Compliance | 17 December 2025 | 10 min read | Attila Bognar

EU Compliance 2025 Year in Review: The Regulatory Tsunami Arrived

2025 was the year EU cybersecurity regulation moved from theory to enforcement. DORA applied, NIS2 transposition happened (mostly), and AI Act prohibited practices kicked in. Here is what mattered, what surprised us, and what 2026 brings.

Tags: year in review, NIS2, DORA, AI Act, 2026 outlook

For at least three years, EU compliance professionals have been warning their boards that a regulatory tsunami was coming. In 2025, it arrived. Not as a single dramatic wave, but as a rising tide that kept going — each quarter bringing another framework from legislative text to operational reality.

DORA became applicable on January 17. The EU AI Act's prohibited practices provision took effect on February 2. NIS2 transposition deadlines passed — and in many Member States, transposition actually happened, creating new legal obligations for tens of thousands of organisations that had never been subject to EU cybersecurity regulation before. By the end of Q3, the Commission had initiated infringement proceedings against Member States that missed the transposition deadline entirely.

This is the year-in-review for 2025. Not every development, but the ones that will shape how compliance programs operate in 2026 and beyond.

Q1 2025: DORA Goes Live, AI Act Prohibited Practices Apply

January 17, 2025 was the date the financial services sector had been preparing for — or scrambling toward — since DORA was published in the Official Journal in December 2022. Regulation (EU) 2022/2554 became directly applicable across all 27 Member States, with no transposition required. Every credit institution, insurance undertaking, investment firm, payment institution, and crypto-asset service provider in the EU woke up on January 17 subject to a comprehensive ICT risk management framework backed by supervisory enforcement.

The immediate reality was less dramatic than the preparation suggested. Supervisors did not launch enforcement actions on day one. The European Supervisory Authorities (ESAs) — EBA, ESMA, and EIOPA — had signalled throughout 2024 that the initial supervisory approach would be constructive rather than punitive, focusing on understanding the sector's readiness rather than penalising gaps. The first DORA-related supervisory communications emphasised the importance of having ICT risk management frameworks in place, registers of information on ICT third-party arrangements completed, and incident classification and reporting capabilities operational.

Two weeks later, on February 2, the AI Act's Article 5 prohibited practices became the first enforceable provision of Regulation (EU) 2024/1689. The scope was narrower than the broader AI Act, targeting eight categories of AI practices deemed unacceptable — from social scoring to emotion recognition in workplaces. The direct operational impact on most enterprises was limited, but the compliance obligation to assess and document was real. Organisations that had not yet inventoried their AI systems against Article 5 criteria were technically non-compliant from day one.

The lesson from Q1 was structural: direct applicability (DORA, AI Act) creates a different compliance dynamic than directive transposition (NIS2). When a regulation applies, there is no ambiguity about timing, no waiting for national law, no cross-border variation in when obligations begin. The preparation period either happened or it did not.

Q2 2025: First DORA Supervisory Inquiries, NIS2 Transposition Progress

By April, the ESAs had moved beyond introductory communications to targeted supervisory inquiries. The first requests were predictable to anyone who had read the regulatory technical standards (RTS) published in 2024: ICT risk management frameworks (Art. 6-16), registers of information on ICT third-party service providers (Art. 28(3)), and incident classification and reporting procedures (Art. 17-23).

What surprised many organisations was the granularity of supervisory expectations. The register of information, specified in the joint ESA RTS, required detailed data on every ICT third-party arrangement — including sub-outsourcing chains, data storage locations, service criticality assessments, and exit strategy documentation. Organisations that had maintained simple vendor lists discovered that a vendor list is not a register of information. The structural gap between "we know who our vendors are" and "we can produce a complete, current, and auditable register of all ICT third-party arrangements" consumed significant compliance resources in Q2.

Meanwhile, NIS2 transposition was advancing unevenly. The Directive's transposition deadline had been October 17, 2024, and as of that date, only a handful of Member States had completed transposition. By mid-2025, the picture had improved substantially — roughly half of Member States had adopted transposition legislation — but significant gaps remained. Some of Europe's largest economies were still finalising their national transposition, creating an awkward period where organisations knew they would be subject to NIS2 obligations but could not yet determine the precise scope and severity of those obligations under national law.

This gap created a practical compliance challenge. Multinational organisations operating across multiple Member States faced the question: do we build our NIS2 compliance program against the Directive text (knowing national variations will come) or wait for each national transposition? Most compliance leaders chose to build against the Directive, treating it as the minimum baseline and planning to adjust for national specifics as they emerged. This was the right call, but it required a compliance architecture flexible enough to accommodate variation — something that spreadsheet-based programs struggle to deliver.

Q3 2025: Commission Infringement Proceedings for Late NIS2 Transposition

In July 2025, the Commission took the step that many had anticipated: formal infringement proceedings under Article 258 TFEU against Member States that had failed to transpose NIS2 by the October 2024 deadline. The proceedings were not unexpected — the Commission had issued letters of formal notice in late 2024 — but the escalation to reasoned opinions signalled that the Commission was treating NIS2 transposition failures seriously.

The Member States in scope included several that are home to significant regulated entities. The practical consequence was acceleration: political pressure from infringement proceedings compressed legislative timelines, with several Member States fast-tracking their transposition bills through parliamentary processes in Q3 and Q4.

For compliance teams, the infringement proceedings reinforced a paradox. The regulatory obligation existed at the EU level (the Directive), but enforcement infrastructure depended on national transposition (designating competent authorities, defining essential and important entity categories, establishing supervisory powers). In Member States that had not yet transposed, organisations were technically in a regulatory vacuum — subject to obligations in principle but without a designated national authority to enforce them.

