The adoption of new regulations is accelerating, with 41 key pieces of regulations identified as part of the IoT Analytics’ Digital and ESG Regulation Outlook 2025–2030.
4 EU regulations are set to have a very high impact on organizations in the coming years: The EU Cyber Resilience Act (CRA), EU Data Act, EU AI Act, and EU CSRD received a very high impact score.
Why it matters
Regulations often come with severe financial and operational penalties if not complied with. Enterprises should be aware of the regulations that impact their operations and work with their legal teams to ensure business compliance and readiness to adapt as new regulations come into effect.
Introduction: The emerging regulations radar
40+ new or amended regulations will impact how organizations operate worldwide. The adoption of new or updated regulations is accelerating, according to IoT Analytics’ Digital and ESG Regulation Outlook 2025–2030 (published August 2025). This is being driven by outdated laws, rapid technological innovations, and growing demands for corporate accountability in how companies handle data, the use of AI, and environmental, social, and governance (ESG) impacts, with the EU leading the charge. To assess the impact these regulations will have on organizations worldwide, the IoT Analytics analyst team identified 41 upcoming or recently updated regulations that will impact enterprises to some degree, with a focus on regulations in the EU, US, China, and the UK.
The impact radar shows 4 upcoming regulations with very high impact. 4 of the upcoming regulations, all from the EU, are classified as having very high overall impact scores and require urgent attention from enterprises doing business in the EU. They are:
Cyber Resilience Act (CRA) – This act impacts all entities that manufacture, import, or distribute products with digital elements (PDE) placed on the EU market. It places strict cybersecurity obligations on manufacturers and mandates tight incident reporting deadlines. Both the cost of implementation and the severity of non-compliance penalties are very high.
Data Act – This act impacts all manufacturers of connected products placed on the EU market, users of and data recipients from these products, data holders and processors, and public sector organizations. It gives users the right to access their product data, regulates business-to-business data sharing, eliminates switching fees for cloud providers, and removes trade secrets as an exemption for data access. Both the cost of implementation and the severity of non-compliance penalties are very high.
AI Act – The act impacts developers, deployers, and users (except for personal/non-professional use) of AI, as well as importers, resellers, and distributors of AI systems. It categorizes AI systems into 4 risk levels, ranging from unacceptable risk to minimal risk. High-risk systems must undergo assessment and be registered in the EU, while generative AI (GenAI) content is subject to specific use and labeling requirements. Both the cost of implementation and the severity of noncompliance penalties are very high.
Corporate Sustainability Reporting Directive (CSRD) – This act impacts companies that fulfil any of the following criteria: are considered large based on revenue criteria, are listed on an EU-regulated market, are banks or insurance companies, or are EU subsidiaries of non-EU companies. In all, it impacts approximately 60,000 companies. It places ESG and sustainability strategy reporting requirements on companies and requires these reports to be reviewed by independent auditors. Implementation costs are very high, and the severity of noncompliance penalties is fairly high.
The full report delves into each regulation, with the assessed organizational impact score and regulation specifics where relevant. Below are the 41 identified regulations, including their purpose, impacted entities, and the penalties for non-compliance.
Data regulations
EU is a gold standard for privacy laws. Without question, the EU leads with the strictest, most mature data laws. Its General Data Protection Regulation (GDPR) remains the global benchmark for personal data protection, with robust user rights, breach reporting requirements, and substantial penalties. Even US states like California have adopted privacy acts that align closely with GDPR. Meanwhile, China’s strict data acts largely have a national security focus while also providing users the ability to consent to cross-border data transfers.
