DORA Regulation: digital operational resilience in the financial sector

Regulation 2022/2554 (DORA) focuses on increasing the “Digital Operational Resilience” of financial institutions. Approved on 14 December 2022, DORA seeks to strengthen the security and robustness of financial sector entities’ information systems, with the aim of reducing technological risks and cyberthreats.

As mentioned, DORA is applicable to a wide range of entities within the financial sector, including banks, investment services firms, fund managers, and insurers, as well as their critical ICT services providers. The short-term obligations posed by DORA include the assessment and reinforcement of internal management of ICT-related risks, the formalization of a digital resilience strategy overseen at the highest level, and the preparation of contingency plans in the event of cybersecurity incidents.

In the medium term, entities must conduct periodic digital resilience tests, develop exit strategies (if they outsource essential functions to third-party companies), and ensure continuity and recovery plans that meet DORA requirements. Penalties for non-compliance can be severe, including fines or the obligation to terminate contracts with ICT service providers that do not comply with the requirements of this regulation.
eIDAS2 Regulation: towards a European digital identity

The eIDAS2 Regulation (Regulation 2024/1183) was recently approved with the main objective of establishing a European regulatory framework for digital identity. The adoption of this regulation seeks to increase trust in electronic transactions and promote the use of technologies that facilitate digital identity in the EU, taking electronic identification and trust services as a starting point.

eIDAS2 introduces more stringent requirements for user identification and authentication, with the aim of reducing the risks of fraud or identity theft when using electronic means. To this end, new trust services are incorporated, such as digital identity wallets (eWallets), and certain aspects related to the use of electronic time stamps are refined. Entities affected by eIDAS2 must assess their risks, analyze the compliance of the services they provide with the regulation’s requirements, and dedicate the necessary financial and human resources to its proper implementation.
National 5G network and service security scheme: a new paradigm

Royal Decree 443/2024 establishes the National 5G Network and Services Security Scheme (ENS5G) for Spain. Undeniably, 5G is a technology that has the potential to digitally transform key sectors such as medicine, transportation, logistics, and energy. However, the technical complexity of its architecture and the massive interconnection of devices and services, in which a considerable number of companies and public institutions interact, present significant cybersecurity risks.

Among the most notable new features, ENS5G requires operators, suppliers, and corporate users with their own 5G networks to identify and protect critical network elements, diversify their suppliers, and submit periodic security reports to the Ministry for Digital Transformation. Actions to be implemented in the medium and long term include the continuous updating of risk analyses, the possible requirement for third-party certifications, and the conduct of periodic audits.
New regulatory changes in 2025

In January 2025, two new regulatory changes regarding cybersecurity were enacted within the European Union.

On the one hand, Regulation 2025/37 adjusts the European cybersecurity certification framework for providers of Managed Security Services (MSS), in order to prevent fragmentation of the internal market in relation to cybersecurity certification schemes.

On the other hand, Regulation 2025/38 restructures the European Cybersecurity Alert System and the Cybersecurity Emergency Mechanism, with the ultimate goal of improving the coordination and resilience of those affected by significant or large-scale incidents throughout the European Union.
Compliance makes European companies more competitive

Without a doubt, 2025 marks a turning point for cybersecurity in the European Union. Therefore, companies and public entities affected by the aforementioned regulations will be forced to consider the economic costs of adapting to them in their budgets, as well as to plan the introduction of structural changes in areas as diverse as technology, suppliers, and human resources.

Cybersecurity has become a “strategic priority” for European companies and institutions. This endeavor can only be achieved with guaranteed effectiveness if it is approached with a high degree of proactivity and a multidisciplinary and integrative methodology.

In an increasingly turbulent geopolitical environment, coordination and collaboration between European Union institutions and economic stakeholders is key to effectively responding to cyberthreats. Ultimately, we must convince ourselves that compliance with these standards is not only a legal imperative, but also a factor that makes European companies more competitive and generates confidence among both citizens and global financial investors.

Rafael García del Poyo is a lawyer and managing partner of the IT/IP Law Department at Osborne Clarke, in Madrid, Spain.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/3853199/legal-impact-on-cybersecurity-in-2025-new-developments-and-challenges-in-the-eu.html