KG LEGAL \ INFO

Cybersecurity and GDPR Compliance in 2025

Publication date: August 20, 2025

In an era of dynamic digital technology development and a growing number of cyberthreats, cybersecurity and personal data protection are becoming key aspects of how organizations operate in the European Union. New regulations, such as NIS2, DORA, AI Act, CRA, and eIDAS 2.0, combined with the current GDPR, create a comprehensive security system aimed at raising protection standards and ensuring greater transparency in data processing.

NIS2 and GDPR: Strengthening Data Protection and Incident Response

The Network and Information Security Directive (NIS2) is another step towards increasing the cyber resilience of entities operating in key economic sectors. In 2025, its implementation will require organizations to take a number of actions, including:

  • Expanding security measures against cyberattacks,
  • Introducing more rigorous incident reporting procedures,
  • Strengthening cooperation between supervisory authorities and the private sector.

NIS2, in conjunction with GDPR (Regulation 2016/679), means that businesses will not only have to protect personal data more effectively, but also implement new procedures for risk management and auditing of IT security activities.

5 Things You Need to Know About NIS2

01 – Fines of up to €10 million or 2% of total annual global turnover

02 – Expanded scope compared to NIS1, changing the way companies are classified and requiring more of them to comply with the directive

03 – Management staff is liable for violations, and the authorities may suspend activities or functions

04 – Broad security risk management measures and a shift to a risk-based approach

05 – Initial reporting of security incidents within 24 hours, further action within 72 hours, and a final summary within 1 month

DORA: Cyber Resilience and Personal Data Security in Finance

DORA is the Regulation of the European Parliament and of the Council (EU) of 14 December 2022 on the digital operational resilience of the financial sector. This is another of many recent regulations concerning cybersecurity and the broadly defined security of information technology.

The Digital Operational Resilience Act (DORA) focuses on the financial sector, which is particularly vulnerable to cyberattacks. Key requirements imposed by DORA include:

  • Testing the operational resilience of IT systems,
  • Implementing risk management strategies based on threat analysis,
  • Obligation to monitor and report digital incidents.

DORA applies to:

  1. credit institutions;
  2. payment institutions, including payment institutions exempted under Directive (EU) 2015/2366;
  3. account information service providers;
  4. electronic money institutions, including electronic money institutions exempted under Directive 2009/110/EC;
  5. investment firms;
  6. crypto-asset service providers;
  7. central securities depositories;
  8. central counterparties;
  9. trading venues;
  10. trade repositories;
  11. managers of alternative investment funds;
  12. management companies;
  13. data reporting service providers;
  14. insurance and reinsurance undertakings;
  15. insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries;
  16. institutions for occupational retirement provision;
  17. credit rating agencies;
  18. administrators of critical benchmarks;
  19. crowdfunding service providers;
  20. securitisation repositories;
  21. ICT third-party service providers.

In the context of GDPR compliance, financial institutions must ensure adequate security measures to protect customer data against unauthorized access and information leakage. GDPR also governs the use of cloud service providers and external IT operators acting as data processors, which requires thorough verification of their security standards before and during the engagement.

Article 33 of the DORA Directive requires personal data breaches to be reported without undue delay, and within 72 hours where possible. In the event of a delay, an explanation of the reason for the delay must be included.

AI Act and GDPR: Managing Artificial Intelligence and Data Protection

The AI Act regulations classify AI systems according to risk level and impose obligations on entities that implement them. In the context of data protection, the AI Act requires:

  • Transparency of artificial intelligence algorithms and mechanisms,
  • Possibilities of controlling and auditing decisions made by AI,
  • Compliance with the principles of data minimization and limitation of the processing purpose.

Companies that use AI to process personal data will have to meet stringent GDPR requirements, giving users greater control over their information and minimizing the risk of abuse.

CRA: Cyber Resilience Act – Security of Digital Products

The Cyber Resilience Act (CRA) introduces obligations related to the security of digital software and hardware. Its key requirements include:

  • Designing digital products to be secure by default,
  • Monitoring for vulnerabilities and issuing security updates regularly,
  • Manufacturers’ responsibility to ensure security throughout the product life cycle.

CRA aims to increase cybersecurity across the entire digital ecosystem, minimizing the risk of attacks based on device and application vulnerabilities.

eIDAS 2.0: Strengthening digital identification

The amendment to the eIDAS (electronic IDentification, Authentication and trust Services) regulation – known as eIDAS 2.0 – introduces a European digital identity wallet that:

  • Allows citizens to securely store and share their identity data,
  • Enables public and private institutions to provide secure online services,
  • Strengthens authentication standards in digital transactions.

In conjunction with GDPR, eIDAS 2.0 improves users’ control over their identity data and increases the security of online transactions.

Challenges and benefits of new regulations

Adapting to new regulations poses numerous challenges for companies, including:

  • The need to invest in modern security systems,
  • Employee training in cybersecurity and data protection,
  • Implementation of effective incident monitoring and reporting mechanisms.

However, the new regulations also bring numerous benefits, such as:

  • Better protection of customer data and greater trust in the organization,
  • Increased resilience to cyberattacks,
  • The possibility of avoiding high fines for violating data protection regulations.

The impact of new regulations on small and medium-sized enterprises (SMEs)

New regulations such as NIS2, DORA, AI Act, CRA, and eIDAS 2.0 can pose challenges for small and medium-sized enterprises (SMEs). Implementing these regulations requires investment in modern security systems and employee training in cybersecurity and data protection. SMEs may face challenges related to limited financial and human resources, which can make it difficult to fully comply with the new requirements.

However, compliance with these regulations also brings benefits, such as better protection of customer data, increased trust in the organization, and the ability to avoid significant fines for violating data protection regulations. Therefore, it is worthwhile for SMEs to consider partnering with external IT service providers and cybersecurity specialists to effectively implement the required security measures.

The future of cybersecurity in the EU

In the coming years, we can expect further development of regulations regarding cybersecurity and personal data protection. The European Union will continue to work on strengthening the legal framework to address growing cyber threats and ensure a high level of data protection. Organizations will need to be prepared to continuously adapt to new requirements and invest in modern security technologies and procedures.

Summary

In 2025, organizations will have to comply with a range of regulations regarding cybersecurity and personal data protection. NIS2, DORA, AI Act, CRA, and eIDAS 2.0, combined with the GDPR, create a modern legal framework aimed at improving data protection and increasing resilience to cyber threats across various economic sectors. Implementing these regulations will be a challenge, but also an opportunity, to build a more secure and digitally resilient business environment in the EU.
