Regulatory Updates
Stay ahead of DORA, CSRD, NIS2, GDPR and all major EU regulatory changes. Real-time monitoring, deadline tracking, and expert analysis for compliance teams.
DORA
The Digital Operational Resilience Act (DORA) entered into force on January 16, 2023 and became mandatory on January 17, 2025. Here are the most important recent developments for financial entities and ICT service providers.
January 2025
DORA became mandatory for all in-scope financial entities and ICT third-party service providers across the EU on January 17, 2025. National competent authorities - including BaFin in Germany, AMF in France, and DNB in the Netherlands - now have full supervisory and enforcement powers under the regulation.
2024
The European Supervisory Authorities (EBA, EIOPA, ESMA) published the final batch of Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) covering ICT risk management frameworks, incident reporting templates, threat-led penetration testing (TLPT) requirements, and third-party ICT provider oversight. These standards provide the detailed technical requirements financial entities must implement.
Ongoing
The ESAs are establishing the oversight framework for Critical ICT Third-Party Providers (CTPPs). Designated CTPPs will be subject to direct supervision by a Lead Overseer, including on-site inspections and recommendations. Financial entities using CTPPs must ensure their contractual arrangements comply with DORA Articles 28-30.
Germany
BaFin has published guidance on the relationship between DORA and existing national requirements (BAIT, VAIT, KAIT). Financial entities supervised by BaFin should review how DORA obligations interact with and in many cases supersede existing MaRisk/BAIT requirements, particularly around ICT risk management and third-party oversight.
CSRD
The Corporate Sustainability Reporting Directive (CSRD) is rolling out in waves, requiring companies to report under the European Sustainability Reporting Standards (ESRS). Here are the key developments.
FY2024 Reporting
Large listed companies already subject to the Non-Financial Reporting Directive (NFRD) are now required to report under CSRD for financial year 2024. This includes approximately 11,700 companies across the EU that must prepare sustainability reports aligned with the ESRS standards.
FY2025
Large companies not previously subject to NFRD will begin reporting for financial year 2025. This significantly expands the scope of mandatory sustainability reporting to include large non-listed companies meeting two of three criteria: over 250 employees, EUR 50M+ net turnover, or EUR 25M+ total assets.
2024-2025
The European Commission adopted the ESRS delegated acts, establishing the 12 sustainability reporting standards (ESRS 1-2, E1-E5, S1-S4, G1). These standards define the specific disclosures, metrics, and narrative reporting requirements for each sustainability topic. Sector-specific standards are in development.
2025
The European Commission announced an omnibus simplification proposal aimed at reducing the reporting burden for companies. This proposal may adjust certain CSRD requirements, particularly for smaller in-scope companies, while maintaining the core objectives of sustainability transparency. Companies should continue preparing under current requirements until any amendments are formally adopted.
Ongoing
The European Financial Reporting Advisory Group (EFRAG) continues to publish implementation guidance, Q&As, and explanatory materials to help companies apply the ESRS standards correctly. These include guidance on double materiality assessment methodology, value chain reporting boundaries, and transitional provisions.
NIS2
The NIS2 Directive (EU 2022/2555) significantly expands the scope of EU cybersecurity requirements. Member states were required to transpose the directive into national law by October 17, 2024.
October 2024
The NIS2 transposition deadline of October 17, 2024 has passed. While many member states have transposed the directive, several are still in the process of finalizing national legislation. Organizations in all EU member states should prepare for NIS2 requirements regardless of their national transposition status, as the directive's obligations are clear.
Ongoing
Implementation varies across EU member states. Germany's NIS2 transposition (NIS2UmsuCG) has been progressing through the legislative process. France, the Netherlands, Italy, and Spain are at various stages of national implementation. Organizations should monitor their specific member state's transposition status and any additional national requirements.
Guidance
The European Union Agency for Cybersecurity (ENISA) has published guidance on identifying essential and important entities under NIS2. The directive covers 18 sectors, with entities classified based on size, criticality, and sector. Essential entities (large organizations in critical sectors) face stricter supervision, while important entities are subject to ex-post supervision.
Requirements
NIS2 introduces strict incident reporting timelines: an early warning to the national CSIRT within 24 hours of becoming aware of a significant incident, followed by a full incident notification within 72 hours. A final report must be submitted within one month. Organizations must establish processes and capabilities to meet these deadlines.
GDPR
The General Data Protection Regulation continues to evolve through enforcement actions, new guidance, and landmark decisions. Here are the most impactful recent developments.
Enforcement
GDPR enforcement continues to intensify, with total fines exceeding EUR 4.5 billion since 2018. Recent major penalties have targeted large technology companies, financial institutions, and data brokers for violations including inadequate legal bases for processing, insufficient transparency, and failures in data subject rights. The trend toward larger fines and stricter enforcement shows no signs of slowing.
Guidance
The European Data Protection Board (EDPB) has issued guidelines on the use of artificial intelligence and automated decision-making under GDPR. These cover legal bases for AI training data, transparency requirements for automated decisions, the right to explanation under Article 22, and data protection impact assessments for AI systems. Organizations deploying AI must ensure GDPR compliance at every stage of the AI lifecycle.
