5 developments in cybersecurity in 2025 

2025 was marked by tightened legislation and new standards frameworks for information security and privacy. Organizations had to deal with higher requirements, more responsibility and stricter enforcement. In this retrospective, we highlight the most important developments of the past year. 

Cybersecurity Act 

In the Netherlands, the European NIS2 Directive has been translated into the Cybersecurity Act. This law imposes stricter requirements on essential and important entities. The law is expected to go into effect in Q2 of 2026. Key obligations: 
 

  • Duty of Care: An organization must be able to demonstrate that it has taken measures to prevent cyber attacks and mitigate their impact. 
  • Reporting requirement: An organization is required to report significant incidents to the appropriate authority. Incidents must be reported within 24 hours.  
  • Registration requirement: Any organization covered by the NIS2 directive must be registered with the appropriate authority, the NCSC. 
  • Administrative responsibility and supervision by the RDI. Fines can be as high as €10 million or 2% of global turnover. 

AI Act 

Since Aug. 2, 2025, the first parts of the European AI Act have been in force. This act sets clear requirements for organizations that develop, provide or use AI. The focus is on responsible and verifiable AI use. Key obligations for organizations: 

  • Governance & oversight: clear rules, including human supervision, risk management & data transparency 
  • Risk Management: insight into AI used and continuous monitoring of risks 
  • Cybersecurity & reliability: safe, accurate and reliable AI systems 
  • Quality Management: monitor strict quality standards throughout the AI life cycle 
  • Impact Assessments: focus on human rights, ethics and law 
  • Roles & responsibilities: clear division of labor around AI within the organization 

BIO2

2025 introduced the BIO2 for government organizations: the updated Government Information Security Baseline. This further development aligns better with current laws and regulations and strengthens administrative accountability. What's new: 

  • Alignment with Cybersecurity Act (NIS2): thus BIO2 directly aligns with European obligations for essential and important entities. 
  • In line with NEN-EN-ISO/IEC 27002:2022: emphasis on an explicitly risk-driven approach and working with an ISMS is made mandatory. 
  • Operationalization of the duty of care: this allows regulators to objectively test whether an organization is compliant. 
  • More managerial responsibility: directors explicitly responsible for policy, reporting and roles such as the CISO 
     

EU Data Act 

As of Sept. 12, 2025, the European Data Act applies. This regulation changes how organizations handle data created by digital products and services, such as smart devices and vehicles. The act empowers users and promotes fair data sharing. Key starting points: 

  • Right to own data: users get access to the data they generate themselves 
  • Protection of SMEs: safeguards against unfair contract terms 
  • Simple switching: lower barriers to switching cloud or software vendors 
  • Government access: only in exceptional emergencies 
  • Security & data sovereignty: data remains protected and within EU frameworks 

DORA 

The Digital Operational Resilience Act (DORA) is a European regulation that strengthens the digital resilience of the financial sector. The focus is on managing ICT risks and increasing the cyber resilience of both financial institutions and their suppliers. Key obligations: 

  • Mandatory and periodic pentesting of digital resilience 
  • Incident reporting: mandatory reporting of serious IT incidents to regulators 
  • Oversight of IT vendors: large, critical service providers such as cloud providers come under direct European supervision 
  • Understanding chain risks: overview and assessment of the IT suppliers used 
  • Information sharing: ability to securely share IT incident information within the industry