Cybersecurity regulatory pressures and robust industry frameworks: a mid-year update
As we cross the halfway mark of 2025, cybersecurity leaders face a landscape marked by both growing regulatory urgency and opportunity. New rules like DORA and NIS2 are transitioning from guidance to enforcement, while foundational frameworks like ISO and NIST continue to evolve to support compliance and resilience.
This mid-year snapshot explores the momentum behind these changes. It offers a perspective on how evolving rules and frameworks can become catalysts for smarter, more adaptive security strategies.
Regulatory Milestones in the EU
DORA – Well past the compliance deadline
The Digital Operational Resilience Act (DORA) has been enforceable since 17 January 2025. If you are in the financial sector, compliance with DORA is now mandatory.
DORA requires alignment across five key pillars, from ICT risk management to incident reporting. Two areas remain particularly complex:
- Incident management (Pillar 2), where timely detection and reporting are essential
- Threat-led penetration testing (TLPT under Pillar 3), which demands repeatable, scalable approaches to simulating and addressing real-world threats
| DORA enforcement and penalties | |
|---|---|
| Maximum penalty | Administrative penalties for financial entities are set by each member state's national law (DORA itself fixes no single maximum); critical ICT third-party providers face periodic penalty payments of up to 1% of their average daily worldwide turnover |
| Non-financial penalties | Supervisory measures (e.g., orders requiring specific actions), public reprimands |
| Key infringements | Severe breaches by financial entities and critical ICT third-party providers |
| Enforcement body | National competent authorities (the European Supervisory Authorities act as lead overseers for critical ICT third-party providers) |
Atos’ advice
Deep dive into your critical ICT third-party contracts and incident response plans to ensure they meet DORA’s stringent requirements for resilience and timely reporting of supply chain-related incidents.
Regulatory compliance with real-world results
A global health organization partnered with Atos to align DORA, NIS2, and CRA with ISO and NIST standards. The result? A reusable cybersecurity assurance model that streamlined supplier oversight and accelerated compliance across the board.
NIS2 – Patchy transposition. High stakes.
The NIS2 Directive should have been transposed into national law by 17 October 2024. Yet, as of mid-2025, only 14 out of 27 EU countries have completed the process.
The Commission Implementing Regulation (EU) 2024/2690 brings sharper focus:
- Definitions and thresholds for what counts as a “significant incident”
- 400+ specific requirements spanning 13 control domains
- Priority areas: Access control, cryptography, and physical security, mapped to ISO/IEC 27001 and NIST
To help you navigate this, ENISA published technical implementation guidance (June 2025) with mappings to existing frameworks. This aids integration with ISO/IEC 27001:2022 and the NIST Cybersecurity Framework 2.0, plus European standards (e.g., ETSI, CEN/TS) and national frameworks (e.g., Belgium’s Cyber Fundamentals, Germany’s KRITIS requirements).
| NIS2 enforcement and penalties | |
|---|---|
| Maximum penalty | Essential entities: up to €10 million or 2% of annual global turnover, whichever is higher. Important entities: up to €7 million or 1.4% of annual global turnover, whichever is higher |
| Non-financial penalties | Temporary prohibitions on individuals from exercising management functions; public statements about security breaches |
| Key infringements | Non-compliance with NIS2 requirements, including failure to report significant incidents |
| Enforcement body | National competent authorities |
Atos’ advice
Start with your third-party ecosystem. Strengthen due diligence, upgrade TPRM processes, and map obligations to fourth-party exposure.
Cyber Resilience Act – Laying the foundations
While most CRA obligations apply from 11 December 2027, groundwork is already being laid:
- By 11 December 2025, the European Commission must define the technical descriptions of “important” and “critical” product categories, which cover products such as IAM systems and routers.
- From 11 September 2026, manufacturers must report actively exploited vulnerabilities and severe incidents to ENISA and the relevant national CSIRT without undue delay (an early warning within 24 hours of becoming aware). ENISA has started releasing guidance that maps CRA principles to existing standards such as ISO/IEC 27002 and IEC 62443. The goal: help you start aligning early.
| CRA enforcement and penalties | |
|---|---|
| Maximum penalty | Up to €15 million or 2.5% of total annual worldwide turnover, whichever is higher |
| Non-financial penalties | Product withdrawals and recalls |
| Key infringements | Placing non-compliant products on the market; failing to address vulnerabilities |
| Enforcement body | National market surveillance authorities |
Atos’ advice
Engage early with your digital product suppliers to understand how they are preparing for CRA and to ensure your procurement processes reflect these new security-by-design requirements.
EU AI Act – Entering the compliance phase
The EU AI Act entered into force on 1 August 2024, with a phased rollout through 2027. In 2025, focus on:
- 2 February 2025: Prohibited AI practices are banned (such systems must be withdrawn); AI literacy obligations apply to staff who build, operate or use AI systems
- 2 May 2025: Target date for the General-Purpose AI Code of Practice to be finalized
- 2 August 2025: Obligations for providers of general-purpose AI (GPAI) models apply
- 2 August 2026: Most obligations for high-risk AI systems apply
- 2 August 2027: Deadline for providers of GPAI models already on the market before 2 August 2025
Organizations should conduct an AI system inventory and classify each system by the level of risk. Accordingly, perform a gap analysis, develop a remediation plan, set up data governance and security controls, certify compliance, and initiate continuous monitoring protocols and post-deployment audits.
| EU AI Act enforcement and penalties | |
|---|---|
| Maximum penalty | Up to €35 million or 7% of total worldwide annual turnover, whichever is higher, for prohibited AI practices; up to €15 million or 3% for most other obligations; up to €7.5 million or 1% for supplying incorrect information to authorities |
| Non-financial penalties | Withdrawal of non-compliant AI systems from the market |
| Key infringements | Placing prohibited AI systems on the market; non-compliance with data governance and conformity assessment requirements |
| Enforcement body | National market surveillance authorities (the European AI Office supervises GPAI models) |
Atos’ advice
When conducting an inventory check for AI systems, specifically identify and classify those procured from third parties, ensuring your due diligence assesses their compliance with the AI Act’s risk requirements.