Regulation
Region
Description
Who it applies to
Non-compliance penalties
California Privacy Rights Act (CPRA)
US
Regulates how personal data of California residents is used, limits data sharing for targeted ads, and protects correction/deletion rights
For-profit businesses engaged in the collection, processing, or sharing of California residents’ data. To be in scope, a business must fulfill at least one of the following criteria:
– Have an annual revenue of at least $25 million
– Handle data of 100,000 or more consumers or households
– Earn 50% or more of its revenue from selling or sharing personal information
Fines up to $7,500 for each intentional violation, alongside possible operational restrictions or public disclosure orders
Data Act
EU
Grants access to non-personal data, regulates non-personal data sharing across firms and governments, and addresses personal data in specific contexts
All manufacturers of connected products placed on the EU market, EU users of connected products, EU data recipients receiving data from data holders, data holders, providers of data processing services for EU customers, and public sector and EU bodies requesting data
Fines set by EU Member States, with GDPR penalties applying for personal data breaches
Data Governance Act (DGA)
EU
Sets rules for the re-use of public sector data, regulates data intermediation services, and establishes the EU Data Innovation Board, all aiming to foster a trustworthy environment for data sharing within the European Union
Public sector entities holding data subject to re-use, data intermediation service providers, data altruism organizations, natural and legal persons, and the EU Data Innovation Board
Fines and operational penalties are set by EU Member States
Data Protection Act (DPA)
UK
Regulates how personal data is used by organizations, businesses, and the government; provides individuals with rights over their personal information; and aligns with the EU GDPR (as the UK was part of the EU when the GDPR was adopted)
Any company or entity operating within the UK that processes personal data, including data controllers—entities that determine the purposes and means of processing personal data—and data processors—entities processing personal data on behalf of controllers
Fines up to £17.5 million or 4% of a company’s annual revenue (whichever is higher), alongside possible operational restrictions or public disclosure orders
Data Security Law (DSL)
China
Regulates all data handling activities in China, primarily setting strict controls for important and core data to ensure security and national interests
All entities that collect, process, store, and transfer data in general (not just personal data), specifically important data handlers, core national data handles, critical information infrastructure operators, and government bodies handling data
Fines up to ¥10 million (approximately $1.5 million USD), alongside possible operational restrictions, public disclosure orders, or even criminal prosecution
Digital Markets Act (DMA)
EU
Regulates obligations and restrictions on designated gatekeepers—large online platforms with significant market influence
All entities identified as gatekeepers, defined by meeting criteria such as an annual turnover exceeding €7.5 billion, operations in at least 3 EU Member States, and a user base of over 45 million monthly active end-users and 10,000 annual business users
Fines up to 20% of the company’s annual revenue, alongside possible operational restrictions or public disclosure orders
Digital Services Act (DSA)
EU
Enforces obligations for digital service providers, platforms, and intermediaries; manages illegal content; ensures transparency; and mitigates risks
Intermediary service providers, hosting service providers, online platforms, and online search engines
Fines up to 6% of a company’s annual revenue, alongside possible operational restrictions or public disclosure orders
General Data Protection Regulation (GDPR)
EU
Regulates how entities can collect, process, and protect the personal data of individuals within the EU
Any company or entity operating within the European Union that processes personal data.
Absolute fines up to €20 million or percentage-based fines up to 4% of revenue (whichever is higher), public disclosure orders, product recalls or bans, suspension of operations, and rectification or erasure of data
Health Insurance Portability and Accountability Act (HIPAA)
US
Regulates the privacy, security, and confidentiality of individuals’ health data, and allows appropriate data access for healthcare operations
Health plans, including insurers and healthcare maintenance organizations (HMOs); healthcare clearinghouses; healthcare providers; and businesses handling protected health information (PHI) on behalf of the above-mentioned entities, like billing companies, data processors, or cloud service providers (CSPs)
Fines up to $250,000, alongside possible operational restrictions, public disclosure orders, or even imprisonment up to 10 years
Personal Information Protection Law (PIPL)
China
Regulates the collection, use, storage, transfer, and disclosure of personal information on individuals located in China
Data handlers that collect, process, store, and transfer personal data of individuals located in China; critical information infrastructure operators that handle large-scale or sensitive data; and platform operators with complex business models and a large number of users that process personal data
Fines up to ¥50 million (approximately $7 million USD) or 5% of annual revenue (whichever is higher), alongside possible operational restrictions, public disclosure orders, and even a ban from managerial roles
Cybersecurity regulations
The scope of cybersecurity acts is expanding globally. The EU, US, UK, and China are either tightening existing cybersecurity laws or introducing new ones, with non-compliance bringing hefty fines and negative operational actions. Beyond avoiding fines, meeting cybersecurity requirements is increasingly essential for doing business. For digital and connected products, failure to comply can mean exclusion from entire markets.
