act (DGA) | EU | Sets rules for the re-use of public sector data, regulates data intermediation services, and establishes the EU Data Innovation Board, all aiming to foster a trustworthy environment for data sharing within the European Union | Public sector entities holding data subject to re-use, data intermediation service providers, data altruism organizations, natural and legal persons, and the EU Data Innovation Board | Fines and operational penalties are set by EU Member States |
Data Protection Act (DPA) | UK | Regulates how personal data is used by organizations, businesses, and the government; provides individuals with rights over their personal information; and aligns with the EU GDPR (as the UK was part of the EU when the GDPR was adopted) | Any company or entity operating within the UK that processes personal data, including data controllers—entities that determine the purposes and means of processing personal data—and data processors—entities processing personal data on behalf of controllers | Fines up to £17.5 million or 4% of a company’s annual revenue (whichever is higher), alongside possible operational restrictions or public disclosure orders |
Data Security Law (DSL) | China | Regulates all data handling activities in China, primarily setting strict controls for important and core data to ensure security and national interests | All entities that collect, process, store, and transfer data in general (not just personal data), specifically important data handlers, core national data handlers, critical information infrastructure operators, and government bodies handling data | Fines up to ¥10 million (approximately $1.5 million USD), alongside possible operational restrictions, public disclosure orders, or even criminal prosecution |
Digital Markets Act (DMA) | EU | Regulates obligations and restrictions on designated gatekeepers—large online platforms with significant market influence | All entities identified as gatekeepers, defined by meeting criteria such as an annual turnover exceeding €7.5 billion, operations in at least 3 EU Member States, and a user base of over 45 million monthly active end-users and 10,000 annual business users | Fines up to 20% of the company’s annual revenue, alongside possible operational restrictions or public disclosure orders |
Digital Services Act (DSA) | EU | Enforces obligations for digital service providers, platforms, and intermediaries; manages illegal content; ensures transparency; and mitigates risks | Intermediary service providers, hosting service providers, online platforms, and online search engines | Fines up to 6% of a company’s annual revenue, alongside possible operational restrictions or public disclosure orders |
General Data Protection Regulation (GDPR) | EU | Regulates how entities can collect, process, and protect the personal data of individuals within the EU | Any company or entity operating within the European Union that processes personal data. | Absolute fines up to €20 million or percentage-based fines up to 4% of revenue (whichever is higher), public disclosure orders, product recalls or bans, suspension of operations, and rectification or erasure of data |
Health Insurance Portability and Accountability Act (HIPAA) | US | Regulates the privacy, security, and confidentiality of individuals’ health data, and allows appropriate data access for healthcare operations | Health plans, including insurers and health maintenance organizations (HMOs); healthcare clearinghouses; healthcare providers; and businesses handling protected health information (PHI) on behalf of the above-mentioned entities, like billing companies, data processors, or cloud service providers (CSPs) | Fines up to $250,000, alongside possible operational restrictions, public disclosure orders, or even imprisonment up to 10 years |
Personal Information Protection Law (PIPL) | China | Regulates the collection, use, storage, transfer, and disclosure of personal information on individuals located in China | Data handlers that collect, process, store, and transfer personal data of individuals located in China; critical information infrastructure operators that handle large-scale or sensitive data; and platform operators with complex business models and a large number of users that process personal data | Fines up to ¥50 million (approximately $7 million USD) or 5% of annual revenue (whichever is higher), alongside possible operational restrictions, public disclosure orders, and even a ban from managerial roles |
Cybersecurity regulations
The scope of cybersecurity acts is expanding globally. The EU, US, UK, and China are either tightening existing cybersecurity laws or introducing new ones, with non-compliance bringing hefty fines and negative operational actions. Beyond avoiding fines, meeting cybersecurity requirements is increasingly essential for doing business. For digital and connected products, failure to comply can mean exclusion from entire markets.
