Overview of EU Regulations and Directives

Cybersecurity – EU Regulations, Directives, and Penalties

Below is an overview of the most recent relevant EU legislation, including a brief description and the potential penalties for non-compliance that may be relevant for your organization.

It is important to note that while some EU regulations are directly applicable in all member states, EU directives often require national legislation to address specific aspects and align them with the national context.

EU Directive: General Data Protection Regulation (GDPR)

Privacy legislation through which the EU aims to protect the privacy of its citizens.

  • Effective date of EU regulation: 25 May 2018
  • Dutch legislation: Algemene verordening gegevensbescherming (AVG)
  • Penalties: Up to €20 million or 4% of global annual turnover for serious violations; up to €10 million or 2% for less serious violations.

Compliance Standards / Frameworks:

  • ISO/IEC 27701 (Privacy Information Management System), an extension of ISO/IEC 27001, specifically for privacy management and with mappings to the GDPR.
  • ISO/IEC 27001 (general ISMS).
  • BC 5701 – Dutch certification standard for GDPR/AVG compliance.

EU Directive: NIS2

Directive aimed at creating a higher common level of cybersecurity in the Union (NIS2) and enhancing the cyber resilience of critical infrastructures and digital service providers.

  • Effective date of EU directive: 17 October 2024
  • Dutch implementation: Cybersecurity Act (Cbw), Q3 2025
  • Penalties: Up to €10 million or 2% of global annual turnover.

Compliance Standards / Frameworks:

  • ISO/IEC 27001 – widely used by organizations as a basis for NIS2 compliance

  • ISO/IEC 22301 (Business Continuity)

  • IEC 62443 (industrial cybersecurity)

  • CyFun (Belgian maturity framework), including CyFun 2.0 with integration of NIST CSF 2.0 and ISO/IEC 27001, specifically focused on NIS2 maturity and governance

  • NIS2 QualityMarks – European / national quality labels (where available)

EU CER Directive:

Directive aimed at enhancing the physical resilience of organizations providing essential services against various threats, such as natural disasters, terrorist attacks, and sabotage.

  • Effective date of EU directive: 17 October 2024
  • Dutch implementation: Critical Entities Resilience Act (Wwke)
  • Status: Implementation delayed; expected entry into force in the Netherlands in Q3 2025.
  • Penalties: The amount of the penalty depends on the specific violation.
      • Violation of Articles 15 and 17: up to €10,000,000 or 2% of the total global annual turnover of the company to which the critical entity belongs, whichever is higher.
      • Other violations: up to €1,000,000.

Relevant links:

  • NCSC – guidelines for physical resilience and continuity.

Compliance Standards / Frameworks:

  • ISO/IEC 27001 (general information security)

  • ISO/IEC 22301 (continuity management)

  • IEC 62443 (industrial systems)

  • Sector-specific resilience or critical infrastructure frameworks

Digital Services Act (DSA):

EU Regulation: Regulation (EU) 2022/2065 on a Single Market for Digital Services (DSA). It concerns online platforms and search engines such as Apple, Google, Meta (Facebook and Instagram), X (formerly Twitter), as well as platforms like AliExpress, Booking.com, and Snapchat, ensuring they do not facilitate the dissemination of illegal goods or content and the spread of disinformation through their services. The regulation also imposes controls on the algorithms they use.

The DSA also applies to online marketplaces, social networks, search engines, cloud providers, internet service providers, and content-sharing platforms such as video platforms and online travel and accommodation platforms.

  • Effective date of EU regulation: 17 February 2024
  • Dutch implementation: Still under development; specific Dutch legislation is currently being prepared.
  • Penalties: In case of violations, the European Commission, as the sole supervisory authority, may impose fines of up to 6% of global annual turnover or interim penalties of up to 5% of average daily revenue.

Compliance Standards / Frameworks:

  • Online content moderation and governance standards (such as ENISA guidance)

  • Transparency and accountability frameworks (e.g., certification schemes where developed)

  • ISO/IEC 27001 (for platform security)

  • Specific compliance tooling (self-assessment frameworks)

Digital Markets Act (DMA):

EU Regulation aimed at ensuring fair competition among digital platforms, increasing consumer choice, and creating new opportunities for businesses. The DMA sets out clear rules (obligations and prohibitions) for large platforms designated as gatekeepers by the European Commission, offering “core platform services” (e.g., online search engines, advertising services, and social networking services).

  • Effective date of EU regulation: 1 November 2022
  • Dutch implementation: The Dutch implementing legislation for the DMA is currently in the legislative process.
  • Penalties: In case of violations, the European Commission, as the sole supervisory authority, may impose fines of up to 10% of the gatekeeper’s total global turnover. For repeated violations, fines of up to 20% of global turnover may be imposed.

Compliance Standards / Frameworks:

  • Governance and compliance programs focused on platform gatekeepers

  • ISO/IEC 37001 (Anti-corruption)

  • ISO/IEC 27001 (general security)

  • Transparency and audit frameworks for data and advertising management

Data Governance Act (DGA):

EU Regulation on European data governance (DGA).

Providers must ensure that users can extract their data from the product or share it with another party. Additionally, cloud service providers must ensure that users are not hindered when switching services and that services can be interconnected.

