Regulatory Updates

EU Regulatory Updates & Compliance Monitor

Stay ahead of DORA, CSRD, NIS2, GDPR and all major EU regulatory changes. Real-time monitoring, deadline tracking, and expert analysis for compliance teams.

Open Live MonitorBook a Demo

DORA

DORA Regulatory Updates.

The Digital Operational Resilience Act (DORA) entered into force on January 16, 2023 and became mandatory on January 17, 2025. Here are the most important recent developments for financial entities and ICT service providers.

January 2025

DORA Enforcement Begins

DORA became mandatory for all in-scope financial entities and ICT third-party service providers across the EU on January 17, 2025. National competent authorities - including BaFin in Germany, AMF in France, and DNB in the Netherlands - now have full supervisory and enforcement powers under the regulation.

2024

ESA Final RTS/ITS Published

The European Supervisory Authorities (EBA, EIOPA, ESMA) published the final batch of Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) covering ICT risk management frameworks, incident reporting templates, threat-led penetration testing (TLPT) requirements, and third-party ICT provider oversight. These standards provide the detailed technical requirements financial entities must implement.

Ongoing

DORA Oversight Framework for Critical ICT Providers

The ESAs are establishing the oversight framework for Critical ICT Third-Party Providers (CTPPs). Designated CTPPs will be subject to direct supervision by a Lead Overseer, including on-site inspections and recommendations. Financial entities using CTPPs must ensure their contractual arrangements comply with DORA Articles 28-30.

Germany

BaFin Implementation Guidance

BaFin has published guidance on the relationship between DORA and existing national requirements (BAIT, VAIT, KAIT). Financial entities supervised by BaFin should review how DORA obligations interact with and in many cases supersede existing MaRisk/BAIT requirements, particularly around ICT risk management and third-party oversight.

CSRD

CSRD Regulatory Updates.

The Corporate Sustainability Reporting Directive (CSRD) is rolling out in waves, requiring companies to report under the European Sustainability Reporting Standards (ESRS). Here are the key developments.

FY2024 Reporting

Wave 1: Large Listed Companies Reporting

Large listed companies already subject to the Non-Financial Reporting Directive (NFRD) are now required to report under CSRD for financial year 2024. This includes approximately 11,700 companies across the EU that must prepare sustainability reports aligned with the ESRS standards.

FY2025

Wave 2: Large Non-Listed Companies

Large companies not previously subject to NFRD will begin reporting for financial year 2025. This significantly expands the scope of mandatory sustainability reporting to include large non-listed companies meeting two of three criteria: over 250 employees, EUR 50M+ net turnover, or EUR 25M+ total assets.

2024-2025

ESRS Delegated Acts Finalized

The European Commission adopted the ESRS delegated acts, establishing the 12 sustainability reporting standards (ESRS 1-2, E1-E5, S1-S4, G1). These standards define the specific disclosures, metrics, and narrative reporting requirements for each sustainability topic. Sector-specific standards are in development.

2025

Omnibus Simplification Proposal

The European Commission announced an omnibus simplification proposal aimed at reducing the reporting burden for companies. This proposal may adjust certain CSRD requirements, particularly for smaller in-scope companies, while maintaining the core objectives of sustainability transparency. Companies should continue preparing under current requirements until any amendments are formally adopted.

Ongoing

EFRAG Implementation Guidance

The European Financial Reporting Advisory Group (EFRAG) continues to publish implementation guidance, Q&As, and explanatory materials to help companies apply the ESRS standards correctly. These include guidance on double materiality assessment methodology, value chain reporting boundaries, and transitional provisions.

NIS2

NIS2 Regulatory Updates.

The NIS2 Directive (EU 2022/2555) significantly expands the scope of EU cybersecurity requirements. Member states were required to transpose the directive into national law by October 17, 2024.