Regulation | Region | Description | Who it applies to | Non-compliance penalties |
---|---|---|---|---|
Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) | US | Requires critical infrastructure entities to report significant cyber incidents and ransomware payments to the US Cybersecurity and Infrastructure Security Agency (CISA) | All private and public entities in critical infrastructure sectors as defined by Presidential Policy Directive 21 (PPD-21), which include entities operating in the energy, healthcare, financial services, transportation, and communications sectors | Fines established through civil actions, alongside possible public disclosure orders |
Cyber Resilience Act (CRA) | EU | Sets security standards and mandatory requirements for designing digital products, requiring manufacturers to manage vulnerabilities throughout the product lifecycle | Manufacturers that design, develop, or market PDEs under their name; importers that place non-EU PDEs on the EU market; and distributors that supply PDEs without modifying them | At least €15 million or a minimum of 2.5% of the total annual worldwide turnover (whichever is higher), alongside possible public disclosure orders, product recalls or bans, suspension of operations, and loss of license |
Cybersecurity and Infrastructure Security Agency (CISA) Act | US | Establishes CISA in the Department of Homeland Security and strengthens federal protection of critical infrastructure from cyber threats | Federal agencies, state, local, tribal, and territorial governments, and all critical infrastructure operators | Penalties for non-compliance do not exist unless mandated by other legislative acts |
Cybersecurity Law | China | Regulates network security, personal data protection, and critical information infrastructure | All network and critical information infrastructure operators, network product providers and 3rd-party contractors, entities that deal with personal and cross-border data (if data is collected in China), and entities operating in China | A fine of ¥1 million, alongside possible product recalls or bans, suspension of operations, and loss of licenses |
Digital Operational Resilience Act (DORA) | EU | Mandates ICT risk management frameworks for the financial sector and requires oversight of critical third-party ICT service providers | Most financial entities, such as banks, investment firms, payment institutions, asset and fund managers, insurers, and crypto platforms, and 3rd-party ICT service providers offering services to financial entities, such as cloud and data service providers, software vendors, and ICT outsourcing firms | Fines are set by EU Member States, while operational penalties include public disclosure orders, product recalls or bans, suspension of operations, and loss of licenses |
Executive Order (EO) 14028 on Improving the Nation’s Cybersecurity | US | Requires federal agencies to implement security measures and software bills of materials (SBOMs) to ensure the integrity of the software supply chain | All federal agencies, critical infrastructure operators, ICT and OT service providers, cloud service providers, software (classified as critical), and hardware vendors, if under contract with federal agencies and critical infrastructure operators (CIO) | No fines, but organizations could face operational penalties such as public disclosure orders, suspension of operations, and disqualification from federal contracts |
EU Cybersecurity Act | EU | Regulates the European Union Agency for Cybersecurity (ENISA) and establishes a European cybersecurity certification framework for ICT products, services, and processes | ENISA and providers of ICT products, services, and processes only if they choose to certify their products or are mandated to do so by EU or national regulations | Fines are set by EU Member States, while operational penalties include product recalls or bans and suspension of operations |
IoT Cybersecurity Improvement Act | US | Mandates the development of minimum-security standards for IoT devices purchased or used by federal agencies | All federal agencies that procure or manage IoT devices, IoT device manufacturers or vendors that supply IoT devices to US federal agencies, and IoT service providers for US federal agencies | No fines, but organizations could face operational penalties such as product recall or bans, suspension of operations, loss of licenses, and disqualification from federal contracts |
National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) 2.0 | US | Guides organizations in managing cybersecurity risks through 6 core functions: govern, identify, protect, detect, respond, and recover | All US federal agencies, when mandated by other EOs and regulations, and critical infrastructure service providers, when mandated by EOs and legislation | Penalties for non-compliance do not exist unless mandated by other legislative acts |
National Security and Investment (NSI) Act | UK | Regulates acquisitions and investments that can have national security risks and allows the government to condition acquisitions in 17 sensitive sectors | UK-based companies acquiring another UK or foreign company with UK operations, or foreign companies acquiring control over UK businesses, assets, or intellectual property | At least £10 million or 5% of revenue (whichever is higher), alongside possible transaction voiding |
Network and Information Systems Regulations | UK | Establishes measures to improve the cybersecurity and resilience of critical services and implements reporting obligations | All operators of essential services, such as energy, health, and digital infrastructure companies, as well as online marketplaces, online search engines, and cloud service providers | A fine of £17 million, alongside possible public disclosure orders, product recalls or bans, suspension of operations, and loss of licenses |
Network Data Security Management Regulation | China | Secures network data in China and establishes risk assessments and strict controls on data sharing and cross-border transfers | All entities involved in network data processing within China, including data collection, storage, use, transfer, and deletion, specifically network data processors, critical information infrastructure operators, large platforms, and 3rd-party service providers | A fine of ¥10 million, alongside possible product recalls or bans, suspension of operations, and loss of licenses |
