
Cybersecurity regulatory pressures and robust industry frameworks, a mid-year update

 

As we cross the halfway mark of 2025, cybersecurity leaders face a landscape marked by both growing regulatory urgency and opportunity. New rules like DORA and NIS2 are transitioning from guidance to enforcement, while foundational frameworks like ISO and NIST continue to evolve to support compliance and resilience.

This mid-year snapshot explores the momentum behind these changes. It offers a perspective on how evolving rules and frameworks can become catalysts for smarter, more adaptive security strategies.

Regulatory milestones in the EU

DORA – Well past the compliance deadline

The Digital Operational Resilience Act (DORA) has been enforceable since 17 January 2025. If you’re in the financial sector, compliance with DORA is now obligatory for you.

DORA requires alignment across five key pillars, from ICT risk management to incident reporting. Three areas remain particularly complex:

  • Incident management (Pillar 2), where timely detection and reporting are essential
  • Threat-led penetration testing (TLPT under Pillar 3), which demands repeatable, scalable approaches to simulating and addressing real-world threats
  • ICT third-party risk management (Pillar 4), which covers governance of ICT service providers, an industry risk framework, maintaining a robust information register, vendor prioritization, contract controls, concentration risk assessment, and ongoing monitoring of providers’ security performance


DORA enforcement and penalties

Maximum penalty: DORA Art. 50 requires member states to establish rules on administrative penalties for financial entities, ensuring that they are effective, proportionate and dissuasive.
  • For individuals: maximum individual fines can be €1,000,000.
  • For critical ICT providers: penalties can be up to €5,000,000 for companies and €500,000 for individuals of those providers.
  • Daily fines: critical ICT service providers could be fined up to 1% of their average daily global turnover for each day of non-compliance.
Non-financial penalties: supervisory measures (e.g., requiring specific actions), public reprimands
Key infringements: severe breaches by financial entities and critical ICT third-party providers
Enforcement body: national competent authorities

Atos’ advice

Determine whether your organization falls within the scope of DORA threat-led penetration testing, as this necessitates coordinated planning with your national financial supervisory authority and the appropriate financial industry CERT. Conduct a thorough analysis of your critical ICT third-party service providers, categorize both the providers and associated contracts, and verify that incident response plans adhere to DORA’s rigorous standards for operational resilience and prompt reporting of supply chain-related incidents.

NIS2 – Patchy transposition. High stakes.

The NIS2 Directive should have been transposed into national law by 17 October 2024. Yet, as of mid-2025, only 14 out of 27 EU countries have completed the process.

The EU Commission implementing regulation (EU 2024/2690) of 17 October 2024 brings a sharper focus:

  • Definitions and thresholds for “significant incidents”
  • 400+ specific requirements spanning 13 control domains
  • Priority areas: Access control, cryptography, and physical security, mapped to ISO/IEC 27001 and NIST

To help you navigate this, ENISA has released technical guidelines (June 2025), offering helpful mappings to existing frameworks. This aids integration with frameworks like ISO/IEC 27001:2022 and NIST Cybersecurity Framework 2.0, plus European (e.g., ETSI, CEN/TS) and specific national frameworks (e.g., Belgium’s Cyber Fundamentals, Germany’s KRITIS requirements).

NIS2 enforcement and penalties

Maximum penalty:
  • Essential entities: up to €10 million or 2% of annual global turnover
  • Important entities: up to €7 million or 1.4% of annual global turnover
Non-financial penalties: temporary prohibitions on individuals from exercising management functions, and public statements about security breaches
Key infringements: non-compliance with NIS2 requirements, including significant incidents
Enforcement body: national competent authorities

Atos’ advice

Start with a comprehensive NIS2 compliance gap assessment covering the 13 categories (see our guide), including all major third-party suppliers in your supply chain. Unlike DORA, this assessment goes beyond ICT third-party service providers. Strengthen each risk management measure – covering both digital and physical cybersecurity – and ensure thorough due diligence in evidence collection for NIS2 compliance. Improve your cyber supply chain procedures and map out obligations related to fourth-party and subcontractor risks.

