An Unprecedented Regulatory Stacking
In just a few years, the information system has become the subject of an unprecedented density of rules. Built on the General Data Protection Regulation (GDPR), which has been in force since 2018, the security landscape has welcomed the NIS2 directive on cybersecurity, the DORA regulation for the financial sector, and the AI Act governing artificial intelligence. These three major European texts now structure the continent’s cybersecurity framework through 2028.
The timetable has been tightened into a relatively short window. The DORA regulation has applied directly across the entire EU financial sector since January 17, 2025. The NIS2 directive is being transposed into France through the resilience bill, adopted by the Senate in March 2025, with a practical implementation expected in 2026. As for the AI Act, its first prohibitions came into effect as early as February 2025.
This accumulation creates a practical challenge: these texts cannot be managed in isolation. A single measure (for example logging, access management, or a continuity plan) often serves several obligations at once. Hence the need to treat compliance as a combined project rather than a sequence of siloed regulatory updates.
Beyond this European bedrock, there are sector-specific texts such as the Cyber Resilience Act (CRA), whose initial obligations begin in 2026, or sectoral frameworks tailored to health, energy, or critical operators via the REC directive. For leadership, the risk isn’t so much the complexity of each text taken individually as the cumulative effect: without a holistic view, one ends up pursuing redundant projects and missing out on synergies.
Sanctions that Scale Up
The tightening of penalties explains why the topic climbs to the executive committee level. The NIS2 directive provides fines that can reach €10 million or 2% of global turnover for entities deemed essential. The AI Act goes even further, with fines up to €35 million or 7% of global turnover for violations of prohibited practices—caps that exceed those of the GDPR.
Beyond the amount, it is the nature of accountability that evolves. NIS2 introduces personal liability for executives: members of the board must validate risk management measures and can be held responsible for lapses. Compliance ceases to be a technical delegation and becomes a governance issue assumed at the highest level.
The risk is not purely financial. The ANSSI, whose mandate has expanded significantly, can issue public warnings and binding instructions. A publicly disclosed non-compliance directly affects a company’s reputation and the trust of its customers and partners.
Why Compliance Now Affects a Much Larger Pool of Enterprises
The most structural change lies in the expansion of the scope. Under NIS1, about 500 entities in France were covered, mainly essential operators. With NIS2, the ANSSI estimates that between 10,000 and 15,000 entities are now subject to obligations, spread across 18 sectors, meaning a scope expanded roughly thirtyfold. To support this increased workload, the agency has launched a dedicated portal, “MonEspaceNIS2,” through which the entities concerned register.
In practical terms, many SMEs and mid-sized companies that previously went “under the regulatory radar” are now within the scope. The criteria combine size (50 employees or €10 million in turnover) and sector. Local authorities are also affected, even though they are exempt from financial penalties.
Adding to this is a ripple effect through the supply chain: a company subject to NIS2 must ensure the security of its suppliers, which inherently propagates the requirements to subcontractors that might not be directly covered. Compliance becomes a contractual prerequisite, including for organizations that believed they were outside the field.
That cascade transforms compliance into a commercial issue. More and more calls for tenders and contracts include security clauses and require evidence—ISO 27001 certification, security questionnaires, attestations. A non-compliant SME can thus be excluded from markets, not by a regulator’s decision, but by customers seeking to safeguard their own supply chains.
Turning Constraint into a Structured Approach
Faced with this stacking, the right approach is not to address each text one by one as it arrives, but to build a single, unified compliance foundation. A few core practices help launch the effort:
- Map your exposure: identify which texts apply based on size, sector, and the data processing activities involved.
- Identify overlaps across regulations to avoid duplicating work—an ISO 27001 management system already covers a large portion of expectations.
- Appoint a program owner and involve leadership, now legally implicated.
- Document continuously: compliance is demonstrated through records, audits, and traces—not just intentions.
- Leverage official resources: the ANSSI, the CNIL, and sector-specific guides publish referentials and free tools that chart the path and prevent starting from a blank page.
Organizations that have navigated the GDPR journey know that a well-led compliance program quickly becomes an organizational reflex. Better yet, it turns into a competitive advantage. Demonstrating compliance reassures clients, secures bids, and structurally strengthens the governance of the information system. The question is no longer whether to undertake it, but how to organize to do it efficiently and without rushing as deadlines approach.
One final point merits executive attention: the cost of inaction almost always exceeds the cost of bringing things into compliance. Between potential fines, the cost of a preventable incident, losing market access, and reputational harm, investing in a solid compliance foundation behaves like an insurance whose return is measured mainly in avoided risk. Addressing the topic early, calmly, and in a structured manner remains the most economical way to achieve compliance.