← Back to Security Blog
Compliance & Regulations 2026년 3월 6일 8분 읽기

2026년 3월 보안 규제 업데이트: NIS2 시행 개시, DORA 마감 임박, GDPR 역대 최고 벌금

NIS2 Directive enforcement accelerates across EU member states with first 벌금 issued. DORA 규정 준수 마감일 approaches—only 9 months remaining. GDPR enforcement reaches record levels with €2.1B in fines for 2025. EU AI Act enters application phase with high-risk system registrations opening. 치명적 compliance updates for security and risk teams.


⚖️ NIS2 지시문: 시행 단계 시작

규정 준수 마감일 Passed — Enforcement Active

The NIS2 Directive transposition deadline passed in October 2024. EU member states are now actively enforcing cybersecurity requirements, with the first administrative 벌금 issued in Q1 2026. Organizations found non-compliant face fines up to €10 million or 2% of global annual turnover, whichever is higher.

NIS2 Scope & Requirements

The Network and Information Security Directive 2 (NIS2) significantly expands cybersecurity obligations across the European Union:

Recent 집행 조치

Germany issued its first NIS2 벌금 in February 2026 to a mid-sized cloud service provider for failure to implement 위험 관리 measures and incident response procedures. Fine: €850,000.

France opened investigations into 14 entities across healthcare and digital infrastructure sectors for inadequate cybersecurity governance and missing 사고 보고 mechanisms.

Netherlands published compliance guidance requiring all essential and important entities to complete self-assessment by June 2026.

Action required: Organizations in scope must immediately implement NIS2 cybersecurity measures including 위험 관리, incident response, business continuity, supply chain security, cryptography, access control, and 취약점 handling.


🏦 DORA: 규정 준수 마감까지 9개월

The Digital Operational Resilience Act (DORA) enters into force on January 17, 2025. Financial entities have less than 9 months remaining to achieve full compliance.

DORA Requirements Overview

Pillar Key Requirements
ICT 위험 관리 Comprehensive framework covering identification, protection, detection, response, recovery, and learning capabilities
사고 보고 Major ICT incidents reported to supervisory authorities within strict timelines
Operational Resilience Testing Regular testing including threat-led penetration testing (TLPT) for significant entities
Third-Party Risk Management of ICT third-party providers with contractual arrangements ensuring oversight
Information Sharing Participation in cyber threat intelligence sharing arrangements

Who Must Comply?

치명적 ICT Third-Party Providers

DORA introduces a new oversight framework for critical ICT third-party service providers. Cloud providers, data center operators, and managed security service providers serving financial entities will face direct EU supervision and must register with the European Supervisory Authorities (ESAs).

Timeline pressure: Many 금융 기관 report significant gaps in DORA readiness, particularly around third-party 위험 관리 and operational resilience testing. Supervisory authorities are preparing for day-one enforcement.


🛡️ GDPR 집행: 2025년 역대 최고 21억 유로 벌금

GDPR enforcement reached unprecedented levels in 2025, with EU data protection authorities issuing €2.1 billion in administrative fines — a 40% increase over 2024.

2025 Enforcement Trends

아니오table 2025 집행 조치

€650M — Major social media platform (Ireland DPA)
Violations: Unlawful processing of personal data for behavioral advertising, inadequate legal basis, transparency failures

€425M — Global advertising technology company (France CNIL)
Violations: Real-time bidding data sharing without valid consent, inadequate data minimization

€380M — Healthcare AI platform (Germany)
Violations: Processing health data without adequate safeguards, automated decision-making without human oversight

Emerging Focus Areas for 2026


🤖 EU AI Act: 적용 단계 시작

The EU Artificial Intelligence Act entered into force in August 2024. Key provisions begin applying in phases through 2026-2027.

2026 Application Timeline

날짜 Provisions Applying
February 2026 Prohibited AI practices (Article 5)
May 2026 General-purpose AI model requirements (Chapter V)
August 2026 높음-risk AI system requirements (Chapter III)
August 2027 Full application of all AI Act requirements

Prohibited AI Practices (아니오w in Effect)

As of February 2026, the following AI systems are banned in the EU:

높음-Risk AI Systems Registration

Registration Opens Q2 2026

The EU AI Office will open registration for high-risk AI systems in Q2 2026. Providers must register systems before market placement. 높음-risk categories include: biometric identification, critical infrastructure, education/vocational training, employment, essential services, law enforcement, migration/border control, and justice/democratic processes.

General-Purpose AI Models (May 2026)

Providers of general-purpose AI models (GPT-4, Claude, Gemini, Llama, etc.) must comply with transparency requirements and, for systemic-risk models (>10^25 FLOPs training), additional obligations including:


📋 규정 준수 체크리스트: 2026년 2분기

  1. NIS2 (Immediate):
    • Confirm in-scope status (essential or important entity)
    • Implement all 10 minimum security measures
    • Establish 24/72-hour 사고 보고 procedures
    • Document supply chain security assessments
    • Ensure management body accountability mechanisms
  2. DORA (9 months remaining):
    • Complete ICT 위험 관리 framework implementation
    • Inventory all ICT third-party providers and assess criticality
    • Update contracts with ICT service providers for DORA compliance
    • Plan threat-led penetration testing (TLPT) for 2026
    • Establish incident classification and reporting processes
  3. GDPR (Ongoing):
    • Review AI/automated decision-making for Article 22 compliance
    • Audit cookie consent mechanisms for dark patterns
    • Update Records of Processing Activities (ROPA)
    • Test data 침해 통지 procedures (<72 hours)
    • Review international data transfer mechanisms
  4. EU AI Act:
    • Inventory all AI systems and classify risk levels
    • Discontinue any prohibited AI practices immediately
    • Prepare high-risk AI system technical documentation
    • For GPAI providers: Implement transparency requirements
    • 모니터링 EU AI Office guidance and registration timelines

⚠️ 규제 위험 평가

높음 enforcement risk: Organizations operating in multiple regulated sectors (e.g., financial services + healthcare) face overlapping 규정 준수 의무 from NIS2, DORA, GDPR, and sector-specific regulations. Gaps in any framework create compounding regulatory risk.

Supply chain exposure: Both NIS2 and DORA impose explicit supply chain security and third-party 위험 관리 requirements. Organizations relying on non-compliant vendors inherit regulatory risk.

Cross-border complexity: Different EU member states are transposing and enforcing NIS2 at different paces, creating compliance complexity for organizations operating across multiple jurisdictions.

Navigate Compliance with KENSAI

Automated compliance mapping for NIS2, DORA, GDPR, and EU AI Act. Real-time regulatory updates and gap analysis.

Book Compliance Demo

Stay compliant. Stay informed.

🗡️ KENSAI Compliance Team

March 6, 2026