Europe’s Compliance Task: Cybersecurity, Resilience, Privacy, and AI (2025–2027)

This shift is arriving during a time where we see threat landscapes are continuing to intensify. ENISA’s 2025 threat-landscape analysis reviewed 4,875 significant incidents across Europe in a single year, outlining that disruption at scale is no longer an outlier, but becoming more common. In Germany, Bitkom estimated nearly €300 billion in annual economic damage attributable to cyberattacks, largely driven by operational disruption. The same survey found ransomware impacting 34% of companies, nearly tripling from 2022. CrowdStrike’s 2025 European Threat Landscape Report shows that Europe now accounts for approx. 22% of global ransomware/extortion activity, and several groups are compressing attack cycles so that ransomware may be deployed within a day of initial intrusion.

These conditions explain the EU’s regulatory direction, and the introduction of these regulations. The aim is not paperwork; it is trust in critical systems and services. For CISOs and executive leadership, the challenge is to interpret this regulatory stack at a level that allows for business-making / strategic decisions. For operational teams and managers, the challenge is to implement requirements without creating an unsustainable amount of parallel initiatives and double handling of control requirements across regulations. The answer, increasingly demonstrated across large European organizations in impacted industries, is the convergence (or coming together) of these regulations.

Leading organizations are not treating each regulation as a separate compliance project. They are consolidating obligations into a single control and assurance model, more often than not, anchored in ISO 27001:2022, extended to include resilience evidence and AI lifecycle governance. This approach reduces cost, speeds up readiness, and creates an easy-to-understand supervisory story. This whitepaper explains why convergence is now essential, how it works in practice, and what implementation patterns are being seen among Europe’s most regulated industries.

DORA, NIS2, CRA, GDPR and CER assume that organizations form part of critical digital environments where disruptions can flow through supply chains. The EU AI Act assumes that AI creates systemic risk modes—bias, opacity, unsafe autonomy, and data misuse, which cannot be mitigated with policy alone. The compliance question therefore shifts from “Do we have a program?” to “Can we continuously prove that the program works?”

Running multiple detached compliance programs is no longer feasible. It results in duplicated controls, conflicting taxonomies and wording, and fragmented evidence. Convergence builds one durable, risk-based operating model that regulators can understand and that businesses can sustain.

DORA, applying from 17th January 2025, makes digital operational resilience a supervised discipline. It requires structured ICT risk management, major incident reporting within tight timelines, resilience testing, and direct oversight of key ICT providers. DORA’s logic is that stability of the financial system depends on the resilience of the digital landscape supporting it.

NIS2 expands regulation into many more critical sectors and introduces reinforced risk management expectations, quick notification duties, and explicit management accountability. It positions cybersecurity posture as a regulated board responsibility rather than a purely technical concern.

CRA shifts security obligations into the product domain. It requires secure-by-design development, formal vulnerability handling, and transparency about software and hardware components. For many organizations, CRA represents a transformation of SDLC expectations into compliance.

CER requires critical entities to demonstrate continuity of essential services across hazards, not only cyber. It forces alignment between cyber recovery, physical resilience, crisis management, and supplier dependency governance.

ISO 27001 and GDPR remain the stable foundation of information and cyber security, and privacy. Most of the capabilities demanded by newer practices - governance, risk management, DR testing, SDLC control, third-party oversight, incident handling, auditability, protection of sensitive data - already exist within ISO 27001 and GDPR frameworks. The difference is that resilience evidence and AI lifecycle controls must now be integrated extensions of these foundations.

Taken together, the strictest common denominator across EU frameworks is a 24-hour external notification expectation, with some regimes requiring action even sooner. As a result, leading organizations no longer design incident response around the 72-hour GDPR window, but instead standardize a single major-incident process capable of regulator-ready reporting within 24 hours, embed evidence capture from the first response actions, and layer in sector-specific notifications as required by DORA, NIS2, CRA, or AI-specific obligations.

Third-party governance is another area where EU regulations clearly converge. DORA introduces the most prescriptive regime, requiring financial entities to identify critical ICT third-party providers, perform pre-contract risk assessments, include mandatory security, audit, access, and termination clauses in contracts, conduct ongoing monitoring and resilience testing, and in some cases submit providers to direct EU-level oversight. NIS2 reinforces supply-chain security by requiring organizations to address supplier risks across the lifecycle, including security requirements, incident reporting obligations, and oversight proportionate to risk. CER extends this further by mandating dependency mapping for critical services, requiring organizations to understand and manage reliance on external providers for continuity of essential functions. The Cyber Resilience Act shifts obligations upstream by forcing manufacturers to maintain visibility into components, software dependencies, and vulnerabilities throughout a product’s lifecycle, while the AI Act introduces provider and deployer accountability across AI value chains.

