The Urgent Impact of New Laws and Compliance Requirements on MSPs in 2025

Technology underpins every corner of the U.S. economy, so legislators and regulators are jumping in to protect consumers and businesses from a wide range of actual and potential threats. However, chaos may ensue. When asked what law or compliance requirements makes them most nervous, three industry experts — Brunsman Advisory Group Founder Joseph Brunsman, National Society of IT Service Providers Founder Karl W. Palachuk, and Beachhead Solutions Vice President of Sales and Marketing Cam Roberson — revealed three different areas of concern, respectively: 

1. State breach notification laws 
2. Compliance 
3. Defense contracting industry standards like Cybersecurity Maturity Model Certification (CMMC 2.0) 

Meanwhile, all three agreed that AI will cause compliance and regulatory issues for many years to come. 

Here, we take a closer look at how each of these concerns may play out and what to look out for in the year to come. 

State Breach Notification Laws 

Joseph Brunsman

These laws, designed to protect consumers in the event of a data breach, vary widely across the country. State breach notification laws mandate how and when businesses must notify individuals about data breaches that expose personal information. 

• Expert Insight: Brunsman, a regular speaker on cyber insurance, noted that MSPs need to understand the fundamentals so they can inform their clients. “For an extra complication, the state law that applies is determined by where the customer’s clients are located, not where the customer is,” he added. 

  Many of those regulations now allow state attorney generals to come after violators. High-profile breaches, worried Brunsman, will be excellent campaign-boosting prosecutions in the run-up to elections. 

• Implications for MSPs: It’s critical to stay informed about the specific breach notification laws in each state where your clients operate. One way to do that may be to set up processes to ensure compliance to avoid hefty fines or legal action. 

• Looking Ahead: As we approach 2025, more states likely will tighten these laws, especially in response to high-profile breaches. Keeping abreast of these changes will be crucial for maintaining compliance and avoiding legal repercussions. 

Compliance Challenges 

Complying with industry-specific regulations is a massive responsibility for IT consultants and MSPs. Businesses now face more regulatory scrutiny, with new regulations continually being introduced. 

• Expert Insight: Palachuk, also an author and business coach, said the IT consultant is becoming the compliance office by default. Clients are more often looking to their MSPs for answers to questions about data security, the data they collect from their clients, data storage, data backup, and other details. 

• Challenges for MSPs: The ambiguity and multiplicity of regulations can make it difficult for MSPs to know exactly what is required of them. “When there’s a break-in, ransomware, or major exfiltration of data, the microscope will focus on your processes and procedures,” said Palachuk. 
  

  Cam Roberson

• Strategic Recommendations: MSPs should develop robust compliance tools and checklists, document their clients’ processes meticulously, and stay informed about regulatory updates. “Ultimately, it might be the insurance companies that force compliance, not the government,” Palachuk added. 

Defense Contracting Standards 

CMMC 2.0, launched by the Department of Defense, is a comprehensive framework designed to protect the defense industry from cyberattacks. It protects confidential but unclassified information and follows the NIST cybersecurity framework outlined in 800-171. It is poised to have a significant impact on MSPs working with defense contractors. 

• Expert Insight: MSPs serving CMMC-regulated clients are a bit nervous because they also will have to be CMMC 2.0 regulated, according to Roberson. CMMC 2.0 should be in place for the largest defense contractors in 2025. Requirements then will move down to first-level subcontractors, likely within a year, and down another level the next year. 

• Impact on MSPs: This cascading effect means MSPs will need to ensure that they follow CMMC 2.0 standards if they want to retain their defense contractor clients. The certification process is rigorous and may require significant investment in cybersecurity infrastructure and training. 

• Preparation Strategies: Begin by asking vendors how to map their products and services for specific mandates. Then, communicate these requirements to clients. 

AI: No. 2 Biggest Concern on Everyone’s List 

The rapid advancement of AI technology is generating lots of excitement but also challenges in compliance and regulation. As AI becomes more integrated into business processes, governments are looking to establish regulatory frameworks for the technology. 

• Expert Insight: Every expert listed AI compliance and regulatory issues among their concerns for 2025 and beyond. In late July, Microsoft President Brad Smith declared the federal government needs to find a way to charge the perpetrators of AI-generated fraud. That said, nothing is codified in law yet. “There’s just a giant question mark,” said Brunsman. 
  

  Karl Palachuk

• Implications for MSPs: As AI technology evolves, MSPs need to develop new strategies to address the compliance risks associated with it. This could include advising clients on the risks of AI, incorporating AI considerations into contract language to absolve them of claims, and staying informed about new AI-related regulations. “Anytime a client is breached, there’s some liability for AI,” Brunsman noted. 

• Future Considerations: The regulatory landscape for AI is still in its early stages. In the short term, various AI laws may be rushed, Brunsman said. “We’ll have attorneys writing laws on AI technology which will be a train wreck.” So, it’s clear that MSPs will need to be proactive in addressing these challenges. 

Navigating 2025’s Regulatory Landscape 

Upcoming changes to laws and compliance requirements will be challenging, but the 2025 landscape also presents opportunities for MSPs who are prepared to navigate it. By staying informed about changes in state breach notification laws, compliance requirements, defense contracting standards, and AI regulations, MSPs can position themselves as valuable partners to their clients. 

“If you decide to get into the compliance game, now’s a good time to make a lot of money,” said Palachuk. “Develop your compliance tools and checklists, document your clients, and you might be able to help them reduce their insurance costs. That’s a great differentiator today.” 

Roberson echoed that sentiment. “Take your service out of the commodity category and get higher MRR, more security, more services, and more margins.” 

Images: iStock