Daily GRC Times News Digest
Welcome to your GRC Times News Digest — your go-to source for updates and commentary across Governance, Risk, and Compliance. Today’s highlights cover the most important shifts in the regulatory landscape that every GRC, cybersecurity, and risk professional should know.
1. Accelerating Regulatory Changes
- Regulatory changes in 2025 are speeding up, especially around cybersecurity.
- Key frameworks to watch: DORA, the EU AI Act, and the NIS2 Directive.
- Organizations must align compliance and risk goals with business strategy.
- Focus on closing control gaps and centralizing change management for stronger compliance posture.
2. Financial Regulation Updates
- The CFTC is launching a new stablecoin initiative.
- The Bank Policy Institute has urged the SEC to tighten crypto custody requirements.
- Financial institutions need to stay informed on fast-evolving digital currency regulations.
- New reforms could open opportunities for innovation and stimulate the economy.
3. ISO 27001 Transition Deadline
- The ISO 27001:2022 standard, introduced in October 2022, brings updated cybersecurity controls.
- All certifications must transition to the new version by October 31, 2025.
- Companies should update their Information Security Management Systems (ISMS) to address new and emerging cyber risks.
4. Defense Cybersecurity – CMMC Rule
- The Department of Defense has finalized the Cybersecurity Maturity Model Certification (CMMC) rule.
- It will be part of the DFARS framework starting November 10, 2025.
- Contractors must obtain a CMMC unique identifier and maintain valid certification to qualify for contracts.
- Only about 1% of contractors are currently ready for full audits — action is critical.
5. Operational and Cyber Resilience
- Regulatory attention is increasing on operational and cyber resilience.
- Key requirements include the EU Digital Operational Resilience Act (DORA) and the OCC's sound practices for operational resilience.
- Organizations will need significant investment in cybersecurity infrastructure to meet these global standards.
6. Corporate Governance and ESG
- Boards face growing political and regulatory scrutiny.
- Stakeholders are demanding stronger CEO accountability and ethical oversight.
- AI-powered governance tools are becoming common but raise new ethical and compliance challenges.
- Leading organizations now factor behavioral aspects into their risk processes, which sets them apart.
7. Data Privacy Enforcement
- The California Privacy Protection Agency issued a record $1.35 million fine for job applicant data misuse.
- The EU also fined Apple and Meta for privacy violations.
- Companies must strengthen compliance with data privacy laws, especially around candidate and biometric data.
- New state laws are emerging to protect sensitive information like brain data.
8. Compliance for Banks and Credit Unions
- The CFPB extended the Section 1071 small business lending rule compliance date to July 1, 2026 (Tier 1 lenders).
- The FDIC extended digital signage compliance to March 1, 2026.
- Financial institutions must track these shifting deadlines closely to stay compliant.
9. AI and Cybersecurity
- AI is transforming cybersecurity — both as a defense tool and a potential threat vector.
- Strong governance frameworks are essential to ensure ethical AI use and protect data integrity.
- Organizations must balance innovation with accountability to prevent AI-related risks.
10. Third-Party Risk Management
- Mature third-party risk programs are now a central part of enterprise GRC strategies.
- Vendors must meet strict security and compliance standards.
- Weak vendor oversight can lead to regulatory breaches and major security incidents.
- Integrating vendor management into the GRC roadmap strengthens overall resilience.
Closing Note
That’s your Daily GRC Digest.
Stay alert, stay compliant, and stay resilient.