Cyber threats are evolving, and regulations are tightening, especially in the EU. In 2025, new cybersecurity standards like NIS2 and DORA, and updates to existing ones like ISO 27001:2022, bring stricter compliance requirements for businesses across the EU.
These regulations illustrate the European Union’s commitment to strengthening digital security and data protection, forcing businesses in various sectors to adapt to new legal obligations in the coming years.
Some companies are already well aware of these regulations; others may not have them on their radar yet, but non-compliance isn’t an option. Whether you manage IT security directly or oversee your company’s tech infrastructure, it’s crucial to understand how these frameworks impact your business and what steps you need to take.
What’s at stake?
How can you prepare for NIS2, DORA, and ISO 27001:2022 compliance? Discover practical steps in this article! 👇🏻
Adopted in November 2022, the NIS2 Directive (Network and Information Security Directive 2) aims to strengthen cybersecurity across critical sectors, including energy, transportation, healthcare, and digital infrastructure.
NIS2 had to be transposed into national legislation by October 2024. By March 2025, most EU member states had finalized this transposition, making the directive's requirements immediately enforceable for affected businesses.
Companies must now comply with the new requirements, particularly in terms of risk management and incident reporting.
In practical terms, the NIS2 directive advocates the integration of cyber resilience into the supply and lifecycle management of IT equipment, as well as internal awareness-raising and training to ensure proactive compliance.
For bconnex and its brands, this also implies being compliant, in order to meet the requirements of our customers subject to NIS2, as they will also demand a high level of security from their service providers.
🔍 NIS2 directive overview
Objective: to extend cybersecurity obligations to critical and strategic companies
Adoption date: November 2022 – Required to be transposed by October 2024 (as of March 2025, most EU member states have integrated NIS2 into their national legislation)
Who is affected?
- Essential sectors: energy, transportation, healthcare, digital infrastructure, etc.
- Important sectors: telecommunications, waste management, digital services, etc.
- IT service providers working with these industries must comply
Key obligations:
- Strengthened requirements for cybersecurity risk management
- Strict deadlines for incident reporting (24 to 72 hours)
- Regular audits and security controls to ensure compliance
What does this imply?
- Cyber resilience must be integrated at all stages of the IT lifecycle
- Internal awareness and training are critical for proactive compliance
- Service providers working with affected industries must also comply with the NIS2 directive
For French companies: find out more on NIS2 at https://monespacenis2.cyber.gouv.fr/directive
Coming into force on January 17, 2025, the DORA (Digital Operational Resilience Act) regulation requires EU financial entities to implement robust risk management measures for information and communication technologies (ICT). Companies must now comply with DORA requirements to ensure their operational resilience in the face of cyber threats.
The DORA regulation thus complements the NIS2 directive, since it targets a specific sector (the financial sector) with specific requirements. Compliance with one helps prepare for the other.
Let's not forget that the DORA regulation doesn't just concern financial institutions: their IT service providers must also align themselves with these cyber-resilience requirements. Subcontractor compliance is becoming a key criterion for contracts with banks and insurance companies. That's why at bconnex, we also make it a point to comply with DORA regulations!
🔍 DORA regulation overview
Objective: to ensure the digital operational resilience of financial institutions and their IT providers in the face of cyber threats
Adoption date: January 17, 2025 in the entire EU
Who is affected?
- Banks, insurance companies, fintechs, asset managers, etc.
- IT service providers working with these entities
Key obligations:
- Establishment of robust IT risk management frameworks
- Requirement for regular operational resilience testing (identification and remediation of vulnerabilities)
- Increased monitoring of critical third-party service providers
What is the link between DORA and NIS2?