October 2024

Transposition Deadline Passed

The NIS2 transposition deadline of October 17, 2024 has passed. While many member states have transposed the directive, several are still in the process of finalizing national legislation. Organizations in all EU member states should prepare for NIS2 requirements regardless of their national transposition status, as the directive's obligations are clear.

Ongoing

Member State Implementation Status

Implementation varies across EU member states. Germany's NIS2 transposition (NIS2UmsuCG) has been progressing through the legislative process. France, the Netherlands, Italy, and Spain are at various stages of national implementation. Organizations should monitor their specific member state's transposition status and any additional national requirements.

Guidance

ENISA Guidance on Essential and Important Entities

The European Union Agency for Cybersecurity (ENISA) has published guidance on identifying essential and important entities under NIS2. The directive covers 18 sectors, with entities classified based on size, criticality, and sector. Essential entities (large organizations in critical sectors) face stricter supervision, while important entities are subject to ex-post supervision.

Requirements

Incident Reporting Requirements (24h/72h)

NIS2 introduces strict incident reporting timelines: an early warning to the national CSIRT within 24 hours of becoming aware of a significant incident, followed by a full incident notification within 72 hours. A final report must be submitted within one month. Organizations must establish processes and capabilities to meet these deadlines.

GDPR

GDPR Regulatory Updates.

The General Data Protection Regulation continues to evolve through enforcement actions, new guidance, and landmark decisions. Here are the most impactful recent developments.

Enforcement

Major Fines and Enforcement Actions

GDPR enforcement continues to intensify, with total fines exceeding EUR 4.5 billion since 2018. Recent major penalties have targeted large technology companies, financial institutions, and data brokers for violations including inadequate legal bases for processing, insufficient transparency, and failures in data subject rights. The trend toward larger fines and stricter enforcement shows no signs of slowing.

Guidance

EDPB Guidelines on AI and Data Processing

The European Data Protection Board (EDPB) has issued guidelines on the use of artificial intelligence and automated decision-making under GDPR. These cover legal bases for AI training data, transparency requirements for automated decisions, the right to explanation under Article 22, and data protection impact assessments for AI systems. Organizations deploying AI must ensure GDPR compliance at every stage of the AI lifecycle.

Transfers

Cross-Border Transfer Mechanisms Post-Schrems II

The EU-US Data Privacy Framework provides a new adequacy mechanism for transatlantic data transfers. Organizations must still conduct Transfer Impact Assessments (TIAs) for transfers to non-adequate countries and implement supplementary measures where needed. Standard Contractual Clauses (SCCs) remain the primary safeguard for international transfers outside adequacy decisions.

Enforcement Trend

Cookie Consent Enforcement Trends

Data protection authorities across Europe are increasing enforcement on cookie consent practices. Recent decisions have targeted deceptive design patterns ("dark patterns") in consent mechanisms, pre-ticked boxes, and cookie walls. Organizations must ensure their consent mechanisms provide genuine choice and meet GDPR and ePrivacy requirements.

ISO 27001

ISO 27001 Updates.

ISO 27001 remains the global standard for information security management systems. The 2022 revision brought significant changes to Annex A controls and alignment with modern security practices.

Deadline: October 2025

ISO 27001:2022 Transition Deadline

Organizations certified under ISO 27001:2013 must transition to ISO 27001:2022 by October 31, 2025. After this date, ISO 27001:2013 certifications will no longer be valid. Organizations should work with their certification body to plan and execute the transition, including updating their ISMS documentation, risk assessments, and Statement of Applicability.

Changes

New Annex A Controls Mapping

ISO 27001:2022 restructured Annex A from 14 control categories (114 controls) to 4 themes (93 controls): Organizational, People, Physical, and Technological. 11 new controls were introduced covering areas such as threat intelligence, cloud security, ICT readiness for business continuity, physical security monitoring, data masking, data leakage prevention, and secure development lifecycle.