Transfers
The EU-US Data Privacy Framework provides a new adequacy mechanism for transatlantic data transfers. Organizations must still conduct Transfer Impact Assessments (TIAs) for transfers to non-adequate countries and implement supplementary measures where needed. Standard Contractual Clauses (SCCs) remain the primary safeguard for international transfers outside adequacy decisions.
Enforcement Trend
Data protection authorities across Europe are increasing enforcement on cookie consent practices. Recent decisions have targeted deceptive design patterns ("dark patterns") in consent mechanisms, pre-ticked boxes, and cookie walls. Organizations must ensure their consent mechanisms provide genuine choice and meet GDPR and ePrivacy requirements.
ISO 27001
ISO 27001 remains the global standard for information security management systems. The 2022 revision brought significant changes to Annex A controls and alignment with modern security practices.
Deadline: October 2025
Organizations certified under ISO 27001:2013 must transition to ISO 27001:2022 by October 31, 2025. After this date, ISO 27001:2013 certifications will no longer be valid. Organizations should work with their certification body to plan and execute the transition, including updating their ISMS documentation, risk assessments, and Statement of Applicability.
Changes
ISO 27001:2022 restructured Annex A from 14 control categories (114 controls) to 4 themes (93 controls): Organizational, People, Physical, and Technological. 11 new controls were introduced covering areas such as threat intelligence, cloud security, ICT readiness for business continuity, physical security monitoring, data masking, data leakage prevention, and secure development lifecycle.
Companion Standard
The updated ISO 27002:2022 provides implementation guidance for the Annex A controls. Each control now includes attributes such as control type, information security properties, cybersecurity concepts, and operational capabilities. These attributes help organizations prioritize and categorize controls for effective implementation and mapping to other frameworks like DORA and NIS2.
Stakes
The EU regulatory landscape changes weekly. Staying current is not optional — it is a board-level responsibility with significant financial consequences for non-compliance.
DORA: Up to 2% of global turnover
or EUR 10M for financial entities, with personal liability for board members.
GDPR: Up to 4% of global turnover
or EUR 20M, with fines exceeding EUR 4.5 billion total since enforcement began.
NIS2: Up to EUR 10M
or 2% of worldwide annual turnover for essential entities, with management liability.
Board-Level Accountability
DORA, NIS2, and CSRD all introduce personal accountability for management bodies regarding compliance.
FAQ
EU regulatory frameworks evolve continuously. Major frameworks like DORA, NIS2, and CSRD receive new guidance, technical standards, and enforcement decisions on a weekly basis. Supervisory authorities such as BaFin, ESMA, and ENISA regularly publish implementation guidance, Q&As, and enforcement updates that can affect your compliance obligations.
The Matproof Regulatory Monitor is a free tool that tracks regulatory changes across 21 EU and international compliance frameworks in real-time. It aggregates updates from supervisory authorities, standard-setting bodies, and enforcement agencies across the EU, so compliance teams can stay informed without manually checking dozens of sources.
Matproof monitors DORA, NIS2, GDPR, CSRD, EU AI Act, Cyber Resilience Act (CRA), Digital Services Act (DSA), Digital Markets Act (DMA), eIDAS 2, EU Data Act, AMLD6, PSD3, GPSR, EUDR, the Critical Entities Resilience Directive (CER), MaRisk, ISO/IEC 27001, ISO/IEC 42001, SOC 2, PCI DSS, and HIPAA. Sources include EU CELLAR, EUR-Lex, EBA, ESMA, EDPB, ENISA, ECB, BSI, BaFin, ANSSI, CSSF, CERT-Bund, CERT-FR, CERT-EU, NCSC-NL, and CISA.
The Matproof Regulatory Monitor categorizes updates by framework, entity type, and urgency. You can filter by the frameworks relevant to your organization and receive alerts when new guidance, deadlines, or enforcement actions are published that affect your sector. The Matproof compliance platform also maps regulatory changes directly to your existing controls.
Yes, the Matproof Regulatory Monitor at monitor.matproof.com is free to use. You can also subscribe to our weekly regulatory briefing newsletter at no cost. For automated compliance management, control mapping, and evidence collection, see our platform plans.
Key deadlines include: DORA enforcement (January 17, 2025), NIS2 transposition (October 17, 2024, with ongoing member state implementation), CSRD Wave 2 reporting for large non-listed companies (FY2025), and the ISO 27001:2022 transition deadline (October 2025). The Matproof Regulatory Monitor tracks all upcoming deadlines across frameworks.
Get Started
Matproof continuously monitors 21 frameworks, maps changes to your controls, and surfaces what actually affects your organization.
Live Feed
Every entry below was pulled directly from a regulator’s feed in the last few days — CELLAR, EBA, ESMA, ENISA, BSI, BaFin, ANSSI and 14 other sources — classified against 21 EU compliance frameworks and summarised. Updates daily.
The European Data Protection Supervisor (EDPS) has published a new informational episode concerning the implementation of the eIDAS2 framework, specifically focused on Digital Identity Wallets. This publication is part…