From DORA to NIS2: Fortinet's guide to European cybersecurity regulations in 2025
"As organisations move into implementation mode, the focus will shift from compliance as a checkbox exercise to a collaborative and strategic effort."
As we approach 2025, the regulatory landscape in Europe is shifting from drafting broad cybersecurity frameworks to the challenging process of implementation. This transition marks a critical moment for organizations across Europe as they navigate compliance and the wider impact on their operations and digital strategies.
As Fortinet's Regulatory Affairs Lead for Europe, I’ve had the privilege of working with policymakers, businesses, and partners across the region to understand their challenges and collaborate on solutions. Here are my predictions for how regulatory priorities in 2025 will reshape cybersecurity in Europe and how organizations can prepare.
1) Harmonization will take centre stage
One of the key themes I see for 2025 is the drive toward harmonization. The European Commission has committed to a "one in, one out" principle to limit the introduction of new regulations, signaling that the focus will shift to implementing and aligning recent frameworks like the Directive on measures for a high common level of cybersecurity (NIS2), the Digital Operational Resilience Act (DORA), the Cyber Resilience Act (CRA), and the EU Data Act across member states.
Harmonization isn’t just a regulatory goal—it’s a necessity for businesses. Operating across borders is already complex, and inconsistent regulations add another layer of difficulty. Starting in 2025, I anticipate a stronger push for uniform compliance requirements. This would make it easier for supplier organizations to streamline their efforts and reduce inefficiencies and for customers to benefit from a more open and competitive market.
2) Bridging the cybersecurity skills gap
The success of any regulation depends on the people who implement it. However, the cybersecurity skills gap remains one of the greatest challenges to compliance and security resilience. While the European Cybersecurity Skills Academy Pledge and similar initiatives are steps in the right direction, progress will require a collaborative effort between the public and private sectors.
In 2025, I expect to see more partnerships between industry leaders, governments, and academic institutions to build the next generation of cybersecurity talent (we’re already seeing a strong push from the European Commission, ENISA, and other institutions). These efforts will be critical to successfully implementing regulatory frameworks and the overall resilience of Europe’s cybersecurity ecosystem.
3) Transparency and collaboration will be key
Transparency and collaboration are becoming non-negotiable elements of compliance. New regulations emphasize the need for information sharing among vendors, partners, customers, and public authorities to improve threat detection and response. Stronger cross-border cooperation among regulators will also have to be developed. However, balancing transparency with protecting sensitive data will remain a challenge that needs to be managed.
Efficient frameworks for secure information sharing will likely start to become more clearly defined in 2025 as NIS2 implementation takes shape. Public and private organizations must embrace compliance frameworks that facilitate collaboration while ensuring robust data protection.
4) Data sovereignty and European innovation
Europe’s commitment to data sovereignty and fostering innovation will only accelerate in 2025. As the EU pushes to close the innovation gap and position itself as a leader in data and cloud services, I anticipate clearer definitions around data sovereignty and cloud infrastructure requirements. This isn’t just about regulation—it’s about opportunity. By promoting domestic champions in data and cloud services, the EU is attempting to foster an environment that encourages regional competition and innovation.
Fortinet’s Role in Supporting Compliance and Innovation
At Fortinet, we’ve been deeply engaged in helping organizations navigate the complexities of EMEA’s regulatory environment. Here’s how we’re making a difference:
- Collaboration with policymakers: We will continue to work closely with European authorities to share insights on how regulations impact businesses and to advocate for practical, effective solutions.
- Engaging customers and partners: We are committed to helping organizations navigate this evolving regulatory landscape and ensure their compliance strategies are as seamless and efficient as possible. Our tailored solutions and experienced insights simplify compliance and enhance security.
- Training and workforce development: Through initiatives like our European Commission Cybersecurity Skills Academy pledge, we’re addressing the skills gap with robust training programs. We also offer accessible training and certifications through our Fortinet Training Institute. Upskilling isn’t just about filling immediate gaps—it’s about creating a workforce ready to meet the demands of today’s increasingly complex threat landscape.
- Data privacy leadership: Our certification under the US-EU Data Privacy Framework demonstrates our commitment to upholding the highest standards of data protection.
Preparing for 2025 and beyond
2025 is shaping up to be a pivotal year for cybersecurity in Europe. As new regulations enter into effect and organizations move into implementation mode, the focus will shift from compliance as a checkbox exercise to a more collaborative and strategic effort.
Collaboration will be the key to success in 2025. We are committed to collaborating across industries, sectors, and borders to create a secure, innovative, and compliant digital future. From navigating regulatory requirements to building resilient cybersecurity frameworks, we’re committed to helping organizations thrive in this evolving landscape.