Companion Standard

ISO 27002:2022 Changes

The updated ISO 27002:2022 provides implementation guidance for the Annex A controls. Each control now includes attributes such as control type, information security properties, cybersecurity concepts, and operational capabilities. These attributes help organizations prioritize and categorize controls for effective implementation and mapping to other frameworks like DORA and NIS2.

Stakes

Why Regulatory Monitoring Matters.

The EU regulatory landscape changes weekly. Staying current is not optional — it is a board-level responsibility with significant financial consequences for non-compliance.

DORA: Up to 2% of global turnover

or EUR 10M for financial entities, with personal liability for board members.

GDPR: Up to 4% of global turnover

or EUR 20M, with fines exceeding EUR 4.5 billion total since enforcement began.

NIS2: Up to EUR 10M

or 2% of worldwide annual turnover for essential entities, with management liability.

Board-Level Accountability

DORA, NIS2, and CSRD all introduce personal accountability for management bodies regarding compliance.

Never Miss a Regulatory Change
Live regulatory monitoring

Never miss a compliance update.

Get weekly digests of DORA, NIS2, GDPR, MaRisk, and ISO 27001 changes — straight to your inbox. Free.

No spam. Weekly digest only. Unsubscribe anytime.

DORANIS2GDPRMaRiskISO 27001

FAQ

Frequently Asked Questions

How often do EU regulations change?+

EU regulatory frameworks evolve continuously. Major frameworks like DORA, NIS2, and CSRD receive new guidance, technical standards, and enforcement decisions on a weekly basis. Supervisory authorities such as BaFin, ESMA, and ENISA regularly publish implementation guidance, Q&As, and enforcement updates that can affect your compliance obligations.

What is the Matproof Regulatory Monitor?+

The Matproof Regulatory Monitor is a free tool that tracks regulatory changes across 21 EU and international compliance frameworks in real-time. It aggregates updates from supervisory authorities, standard-setting bodies, and enforcement agencies across the EU, so compliance teams can stay informed without manually checking dozens of sources.

Which frameworks does Matproof monitor?+

Matproof monitors DORA, NIS2, GDPR, CSRD, EU AI Act, Cyber Resilience Act (CRA), Digital Services Act (DSA), Digital Markets Act (DMA), eIDAS 2, EU Data Act, AMLD6, PSD3, GPSR, EUDR, the Critical Entities Resilience Directive (CER), MaRisk, ISO/IEC 27001, ISO/IEC 42001, SOC 2, PCI DSS, and HIPAA. Sources include EU CELLAR, EUR-Lex, EBA, ESMA, EDPB, ENISA, ECB, BSI, BaFin, ANSSI, CSSF, CERT-Bund, CERT-FR, CERT-EU, NCSC-NL, and CISA.

How do I know if a regulatory change affects my organization?+

The Matproof Regulatory Monitor categorizes updates by framework, entity type, and urgency. You can filter by the frameworks relevant to your organization and receive alerts when new guidance, deadlines, or enforcement actions are published that affect your sector. The Matproof compliance platform also maps regulatory changes directly to your existing controls.

Is the regulatory monitor free?+

Yes, the Matproof Regulatory Monitor at monitor.matproof.com is free to use. You can also subscribe to our weekly regulatory briefing newsletter at no cost. For automated compliance management, control mapping, and evidence collection, see our platform plans.

What are the biggest compliance deadlines in 2025-2026?+

Key deadlines include: DORA enforcement (January 17, 2025), NIS2 transposition (October 17, 2024, with ongoing member state implementation), CSRD Wave 2 reporting for large non-listed companies (FY2025), and the ISO 27001:2022 transition deadline (October 2025). The Matproof Regulatory Monitor tracks all upcoming deadlines across frameworks.

Get Started

Stay ahead of every EU compliance change.

Matproof continuously monitors 21 frameworks, maps changes to your controls, and surfaces what actually affects your organization.

Book a DemoOpen Live Monitor →