Regulation
Region
Description
Who it applies to
Non-compliance penalties
Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA)
US
Requires critical infrastructure entities to report significant cyber incidents and ransomware payments to the US Cybersecurity and Infrastructure Security Agency (CISA)
All private and public entities in critical infrastructure sectors as defined by Presidential Policy Directive 21 (PPD-21), which include entities operating in the energy, healthcare, financial services, transportation, and communications sectors
Fines established through civil actions, alongside possible public disclosure orders
Cyber Resilience Act (CRA)
EU
Sets security standards and mandatory requirements for designing digital products, requiring manufacturers to manage vulnerabilities throughout the product lifecycle
Manufacturers that design, develop, or market PDEs under their name; importers that place non-EU PDEs on the EU market; and distributors that supply PDEs without modifying them
At least €15 million or a minimum of 2.5% of the total annual worldwide turnover (whichever is higher), alongside possible public disclosure orders, product recalls or bans, suspension of operations, and loss of license
Cybersecurity and Infrastructure Security Agency (CISA) Act
US
Establishes CISA in the Department of Homeland Security and strengthens federal protection of critical infrastructure from cyber threats
Federal agencies, state, local, tribal, and territorial governments, and all critical infrastructure operators
Penalties for non-compliance do not exist unless mandated by other legislative acts
Cybersecurity Law
China
Regulates network security, personal data protection, and critical information infrastructure
All network and critical information infrastructure operators, network product providers and 3rd-party contractors, entities that deal with personal and cross-border data (if data is collected in China), and entities operating in China
A fine of ¥1 million, alongside possible product recalls or bans, suspension of operations, and loss of licenses
Digital Operations Resilience Act (DORA)
EU
Mandates ICT risk management frameworks for the financial sector and requires oversight of critical third-party ICT service providers
Most financial entities, such as banks, investment firms, payment institutions, asset and fund managers, insurers, and crypto platforms, and 3rd-party ICT service providers offering services to financial entities, such as cloud and data service providers, software vendors, and ICT outsourcing firms
Fines are set by EU Member States, while operational penalties include public disclosure orders, product recalls or bans, suspension of operations, and loss of licenses
Executive Order (EO) 14028 on Improving the Nation’s Cybersecurity
US
Requires federal agencies to implement security measures and software bills of materials (SBOMs) to ensure the integrity of the software supply chain
All federal agencies, critical infrastructure operators, ICT and OT service providers, cloud service providers, software (classified as critical), and hardware vendors, if under contract with federal agencies and critical infrastructure operators (CIO)
No fines, but organizations could face operational penalties such as public disclosure orders, suspension of operations, and disqualification from federal contracts
EU Cybersecurity Act
EU
Regulates the European Union Agency for Cybersecurity (ENISA) and establishes a European cybersecurity certification framework for ICT products, services, and processes
ENISA and providers of ICT products, services, and processes only if they choose to certify their products or are mandated to do so by EU or national regulations
Fines are set by EU Member States, while operational penalties include product recalls or bans and suspension of operations
IoT Cybersecurity Improvement Act
US
Mandates the development of minimum-security standards for IoT devices purchased or used by federal agencies
All federal agencies that procure or manage IoT devices, IoT device manufacturers or vendors that supply IoT devices to US federal agencies, and IoT service providers for US federal agencies
No fines, but organizations could face operational penalties such as product recall or bans, suspension of operations, loss of licenses, and disqualification from federal contracts
National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) 2.0
US
Guides organizations in managing cybersecurity risks through 6 core functions: govern, identify, protect, detect, respond, and recover
All US federal agencies, when mandated by other EOs and regulations, and critical infrastructure service providers, when mandated by EOs and legislation
Penalties for non-compliance do not exist unless mandated by other legislative acts
National Security Investment (NSI) Act
UK
Regulates acquisitions and investments that can have national security risks and allows the government to condition acquisitions in 17 sensitive sectors
UK-based companies acquiring another UK or foreign company with UK operations or foreign companies acquiring control over UK business, assets, or intellectual property
At least £10 million or 5% of revenue (whichever is higher), alongside possible transaction voiding
Network and Information Systems Regulations
UK
Establishes measures to improve the cybersecurity and resilience of critical services and implements reporting obligations
All operators of essential services, such as energy, health, and digital infrastructure companies, as well as online marketplaces, online search engines, and cloud service providers
A fine of £17 million, alongside possible public disclosure orders, product recalls or bans, suspension of operations, and loss of licenses
Network Data Security Management Regulation
China
Secures network data in China and establishes risk assessments and strict controls on data sharing and cross-border transfers
All entities involved in network data processing within China, including data collection, storage, use, transfer, and deletion, specifically network data processors, critical information infrastructure operators, large platforms, and 3rd-party service providers
