In 7-8 years, my dad’s dairy farm and other “normal” non-techy companies will need to have formal information security programs.
Here’s why:
The World Economic Forum (WEF) has been publishing their Cybersecurity Outlook reports since 2022. In the latest 2025 report, two key insights stood out to me:
1. Regulations are becoming more accepted as an effective way to boost resilience.
Back in 2022, only 39% of respondents thought that cyber regulations actually helped reduce risk.
Fast forward to 2025, and that number has jumped to 78%.
That’s a massive 2x shift!
I think it’s because more organizations have gone through their first rounds of compliance implementations and actually seen the results.
[Chart 1: Cyber and Privacy Regulations Effectiveness]
2. At the same time, small and medium-sized organizations are falling behind.
In 2022, only 5% of smaller companies reported insufficient cyber resilience.
By 2025, that number has grown to 35%—a whopping 7x increase!
And the gap keeps widening.
This poses a risk not just to the small organizations themselves, but also to the entire ecosystem due to interconnected supply chains.
Larger organizations and regulators have a strong incentive to support and invest in smaller, less-capable organizations to enhance the resilience of the whole ecosystem.
The Future of Cyber Regulations
That’s why I think we’re heading toward a future where even smaller organizations (yes, maybe even dairy farms) will be brought under new regulatory frameworks like NIS 3. This means that even small businesses will need formal Governance, Risk, and Compliance (GRC) programs.
Strengthening those weaker links is just common sense for all of us.
Reference:
Insights from the World Economic Forum’s Cybersecurity Outlook Report 2025