Cyber Resilience Act (CRA) – Laying the foundations

While most CRA obligations apply from December 2027, groundwork is already being laid:

  • By 11 December 2025, the EU is expected to define technical specifications for “important” and “critical” digital products like IAM systems and routers, which are outlined in Annex III and IV of the CRA.
  • Starting 11 September 2026, manufacturers must report actively exploited vulnerabilities and severe cybersecurity incidents without undue delay to the European Union Agency for Cybersecurity (ENISA). ENISA has started releasing guidance that maps CRA principles to existing standards like ISO 27002 and IEC 62443. The goal: help you start aligning early.

CRA enforcement and penalties

Maximum penalty: up to €15 million or 2.5% of total annual worldwide turnover
Non-financial penalties: product recalls
Key infringements: placing non-compliant products on the market, failing to address vulnerabilities
Enforcement body: national market surveillance authorities

Atos’ advice

Engage early with your digital product suppliers to understand how they are preparing for CRA and to ensure your procurement processes reflect these new security-by-design requirements.

EU AI Act – Launching the compliance phase shortly

The EU AI Act came into force on 1 August 2024, with a phased rollout through 2027. In 2025, focus on:

  • 2 February 2025: Prohibited AI systems must be withdrawn; requires appropriate AI literacy and competence among personnel
  • 2 May 2025: Codes of Conduct for AI system providers
  • 2 August 2025: General-purpose AI (GPAI) systems enter scope
  • 2 August 2026: Deadline for full compliance by operators of high-risk AI systems
  • 2 August 2027: Final deadline for compliance by operators of GPAI systems already in the market before August 2, 2025

Organizations should conduct an AI system inventory and classify each system by the level of risk. Accordingly, perform a gap analysis, develop a remediation plan, set up data governance and security controls, certify compliance, and initiate continuous monitoring protocols and post-deployment audits.

EU AI Act enforcement and penalties

Maximum penalty: up to €35 million or 7% of the company’s total worldwide annual turnover (for placing prohibited AI systems on the market)
Non-financial penalties: withdrawal of non-compliant AI systems
Key infringements: placing prohibited AI systems on the market, non-compliance with data governance requirements, and conformity assessment failures
Enforcement body: national supervisory authorities

Atos’ advice

When conducting an inventory check for AI systems, specifically identify and classify those procured from third parties, ensuring your due diligence assesses their compliance with the AI Act’s risk requirements.

Global frameworks and developing standards

NIST CSF 2.0 – A broader cybersecurity standard

The updated NIST Cybersecurity Framework 2.0 is seeing rapid adoption. Key improvements include the following:

  • A new “Govern” function for strategic clarity
  • Stronger emphasis on supply chain risk management
  • Expanded scope, applicable beyond critical infrastructure

Atos’ advice

Leverage the new “Govern” function in NIST CSF 2.0 to formally integrate supply chain risk management into your overall cybersecurity strategy and board-level reporting. Consider migration of your framework from NIST CSF 1.1 to 2.0. Ensure mapping into ISO 27001:2022 if you are operating both in Europe and the US.

NIST privacy framework – Modernizing for AI

A draft update (April 2025) brings better alignment with CSF 2.0, with changes focusing on:

  • Governance
  • AI system privacy
  • Emerging risks

Atos’ advice

When assessing privacy risks for AI systems, extend your review to the entire data supply chain, considering how third-party AI components or data processors handle sensitive information in line with NIST privacy framework principles.

ISO/IEC 27001:2022 – Transition year

If you’re still certified to the 2013 version, the clock is ticking. Organizations must transition to ISO/IEC 27001:2022 by 31 October 2025. This newer version incorporates modern practices and supports easier integration with DORA, NIS2, and CRA.

