Regulatory Framework
Regulatory frameworks, obligations, and timelines driving the need for an SCIA. Understand the accelerating European normative landscape.
Key Regulations Driving SCIA
| Regulatory Framework | Reference | Scope | Applicability | Key Timeline |
|---|---|---|---|---|
| NIS2 (Network and Information Systems Security Directive) | Dir. 2022/2555 | Cybersecurity and digital resilience; essential and critical importance entities | Sectors: Energy, Transport, Health, Water, Food, Infrastructure, Telecommunications, Financial Services, Digital | 17 October 2024 |
| DORA (Digital Operational Resilience Regulation) | Reg. 2022/2554 | Digital operational resilience in financial institutions | Banks, Insurers, Pension Funds, Asset Managers | 17 January 2025 |
| AI Act (European AI Regulation) | Reg. 2024/1689 | High-risk AI systems; transparency and compliance | AI providers and users in high-risk contexts | 2 February 2025 (prohibitions); 13 June 2025 (general obligations) |
| GDPR (General Data Protection Regulation) | Reg. 2016/679 | Personal data protection; data subject rights | All organizations processing personal data of EU residents | Ongoing since 25 May 2018 |
| ESG/CSRD (Corporate Sustainability Reporting Directive) | Dir. 2022/2464 | ESG transparency; environmental, social, and governance compliance | Large enterprises (>250 people) and listed SMEs | 1 January 2024 (large); 1 January 2025 (SMEs); 1 January 2028 (2027 reporting) |
| CER (Critical Entity Resilience Directive) | Dir. 2022/2557 | Essential entity resilience; contingency planning | Critical infrastructure operators in Energy, Transport, Water, Telecommunications | 23 November 2024 |
| CRA (Credit Risk Regulation) | Under development | Credit risk management in digital transition and ESG context | Financial institutions and credit entities | TBD |
| MiCA (Cryptoassets Regulation) | Reg. 2023/1114 | Cryptoasset activities; authentication and consumer protection | Cryptoasset service providers in EU | 30 December 2023 |
| PSD2/PSD3 (Payment Services Directive) | Dir. 2015/2366; Dir. 2024/1748 | Payment security; strong authentication; open banking | Credit institutions, Payment Service Providers | Ongoing (PSD2); 13 June 2025 (PSD3 transposition) |
| eIDAS 2.0 (Electronic Identification and Trust Services) | Reg. 2014/910; Reg. 2023/1525 | Digital identities; electronic signatures and seals | Organizations offering digital services and authentication | 13 June 2025 |
Regulatory Timeline: 2024-2027
October 2024
NIS2 - Enters into Force
Compliance obligations for essential and critical importance entities in key sectors.
November 2024
CER - Transposition Deadline
Member states transpose Critical Entity Resilience Directive into national law.
January 2025
DORA - Enters into Force
Financial institutions implement digital operational resilience controls.
February 2025
AI Act - Initial Prohibitions
Prohibitions on unacceptable-risk AI practices take effect.
June 2025
AI Act, PSD3, eIDAS 2.0 - Enter into Force
General AI Act obligations, PSD3, and eIDAS 2.0 digital identities take effect.
2026-2027
Full Compliance
Final implementation phases and compliance assurance for all regulations.
Sanctions and Consequences of Non-Compliance
🚨 NIS2
Fines up to EUR 10 million or 2% of annual global turnover
Applicable to essential and critical importance entities failing to meet security and resilience requirements.
🚨 DORA
Sector-specific sanctions up to 4% of turnover
Administrative and reputational fines for financial institutions failing operational resilience testing.
🚨 AI Act
Fines up to EUR 35 million or 7% of annual global turnover
Severe sanctions for violations of high-risk requirements and transparency in AI systems.
🚨 GDPR
Fines up to EUR 20 million or 4% of annual global turnover
Sanctions for data subject rights violations and privacy protection failures.
🚨 ESG/CSRD
Reputational and compliance sanctions; market exclusion and loss of investment
Market penalties, ESG index exclusion, and loss of access to sustainable financing.
🚨 CER
Sector-specific administrative sanctions up to 2% of turnover
Penalties for critical infrastructure operators failing resilience standards.
Sectoral Convergence: Impact by Sector
Different sectors face unique combinations of regulatory frameworks. A sectoral SCIA maps these sector-specific convergences:
🏦 Financial Services
NIS2 + DORA + GDPR + PSD2/PSD3 + MiCA + eIDAS 2.0 + ESG
🏥 Healthcare
NIS2 + GDPR + AI Act + ESG + CER
⚡ Energy
NIS2 + DORA (sectoral) + CER + ESG + AI Act
📡 Telecommunications
NIS2 + GDPR + AI Act + PSD2/PSD3 + eIDAS 2.0
🚗 Transport
NIS2 + CER + GDPR + AI Act (autonomous vehicles) + ESG
🏢 Public Administration
NIS2 + GDPR + AI Act + eIDAS 2.0 + ESG
Understand Your Specific Regulatory Framework
Each sector and organization faces a unique set of obligations. Request a personalized analysis of your framework.