Across all frameworks, the strictest practical requirement is not initial due diligence, but continuous, enforceable control over critical third parties—including contractual rights to audit, incident notification within defined timelines, resilience and security assurance, and the ability to act if a supplier becomes a systemic risk. As a result, leading organizations design a single third-party governance model aligned to DORA-level expectations for critical suppliers, then reuse that structure to satisfy NIS2 supply-chain risk management, CER dependency mapping, and CRA/AI Act lifecycle accountability—rather than maintaining fragmented, regulation-specific supplier processes. Convergence evolving around your capabilities creates an easy-to-understand supervisory model: one enterprise (common) control system or framework, one evidence model, many regulatory mappings. It also reduces internal friction because teams are not asked to comply with overlapping requirements separately.

A common pattern is that banks are building what amounts to a single resilience spine that serves DORA, NIS2 and GDPR (where applicable), and their existing EBA/ECB expectations. DORA’s application from January 2025 has accelerated this. In practice, banks are tightening major-incident regimes to meet DORA and NIS2 clocks (as outlined in the previous section of this paper), designing evidence capture directly into ticketing and incident tooling so that regulatory notifications become a product of normal operations rather than a parallel compliance sprint.

The most visible operational change is the scaled adoption of threat-led penetration testing (TLPT) under DORA. The Eurosystem updated the TIBER-EU red-teaming framework in February 2025 to align to DORA’s TLPT regulatory technical standards, which were published later in June 2025.5 Banks that previously treated TIBER-EU exercises as periodic “stress events” are now embedding TLPT readiness into continuous security engineering: confirming critical service maps, validating detection and response playbooks against realistic attack techniques. Here, we are seeing that resilience testing is changing from annual check-box tasks to repeatable capability cycles, as DORA assumes resilience must be demonstrable at any point in time.

The EU AI Act is landing in banks in a similarly integrated way. The EBA’s 2025 sector mapping highlights that credit scoring and creditworthiness evaluation AI are classified as ‘high-risk uses’, meaning banks must implement full AI lifecycle governance, not just transparency statements.6 We have now seen leading banks across the EU respond by pulling AI governance into the same operational-risk function that already manages stress testing and regulatory models. In effect, they are treating AI Act compliance as a continuation of existing safety and model-risk discipline, not a new “AI compliance office” - reducing friction.

Another major convergence effort is around ICT suppliers and cloud concentration risk. Under DORA, critical ICT third-party providers become part of the regulated perimeter. Banks are therefore expanding vendor governance past traditional questionnaires (at time facilitated by tools such as OneTrust) into actual assurance, requesting evidence of resilience testing, incident reporting SLAs aligned to DORA, and participation in joint crisis exercises.7 The banks that do this well aren’t creating a separate supplier program. They’re bringing suppliers into the same resilience framework they use for their own critical services. Put together, the new banking digital compliance model is clear: one integrated security-and-resilience system, continuously tested, with AI risk governed through existing model-risk muscle, and suppliers treated as operational dependencies.

NIS2 strengthens cybersecurity duties in energy, water, health, chemicals, food and other ‘essential’ and ‘important’ sectors, expanding scope and enforcing executive accountability, supply-chain security, and quick incident reporting. CER adds a similar but wider expectation: critical entities must withstand disruption from any hazard, cyber included, and Member States are required to formally identify critical entities by July 2026, increasing oversight pressure through 2026–27. As a result, critical-infrastructure operators are not separating “cyber compliance” from “resilience compliance.” They are merging them into a single operational program that links cyber recovery directly to service continuity.

In practice, this is showing up as a renewed focus on dependency mapping and realistic disruption scenarios. Energy operators are mapping digital and physical dependencies together: operational technology, telemetry, control systems, core ICT services, and the suppliers that support all of them. This mapping is then used to drive resilience tests that satisfy both NIS2 cyber risk expectations and CER all-hazards continuity demands. Rather than running two test calendars, organizations are designing one scenario framework that can produce evidence for both supervisors and internal safety leadership.

The CRA introduces a further driver for this sector. Energy companies are not only operators; many also procure or embed digital products into critical environments. CRA’s secure-by-design and Software Bill of Material (SBOM) expectations are pushing utilities to examine their software and device supply chain more frequently, especially where operational technology and IoT are involved. CRA compliance requires SBOMs and vulnerability handling for products with digital elements sold into the EU market, with full compliance required by December 2027. Forward-leaning critical-infrastructure operators are using CRA to justify a practical uplift they have long needed anyway: tighter component visibility, contractual vulnerability disclosure, and faster patch governance for embedded systems.

