2025 Incidents Exposed Gaps

- Analysts say cyber incidents in 2025 revealed compliance weaknesses at Critical Information Infrastructure operators.
- The breach reviews focused less on single exploits and more on failed compliance and oversight controls.
- That finding points to increased regulatory scrutiny and mandatory resilience planning for critical operators. (x.com)

Reviews of major 2025 cyber incidents shifted from blaming one hack to documenting weak oversight, incomplete controls and missed compliance duties at operators of essential services. (industrialcyber.co)

In the U.S. power sector, Federal Energy Regulatory Commission staff said in an October 22, 2025 lessons-learned report that most audited entities met baseline rules, but auditors still found potential noncompliance and security risks. The gaps they flagged centered on asset classification, third-party due diligence and cloud-service compliance risk. (industrialcyber.co)

In finance, the Federal Reserve's July 2025 report to Congress listed third-party provider risk and other emerging technology threats alongside cyber-criminal activity and geopolitical tensions. The report framed resilience as a supervision issue, not only a network-defense issue. (federalreserve.gov)

Critical infrastructure means the systems people use every day: power, water, transport, hospitals, telecoms and payments. When those operators fail to map assets, vet suppliers or rehearse outages, a single intrusion can spread into service disruption. (cisc.gov.au)

That is the direction regulators have been moving. The European Union required member states to transpose the NIS2 cyber rules by October 17, 2024, put the Critical Entities Resilience Directive into application on October 18, 2024, and began applying the Digital Operational Resilience Act for finance on January 17, 2025. (ec.europa.eu) (home-affairs.ec.europa.eu) (eiopa.europa.eu) Those regimes all push the same controls: incident reporting, board-level accountability, third-party risk reviews, testing and recovery planning. ISACA said NIS2 and DORA both cover risk management, information security, incident reporting, third-party and supply-chain security, and periodic testing. (isaca.org)

Governments also spent 2025 building the machinery to enforce that approach. CISA said it published more than 1,600 products, triaged more than 30,000 incidents through its 24/7 operations center, and led 148 cyber and physical security exercises with more than 10,000 participants. (cisa.gov) Australia's 2025 Critical Infrastructure Annual Risk Review made the same point from another angle: cyber incidents are rising, and human error or system failures can be as disruptive as deliberate attacks. The review said operators need clear awareness of cyber, supply-chain and interdependency risks affecting essential services. (cisc.gov.au)

The practical result is that breach investigations now read more like audit findings. The next round of scrutiny is likely to focus on whether critical operators can prove they identified key assets, checked vendors, tested recovery plans and assigned responsibility before the next incident hits. (industrialcyber.co) (isaca.org)

Shared from Scout.