La aplicación de la directiva NIS2 se acelera en los estados miembros de la UE. Cuenta atrás para el plazo de cumplimiento de DORA. La aplicación del RGPD alcanza niveles récord con 2.100 millones de euros en multas. La Ley de IA de la UE entra en fase de aplicación. Actualizaciones críticas para equipos de seguridad y cumplimiento.
The NIS2 Directive transposition deadline passed in October 2024. EU estados miembros are now actively enforcing cybersecurity requirements, with the first administrative penalties issued in Q1 2026. Organizations found non-compliant face multas de hasta €10 million or 2% of global annual turnover, whichever is higher.
The Network and Information Security Directive 2 (NIS2) significantly expands cybersecurity obligations across the European Union:
Germany issued its first NIS2 penalty in February 2026 to a mid-sized cloud service provider for failure to implement gestión de riesgos measures and respuesta a incidentes procedures. Fine: €850,000.
France opened investigations into 14 entities across healthcare and digital infrastructure sectors for inadequate cybersecurity governance and missing reporte de incidentes mechanisms.
Netherlands published compliance guidance requiring all essential and important entities to complete self-assessment by June 2026.
Action required: Organizations in scope must immediately implement NIS2 cybersecurity measures including gestión de riesgos, respuesta a incidentes, business continuity, cadena de suministro security, cryptography, access control, and vulnerability handling.
The Digital Operational Resilience Act (DORA) enters into force on 17 de enero de 2025. Financial entities have less than 9 months remaining to achieve full compliance.
| Pillar | Key Requirements |
|---|---|
| ICT Risk Management | Comprehensive framework covering identification, protection, detection, response, recovery, and learning capabilities |
| Incident Reporting | Major ICT incidents reported to supervisory authorities within strict timelines |
| Operational Resilience Testing | Regular testing including threat-led penetration testing (TLPT) for significant entities |
| Third-Party Risk | Management of ICT third-party providers with contractual arrangements ensuring oversight |
| Information Sharing | Participation in cyber threat intelligence sharing arrangements |
DORA introduces a new oversight framework for critical ICT third-party service providers. Cloud providers, data center operators, and managed security service providers serving financial entities will face direct EU supervision and must register with the European Supervisory Authorities (ESAs).
Timeline pressure: Many financial institutions report significant gaps in DORA readiness, particularly around third-party gestión de riesgos and operational resilience testing. Supervisory authorities are preparing for day-one enforcement.
GDPR enforcement reached unprecedented levels in 2025, with EU data protection authorities issuing €2.1 billion in administrative fines — a 40% increase over 2024.
€650M — Major social media platform (Ireland DPA)
Violations: Unlawful processing of personal data for behavioral advertising, inadequate legal basis, transparency failures
€425M — Global advertising technology company (France CNIL)
Violations: Real-time bidding data sharing without valid consent, inadequate data minimization
€380M — Healthcare AI platform (Germany)
Violations: Processing health data without adequate safeguards, automated decision-making without human oversight
The EU Artificial Intelligence Act entered into force in August 2024. Key provisions begin applying in phases through 2026-2027.
| Date | Provisions Applying |
|---|---|
| February 2026 | Prohibited AI practices (Article 5) |
| May 2026 | General-purpose AI model requirements (Chapter V) |
| August 2026 | High-risk AI system requirements (Chapter III) |
| August 2027 | Full application of all AI Act requirements |
As of February 2026, lo siguiente AI systems are banned in the EU:
The EU AI Office will open registration for high-risk AI systems in Q2 2026. Providers must register systems before market placement. High-risk categories include: biometric identification, infraestructura crítica, education/vocational training, employment, essential services, law enforcement, migration/border control, and justice/democratic processes.
Providers of general-purpose AI models (GPT-4, Claude, Gemini, Llama, etc.) debe cumplir with transparency requirements and, for systemic-risk models (>10^25 FLOPs training), additional obligations including:
High enforcement risk: Organizations operating in multiple regulated sectors (e.g., financial services + healthcare) face overlapping obligaciones de cumplimiento from NIS2, DORA, GDPR, and sector-specific regulations. Gaps in any framework create compounding regulatory risk.
Cadena de suministro exposure: Both NIS2 and DORA impose explicit cadena de suministro security and third-party gestión de riesgos requirements. Organizations relying on non-compliant vendors inherit regulatory risk.
Cross-border complexity: Different EU estados miembros are transposing and enforcing NIS2 at different paces, creating compliance complexity for organizations operating across multiple jurisdictions.
Automated compliance mapping for NIS2, DORA, GDPR, and EU AI Act. Real-time regulatory updates and gap analysis.
Book Compliance DemoStay compliant. Stay informed.
🗡️ KENSAI Compliance Team
6 de marzo de 2026