Network Information Systems Directive 2 (NIS2) | EU | A legislative act aimed at establishing security risk management measures, regulating management compliance, and setting incident reporting procedures while repealing and replacing the original 2016 NIS Directive, addressing prior shortcomings in cybersecurity legislation | Public and private sector entities of all sizes (small, medium, and large) with domestic or foreign headquarters operating within the EU jurisdiction | Fines of at least €10 million or a minimum of 2% of the total annual worldwide turnover (whichever is higher), alongside operational restrictions and public disclosure orders |
Product Security and Telecommunications Infrastructure Act (PSTIA) | UK | Imposes cybersecurity requirements on manufacturers, importers, and distributors of UK consumer smart products | Any manufacturer of a UK consumer smart product, entity that markets a product manufactured by another entity under that entity’s name or trademark, importer of UK consumer smart products, and distributor of UK consumer smart products | A fine of at least £10 million or 4% of revenue (whichever is higher), alongside possible public disclosure orders, product recalls or bans, suspension of operations, and loss of licenses |
Regulation 2023/2841: Regulation on Cybersecurity Measures for EU Institutions | EU | Establishes common cybersecurity measures across EU institutions | EU institutions, offices, and agencies | No fines, but institutions could face suspension of operations, warnings, and recommendations |
Regulation 2024/482: Commission Implementing Regulation on European Common Criteria-based Cybersecurity Certification Scheme | EU | Establishes rules and obligations for manufacturers and certification entities involved in the EU Common Criteria (introduced in the EU Cybersecurity Act) | Manufacturers, importers, and distributors of ICT products subject to or pursuing EUCC certification, whether required by EU law or chosen voluntarily | Fines are set by EU Member States, while operational penalties include public disclosure orders, product recalls or bans, and suspension of operations |
Telecommunications (Security) Act (TSA) | UK | Enforces legal obligations on telecom providers in the UK to safeguard their networks | Public electronic communication network providers, public electronic communications service providers, suppliers of telecommunication equipment, and managed service providers for telecommunication networks | A fine of at least £10 million or 10% of revenue (whichever is higher), alongside possible public disclosure orders, product recalls or bans, suspension of operations, loss of licenses, and enforcement notices |
AI regulations
AI technology outpaces regulatory development worldwide. AI is a prime example of a technology that is evolving faster than legislative acts can keep pace, leaving many jurisdictions either unregulated or without clear compliance requirements. Governments are still in the early stages of AI governance, relying on guidelines rather than regulations. Meanwhile, much of the world is looking to the EU, the US, and China for regulatory direction. Many governments are delaying their own AI regulation efforts to observe how these leading economies structure governance. In general, the EU is moving ahead with strict, rule-based AI oversight while the US favors a more innovation-oriented approach. China, by contrast, is prioritizing control through state-led security and enforcement frameworks.
Regulation | Region | Description | Who it applies to | Non-compliance penalties |
---|---|---|---|---|
AI Act | EU | Regulates the development, marketing, and use of AI systems, bans certain AI practices, imposes obligations on high-risk AI, and ensures human oversight | All AI providers (developers and deployers), including providers of foundational models, GenAI, and pre-trained AI models integrated in AI systems, as well as AI component suppliers; all AI deployers (users), except for personal or non-professional activities; and importers, resellers, and distributors of AI systems | A fine of €35 million or 7% of revenue (whichever is higher), alongside possible content access restrictions |
EO 14141 on Advancing US Leadership in AI Infrastructure | US | Sets rules on the development of AI data centers, requires clean energy usage, and requires compliance with NIST standards | Companies engaged in the development, operation, or supply of AI infrastructure, specifically in AI infrastructure development (AI data centers, computing clusters, clean energy infrastructure) and AI model development and operations | Does not specify explicit penalties but empowers federal agencies (the Departments of Defense, Energy, and Commerce) to establish regulations that enforce penalties |
Interim Measures for the Management of GenAI Services | China | Enforces rules for AI service providers on content control, data security, algorithm transparency, user rights, and compliance with state ideology | GenAI service providers that develop, deploy, or offer GenAI services (such as LLMs, image generators, and automated content creation tools) and AI infrastructure and platform operators, such as cloud computing platforms, data centers, and algorithm marketplaces that provide infrastructure for generative AI services | Financial penalties from other legal acts, such as the Personal Information Protection Law and the Cybersecurity Law, apply |
Sustainability regulations
Regulatory pressure sustains green tech demand. As IoT Analytics recently noted, CEO discussions around sustainability and related topics have steadily declined in corporate earnings calls since their peak in Q1 2021. This does not mean companies are abandoning or losing interest in sustainability initiatives, though it could indicate such initiatives are afterthoughts for CEOs amid new digitalization and AI initiatives. Nonetheless, regulations remain in place that compel transparent reporting and set targets for energy consumption reduction. These regulatory pressures are helping propel the sustainability platform market toward an estimated $3.7 billion by 2029.