The critical-infrastructure story therefore converges around one theme: make continuity provable. The organizations most comfortable with NIS2/CER/CRA are those translating mature safety-and-resilience traditions into cyber-evidence, supplier assurance, and secure-engineering expectations.

The pressure is reinforced by the threat landscape. Retail has become one of the most ransomware-targeted sectors in Europe, and 2025 saw a sharp rise in disclosed incidents. Sector tracking found retail ransomware attacks rising 58% quarter-over-quarter globally in mid-2025, with European firms disproportionately represented10. Even where incidents do not lead to public exposure, the operational impact is disruptive by design: retail’s dependence on high-availability digital services makes it an attractive extortion target. For manufacturing, ransomware groups continue to focus on availability disruption. Industry reporting in 2025 shows manufacturing attacks rising and remaining among the most consistently targeted sectors, outlining the leverage attackers gain when production lines stop.

What this means operationally is that retailers and manufacturers are converging security, resilience, and product governance in ways that resemble both the banking and critical-infrastructure models, but with a stronger engineering and supply-chain focus. Many of the leading multinationals are beginning their convergence programs with a unified dependency and product view: one inventory that ties together critical ICT services, OT/IoT environments, digital products shipped to market, embedded components, and the AI systems operating across all of them. This reflects a hard reality under CRA: you cannot demonstrate secure-by-design or vulnerability handling unless you know, with evidence, what software and components you are distributing and operating. CRA requires manufacturers to maintain vulnerability management processes and provide transparency about software composition, typically through SBOM capability, with full compliance expected by December 2027.

In practice, large manufacturers are taking CRA as the legal push needed to formalize what many had treated as “good practice but optional”: secure SDLC gates for all products with digital elements, structured open-source governance, and component-level vulnerability disclosure paths. The more mature organizations are not running this as a separate “CRA project.” They are embedding the CRA requirements directly into engineering and release pipelines, so that evidence of secure design, testing, and vulnerability handling becomes a natural output of product development rather than a compliance layer bolted-on afterward.

Retailers, meanwhile, are highlighting convergence through supply-chain security and operational resilience. NIS2’s focus on dependency risk is particularly noticeable in retail sectors built on complex service networks: payment providers, loyalty platforms, SaaS commerce stacks, logistics partners, and cloud infrastructure. What we see in leading Nordic retailers is that third-party assurance is being moved closer to operations. Rather than relying on annual questionnaires, they are applying tier-based supplier monitoring, resilience-aligned contractual obligations (such as SLAs), and pre-agreed incident notification rules mapped to the strictest regulatory clocks. This allows the organization to tell a coherent story to regulators: critical suppliers are governed as extensions of the retailer’s risk perimeter.

AI governance adds the final convergence pressure. Retailers and manufacturers are among the fastest adopters of AI in Europe, and their use cases frequently touch customer profiling, automated decisioning, safety-critical robotics, and industrial optimization, all areas which may fall into “high-risk” territory under the EU AI Act. The organizations preparing best are not treating AI compliance as a policy annex. Instead, they are aligning AI risk tiering and documentation to the same engineering and product-assurance obligations already being widened under CRA. In other words, they are building a single lifecycle governance model where digital products and AI systems are governed together: one set of design-time controls, one evidence trail, and one monitoring discipline during operation.

These sectors do not have the luxury of slow, parallel compliance initiatives and programs. Their peers are forming a single trust operating model rooted in secure engineering, supply-chain visibility, and resilience proof; because regulators, attackers, and markets are all testing the same thing at once: whether their services and products remain dependable under pressure.

Another failure mode is treating the EU AI Act as a documentation exercise. The most demanding obligations are technical and operational, including training-data governance, monitoring, traceability, and human oversight under real use. Governance teams cannot deliver these alone.

A third risk is delaying action while waiting for perfect national NIS2 clarity. Directive-level expectations are stable. Organizations building now will only need incremental tuning later.

Finally, supply-chain under-scoping is becoming a primary supervisory concern. DORA, NIS2, CER, and CRA all assume that critical digital risk lives in dependencies. Weak supplier assurance will be among the first issues regulators challenge.

About NCG NCG is a Stockholm-based specialist cybersecurity advisory firm focusing on helping organizations build trust through practical, evidence-driven security, privacy, resilience and identity programs. We support clients across EU within our key service offerings: - Digital Compliance - Identity Security; and - Digital Fraud and Financial Crime.

DISCLAIMER Confidentiality & Use This document is provided for general informational purposes only and does not constitute legal advice. Regulatory interpretations may vary by Member State and sector. Readers should consult qualified legal counsel regarding obligations applicable to their organization. Copyright © NCG 2025. All rights reserved. No part of this publication may be reproduced without prior written permission.