Five Regulations, One Organisation
The European Union's digital regulatory programme has entered a period of unprecedented convergence. Five major legislative instruments — GDPR, NIS2, DORA, the Cyber Resilience Act, and the AI Act — now overlap in scope, impose distinct but related obligations, and carry penalties that can compound against the same organisation for the same underlying failure.
This is not a hypothetical scenario. A financial services firm that processes personal data, relies on ICT third-party providers, deploys AI in credit scoring, and sells a software product into the EU market could be simultaneously subject to all five frameworks. The question is no longer whether these regulations apply, but how to manage them without duplicating effort or leaving gaps.
The timeline below shows how quickly the regulatory landscape has evolved:
| Regulation | Published | Entry Into Force | Key Application Date |
|---|---|---|---|
| GDPR (Reg. 2016/679) | Apr 2016 | May 2016 | Applied: May 25, 2018 |
| NIS2 (Dir. 2022/2555) | Dec 2022 | Jan 16, 2023 | Transposition: Oct 17, 2024 |
| DORA (Reg. 2022/2554) | Dec 2022 | Jan 16, 2023 | Applied: Jan 17, 2025 |
| CRA (Reg. 2024/2847) | Oct 2024 | Dec 10, 2024 | Reporting: Sept 11, 2026; Full: Dec 11, 2027 |
| AI Act (Reg. 2024/1689) | Jul 2024 | Aug 1, 2024 | Prohibited AI: Feb 2, 2025; High-risk: Aug 2, 2026; Full: Aug 2, 2027 |
A critical implementation note on NIS2: it is a directive, not a regulation, meaning member states must transpose it into national law. The transposition deadline was October 17, 2024. The European Commission opened infringement procedures against 23 member states for missing that deadline, with only Belgium, Croatia, Hungary, and Italy having transposed the directive on time (European Commission, November 2024). This means that as of early 2026, the actual obligations organisations face under NIS2 vary significantly by jurisdiction.
GDPR: Eight Years of Enforcement
The General Data Protection Regulation (Regulation 2016/679) is the most mature of the five frameworks, and its enforcement record provides the clearest indication of where regulators focus their attention.
According to the DLA Piper GDPR Fines and Data Breach Survey published in January 2025, cumulative GDPR fines have reached approximately EUR 5.88 billion since the regulation came into force. The CMS GDPR Enforcement Tracker, which catalogues publicly disclosed enforcement actions, records over 2,245 individual fines with an average penalty of approximately EUR 2.36 million.
The trend line is accelerating. The DLA Piper January 2026 survey update reported that breach notifications across the EEA reached an average of 443 per day, representing a 22% year-on-year increase. This is not simply an artefact of improved detection — it reflects both the expanding digital attack surface and the growing maturity of supervisory authorities in processing and acting on notifications.
Recent landmark fines demonstrate the scale of enforcement:
- Meta Platforms Ireland: EUR 1.2 billion (May 2023) for unlawful transfers of personal data to the United States, imposed by the Irish DPC under Article 83(5) GDPR
- LinkedIn Ireland (Microsoft): EUR 310 million (October 2024) for breaches of lawfulness, fairness, and transparency obligations under Articles 5, 6, and 13 GDPR
- Meta Platforms Ireland: EUR 251 million (December 2024) for insufficient technical and organisational measures following a data breach, under Articles 25 and 32 GDPR
Spain's Agencia Española de Protección de Datos (AEPD) is the most active supervisory authority by volume, having issued over 932 fines according to the CMS Enforcement Tracker. This is significant because it demonstrates that enforcement is not concentrated in a few jurisdictions — it is widespread and intensifying across the bloc.
For organisations also subject to NIS2 and DORA, the GDPR enforcement pattern is instructive. Regulators increasingly expect documented risk assessments, evidence of board-level oversight, and demonstrable technical measures. These expectations carry directly into the newer frameworks.
NIS2: The Scope Expansion
The revised Network and Information Security Directive (Directive 2022/2555) represents the single largest expansion of EU cybersecurity regulation to date. The European Commission estimates that NIS2 brings over 160,000 entities across 18 sectors into regulatory scope — a tenfold increase from the approximately 15,000 entities covered under the original NIS Directive (ENISA, NIS2 Implementation Overview, 2024).
Essential and Important Entities
NIS2 distinguishes between "essential" entities (Annex I sectors, including energy, transport, banking, health, digital infrastructure) and "important" entities (Annex II sectors, including postal services, waste management, manufacturing, food production, digital providers). Both categories face mandatory cybersecurity risk management measures under Article 21, but essential entities are subject to proactive supervisory oversight, while important entities face primarily reactive enforcement.
Management Body Accountability
Article 20 of NIS2 introduces one of the most consequential provisions in EU cybersecurity law: management body accountability. The directive requires that:
- Management bodies of essential and important entities approve the cybersecurity risk management measures taken under Article 21
- Management bodies oversee the implementation of those measures
- Management bodies can be held personally liable for infringements
- Members of management bodies must follow mandatory cybersecurity training — and must encourage similar training for employees on a regular basis
Under Article 32(5)(b), competent authorities can impose a temporary ban on an individual from exercising managerial functions at the level of chief executive officer or legal representative in essential entities. This is not theoretical — it is a prescribed enforcement tool available to national authorities.
Supply Chain Requirements
Article 21(2)(d) mandates that entities address supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers. This goes beyond traditional vendor management. It requires organisations to consider the specific vulnerabilities of each direct supplier, the overall quality of products and cybersecurity practices of suppliers, and the results of coordinated security risk assessments.
DORA: Prescriptive Resilience for Financial Services
The Digital Operational Resilience Act (Regulation 2022/2554) applies to 21 categories of financial entities, ranging from credit institutions and investment firms to crypto-asset service providers and crowdfunding platforms (Article 2). It also establishes a direct oversight framework for critical ICT third-party service providers (CTPPs).
A Prescriptive Approach
Where GDPR is principles-based and NIS2 sets minimum requirements for member state transposition, DORA is notably prescriptive. Article 5 requires the management body to:
- Define, approve, oversee, and be responsible for the implementation of the ICT risk management framework
- Bear the ultimate responsibility for managing ICT risk
- Set clear roles and responsibilities for ICT-related functions
- Approve and periodically review the entity's digital operational resilience strategy
Critically, Article 5(4) states that members of the management body shall "actively keep up to date with sufficient knowledge and skills to understand and assess ICT risk and its impact on the operations of the financial entity" — including through regular training. This is not a recommendation. It is a legal obligation with enforcement consequences.
The Lex Specialis Principle
For organisations subject to both NIS2 and DORA, the lex specialis principle applies. Recital 16 of DORA and Article 4 of NIS2 confirm that DORA takes precedence over NIS2 for ICT-specific risk management obligations in the financial sector. In practice, this means a bank subject to both frameworks must comply with DORA's more detailed ICT risk management, incident reporting, and testing requirements, while still meeting NIS2's broader cybersecurity measures for non-ICT aspects.
Threat-Led Penetration Testing
Article 26 of DORA mandates that certain financial entities carry out threat-led penetration testing (TLPT) at least every three years. TLPT must be performed by independent testers, cover critical functions, and follow the TIBER-EU framework or equivalent standards. This requirement has no equivalent in GDPR or NIS2 and represents an additional testing obligation that organisations must plan and budget for.
CRA and AI Act: The Next Wave
The Cyber Resilience Act
The Cyber Resilience Act (Regulation 2024/2847) is the first EU regulation targeting the cybersecurity of products with digital elements. Unlike NIS2 and DORA, which regulate organisations and their operations, the CRA regulates the products themselves — imposing obligations on manufacturers, importers, and distributors throughout the product lifecycle.
The CRA applies to any product with digital elements — hardware and software — placed on the EU market. This includes everything from consumer IoT devices to enterprise software, firmware, and components. The obligations are phased:
- September 11, 2026: Reporting obligations for actively exploited vulnerabilities and severe incidents take effect (Article 14)
- December 11, 2027: Full essential cybersecurity requirements apply, including secure-by-default configurations, vulnerability handling processes, and software bill of materials (SBOM) requirements
The CRA introduces a new obligation for manufacturers to provide security updates for the expected product lifetime or a minimum of five years, whichever is shorter (Article 13(8)). This has significant implications for software vendors and hardware manufacturers alike.
The AI Act
The Artificial Intelligence Act (Regulation 2024/1689) establishes a risk-based classification system for AI systems and imposes obligations that escalate with the level of risk. The phased implementation schedule is among the most complex of any EU regulation:
- February 2, 2025: Prohibitions on unacceptable-risk AI practices take effect (Article 5), including social scoring systems, real-time biometric identification in public spaces (with limited exceptions), and AI that exploits vulnerabilities of specific groups
- August 2, 2025: Obligations for general-purpose AI (GPAI) model providers apply (Chapter V)
- August 2, 2026: Requirements for high-risk AI systems apply (Annex III)
- August 2, 2027: Full application, including high-risk AI systems embedded in regulated products (Annex I)
For organisations already managing GDPR compliance, the AI Act introduces additional data governance requirements. Article 10 mandates that training, validation, and testing datasets for high-risk AI systems meet specific quality criteria, and Article 22 preserves the data subject rights established under GDPR, including the right not to be subject to solely automated decisions.
Where They Overlap: Incident Reporting
Incident reporting is where regulatory overlap creates the most immediate operational complexity. An organisation subject to multiple frameworks may need to file notifications with different authorities, under different timelines, with different content requirements — for the same incident.
| Framework | Stage 1 | Stage 2 | Stage 3 |
|---|---|---|---|
| GDPR Art. 33 | — | 72 hours to DPA | — |
| NIS2 Art. 23 | 24-hour early warning | 72-hour notification | 1-month final report |
| DORA Art. 19 | 4 hours after classification (max 24h from detection) | 72-hour intermediate report | 1-month final report |
The critical distinction for DORA lies in Article 19(4)(a): the initial notification must be submitted no later than 4 hours from the moment the ICT-related incident is classified as major, and no later than 24 hours from the time the financial entity became aware of the incident. The 4-hour clock starts from classification, not from detection — but the 24-hour outer limit from detection acts as a hard backstop.
For a financial institution that also processes personal data and falls within NIS2 scope, a single cybersecurity incident involving personal data could trigger three parallel reporting obligations:
- GDPR Article 33 notification to the data protection authority within 72 hours
- NIS2 Article 23 early warning to the CSIRT within 24 hours
- DORA Article 19 initial notification to the competent financial authority within 4 hours of classification
The organisation must meet the strictest applicable timeline — which means the DORA 4-hour requirement effectively becomes the operational standard for any incident that is also reportable under GDPR and NIS2.
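As an added illustration (not part of the original article), the following Python computes the first-stage notification deadlines described above for one incident and picks the strictest one. It assumes the detection time is also the moment the entity "became aware" of the incident, and that DORA only bites once the incident has been classified as major; the bank scenario and timestamps are constructed.

```python
from datetime import datetime, timedelta, timezone


def utc(year, month, day, hour, minute=0):
    """Small helper for building timezone-aware UTC timestamps."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def first_notification_deadlines(detected_at, classified_major_at=None, *,
                                 personal_data=False, nis2_scope=False,
                                 dora_scope=False):
    """Return {framework: (recipient, deadline)} for the first-stage
    notification under each applicable framework.

    detected_at is treated as the moment the entity became aware of the
    incident (an assumption of this example: detection == awareness).
    """
    deadlines = {}
    if personal_data:
        # GDPR Art. 33: 72 hours to the data protection authority.
        deadlines["GDPR Art. 33"] = ("DPA", detected_at + timedelta(hours=72))
    if nis2_scope:
        # NIS2 Art. 23: 24-hour early warning to the CSIRT.
        deadlines["NIS2 Art. 23"] = ("CSIRT", detected_at + timedelta(hours=24))
    if dora_scope and classified_major_at is not None:
        # DORA Art. 19(4)(a): 4 hours from classification as major, but never
        # later than 24 hours from awareness. The earlier of the two binds, so
        # a late classification does not buy extra time.
        by_classification = classified_major_at + timedelta(hours=4)
        backstop = detected_at + timedelta(hours=24)
        deadlines["DORA Art. 19"] = ("competent financial authority",
                                     min(by_classification, backstop))
    return deadlines


def operational_deadline(deadlines):
    """The strictest applicable timeline is the one the response team works
    to. Returns (framework, deadline) or None when nothing is reportable."""
    if not deadlines:
        return None
    framework, (_, when) = min(deadlines.items(), key=lambda item: item[1][1])
    return framework, when


def overdue(deadlines, now):
    """Frameworks whose first notification deadline has already passed at
    `now`, assuming nothing has been filed yet (a simplification here)."""
    return sorted(fw for fw, (_, when) in deadlines.items() if when < now)


if __name__ == "__main__":
    # Constructed scenario: bank in NIS2 scope, personal data involved,
    # incident detected 08:00 UTC and classified as major 14 hours later.
    detected = utc(2026, 3, 1, 8)
    classified = utc(2026, 3, 1, 22)
    schedule = first_notification_deadlines(
        detected, classified, personal_data=True, nis2_scope=True, dora_scope=True)
    for framework, (recipient, when) in sorted(schedule.items(), key=lambda i: i[1][1]):
        print(f"{when:%Y-%m-%d %H:%M} UTC  {framework:<13} -> {recipient}")
    print("operational deadline:", operational_deadline(schedule))
```

Running the constructed scenario shows the DORA clock landing first (02:00 the next day), and moving classification to 22 hours after detection shows the 24-hour backstop overriding the 4-hour window.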
Where They Overlap: Penalties
The penalty regimes across these five frameworks are distinct but can compound against the same organisation. The table below summarises the maximum administrative fines:
| Regulation | Maximum Fine | Article |
|---|---|---|
| GDPR | EUR 20M or 4% global turnover | Art. 83(5) |
| NIS2 (Essential entities) | EUR 10M or 2% global turnover | Art. 34(4) |
| NIS2 (Important entities) | EUR 7M or 1.4% global turnover | Art. 34(5) |
| DORA (CTPPs) | 1% avg daily worldwide turnover per day, up to 6 months | Art. 35(8) |
| AI Act (Prohibited AI) | EUR 35M or 7% global turnover | Art. 99(3) |
| CRA (Essential requirements) | EUR 15M or 2.5% global turnover | Art. 64(1) |
Several points merit attention:
- DORA's penalty structure is unique. Article 50 delegates financial entity penalty specifics to national competent authorities under existing financial regulation frameworks. The 1% daily turnover penalty in Article 35 applies specifically to critical third-party providers under the oversight framework.
- The AI Act's 7% global turnover for prohibited AI practices is the highest penalty percentage in EU regulatory history, exceeding even GDPR's 4%.
- Penalties can stack. A GDPR fine for a data breach does not preclude a NIS2 fine for the same incident if it also constitutes a failure of cybersecurity risk management measures. The ne bis in idem principle has limited application across distinct regulatory frameworks administered by different authorities.
Where They Overlap: Personal Liability
The trend toward personal accountability for management bodies is one of the most significant shifts in the recent EU regulatory cycle.
NIS2 Article 20 establishes that management bodies of essential and important entities must approve and oversee cybersecurity risk management measures and can be held personally liable for infringements. Article 32(5)(b) empowers competent authorities to request judicial orders or other administrative decisions to temporarily ban a natural person from exercising managerial functions at the level of CEO or legal representative in essential entities.
DORA Article 5 places ultimate responsibility for ICT risk management on the management body and mandates that its members maintain sufficient knowledge and skills through regular training. While DORA does not include the same explicit managerial ban provision as NIS2, the financial services regulatory framework within which DORA operates already provides mechanisms for supervisory authorities to assess the fitness and propriety of senior managers.
The combined effect is clear: board members and senior executives can no longer treat cybersecurity as a delegated function. Both NIS2 and DORA require documented evidence of management body engagement, training participation, and active oversight. The absence of such evidence creates a direct personal liability exposure.
Building a Unified Control Framework
Given the degree of overlap between these frameworks, treating each as a separate compliance programme is both inefficient and risky. A unified control framework — built on a recognised management system standard and extended with regulatory-specific controls — is the more sustainable approach.
ISO 27001 as the Foundation
ISO/IEC 27001:2022 provides substantial coverage of the underlying control requirements:
- NIS2 coverage: ISO 27001 addresses approximately 70-80% of NIS2's Article 21 cybersecurity risk management measures, according to analysis by DataGuard (2024)
- DORA coverage: ISO 27001 addresses approximately 85-90% of DORA's ICT risk management requirements, based on mapping analyses by IT Governance (2024) and MetaCompliance (2024)
The Remaining Gaps
However, ISO 27001 does not address several critical regulatory requirements:
- Prescribed incident reporting timelines. ISO 27001 Annex A Control A.5.24 addresses incident management but does not prescribe notification timelines. NIS2's 24-hour early warning, DORA's 4-hour classification-based notification, and GDPR's 72-hour window are all regulatory additions that must be implemented on top of the management system.
- Management body personal training and liability. ISO 27001 addresses competence (Clause 7.2) and awareness (Clause 7.3) at a general level, but NIS2 Article 20 and DORA Article 5 impose specific obligations on management body members — including personal liability — that go beyond standard information security training programmes.
- Supply chain security specifics. ISO 27001 Annex A Control A.5.19 addresses information security in supplier relationships, but NIS2 Article 21(2)(d) requires entities to assess the specific vulnerabilities of each direct supplier and the overall quality of their cybersecurity practices. This is a more granular requirement.
- Threat-led penetration testing. DORA Article 26 mandates TLPT at least every three years for certain financial entities, following the TIBER-EU framework. ISO 27001 Annex A Control A.8.34 addresses penetration testing in general terms, but TLPT's threat intelligence-led, red-team-style testing is a distinct and more rigorous requirement.
- Prescriptive third-party contractual requirements. DORA Articles 28-30 specify detailed contractual provisions that financial entities must include in agreements with ICT third-party service providers, including exit strategies, audit rights, and sub-outsourcing restrictions. ISO 27001's supplier management controls do not reach this level of prescription.
The Practical Approach
The recommended approach is to use ISO 27001 as the management system foundation and layer approximately 20% additional regulatory-specific controls on top. In practice, this means:
- A single risk register that maps risks to multiple regulatory obligations, rather than maintaining parallel risk assessments for GDPR, NIS2, and DORA
- A unified incident management process with tiered notification workflows that automatically route to the correct authorities based on the incident type, affected data, and applicable frameworks
- Integrated evidence collection that captures compliance artefacts once and maps them to the relevant control requirements across all applicable frameworks
- A management body training programme that satisfies both NIS2 and DORA training obligations simultaneously, documented with attendance records and competence assessments
This approach eliminates the duplication that arises from treating each regulation as a standalone programme, while ensuring that the specific requirements of each framework are met.
What Comes Next
The regulatory convergence trend is accelerating, not slowing. Looking ahead:
- September 11, 2026: CRA reporting obligations for actively exploited vulnerabilities take effect, adding a new product-level incident reporting requirement alongside the entity-level obligations under GDPR, NIS2, and DORA
- August 2, 2026: AI Act high-risk requirements begin to apply, imposing new conformity assessment, documentation, and monitoring obligations on organisations deploying high-risk AI systems
- December 11, 2027: CRA full essential requirements apply, including secure-by-default configurations and SBOM obligations
- August 2, 2027: AI Act reaches full application, completing the most complex phased implementation of any EU regulation
Organisations that invest in building unified control frameworks now — with a single management system, integrated risk register, and coordinated reporting processes — will be positioned to absorb these new obligations incrementally. Those that continue to treat each regulation as a separate project will face compounding costs, fragmented governance, and an increasing probability of enforcement gaps.
For boards and executive teams, the personal liability provisions in NIS2 and DORA add urgency. Demonstrating ongoing competence in cybersecurity risk oversight is not a one-time training exercise — it is a continuous obligation that supervisory authorities will assess in enforcement proceedings.
The regulatory environment rewards integration and penalises fragmentation. The time to act on that reality is before the next compliance deadline arrives.
Sources
- GDPR — Regulation (EU) 2016/679 of the European Parliament and of the Council. EUR-Lex: https://eur-lex.europa.eu/eli/reg/2016/679/oj
- NIS2 Directive — Directive (EU) 2022/2555 of the European Parliament and of the Council. EUR-Lex: https://eur-lex.europa.eu/eli/dir/2022/2555/oj
- DORA — Regulation (EU) 2022/2554 of the European Parliament and of the Council. EUR-Lex: https://eur-lex.europa.eu/eli/reg/2022/2554/oj
- Cyber Resilience Act — Regulation (EU) 2024/2847 of the European Parliament and of the Council. EUR-Lex: https://eur-lex.europa.eu/eli/reg/2024/2847/oj
- AI Act — Regulation (EU) 2024/1689 of the European Parliament and of the Council. EUR-Lex: https://eur-lex.europa.eu/eli/reg/2024/1689/oj
- DLA Piper GDPR Fines and Data Breach Survey — January 2025. DLA Piper: https://www.dlapiper.com/en/insights/publications/2025/01/dla-piper-gdpr-fines-and-data-breach-survey-2025
- CMS GDPR Enforcement Tracker — CMS Law: https://www.enforcementtracker.com/
- European Commission NIS2 Infringement Proceedings — November 2024. EC Digital Strategy: https://digital-strategy.ec.europa.eu/en/policies/nis2-directive
- ENISA NIS2 Implementation Overview — 2024. European Union Agency for Cybersecurity: https://www.enisa.europa.eu/topics/nis-directive
- DataGuard — "ISO 27001 and NIS2: How Much Is Covered?" (2024): https://www.dataguard.com/blog/iso-27001-nis2/
- IT Governance — "DORA and ISO 27001 Mapping" (2024): https://www.itgovernance.co.uk/dora-iso-27001
- MetaCompliance — "DORA Compliance and ISO 27001" (2024): https://www.metacompliance.com/blog/dora-compliance-iso-27001
- Meta EUR 1.2B Fine — Irish Data Protection Commission decision, May 2023: https://www.dataprotection.ie/en/news-media/press-releases/data-protection-commission-announces-conclusion-inquiry-meta-ireland
- LinkedIn EUR 310M Fine — Irish Data Protection Commission decision, October 2024: https://www.dataprotection.ie/en/news-media/press-releases/linkedin-ireland
- European Commission Digital Strategy — DORA Overview: https://finance.ec.europa.eu/regulation-and-supervision/financial-services-legislation/implementing-and-delegated-acts/digital-operational-resilience-act_en
- TIBER-EU Framework — European Central Bank: https://www.ecb.europa.eu/paym/cyber-resilience/tiber-eu/html/index.en.html