Navigating cyber regulations in France and Europe / 2025 edition
The implementation of the European cybersecurity framework is gaining momentum in France.
Following the entry into force of the AI Act in 2024, its phased application began in 2025 with the first obligations (prohibited AI practices and AI literacy), with the obligations for general-purpose AI models following later in the year. In parallel, the DORA regulation, applicable since January 17, 2025, is being progressively implemented by financial entities. Meanwhile, since March 2025, a bill has been under examination to transpose three key directives: NIS 2, REC (the Critical Entities Resilience directive), and the directive associated with DORA.
Against this backdrop, this article aims to highlight the main challenges and key developments anticipated throughout 2025.
Operational Resilience and Artificial Intelligence: The Dual European Regulatory Challenge
DORA
DORA (Regulation (EU) 2022/2554), adopted in December 2022, aims to strengthen the digital operational resilience of financial entities by imposing strict ICT risk management requirements.
While DORA has applied since January 17, 2025, the regulatory framework continues to evolve:
- Throughout 2024, draft regulatory and implementing technical standards (RTS/ITS) were developed to specify the regulation's requirements.
- The ACPR (the French prudential supervisor) provides support through explanatory notices, reporting tools, and FAQs that are regularly updated as the framework progresses.
The key date for 2025 was April 15, the deadline for the first submission of the Register of Information (RoI) on contractual arrangements with ICT third-party service providers.
Neverhack's insight
Our clients, after a gap analysis phase and development of customized roadmaps, are now actively engaged in deploying DORA compliance measures.
Critical challenges identified by Neverhack
Our work with clients highlights several critical challenges:
Challenge 1: contract management with ICT service providers
- Not all providers feel directly concerned by DORA requirements, even though the key contractual provisions required by DORA (Article 30) must be reflected in their contracts.
- Contractual clauses, especially regarding exit strategies, often need to be rewritten, a time-consuming task.
- Operational teams require ongoing support and awareness to ensure compliance.
- Maintaining the required Register of Information is resource-intensive.
Challenge 2: restructuring outsourcing processes
- Outsourcing frameworks need to be completely reviewed to align with DORA.
- Each outsourced service must be supported by a risk analysis, often handled by the CISO team.
- This highlights the need for a robust Third-Party Risk Management (TPRM) process to ensure consistent evaluation, monitoring, and governance of external providers across the organization.
Challenge 3: resource disparities within financial groups
- DORA implementation demands significant resources, especially for critical services requiring more frequent testing and updates.
- Smaller entities within a group are disproportionately affected and rely on group-level coordination to meet obligations.
- Independently operating small entities face even greater challenges, as they often lack the human resources needed to implement DORA while maintaining day-to-day operations. In some cases, a single individual (e.g., the CISO) is responsible for both regulatory compliance and operational security, significantly increasing the implementation burden.
Challenge 4: governance and internal coordination
- Organizations must choose between developing in-house information security expertise or hiring external professionals, sometimes in contradiction with their HR policies.
- Collaboration across multiple internal departments proves difficult to manage and coordinate effectively, highlighting the necessity of obtaining validation from top-level management to legitimize and facilitate this cross-departmental collaboration.
AI ACT
The AI Act, which entered into force on August 1, 2024, balances security, fundamental rights, and innovation in the field of artificial intelligence. Its application follows a progressive schedule:
- February 2, 2025: Prohibition of unacceptable-risk AI practices (subliminal manipulation, exploitation of vulnerabilities, social scoring) and entry into application of the AI literacy obligation
- August 2, 2025: Obligations for general-purpose AI models, implementation of supervisory authorities and sanctions regime
- August 2, 2026: Application of most remaining obligations, including the requirements on high-risk AI systems and their accuracy, robustness and cybersecurity requirements (Article 15)
If you use AI (recruitment, creditworthiness assessment, chatbots, content generation), by August 2025 you should at a minimum (non-exhaustive list):
- Designate AI managers
- Document all use cases
- Establish acceptable use policies
- Implement a risk management framework
To prepare for the application of the high-risk and cybersecurity requirements, we recommend the following actions:
- Assess the cybersecurity vulnerabilities specific to your AI systems, including those explicitly cited by the AI Act (data poisoning, model poisoning, adversarial examples or model evasion, confidentiality attacks)
- Train technical teams on AI-related cybersecurity requirements
- Integrate cybersecurity into your future AI risk management framework
From European Triptych to National Compliance
On October 15, 2024, the French government submitted a bill aimed at strengthening critical infrastructure resilience and cybersecurity. Initially planned for early 2024, this project was delayed by the dissolution of the National Assembly in June 2024. The text transposes three major European directives:
- NIS 2: strengthening the general level of cybersecurity.
- REC (Critical Entities Resilience directive): reducing vulnerabilities and strengthening the physical resilience of critical entities.
- The directive associated with DORA: it aligns several existing sectoral directives with the new framework created by the regulation of the same name.
Adopted on first reading by the Senate on March 12, 2025, the bill was transmitted to the National Assembly on March 13, 2025, where it is being examined by a dedicated special committee. Subject to an accelerated procedure since October 15, 2024, the text will either be definitively adopted if not modified by the Assembly or sent to a Joint Committee (commission mixte paritaire) to resolve disagreements between the two chambers.
After the law is adopted, implementing decrees will specify the practical arrangements, notably the scope of regulated entities and the detail of the security measures.
Conclusion
2025 marks the concrete application of the European cybersecurity framework in France with DORA, the AI Act, and the evolving legislative landscape. Organizations must swiftly adapt their governance, review outsourcing practices, and prepare for AI system supervision to meet new digital resilience requirements. The cybersecurity landscape will continue to evolve with the Cyber Resilience Act (CRA), which introduces new obligations for manufacturers of products with digital elements, including software: its vulnerability and incident reporting obligations apply from September 11, 2026, and its main obligations from December 11, 2027.