NIS2 first-year enforcement

The first anniversary of the NIS2 transposition deadline has come and gone: Friday the 17th of October marked the year. The post-deadline operational regime has been continuous since 2024, but the first formal enforcement decisions have only started landing across multiple EU jurisdictions through Q3 and into Q4. The aggregate enforcement picture is settling into a structural shape comparable to the first eighteen months after GDPR in 2018: graduated supervisory engagement initially focused on the most material non-compliance cases, with the substantive financial-penalty decisions emerging in year two and beyond.

The early enforcement-decision pattern. The decisions that have landed so far have been predominantly administrative: formal notices of non-compliance, mandated remediation programmes under supervisory monitoring, and modest financial penalties at the lower end of the maximum-fine framework. The substantive multi-million-euro decisions that the maximum-fine framework permits will, on the post-GDPR pattern, emerge through 2026 and beyond once the supervisory authorities have completed their more complex investigation cycles. The customer-portfolio organisations are operationally settled against the enforcement-environment risk; the attestable position established for the October 2024 deadline has been sustained through the year.

The DORA first three quarters of operation (DORA having been applicable since the 17th of January 2025). The financial-services customer organisation in our portfolio has settled operationally into the DORA-required regime; supervisory-authority engagement has been substantive but operationally manageable. The TLPT (threat-led penetration testing) cycle is on the planned 2026 schedule. The aggregate operational cost of DORA compliance has, on the customer organisation's internal accounting, come in slightly below the 2024 pre-deadline planning estimates, a useful data point for the broader customer-organisation conversations about investment in regulatory compliance.

The wider regulatory environment continues to develop. EU AI Act compliance continues its staged progression; the staged deadline for general-purpose-AI-model obligations on the 2nd of August 2025 passed without substantive operational impact on the customer portfolio. The UK Cyber Resilience Act has continued its legislative progression through the year, with substantive consultation output produced; the legislation is expected to be introduced through 2026. The continuing post-Brexit regulatory divergence between UK and EU frameworks remains operationally manageable, but the programme work for cross-jurisdictional customer organisations is sustained.

For the customer-portfolio briefings. The first-year NIS2 enforcement environment has been substantively informative for the customer-organisation strategic conversations. The customer-organisation programme work that has been continuous since the 2022 adoption of NIS2 has produced operational and financial benefit measurable against the alternative posture. The Q4 strategic conversations across the customer portfolio are pivoting to the 2026 regulatory deadlines and the longer-arc progression of the regulatory environment.

I will return to this. The post-NIS2 enforcement environment will continue to develop substantively through 2026 and beyond.