Regulation | Region | Description | Who it applies to | Non-compliance penalties |
---|---|---|---|---|
Corporate Sustainability and Due Diligence Directive (CSDDD) | EU | Requires due diligence reporting and regulates how companies identify, prevent, and address human rights and environmental impacts in their value chains | All companies with over 1,000 employees and a global revenue of at least €450 million in the last financial year | Fines are set by EU Member States (percentage-based fines are at least 5% of revenue), as are operational restrictions |
Corporate Sustainability Reporting Directive (CSRD) | EU | Requires companies to disclose ESG impacts, imposes standardized reporting, and requires independent audits | All companies that fulfil any of the following criteria: are considered large based on revenue criteria; are listed on an EU-regulated market; are banks or insurance companies; or are EU subsidiaries of non-EU companies | Fines and operational penalties are set by EU Member States |
Ecodesign for Sustainable Products Regulation (ESPR) | EU | Sets sustainability requirements for a wide range of physical products placed on the EU market and establishes the digital product passport | All manufacturers of physical goods placed on the EU market, including components and intermediate products (with exceptions for food and feed, medical products, living organisms, vehicles, and certain products in the construction sector), importers and distributors of physical goods, and online marketplaces and online search engines | Fines and operational penalties are set by EU Member States |
(New) Energy Efficiency Directive (EED) | EU | Enforces measures to improve energy efficiency in the EU and sets binding requirements and targets for energy consumption reduction in various sectors | All enterprises with high energy consumption (i.e., enterprises consuming >10 TJ annually and those consuming >85 TJ over the past 3 years), all data centers with an IT power demand of over 500 kW, and public sector contractors | Fines and operational penalties are set by EU Member States |
Machinery Regulation | EU | Establishes safety and compliance rules for machinery and related products and addresses new AI and connectivity-related risks | Machinery manufacturers, importers, and distributors | Fines and operational penalties are set by EU Member States |
Net Zero Industry Act (NZIA) | EU | Sets rules for scaling up EU manufacturing capacity, streamlining permitting procedures, and sets supply chain resilience rules for 19 net-zero technologies | All companies that manufacture, develop, or operate net-zero technologies | Fines and operational penalties are set by EU Member States |
New Batteries Regulation | EU | Regulates the production, recycling, and disposal of batteries and sets rules for extended producer responsibility, material recovery, and supply chain due diligence | Battery manufacturers, importers and distributors of batteries, waste management and recycling operators, and independent operators involved in battery repair, maintenance, or repurposing | Fines and operational penalties are set by EU Member States |
Renewable Energy Directive (RED) III | EU | Sets targets to increase renewable energy levels by 2030 and requires Member States to optimize permitting procedures and grid integration for clean energy transition | Transmission system operators, distribution system operators, fuel suppliers, renewable energy producers, battery manufacturers, and EV manufacturers | Fines and operational penalties are set by EU Member States |
Sustainable Finance Disclosure Regulation (SFDR) | EU | Regulates the transparency of sustainability risks in the decision-making processes of financial market participants and financial advisers | Financial market participants, such as investment and insurance firms, institutions for occupational retirement provision, manufacturers of pension products, alternative investment fund managers (AIFMs), entrepreneurship and venture capital funds, management companies of undertakings for collective investment in transferable securities (UCITS), and credit institutions, as well as financial advisors, such as insurance intermediaries, investment firms, AIFMs, and UCITS | Fines and operational penalties are set by EU Member States |
Taxonomy Regulation | EU | Sets criteria to assess if an economic activity is sustainable and establishes the extent to which an investment is environmentally sustainable | Financial market participants, such as asset managers, institutional investors, insurance companies, and pension funds; financial advisors; and large public interest companies, subject to non-financial reporting under Directive 2013/34/EU | Fines and operational penalties are set by EU Member States |
The post 2025 Regulatory Overview: Digital and ESG Measures to Keep in Focus appeared first on IoT Business News.