In the fast-paced world of cybersecurity, 2025 is shaping up to be a crucial year for the implementation of new regulations aimed at strengthening the European Union’s digital resilience. From the transposition of the NIS2 Directive to the entry into force of the DORA Regulation and the National 5G Network and Service Security Scheme, both private companies and public entities face an increasingly demanding regulatory landscape, and it is essential to understand and anticipate the challenges and opportunities that this new legislation presents.
Transposition of the NIS2 Directive: a new horizon
Directive 2022/2555, better known as NIS2, establishes a common framework for cybersecurity in the European Union, aiming to achieve a high and uniform level of security across all member states. The preliminary draft Law on Cybersecurity Coordination and Governance (AL-LCGC) will be the norm that transposes this directive in Spain, albeit with some delay, as the transposition deadline was 17 October 2024.
The TRIS procedure, established by Directive 2015/1535, requires member states to notify the Commission of draft technical regulations relating to information products and services, in order to ensure that new regulatory texts do not create unjustified obstacles to the proper functioning of the internal market. From the date of notification, a three-month standstill period begins during which both the European Commission and the member states may examine the text and make any contributions they deem relevant. Furthermore, during this period, the member state that notified the draft regulation cannot approve it.
The current content of the AL-LCGC covers a significant number of strategic sectors and eliminates the possibility, as contemplated in NIS1, for member states to introduce individual identification criteria. These changes result in a stricter and more uniform classification of affected entities into the categories of “essential” and “important,” based on their size and economic and social impact. Companies will have to comply with more rigorous security requirements, proactively manage risks, thoroughly assess third-party providers, and implement mandatory cybersecurity measures.
Incident reporting obligations will also be tightened, with stricter deadlines and a greater degree of coordination with the competent authorities at national and European levels. Requirements for both supervision and sanctions are increased, and the possibility of periodic inspections by the authority and mandatory audits is established.
DORA Regulation: digital operational resilience in the financial sector
Regulation 2022/2554 (DORA) focuses on increasing the “Digital Operational Resilience” of financial institutions. Approved on 14 December 2022, DORA seeks to strengthen the security and robustness of financial sector entities’ information systems, with the aim of reducing technological risks and cyberthreats.
DORA is applicable to a wide range of entities within the financial sector, including banks, investment services firms, fund managers, and insurers, as well as their critical ICT services providers. The short-term obligations posed by DORA include the assessment and reinforcement of internal management of ICT-related risks, the formalization of a digital resilience strategy overseen at the highest level, and the preparation of contingency plans in the event of cybersecurity incidents.
In the medium term, entities must conduct periodic digital resilience tests, develop exit strategies (if they outsource essential functions to third-party companies), and ensure continuity and recovery plans that meet DORA requirements. Penalties for non-compliance can be severe, including fines or the obligation to terminate contracts with ICT service providers that do not comply with the requirements of this regulation.
eIDAS2 Regulation: towards a European digital identity
eIDAS2 (Regulation 2024/1183) was recently approved with the main objective of establishing a European regulatory framework for digital identity. The adoption of this regulation seeks to increase trust in electronic transactions and promote the use of technologies that facilitate digital identity in the EU, taking electronic identification and trust services as a starting point.
eIDAS2 introduces more stringent requirements for user identification and authentication, with the aim of reducing the risks of fraud or identity theft when using electronic means. To this end, new trust services are incorporated, such as digital identity wallets (eWallets), and certain aspects related to the use of electronic time stamps are refined. Entities affected by eIDAS2 must assess their risks, analyze the compliance of the services they provide with the regulation’s requirements, and dedicate the necessary financial and human resources to its proper implementation.
National 5G network and service security scheme: a new paradigm
Royal Decree 443/2024 establishes the National 5G Network and Services Security Scheme (ENS5G) for Spain. Undeniably, 5G is a technology that has the potential to digitally transform key sectors such as medicine, transportation, logistics, and energy. However, the technical complexity of its architecture and the massive interconnection of devices and services in which a considerable number of companies and public institutions interact present significant cybersecurity risks.
Among the most notable new features, ENS5G requires operators, suppliers, and corporate users with their own 5G networks to identify and protect critical network elements, diversify their suppliers, and also submit periodic security reports to the Ministry for Digital Transformation. Actions to be implemented in the medium and long term include the continuous updating of risk analyses, the possible requirement for third-party certifications, and the conduct of periodic audits.
New regulatory changes in 2025
In January 2025, two new regulatory changes regarding cybersecurity were enacted within the European Union.
On the one hand, Regulation 2025/37 adjusts the European cybersecurity certification framework for MSS (Managed Security Services) providers to prevent fragmentation of the internal market in relation to cybersecurity certification schemes.
On the other hand, the European Regulation 2025/38 restructures the European Cybersecurity Alert System and the Cybersecurity Emergency Mechanism, with the ultimate goal of improving the coordination and resilience of those affected by significant or large-scale incidents throughout the European Union.
Compliance makes European companies more competitive
Without a doubt, 2025 marks a turning point for cybersecurity in the European Union. Therefore, companies and public entities affected by the aforementioned regulations will be forced to consider the economic costs of adapting to them in their budgets, as well as to plan the introduction of structural changes in areas as diverse as technology, suppliers, and human resources.
Cybersecurity has become a “strategic priority” for European companies and institutions. This endeavor can only be achieved with guaranteed effectiveness if it is approached with a high degree of proactivity and a multidisciplinary and integrative methodology.
In an increasingly turbulent geopolitical environment, coordination and collaboration between European Union institutions and economic stakeholders is key to effectively responding to cyberthreats. Ultimately, we must convince ourselves that compliance with these standards is not only a legal imperative, but also a factor that makes European companies more competitive and generates confidence among both citizens and global financial investors.
Rafael García del Poyo is a lawyer and managing partner of the IT/IP Law Department at Osborne Clarke, in Madrid, Spain.