Atos’ advice

Review and update your ISMS (Information Security Management System), with a special focus on the supply chain security or resilience requirements to be included in contractual clauses (including the right to audit by independent parties), and map your ISMS to NIS2 or DORA requirements if your company is in scope of those regulations. Mutual alignment of NIS2, DORA (and later CRA) with the ISO/IEC 27001:2022 requirements will generate important synergies in terms of compliance cost planning.

ISO/IEC 27701:2025 – Privacy in the AI era

A major update is expected by Q3 2025. It’s designed to help you manage privacy in AI-driven environments, integrating elements of ISO 42001 (AI Management Systems) and emphasizing governance and risk assessment.

Atos’ advice

As ISO/IEC 27701:2025 emerges, evaluate your third-party AI service providers and data processors to ensure their privacy controls integrate with your overall privacy information management system.

Australia – Sector-specific mandates

  • New Telecommunications Security Rules effective April 4, 2025, under enhancements to the Security of Critical Infrastructure Act, with a grace period until October
  • The Prudential Standard CPS 230 Operational Risk Management standard from July 1, 2025, for APRA-regulated entities

Atos’ advice

For entities under Australia’s new Telecommunications Security Rules and CPS 230, explicitly integrate the supply chain security requirements into your third-party risk assessments, particularly for critical vendors impacting telecommunications or operational resilience.

The cyber supply chain risk: What’s changing in 2025

Emerging risks — from AI-enabled attacks to quantum computing vulnerabilities, IoT device insecurity, and ransomware-as-a-service — have elevated supply chain security to a strategic concern. Regulations are adapting accordingly:

  • NIS2 introduces stricter third-party contract and due diligence obligations.
  • NIST SP 800-53 and the Secure Software Development Framework (SSDF) are evolving to strengthen third-party risk management, patch management and secure software supply chains. ISO 27002 now mandates stronger controls for supplier oversight, complementing ISO 27001’s strengthened supply chain security controls.
  • ISO 9001:2025, which is expected at the end of 2025 or early 2026, will address supply chain resilience in quality management.

From strategy to execution: Lessons from the field

Atos outlines a practical roadmap for supply chain security:

  • Conduct cyber due diligence and security ratings.
  • Implement TPRM and assess fourth-party risks.
  • Include cybersecurity clauses in contracts.
  • Perform regular audits and penetration testing.
  • Use C-SCRM/TPRM software and threat intelligence platforms.

Sector-specific risks

A comparative table from Atos highlights how supplier categories and key risks differ across industries:

Insurance
  • Supplier categories: Reinsurers, TPAs, ICT vendors, Data providers
  • Key risks: Data breaches, AI bias, System downtime

Banking
  • Supplier categories: Fintechs, Cloud providers, Card networks
  • Key risks: Data breaches, AI bias, System downtime

Manufacturing
  • Supplier categories: OEMs, Logistics, IoT vendors
  • Key risks: Ransomware, IP theft, ERP outage

Organizations are urged to adopt post-quantum cryptography, improve firmware security in OT/IoT, and include geopolitical threat intelligence in supplier vetting.

Looking forward

Cybersecurity regulation in 2025 isn’t just about compliance – it’s a catalyst for stronger, more resilient operations. By building trusted frameworks and adopting proactive practices, you’re not just meeting requirements. You’re strengthening your business.

The first half of 2025 has been one of rapid regulatory acceleration. While some frameworks like DORA and ISO 27001:2022 now require full compliance, others like CRA and AI Act are entering into phased enforcement. The biggest challenge isn’t just the scope – it’s the complexity of aligning overlapping, evolving obligations across countries and sectors.

Here’s what organizations should do:

  • Map obligations across jurisdictions.
  • Leverage ENISA and NIST mappings for implementation.
  • Stay ahead of product classification (CRA, AI Act).
  • Transition frameworks (ISO 27001, 27701).
  • Invest in continuous monitoring and training.

Let’s move from checking boxes to building lasting resilience – together.

Contact Atos Cybersecurity Consulting for a customized roadmap to regulatory compliance.

Sławomir Pijanowski

Global Governance Risk Compliance Practice Leader, Atos