Amanda Carty
General Manager, Compliance

Compliance concerns for boards in 2025

January 21, 2025

This edition of the Diligent Minute, written by Amanda Carty, General Manager, Compliance at Diligent, highlights three compliance areas that have garnered board attention.

Diligent has the unique benefit of gathering insights from over 700,000 board members globally, as well as top executives from various industries. Our discussions have often focused on the evolving compliance landscape, driven by a shifting technological landscape and new regulations.

Boards have identified the following key compliance concerns for 2025:

  1. Cybersecurity and data privacy
  2. Climate, environmental issues, and DE&I (diversity, equity and inclusion)
  3. Supply chain management, anti-bribery measures and corruption prevention

Let's take a closer look at each of these areas.

Cybersecurity and data privacy

Technological progress represents an area of opportunity for managing compliance risk. AI and data analytics enhance compliance processes by analyzing large datasets and identifying issues and potential vulnerabilities. Unified compliance platforms streamline operations, reduce redundancy and ensure consistency. These technologies improve efficiency and help organizations stay agile amid regulatory changes.

At the same time, that technology itself can increase cyber risk if not managed properly. And regulators are taking notice. Over 60 countries have passed or are in the process of considering over 750 pieces of AI legislation, often with global reach. Meanwhile, three quarters of knowledge workers are now using AI at work, often without the knowledge or approval of employers.

Bitsight, a cybersecurity firm and Diligent partner, shared that key cyber vulnerabilities typically take months to remediate, often exceeding government deadlines.

How can boards help prepare their organizations?

Boards play a crucial role in preparing their organizations for potential data breaches or cyberattacks. They should set clear governance and oversight by establishing robust policies and ensuring regular reviews and updates.

Additionally, boards must foster a culture of cybersecurity awareness, educating both their own board members and their employees about the importance of data protection and the consequences of cyberthreats. Allocating adequate resources, including budget and personnel, is essential to support cybersecurity initiatives.

Boards should regularly monitor and assess the organization’s cybersecurity posture through audits, vulnerability assessments and penetration testing. They should also ensure that comprehensive and well-communicated incident response plans are in place, complete with measurable metrics and clear expectations around downtime costs and regulatory impacts, such as fines, penalties or risks to business licenses.

Lastly, staying informed about the latest threats and compliance standards by engaging with regulators and peers is vital.

Climate, the environment and DE&I

Sustainability reporting has grown more rigorous and complex, a pattern anticipated to persist beyond 2025, particularly for major global corporations.

The EU has passed several pieces of broad compliance legislation with global implications. The Corporate Sustainability Due Diligence Directive (CSDDD) requires companies to manage risks related to human rights and the environment in their operations and supply chains. The Corporate Sustainability Reporting Directive (CSRD) requires new public reporting standards (ESRS) that range from pollution, water and emissions reductions to disclosures on labor, biodiversity and business conduct. And the EU Whistleblower Directive requires organizations to prove they are listening to and acting on relevant information as it comes in.

How can boards help prepare their organizations?

As sustainability reporting becomes more rigorous and complex, boards need to ensure their organizations are well-prepared to meet these challenges. Boards should ask leadership the following questions to ensure the right processes and checkpoints are in place:

  • Cross-functional collaboration: Are legal, finance and HR leaders actively involved in setting and implementing sustainability objectives and strategies?
  • Technical expertise: Do we have the necessary technical expertise to address diverse topics such as climate models, supply chain complexities and the legal implications of regulatory updates?
  • Compliance readiness: Are we prepared to meet the new public reporting standards (ESRS) required by the Corporate Sustainability Reporting Directive (CSRD)?
  • Risk management: How are we managing risks related to human rights and the environment in our operations and supply chains, as required by the Corporate Sustainability Due Diligence Directive (CSDDD)?
  • Whistleblower protections: How are we ensuring that we are listening to and acting on relevant information as required by the EU Whistleblower Directive?

Boards can create a competent, cross-functional reporting structure that has properly identified the most strategic themes and chosen proper metrics for measurement. Setting up a committee that reviews progress toward goals, targets and compliance deadlines is a good step forward.

Supply chain, anti-bribery and corruption

Governments are increasingly asking companies to publicly share how they are addressing risks to their supply chains, increasing reputational risks. At the same time, supply chain risks themselves are becoming more complex, as companies add labor practices and environmental impact to traditional anti-bribery, anti-corruption and anti-money laundering due diligence.

Enforcement of anti-bribery and anti-corruption rules has been significant, with major fines in the UK and Switzerland for issues in Turkey and Ecuador. And new legislation continues to impact the compliance burden. Australia’s Combatting Foreign Bribery Act can hold companies not only responsible for the actions of their employees, but also their external contractors, agents and third-party affiliates.

What can boards do to address these types of risks?

Make sure there are clearly published policies and procedures to manage labor practices, supply chain and distribution channels — and that these policies are reviewed, updated and published on a regular schedule. Moreover, third-party affiliates should undergo the same ethics and compliance trainings as employees. Contractors should be held to some of the same standards laid out in codes of conduct.

The Diligent One Platform is continuously optimized around cyber and AI risk, third-party risk management, due diligence, greenhouse gas emissions, compliance and ethics training, and enterprise risk management to ensure companies can stay compliant and operate at an advantage in their markets.

Curious to learn more? Diligent recently released a 2025 Compliance Risk Outlook.

© 2025 Diligent Corporation. All rights reserved.