  • Effective date of EU regulation: 24 September 2023
  • Dutch implementation: Since November 2024, the ACM (Authority for Consumers & Markets) has been the supervisory authority for the DGA. Companies, organizations, and institutions active in data intermediation must register with the ACM. The Data Act will apply from 12 September 2025.
  • Penalties: In case of violations, the ACM or AP (Dutch Data Protection Authority) may impose an administrative fine or an enforcement order.

Relevant links:

  • European Commission – DGA information.
  • ACM – DGA supervision, registration, and guidance.

Compliance Standards / Frameworks:

  • ISO/IEC 27001 (information security)

  • ISO/IEC 29100 (privacy framework)

  • Data governance frameworks such as DAMA DMBOK

  • Certification initiatives on data sharing

Digital Operational Resilience Act (DORA):

EU Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (DORA).

  • Effective date of EU regulation: 17 January 2025
  • Dutch implementation: Still under development; specific Dutch legislation is currently being prepared.
  • Penalties for financial institutions:
    No fixed maximum fines, but European supervisory authorities (EBA, EIOPA, and ESMA) can impose significant sanctions. National supervisory authorities may determine financial penalties based on the severity and impact of the violation.
  • Penalties for ICT service providers:
    Potential restrictions or bans on providing services if they fail to comply with DORA requirements.
  • Other sanctions:
    Enforcement measures such as mandatory recovery plans and increased supervision.

Compliance Standards / Frameworks:

  • ISO/IEC 27001 (ISMS)

  • ISO/IEC 22301 (continuity)

  • ICT third-party risk frameworks (ICT TPRM)

  • Realistic recovery plans and resilience frameworks, GRC tools

eIDAS 2.0:

EU Regulation (EU) 2022/2066 on electronic identification and trust services for electronic transactions in the internal market (eIDAS 2.0), aimed at increasing trust in online transactions for businesses and consumers. Examples include electronic identification means such as DigiD, electronic signatures, authenticity seals, and timestamps.

  • Effective date of EU regulation: 20 May 2024
  • Dutch implementation: Still under development; specific Dutch legislation is currently being prepared.
  • Penalties: In case of violations of the eIDAS regulation, supervisory authorities, such as the National Digital Infrastructure Inspectorate (RDI) in the Netherlands, may impose administrative fines, with a base amount equal to 1% of the offender’s global net annual turnover. The amount of the fines may vary depending on the specific circumstances and severity of the violation.

Relevant links:

  • EU – eIDAS 2.0 regulation

  • RDI – supervision and fines

Compliance Standards / Frameworks:

  • ETSI standards for trust services

  • ISO/IEC 27001 (general security of trust services)

  • Specific trust service certification schemes, such as the eIDAS certification framework

Cyber Resilience Act (CRA):

EU Regulation (EU) 2022/2554 – The CRA requires digital products to meet strict cybersecurity requirements before they are placed on the European market. Both consumers and business users should be able to trust that digital products are secure, from smart doorbells to accounting software.

The responsibility lies with the manufacturer. If you are a manufacturer of digital products, you must ensure that your products are secure. Additionally, as a manufacturer, you are required to provide free security updates throughout the product’s lifecycle and report digital vulnerabilities and incidents.

  • Effective date of EU regulation: 17 January 2025
  • Dutch implementation: Still under development; specific Dutch legislation is currently being prepared.
  • Penalties: Up to €10 million or 2% of global annual turnover.

Compliance Standards / Frameworks:

  • IEC 62443 (security for embedded/IoT products)

  • ISO/IEC 27001 (general product security)

  • Product cybersecurity design standards (Secure SDLC, vulnerability disclosure, patch management)

Artificial Intelligence Act (AI Act)

EU Regulation (EU) 2024/1684

The AI Act ensures that AI systems within the EU are developed and used in a reliable, transparent, and safe manner. Both citizens and businesses should be able to trust AI that respects their rights and does not pose unnecessary risks.

The law imposes obligations on developers, distributors, and users of AI systems. If you are involved in the development, sale, or use of AI, you must assess whether your AI system is considered high-risk and comply with strict requirements regarding transparency, oversight, data quality, and safety.

For generative AI and foundation models, additional obligations apply, such as mandatory documentation, risk management, and transparency regarding generated content.

  • Effective date of EU regulation: Phased from 2025
      • Prohibited AI systems: mid-2025
      • From August 2025, personnel involved in developing or using AI systems must receive adequate training that raises awareness of risks, responsibilities, and the correct handling of AI applications.
      • Obligations for high-risk AI: mid-2026. Most obligations apply from 2026, with some earlier (such as prohibited AI applications and transparency requirements).
      • Other obligations: mid-2027
  • Penalties: Up to €35 million or 7% of global annual turnover, depending on the severity of the violation.

Relevant links:

  • EU – AI Act regulation and updates
  • Dutch authorities (such as RDI or AI Coordination Point) – guidance and supervision

Compliance Standards / Frameworks:

  • ISO/IEC TR 24028 (trustworthiness in AI) and related ISO AI standards

  • IEEE, OECD AI principles

  • Transparency and risk management frameworks (e.g., generative AI logs)

  • Governance frameworks for high-risk AI (audits, documentation, training)