A fine of ¥10 million, alongside possible product recalls or bans, suspension of operations, and loss of licenses
Network Information Systems Directive 2 (NIS2)
EU
A legislative act aimed at establishing security risk management measures, regulating management compliance, and setting incident reporting procedures while repealing and replacing the original 2016 NIS Directive, addressing prior shortcomings in cybersecurity legislation
Public and private sector entities of all sizes (small, medium, and large) with domestic or foreign headquarters operating within the EU jurisdiction
Fines of at least €10 million or a minimum of 2% of the total annual worldwide turnover (whichever is higher), alongside operational restrictions and public disclosure orders
Product Security and Telecommunications Infrastructure Act (PSTIA)
UK
Imposes cybersecurity requirements on manufacturers, importers, and distributors of UK consumer smart products
Any manufacturer of a UK consumer smart product, entity that markets a product manufactured by another entity under that entity’s name or trademark, importer of UK consumer smart products, and distributor of UK consumer smart products
A fine of at least £10 million or 4% of revenue (whichever is higher), alongside possible public disclosure orders, product recalls or bans, suspension of operations, and loss of licenses
Regulation 2023/2841: Regulation on Cybersecurity Measures for EU Institutions
EU
Establishes common cybersecurity measures across EU institutions
EU institutions, offices, and agencies
No fines, but institutions could face suspension of operations, warnings, and recommendations
Regulation 2024/482: Commission Implementing Regulation on European Common Criteria-based Cybersecurity Certification Scheme
EU
Establishes rules and obligations for manufacturers and certification entities involved in the EU Common Criteria (introduced in the EU Cybersecurity Act)
Manufacturers, importers, and distributors of ICT products subject to or pursuing EUCC certification, whether required by EU law or chosen voluntarily
Fines are set by EU Member States, while operational penalties include public disclosure orders, product recalls or bans, and suspension of operations
Telecommunications (Security) Act (TSA)
UK
Enforces legal obligations on telecom providers in the UK to safeguard their networks
Public electronic communication network providers, public electronic communications service providers, suppliers of telecommunication equipment, and managed service providers for telecommunication networks
A fine of at least £10 million or 10% of revenue (whichever is higher), alongside possible public disclosure orders, product recalls or bans, suspension of operations, loss of licenses, and enforcement notices
AI regulations
AI technology outpaces regulatory development worldwide. AI is a prime example of a technology that is evolving faster than legislative acts can keep pace, leaving many jurisdictions either unregulated or without clear compliance requirements. Governments are still in the early stages of AI governance, relying on guidelines rather than regulations. Meanwhile, much of the world is looking to the EU, the US, and China for regulatory direction. Many governments are delaying their own AI regulation efforts to observe how these leading economies structure governance. In general, the EU is moving ahead with strict, rule-based AI oversight while the US favors a more innovation-oriented approach. China, by contrast, is prioritizing control through state-led security and enforcement frameworks.
Regulation
Region
Description
Who it applies to
Non-compliance penalties
AI Act
EU
Regulates the development, marketing, and use of AI systems, bans certain AI practices, imposes obligations on high-risk AI, and ensures human oversight
All AI providers (developers and deployers), including providers of foundational models, GenAI, and pre-trained AI models integrated in AI systems, as well as AI component suppliers; all AI deployers (users), except for personal or non-professional activities; and importers, resellers, and distributors of AI systems
A fine of €35 million or 7% of revenue (whichever is higher), alongside possible content access restrictions
EO 14141 on Advancing US Leadership in AI Infrastructure
US
Sets rules on the development of AI data centers, requires clean energy usage, and requires compliance with NIST standards
Companies engaged in the development, operation, or supply of AI infrastructure, specifically in AI infrastructure development (AI data centers, computing clusters, clean energy infrastructure) and AI model development and operations
Does not specify explicit penalties but empowers federal agencies (the Departments of Defense, Energy, and Commerce) to establish regulations that enforce penalties
Interim Measures for the Management of GenAI Services
China
Enforces rules for AI service providers on content control, data security, algorithm transparency, user rights, and compliance with state ideology
GenAI service providers that develop, deploy, or offer GenAI services (such as LLMs, image generators, and automated content creation tools) and AI infrastructure and platform operators, such as cloud computing platforms, data centers, and algorithm marketplaces that provide infrastructure for generative AI services
Financial penalties from other legal acts, such as the Personal Information Protection Law and the Cybersecurity Law, apply
Sustainability regulations
Regulatory pressure sustains green tech demand. As IoT Analytics recently noted, CEO discussions around sustainability and related topics have steadily declined in corporate earnings calls since their peak in Q1 2021. This does not mean companies are abandoning or losing interest in sustainability initiatives, though it could indicate such initiatives are afterthoughts for CEOs amid new digitalization and AI initiatives. Nonetheless, regulations remain in place that compel transparent reporting and set targets for energy consumption reduction. These regulatory pressures are helping propel the sustainability platform market toward an estimated $3.7 billion by 2029.
