EU Regulatory Updates & Compliance Monitor

Stay ahead of DORA, CSRD, NIS2, GDPR and all major EU regulatory changes. Real-time monitoring, deadline tracking, and expert analysis for compliance teams.


Matproof Regulatory Monitor

Track regulatory changes across 11 EU frameworks in real-time. Get alerts when new guidance, deadlines, or enforcement actions affect your organization.

Real-time tracking
Framework coverage (DORA, CSRD, NIS2, GDPR, etc.)
Deadline alerts
Enforcement action tracking

DORA Regulatory Updates

The Digital Operational Resilience Act (DORA) entered into force on January 16, 2023 and became mandatory on January 17, 2025. Here are the most important recent developments for financial entities and ICT service providers.

January 2025

DORA Enforcement Begins

DORA became mandatory for all in-scope financial entities and ICT third-party service providers across the EU on January 17, 2025. National competent authorities - including BaFin in Germany, AMF in France, and DNB in the Netherlands - now have full supervisory and enforcement powers under the regulation.

2024

ESA Final RTS/ITS Published

The European Supervisory Authorities (EBA, EIOPA, ESMA) published the final batch of Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) covering ICT risk management frameworks, incident reporting templates, threat-led penetration testing (TLPT) requirements, and third-party ICT provider oversight. These standards provide the detailed technical requirements financial entities must implement.

Ongoing

DORA Oversight Framework for Critical ICT Providers

The ESAs are establishing the oversight framework for Critical ICT Third-Party Providers (CTPPs). Designated CTPPs will be subject to direct supervision by a Lead Overseer, including on-site inspections and recommendations. Financial entities using CTPPs must ensure their contractual arrangements comply with DORA Articles 28-30.

Germany

BaFin Implementation Guidance

BaFin has published guidance on the relationship between DORA and existing national requirements (BAIT, VAIT, KAIT). Financial entities supervised by BaFin should review how DORA obligations interact with and in many cases supersede existing MaRisk/BAIT requirements, particularly around ICT risk management and third-party oversight.

CSRD Regulatory Updates

The Corporate Sustainability Reporting Directive (CSRD) is rolling out in waves, requiring companies to report under the European Sustainability Reporting Standards (ESRS). Here are the key developments.

FY2024 Reporting

Wave 1: Large Listed Companies Reporting

Large listed companies already subject to the Non-Financial Reporting Directive (NFRD) are now required to report under CSRD for financial year 2024. This includes approximately 11,700 companies across the EU that must prepare sustainability reports aligned with the ESRS standards.

FY2025

Wave 2: Large Non-Listed Companies

Large companies not previously subject to NFRD will begin reporting for financial year 2025. This significantly expands the scope of mandatory sustainability reporting to include large non-listed companies meeting two of three criteria: over 250 employees, EUR 50M+ net turnover, or EUR 25M+ total assets.

2024-2025

ESRS Delegated Acts Finalized

The European Commission adopted the ESRS delegated acts, establishing the 12 sustainability reporting standards (ESRS 1-2, E1-E5, S1-S4, G1). These standards define the specific disclosures, metrics, and narrative reporting requirements for each sustainability topic. Sector-specific standards are in development.

2025

Omnibus Simplification Proposal

The European Commission announced an omnibus simplification proposal aimed at reducing the reporting burden for companies. This proposal may adjust certain CSRD requirements, particularly for smaller in-scope companies, while maintaining the core objectives of sustainability transparency. Companies should continue preparing under current requirements until any amendments are formally adopted.

Ongoing

EFRAG Implementation Guidance

The European Financial Reporting Advisory Group (EFRAG) continues to publish implementation guidance, Q&As, and explanatory materials to help companies apply the ESRS standards correctly. These include guidance on double materiality assessment methodology, value chain reporting boundaries, and transitional provisions.

NIS2 Regulatory Updates

The NIS2 Directive (EU 2022/2555) significantly expands the scope of EU cybersecurity requirements. Member states were required to transpose the directive into national law by October 17, 2024.

October 2024

Transposition Deadline Passed

The NIS2 transposition deadline of October 17, 2024 has passed. While many member states have transposed the directive, several are still in the process of finalizing national legislation. Organizations in all EU member states should prepare for NIS2 requirements regardless of their national transposition status, as the directive's obligations are clear.

Ongoing

Member State Implementation Status

Implementation varies across EU member states. Germany's NIS2 transposition (NIS2UmsuCG) has been progressing through the legislative process. France, the Netherlands, Italy, and Spain are at various stages of national implementation. Organizations should monitor their specific member state's transposition status and any additional national requirements.

Guidance

ENISA Guidance on Essential and Important Entities

The European Union Agency for Cybersecurity (ENISA) has published guidance on identifying essential and important entities under NIS2. The directive covers 18 sectors, with entities classified based on size, criticality, and sector. Essential entities (large organizations in critical sectors) face stricter supervision, while important entities are subject to ex-post supervision.

Requirements

Incident Reporting Requirements (24h/72h)

NIS2 introduces strict incident reporting timelines: an early warning to the national CSIRT within 24 hours of becoming aware of a significant incident, followed by a full incident notification within 72 hours. A final report must be submitted within one month. Organizations must establish processes and capabilities to meet these deadlines.

GDPR Regulatory Updates

The General Data Protection Regulation continues to evolve through enforcement actions, new guidance, and landmark decisions. Here are the most impactful recent developments.