The Commission's position was clear: the transposition deadline was not a suggestion, and the obligations under the Directive could not be deferred indefinitely by Member State inaction. But for compliance officers trying to allocate budget and resources, the practical question remained: who is going to audit us, and against what specific national standard?

Q4 2025: First Enforcement Signals, Supervisory Expectations Clarifying

The final quarter of 2025 has been characterised less by dramatic enforcement actions and more by the steady clarification of supervisory expectations across all three major frameworks.

On DORA, the ESAs published thematic reviews summarising findings from their initial supervisory inquiries. Without naming individual entities, these reviews identified common gaps: incomplete registers of information, ICT risk management frameworks that existed on paper but lacked operational integration with business continuity processes, and incident classification procedures that did not align with the RTS thresholds. The message was constructive but unambiguous: supervisors expected material progress by the first anniversary of application, and entities that had not addressed identified gaps could expect escalating supervisory attention in 2026.

On NIS2, the Member States that had completed transposition began operationalising their supervisory apparatus. Competent authorities published guidance on entity registration requirements, incident notification procedures, and supervisory expectations. The first registration deadlines created new compliance obligations — entities designated as essential or important under national law were required to register with their competent authority, providing information on their sector, sub-sector, size, and cross-border operations.

On the AI Act, the AI Office continued building its capacity and engaging with stakeholders. The Article 5 prohibition had not yet produced a published enforcement action, but the Office was actively receiving complaints and conducting preliminary assessments. The development of codes of practice for general-purpose AI models, due to inform the obligations applying from August 2025, progressed through multi-stakeholder working groups, setting the stage for the next phase of AI Act implementation.

Top 5 Lessons from 2025

1. Inventory is the prerequisite for everything. Whether it was DORA's register of information, NIS2's entity self-identification, or the AI Act's prohibited practices assessment — the first compliance question in every framework was "what do you have?" Organisations without current, comprehensive inventories of ICT arrangements, network and information systems, and AI applications could not meaningfully assess their obligations under any framework.

2. Direct applicability exposes preparation gaps immediately. DORA and the AI Act applied without waiting for national transposition. On the application date, either the controls were in place or they were not. This created a starkly different compliance dynamic than NIS2, where transposition delays gave organisations additional (if uncertain) preparation time. Expect future EU regulations to follow the directly applicable model.

3. Multi-framework overlap is the operational reality. A financial services organisation in the EU is now simultaneously subject to DORA, potentially NIS2 (depending on sector classification and national transposition), GDPR (which never went away), and potentially the AI Act. Managing these as separate compliance workstreams is unsustainable. Integrated control frameworks — mapping controls to multiple regulatory requirements — are no longer a nice-to-have.

4. Evidence quality matters more than evidence volume. Supervisors did not ask for more documents. They asked for better documents — current, structured, linked to specific controls, and demonstrably reviewed. A 200-page ICT risk management framework that was last updated in 2023 is worse than a 30-page framework updated quarterly with documented review decisions.

5. Cross-border complexity is underestimated. NIS2 transposition variations, DORA's application across 27 financial sectors with different supervisory traditions, and the AI Act's interaction with national market surveillance authorities create a compliance landscape where "EU-wide" does not mean "uniform." Multinational organisations need country-specific compliance intelligence, not just EU-level analysis.

The 2026 Outlook: What Is Coming Next

2026 will not be quieter than 2025. Three developments will dominate the compliance agenda.

AI Act high-risk obligations (August 2, 2026). The most operationally intensive phase of the AI Act arrives when the obligations for high-risk AI systems under Annex III become applicable. This requires conformity assessments, quality management systems, technical documentation, transparency obligations, and human oversight mechanisms for AI systems in areas including biometric identification, critical infrastructure management, education, employment, and law enforcement. Organisations deploying high-risk AI systems should be deep in their preparation programs now. Those starting in mid-2026 will not be ready.

Cyber Resilience Act vulnerability reporting (September 11, 2026). The CRA, Regulation (EU) 2024/2847, introduces cybersecurity requirements for products with digital elements. While the full product conformity obligations do not apply until December 2027, manufacturers must begin actively exploited vulnerability reporting by September 2026. This is a new obligation for many hardware and software manufacturers who have not previously had mandatory vulnerability reporting obligations.

Continued NIS2 enforcement ramp-up. With transposition completing across remaining Member States and competent authorities becoming operational, 2026 will see the first wave of NIS2 supervisory activity at scale. Expect registration enforcement, incident notification audits, and — for essential entities in particular — proactive supervisory inspections.

The combined regulatory load is unprecedented in European cybersecurity history. The organisations that will manage it effectively are those investing now in integrated compliance platforms, automated evidence management, and continuous control monitoring — not those planning to handle each framework as a separate project with separate teams and separate tools. The research on EU compliance readiness entering 2026 confirms what most practitioners already sense: the gap between regulatory expectation and operational reality remains wide, but it is closing faster in organisations that treat compliance as an engineering problem rather than a documentation exercise.

Key Takeaways

2025 was the year of first application. DORA, AI Act Article 5, and NIS2 transposition all created new binding obligations within a 12-month period. The regulatory tsunami that was predicted has arrived.

Inventory and evidence quality separated prepared from unprepared organisations. The first supervisory questions were about completeness, currency, and structure — not about policy intent.

2026 will be more demanding, not less. AI Act high-risk obligations in August, CRA vulnerability reporting in September, and accelerating NIS2 enforcement mean that compliance programs need to scale their operational capacity now.

Integrated compliance is no longer optional. Organisations managing DORA, NIS2, GDPR, and the AI Act as separate workstreams will exhaust their teams and their budgets. A unified control framework with automated evidence management is the only sustainable architecture.
