The State of EU Compliance in 2026: NIS2, DORA, and What's Changed
If you're running a business in the European Union, the regulatory landscape looks fundamentally different than it did two years ago. The combination of NIS2 enforcement, DORA going live, and increasingly aggressive GDPR penalties has created a new reality: compliance is no longer optional for any company that handles data or provides digital services.
This article breaks down where things stand, what's actually being enforced, and what it means for companies that haven't started yet.
NIS2: The Directive That Changed the Scope
The Network and Information Security Directive 2 (NIS2) replaced its predecessor in October 2024, and its impact has been significant. While NIS1 applied mainly to operators of essential services — energy companies, healthcare providers, transport — NIS2 dramatically expanded the scope.
Who's now covered: Any medium-sized or large company in 18 critical sectors, including digital infrastructure, ICT service management, public administration, food production, manufacturing, and waste management. The threshold is simple: more than 50 employees or more than €10 million in annual turnover in a covered sector.
The practical implication is that thousands of companies that never had to think about formal cybersecurity governance now need documented security policies, incident response procedures, supply chain risk management, and regular security assessments.
What NIS2 actually requires
At its core, NIS2 mandates a risk-based approach to cybersecurity with specific obligations:
- Risk analysis and security policies — documented, approved, and regularly reviewed
- Incident handling — procedures for detection, response, and reporting (24-hour early warning, 72-hour full report)
- Business continuity — backup management, disaster recovery, crisis management
- Supply chain security — assessment of third-party and supplier security
- Security in acquisition and development — vulnerability handling and disclosure
- Cybersecurity training — regular training for management and staff
- Cryptography and encryption — policies on the use of cryptographic controls
- Access control and asset management — human resources security measures
Management bodies are personally accountable. This isn't a detail to gloss over — directors and C-level executives can face personal liability for non-compliance. Training for management is mandatory, not recommended.
DORA: Financial Services Gets Its Own Rulebook
The Digital Operational Resilience Act (DORA) became applicable on 17 January 2025 and applies to virtually all financial entities in the EU: banks, insurance companies, investment firms, payment institutions, and critically, their ICT third-party service providers.
If NIS2 is the broad cybersecurity directive, DORA is the sector-specific deep dive for financial services. It mandates:
- ICT risk management framework — comprehensive, documented, and regularly tested
- ICT-related incident reporting — classification and reporting to competent authorities
- Digital operational resilience testing — including threat-led penetration testing (TLPT) for significant entities
- ICT third-party risk management — due diligence, contractual requirements, exit strategies
- Information sharing — arrangements for sharing cyber threat intelligence
For fintech companies and their technology providers, DORA means you need a formal ICT risk management framework that goes beyond what you might have built for GDPR or ISO 27001.
GDPR: Enforcement Has Matured
GDPR isn't new, but enforcement patterns in 2025-2026 have shifted meaningfully. We're seeing larger fines for smaller companies, not just the headline penalties against Big Tech. Data protection authorities across Europe have increased their enforcement capacity, and cross-border cooperation through the EDPB consistency mechanism is producing more harmonized decisions.
Key enforcement trends:
- Data breach notification failures remain the most common penalty trigger. If you're not reporting breaches within 72 hours, that's an enforcement action waiting to happen.
- Insufficient technical measures — authorities are looking beyond the privacy notice at actual security controls. Article 32 (security of processing) citations are increasing.
- International transfer mechanisms — post-Schrems II, companies are still struggling with transfer impact assessments. The EU-US Data Privacy Framework helps for US transfers, but other jurisdictions remain complex.
- AI and automated decision-making — with the EU AI Act coming into force, the intersection of GDPR's Article 22 (automated decision-making) and AI regulation is creating new compliance challenges.
ISO 27001: Still the Gold Standard
ISO 27001:2022 remains the most widely recognized information security management standard globally. For EU companies navigating the new regulatory landscape, it serves as an anchor — a well-structured ISMS aligned with ISO 27001 satisfies a significant portion of NIS2 and DORA requirements automatically.
The 2022 revision reorganized Annex A controls from 14 domains into 4 themes: Organizational, People, Physical, and Technological controls. The total number was consolidated from 114 to 93, but new controls were added covering threat intelligence, cloud security, data masking, and monitoring activities. Companies still certified under the 2013 version needed to have transitioned by October 2025.
For SMBs, the key insight is that ISO 27001 certification isn't always necessary — alignment is often sufficient. Many customer security questionnaires ask "are you aligned with ISO 27001" rather than "are you certified." Building your security program around ISO 27001's structure gives you a defensible answer to both questions.
SOC 2: The Bridge to US Markets
While SOC 2 is an American standard (AICPA Trust Services Criteria), it's increasingly relevant for EU companies serving US clients. SaaS companies, payment processors, and cloud service providers targeting the US market will encounter SOC 2 requirements in nearly every enterprise sales process.
The good news: SOC 2's trust services criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy) overlap substantially with ISO 27001 and GDPR. A company with a mature ISO 27001 ISMS and GDPR compliance is typically 60-70% of the way to SOC 2 readiness.
The key difference is that SOC 2 requires an independent audit by a CPA firm, resulting in either a Type I report (point-in-time) or Type II report (over an observation period, typically 6-12 months). For EU companies, this represents an additional investment but opens significant market opportunities.
What This Means for Your Business
If you're a company with 50+ employees operating in the EU, the question isn't whether these regulations apply to you — it's how many of them do. A typical mid-sized tech company might need to comply with GDPR, NIS2, and potentially DORA if they serve financial clients.
The practical steps haven't changed, but the urgency has:
- Document your security policies. Not in a shared drive. In a managed system where you can track versions, approvals, and reviews.
- Implement incident response. Under NIS2 you need to submit an early warning within 24 hours of becoming aware of a significant incident. If you're building your process during an active incident, you've already failed.
- Assess your supply chain. Both NIS2 and DORA require formal supplier risk management. This means contracts, assessments, and ongoing monitoring.
- Train your management. NIS2 makes this explicit — management must receive cybersecurity training and is personally accountable.
- Map your frameworks. If you're subject to multiple regulations, understand the overlaps. An ISO 27001 ISMS can satisfy many NIS2 requirements. GDPR's Article 32 aligns with ISO 27001 controls.
The Overlap Opportunity
Here's the good news: these frameworks overlap significantly. A well-implemented information security management system based on ISO 27001 can cover 60-70% of NIS2 requirements and a substantial portion of DORA's ICT risk management obligations. GDPR's technical and organizational measures align naturally with ISO 27001's Annex A controls.
The companies that approach this intelligently — building one security program that maps to multiple frameworks — spend significantly less time and money than those treating each regulation as a separate project.
Looking Ahead
The EU AI Act is the next major regulation on the horizon, with obligations rolling out between 2025 and 2027 depending on the risk category. For companies already building AI-powered products or using AI in decision-making, now is the time to start understanding your obligations.
The Cyber Resilience Act (CRA) will add product security requirements for hardware and software manufacturers, with enforcement expected from 2027.
The direction is clear: the EU is building the most comprehensive digital regulation framework in the world. Companies that invest in compliance infrastructure now will have a structural advantage over those scrambling to catch up later.