Enforcement

Major Fines and Enforcement Actions

GDPR enforcement continues to intensify, with total fines exceeding EUR 4.5 billion since 2018. Recent major penalties have targeted large technology companies, financial institutions, and data brokers for violations including inadequate legal bases for processing, insufficient transparency, and failures in data subject rights. The trend toward larger fines and stricter enforcement shows no signs of slowing.

Guidance

EDPB Guidelines on AI and Data Processing

The European Data Protection Board (EDPB) has issued guidelines on the use of artificial intelligence and automated decision-making under GDPR. These cover legal bases for AI training data, transparency requirements for automated decisions, the right to explanation under Article 22, and data protection impact assessments for AI systems. Organizations deploying AI must ensure GDPR compliance at every stage of the AI lifecycle.

Transfers

Cross-Border Transfer Mechanisms Post-Schrems II

The EU-US Data Privacy Framework provides a new adequacy mechanism for transatlantic data transfers. Organizations must still conduct Transfer Impact Assessments (TIAs) for transfers to non-adequate countries and implement supplementary measures where needed. Standard Contractual Clauses (SCCs) remain the primary safeguard for international transfers outside adequacy decisions.

Enforcement Trend

Cookie Consent Enforcement Trends

Data protection authorities across Europe are increasing enforcement on cookie consent practices. Recent decisions have targeted deceptive design patterns ("dark patterns") in consent mechanisms, pre-ticked boxes, and cookie walls. Organizations must ensure their consent mechanisms provide genuine choice and meet GDPR and ePrivacy requirements.

ISO 27001 Updates

ISO 27001 remains the global standard for information security management systems. The 2022 revision brought significant changes to Annex A controls and alignment with modern security practices.

Deadline: October 2025

ISO 27001:2022 Transition Deadline

Organizations certified under ISO 27001:2013 must transition to ISO 27001:2022 by October 31, 2025. After this date, ISO 27001:2013 certifications will no longer be valid. Organizations should work with their certification body to plan and execute the transition, including updating their ISMS documentation, risk assessments, and Statement of Applicability.

Changes

New Annex A Controls Mapping

ISO 27001:2022 restructured Annex A from 14 control categories (114 controls) to 4 themes (93 controls): Organizational, People, Physical, and Technological. 11 new controls were introduced covering areas such as threat intelligence, cloud security, ICT readiness for business continuity, physical security monitoring, data masking, data leakage prevention, and secure development lifecycle.

Companion Standard

ISO 27002:2022 Changes

The updated ISO 27002:2022 provides implementation guidance for the Annex A controls. Each control now includes attributes such as control type, information security properties, cybersecurity concepts, and operational capabilities. These attributes help organizations prioritize and categorize controls for effective implementation and mapping to other frameworks like DORA and NIS2.

Why Regulatory Monitoring Matters

The EU regulatory landscape changes weekly. Staying current is not optional - it is a board-level responsibility with significant financial consequences for non-compliance.

DORA: Up to 2% of global turnover or EUR 10M for financial entities, with personal liability for board members.

GDPR: Up to 4% of global turnover or EUR 20M, with fines exceeding EUR 4.5 billion total since enforcement began.

NIS2: Up to EUR 10M or 2% of worldwide annual turnover for essential entities, with management liability.

Board-Level Accountability

DORA, NIS2, and CSRD all introduce personal accountability for management bodies regarding compliance.

Live regulatory monitoring

Never miss a compliance update.

Get weekly digests of DORA, NIS2, GDPR, MaRisk, and ISO 27001 changes — straight to your inbox. Free.


Frequently Asked Questions

How often do EU regulations change?

EU regulatory frameworks evolve continuously. Major frameworks like DORA, NIS2, and CSRD receive new guidance, technical standards, and enforcement decisions on a weekly basis. Supervisory authorities such as BaFin, ESMA, and ENISA regularly publish implementation guidance, Q&As, and enforcement updates that can affect your compliance obligations.

What is the Matproof Regulatory Monitor?

The Matproof Regulatory Monitor is a free tool that tracks regulatory changes across 11 EU compliance frameworks in real-time. It aggregates updates from supervisory authorities, standard-setting bodies, and enforcement agencies across the EU, so compliance teams can stay informed without manually checking dozens of sources.

Which frameworks does Matproof monitor?

Matproof monitors DORA (Digital Operational Resilience Act), CSRD (Corporate Sustainability Reporting Directive), NIS2 (Network and Information Security Directive), GDPR (General Data Protection Regulation), ISO 27001, SOC 2, MaRisk, BAIT, VAIT, KAIT, and CSDR (Central Securities Depositories Regulation).

How do I know if a regulatory change affects my organization?

The Matproof Regulatory Monitor categorizes updates by framework, entity type, and urgency. You can filter by the frameworks relevant to your organization and receive alerts when new guidance, deadlines, or enforcement actions are published that affect your sector. The Matproof compliance platform also maps regulatory changes directly to your existing controls.

Is the regulatory monitor free?

Yes, the Matproof Regulatory Monitor at monitor.matproof.com is free to use. You can also subscribe to our weekly regulatory briefing newsletter at no cost. For automated compliance management, control mapping, and evidence collection, see our platform plans.

What are the biggest compliance deadlines in 2025-2026?

Key deadlines include: DORA enforcement (January 17, 2025), NIS2 transposition (October 17, 2024, with ongoing member state implementation), CSRD Wave 2 reporting for large non-listed companies (FY2025), and the ISO 27001:2022 transition deadline (October 2025). The Matproof Regulatory Monitor tracks all upcoming deadlines across frameworks.