Regulation
Region
Description
Who it applies to
Non-compliance penalties
Corporate Sustainability and Due Diligence Directive (CSDDD)
EU
Requires due diligence reporting and regulates how companies identify, prevent, and address human rights and environmental impacts in their value chains
All companies with over 1,000 employees and a global revenue of at least €450m in the last financial year
Fines are set by EU Member States (percentage-based fines are at least 5% of revenue), as are operational restrictions
Corporate Sustainability Reporting Directive (CSRD)
EU
Requires companies to disclose ESG impacts, imposes standardized reporting, and requires independent audits
All companies that fulfil any of the following criteria:
Are large EU companies (meeting the revenue criteria)
Are listed on an EU-regulated market
Are EU banks or insurance companies
Are non-EU companies (meeting the revenue criteria)
Fines and operational penalties are set by EU Member States
Ecodesign for Sustainable Products Regulation (ESPR)
EU
Sets sustainability requirements for a wide range of physical products placed on the EU market and establishes the digital product passport
All manufacturers of physical goods placed on the EU market, including components and intermediate products (with exceptions for food and feed, medical products, living organisms, vehicles, and certain products in the construction sector), importers and distributors of physical goods, and online marketplaces and online search engines
Fines and operational penalties are set by EU Member States
(New) Energy Efficiency Directive (EED)
EU
Enforces measures to improve energy efficiency in the EU and sets binding requirements and targets for energy consumption reduction in various sectors
All enterprises with high energy consumption (i.e., enterprises consuming >10 TJ annually and those consuming > 85 TJ over the past 3 years), all data centers with an IT power demand of over 500 kW, and public sector contractors
Fines and operational penalties are set by EU Member States
Machinery Regulation
EU
Establishes safety and compliance rules for machinery and related products and addresses new AI and connectivity-related risks
Machinery manufacturers, importers, and distributors
Fines and operational penalties are set by EU Member States
Net Zero Industry Act (NZIA)
EU
Sets rules for scaling up EU manufacturing capacity, streamlining permitting procedures, and sets supply chain resilience rules for 19 net-zero technologies
All companies that manufacture, develop, or operate net-zero technologies
Fines and operational penalties are set by EU Member States
New Batteries Regulation
EU
Regulates the production, recycling, and disposal of batteries and sets rules for extended producer responsibility, material recovery, and supply chain due diligence
Battery manufacturers, importers and distributors of batteries, waste management and recycling operators, and independent operators involved in battery repair, maintenance, or repurposing
Fines and operational penalties are set by EU Member States
Renewable Energy Directive (RED) III
EU
Sets targets to increase renewable energy levels by 2030 and requires Member States to optimize permitting procedures and grid integration for clean energy transition
Transmission system operators, distribution system operators, fuel suppliers, renewable energy producers, battery manufacturers, and EV manufacturers
Fines and operational penalties are set by EU Member States
Sustainable Finance Disclosure Regulation (SFDR)
EU
Regulates the transparency of sustainability risks in the decision-making processes of financial market participants and financial advisers
Financial market participants, such as investment and insurance firms, institutions for occupational retirement provision, manufacturers of pension products, alternative investment fund managers (AIFMs), entrepreneurship and venture capital funds, management companies of undertakings for collective investment in transferable securities (UCITS), and credit institutions, as well as financial advisors, such as insurance intermediaries, investment firms, AIFMs, and UCITS
Fines and operational penalties are set by EU Member States
Taxonomy Regulation
EU
Sets criteria to assess if an economic activity is sustainable and establishes the extent to which an investment is environmentally sustainable
Financial market participants, such as asset managers, institutional investors, insurance companies, and pension funds; financial advisors; and large public interest companies, subject to non-financial reporting under Directive 2013/34/EU
Fines and operational penalties are set by EU Member States
The post 2025 Regulatory Overview: Digital and ESG Measures to Keep in Focus appeared first on IoT Business News.
