Welcome to the inaugural edition of Regulatory Radar — Orizon's monthly briefing on the European regulatory landscape. Each edition surfaces the developments that matter most to compliance and security teams operating in the EU mid-market, with a focus on what changed, what is coming, and where to direct attention now.
This Month's Headlines
- DORA entered its enforcement phase on January 17, 2025 and financial entities are now operating under live supervisory scrutiny from the ESAs (EBA, EIOPA, ESMA) — ICT incident reporting and third-party risk frameworks are no longer advisory.
- NIS2 transposition across EU member states remains uneven thirteen months after the October 17, 2024 deadline, creating a fragmented compliance environment for organisations operating across borders.
- The Netherlands has advanced its own implementation through an update to the Wbni (Wet beveiliging netwerk- en informatiesystemen), bringing Dutch-specific obligations into force for in-scope entities.
- The Cyber Resilience Act is now in force, with the critical upcoming milestone being the start of obligations to report actively exploited vulnerabilities and severe incidents in September 2026 — less than seven months away.
- GDPR cumulative fines across the EU have surpassed EUR 7 billion since the regulation became enforceable in 2018, underscoring that data protection enforcement continues to escalate alongside cybersecurity regulation.
What Changed
DORA: From preparation to enforcement
The Digital Operational Resilience Act crossed from a preparation phase into an active enforcement regime in January 2025. Financial entities — banks, insurance firms, investment firms, and their critical ICT third-party providers — are now subject to supervisory review. The European Supervisory Authorities published the final batch of technical standards in the lead-up to the enforcement date, covering ICT incident classification thresholds, DORA-specific TLPT (threat-led penetration testing) frameworks, and the oversight regime for critical third-party providers.
For organisations that completed a compliance gap assessment in 2024, this month is a practical test of whether those frameworks hold under operational conditions. For those that did not, supervisory engagement is no longer hypothetical.
NIS2: An uneven patchwork
The NIS2 Directive required member states to transpose its requirements into national law by October 17, 2024. That deadline has passed, but implementation across the EU's 27 member states is not uniform. Some member states completed transposition on schedule; others have been slower, creating a situation where organisations with cross-border operations must simultaneously track multiple national regimes at different stages of maturity.
In the Netherlands, the updated Wbni gives effect to NIS2 obligations domestically. Dutch entities in scope — including those in the energy, transport, financial market infrastructure, digital infrastructure, and managed service provider sectors — should treat this as the operative framework for their compliance obligations, not the Directive text alone.
What's Coming
September 2026 — CRA reporting obligations begin
The Cyber Resilience Act entered into force in late 2024, but its most operationally significant requirements arrive in phases. From September 2026, manufacturers of products with digital elements must begin notifying ENISA of actively exploited vulnerabilities and severe incidents within defined timeframes. This is not the full compliance deadline — that falls in December 2027 — but September 2026 is the point at which reporting obligations become legally binding. Organisations that manufacture or distribute connected products into the EU should be building the internal incident detection and reporting pipelines now, not in six months.
Ongoing — DORA ICT incident reporting
Financial entities must classify and report major ICT incidents under the timelines established in the DORA technical standards. The initial notification, intermediate report, and final report sequence now applies to live operational incidents. Supervisory bodies are watching both the quality of reports and the underlying resilience demonstrated by reporting entities.
Orizon's Take
The period between now and September 2026 is the most consequential window for compliance teams across two distinct regulatory tracks. For financial entities, DORA enforcement is already live — the question is not whether to comply but how well existing frameworks perform under supervisory scrutiny. Third-party risk management, in particular, is an area where many organisations built documentation-level compliance without the operational depth required to satisfy ESA expectations. That gap will surface.
For organisations in the digital products space, the CRA's September 2026 reporting milestone is closer than it appears. Vulnerability disclosure processes, internal incident detection, and the technical infrastructure needed to report to ENISA on the required timelines all take meaningful time to build correctly. The organisations that treat September as the start date will find themselves in a difficult position. The ones that treat today as the planning deadline will not.
Key Dates
| Date | Regulation | Event |
|---|---|---|
| October 17, 2024 | NIS2 | Member state transposition deadline (passed — check national implementation status) |
| January 17, 2025 | DORA | Enforcement date — financial entities and critical ICT third-party providers must comply |
| September 2026 | CRA | Reporting obligations for actively exploited vulnerabilities and severe incidents begin |
| December 2027 | CRA | Full Cyber Resilience Act compliance deadline |
| Ongoing | GDPR | DPA enforcement activity across member states continues |
Regulatory Radar is published monthly by Orizon. Content reflects publicly available regulatory information as of the publication date. Nothing in this briefing constitutes legal advice. Consult qualified counsel for advice specific to your organisation.