Global Frameworks and Developing Standards
NIST CSF 2.0 – A broader cybersecurity framework
The updated NIST Cybersecurity Framework 2.0 is seeing rapid adoption. Key improvements include the following:
- A new “Govern” function for strategic clarity
- Stronger emphasis on supply chain risk management
- Expanded scope, applicable beyond critical infrastructure
Atos’ advice
Leverage the new “Govern” function in NIST CSF 2.0 to formally integrate supply chain risk management into your overall cybersecurity strategy and board-level reporting.
NIST Privacy Framework – Modernizing for AI
A draft update (Privacy Framework 1.1, April 2025) brings better alignment with CSF 2.0, with changes focusing on:
- Governance
- AI system privacy
- Emerging risks
Atos’ advice
When assessing privacy risks for AI systems, extend your review to the entire data supply chain, considering how third-party AI components or data processors handle sensitive information in line with NIST Privacy Framework principles.
ISO/IEC 27001:2022 – Transition year
If you’re still certified to the 2013 version, the clock is ticking. Organizations must transition to ISO/IEC 27001:2022 by 31 October 2025. This newer version incorporates modern practices and supports easier integration with DORA, NIS2, and CRA.
Atos’ advice
Review and update your supplier security clauses and audit protocols to align with the ISO/IEC 27001:2022 requirements, particularly those related to information security for supplier relationships.
ISO/IEC 27701:2025 – Privacy in the AI era
A major update is expected by Q3 2025. It’s designed to help you manage privacy in AI-driven environments, integrating elements of ISO 42001 (AI Management Systems) and emphasizing governance and risk assessment.
Atos’ advice
As ISO/IEC 27701:2025 emerges, evaluate your third-party AI service providers and data processors to ensure their privacy controls integrate with your overall privacy information management system.
Australia – Sector-specific mandates
- New Telecommunications Security Rules, effective 4 April 2025 under the Security of Critical Infrastructure Act, with a grace period until October 2025
- The Prudential Standard CPS 230 Operational Risk Management, effective 1 July 2025 for APRA-regulated entities
Atos’ advice
For entities under Australia’s new Telecommunications Security Rules and CPS 230, explicitly integrate the supply chain security requirements into your third-party risk assessments, particularly for critical vendors impacting telecommunications or operational resilience.
The Cyber Supply Chain Risk: What’s Changing in 2025
Emerging risks — from AI-enabled attacks to quantum computing vulnerabilities, IoT device insecurity, and ransomware-as-a-service — have elevated supply chain security to a strategic concern. Regulations are adapting accordingly:
- NIS2 introduces stricter third-party contract and due diligence obligations.
- NIST SP 800-53 and the Secure Software Development Framework (SSDF, SP 800-218) are evolving with stronger third-party risk, patch management and secure software supply chain practices. ISO/IEC 27002:2022 adds explicit supplier-oversight controls (5.19–5.23, covering supplier relationships, supplier agreements, the ICT supply chain, monitoring of supplier services and cloud services), complementing the strengthened Annex A of ISO/IEC 27001:2022.
- The ISO 9001 revision, expected at the end of 2025 or in early 2026, will address supply chain resilience in quality management.
From strategy to execution: Lessons from the field
Atos outlines a practical roadmap for supply chain security:
- Conduct cyber due diligence and security ratings.
- Implement TPRM and assess fourth-party risks.
- Include cybersecurity clauses in contracts.
- Perform regular audits and penetration testing.
- Use C-SCRM/TPRM software and threat intelligence platforms.
Sector-specific risks
A comparative table from Atos highlights how risks differ across industries:
| Sector | Supplier categories | Key risks |
|---|---|---|
| Insurance | Reinsurers, TPAs, ICT vendors, data providers | Data breaches, AI bias, system downtime |
| Banking | Fintechs, cloud providers, card networks | Data breaches, AI bias, system downtime |
| Manufacturing | OEMs, logistics, IoT vendors | Ransomware, IP theft, ERP outage |
Organizations are urged to adopt post-quantum cryptography, improve firmware security in OT/IoT, and include geopolitical threat intelligence in supplier vetting.
Looking Forward
Cybersecurity regulation in 2025 isn’t just about compliance — it’s a catalyst for stronger, more resilient operations. By building trusted frameworks and adopting proactive practices, you’re not just meeting requirements. You’re strengthening your business.
The first half of 2025 has been one of rapid regulatory acceleration. While some frameworks, like DORA and ISO/IEC 27001:2022, now require full compliance, others, like the CRA and the AI Act, are entering phased enforcement. The biggest challenge is not just the scope; it is the complexity of aligning overlapping, evolving obligations across countries and sectors.
Here’s what organizations should do:
- Map obligations across jurisdictions.
- Leverage ENISA and NIST mappings for implementation.
- Stay ahead of product classification (CRA, AI Act).
- Transition frameworks (ISO 27001, 27701).
- Invest in continuous monitoring and training.
And then let’s move from checking boxes to building lasting resilience — together.
Sławomir Pijanowski
Global Governance Risk Compliance Practice Leader, Atos