- The DORA regulation is complementary to the NIS2 directive: NIS2 covers a broad spectrum (all sectors), whereas DORA targets the financial sector with specific requirements
- Compliance with one of the two helps to prepare for the other
What this means:
- Compliance by these companies' service providers (such as bconnex and its brands)
Find out more about DORA: https://finance.ec.europa.eu/regulation-and-supervision/financial-services-legislation/implementing-and-delegated-acts/digital-operational-resilience-regulation_en
The international standard ISO 27001, revised in 2022, provides a framework for the secure management of information systems (ISMS - Information Security Management System). Although not an EU regulation, it is widely adopted by European companies to comply with regulatory requirements, including those of DORA and NIS2.
Organizations certified to the 2013 version have a transition period until October 2025 to migrate to the new version.
The 27001:2022 standard applies to any organization managing sensitive data, and requires in particular:
ISO 27001 also emphasizes the commitment of management and the integration of information security into the organizational culture.
Adopting the ISO 27001 standard enables proactive management of cyber risks and ensures compliance with NIS2 and DORA requirements. Its certification is a differentiating asset for any company concerned about cybersecurity - including bconnex 😉
🔍 ISO 27001:2022 standard overview
Objective: to provide a framework for the secure management of information systems (ISMS - Information Security Management System)
Adoption date: October 2022 for the revised version - Transition period until October 2025 to migrate to the new version (for companies certified to the 2013 version)
Who is affected?
- Any company managing sensitive data
Obligations and best practices:
- Updating controls to reflect technological developments and new threats
- Identification and management of cyber risks via a robust ISMS
- Definition of clear policies and processes (access management, backups, encryption, etc.)
- Awareness-raising and ongoing training of teams
Why is it important?
- Alignment with NIS2 and DORA, facilitating compliance with these regulations
- Securing customer data and your own information systems (IS)
- Structured, certifiable approach, an asset for proving your commitment to cybersecurity
Complementary ISO standards:
- ISO 27018: protection of personal data in the cloud
- ISO 27701: extension of ISO 27001 for personal data management (closely linked to the GDPR)
🎯 bconnex has initiated, in 2025, a process to obtain ISO 27001 certification
Implemented in May 2018, the GDPR (General Data Protection Regulation) remains one of the world's most stringent and comprehensive data protection frameworks. While it has been in force for several years, it is far from outdated.
With the rise of cyber threats, stricter compliance requirements, and increasing penalties, the GDPR continues to shape how businesses handle personal data. Whether companies operate within the EU or process data of EU citizens, ensuring compliance is still critical in 2025.
Despite the growing focus on new cybersecurity regulations like NIS2 and DORA, the GDPR remains at the core of data security and privacy. Companies must continue to align their security policies, risk management, and incident response strategies with GDPR obligations to avoid costly fines and reputational damage.
Let's not forget either that a good technical security framework (NIS2/DORA/ISO) reinforces the protection of personal data (GDPR).
🔍 GDPR overview
Reminder: since 2018, the GDPR frames the collection, processing and protection of personal data in Europe
Why is it still key?
- Complementary with NIS2, DORA and ISO 27001: securing systems (NIS2), managing IT resilience (DORA), and protecting data (GDPR)
- Requirements still in effect (right of access, data minimization, security...)
What we do at bconnex to comply with the GDPR:
- Integrating GDPR best practices into all our IT solutions
- Raising team awareness and compliance with personal data obligations
- Working with our customers to ensure shared compliance
- In September 2024, Meta was fined 91 million euros for storing user passwords in clear text
- In December 2024, Meta was fined another 251 million euros for a data breach that occurred in 2018, affecting 29 million users
- Between November 2023 and January 2024, UK consumers lost over £11.5 million to online fraud, with an average loss of £695 per victim
Find out more about the GDPR:
Cybersecurity is becoming a strategic requirement for all sectors. The NIS2 directive and the DORA regulation impose strict obligations, including on IT service providers. ISO 27001 (although not an EU regulation) and the GDPR remain essential pillars for structuring cyber resilience.
At bconnex, we are committed to this dynamic, in particular with:
At bconnex, we're committed to improving and securing the connected user experience. Of course, this also means supporting our customers in managing the cybersecurity of their IT assets.