cybersecurity 2026-03-05 8 min read

NIS2 and DORA: The EU's New Cybersecurity Compliance Landscape

The EU's NIS2 Directive and DORA regulation are reshaping cybersecurity compliance across Europe. Here's what they require, who they apply to, and how they differ.

By AuditDSS Team

The European Union has fundamentally restructured its cybersecurity compliance landscape with two major instruments: the NIS2 Directive and the Digital Operational Resilience Act (DORA). Together, they impose cybersecurity obligations on a vastly expanded set of organisations — from critical infrastructure operators to financial institutions and their ICT suppliers.

If you operate in the EU or serve EU-based clients, these regulations likely apply to you. This guide covers what each requires, who falls within scope, and how to navigate the overlap between them.

NIS2: the broad cybersecurity directive

The Network and Information Security Directive 2 (NIS2) replaced the original NIS Directive and has applied since 17 October 2024, the deadline by which member states had to transpose it into national law. NIS2 dramatically expanded the scope of EU cybersecurity regulation.

Who NIS2 applies to

NIS2 divides in-scope entities into two categories:

Essential entities — sectors where disruption would have severe consequences:

  • Energy (electricity, oil, gas, hydrogen, district heating)
  • Transport (air, rail, water, road)
  • Banking and financial market infrastructures
  • Health (hospitals, laboratories, medical device manufacturers)
  • Drinking water and wastewater
  • Digital infrastructure (DNS, TLD registries, cloud providers, data centres, CDNs, trust service providers)
  • ICT service management (B2B managed service and security providers)
  • Public administration
  • Space

Important entities — sectors with significant but less critical impact:

  • Postal and courier services
  • Waste management
  • Chemical manufacturing and distribution
  • Food production and distribution
  • Manufacturing (medical devices, electronics, machinery, motor vehicles)
  • Digital providers (online marketplaces, search engines, social networks)
  • Research organisations

Size thresholds

NIS2 applies to medium and large enterprises in the listed sectors: organisations with 50+ employees or annual turnover exceeding EUR 10 million. Some entities are caught regardless of size, including DNS providers, TLD registries, and entities identified as critical by member states.

Core NIS2 obligations

NIS2 imposes four categories of obligation:

1. Cybersecurity risk management measures (Article 21)

Entities must implement appropriate and proportionate technical, operational, and organisational measures. The directive specifies minimum requirements:

  • Risk analysis and information system security policies
  • Incident handling procedures
  • Business continuity and crisis management
  • Supply chain security, including assessment of each direct supplier
  • Security in network and information system acquisition, development, and maintenance
  • Policies and procedures for assessing cybersecurity risk management effectiveness
  • Basic cyber hygiene practices and cybersecurity training
  • Cryptography and encryption policies
  • Human resources security, access control, and asset management
  • Multi-factor authentication and secured communications

2. Incident reporting (Article 23)

A strict multi-stage reporting timeline:

  • Early warning: Within 24 hours of becoming aware of a significant incident
  • Incident notification: Within 72 hours, including initial assessment of severity
  • Final report: Within one month, including root cause analysis and cross-border impact

3. Governance and accountability (Article 20)

Management bodies must approve cybersecurity risk management measures and oversee their implementation. Directors can be held personally liable for non-compliance.

4. Registration and information sharing

Entities must register with their national competent authority and participate in information-sharing arrangements as required.

NIS2 penalties

Essential entities face fines up to EUR 10 million or 2% of global annual turnover. Important entities face fines up to EUR 7 million or 1.4% of global turnover. Member states can also impose non-monetary penalties including compliance orders and temporary management bans.

DORA: financial sector resilience

The Digital Operational Resilience Act (Regulation (EU) 2022/2554) applies specifically to the financial sector and has been directly applicable since 17 January 2025. Unlike NIS2, which is a directive requiring national transposition, DORA is a regulation — it applies uniformly across all EU member states.

Who DORA applies to

DORA covers virtually the entire EU financial sector:

  • Credit institutions (banks)
  • Payment institutions and e-money institutions
  • Investment firms and trading venues
  • Insurance and reinsurance undertakings
  • Central counterparties and central securities depositories
  • Crypto-asset service providers (authorised under MiCA)
  • Crowdfunding service providers
  • Credit rating agencies
  • Administrators of critical benchmarks
  • Critical ICT third-party service providers (designated by ESAs)

The inclusion of ICT service providers is significant. Cloud providers, data analytics firms, and software vendors serving financial institutions can be designated as “critical” and brought directly under DORA supervision.

Core DORA requirements

DORA imposes five pillars of obligation:

1. ICT risk management (Articles 5-16)

Financial entities must maintain a comprehensive ICT risk management framework including:

  • Identification and classification of all ICT assets, risks, and dependencies
  • Protection and prevention measures proportionate to risk
  • Detection mechanisms for anomalous activities
  • Response and recovery procedures with defined RTOs and RPOs
  • Learning and evolving processes incorporating lessons from incidents and testing

2. ICT-related incident reporting (Articles 17-23)

Financial entities must classify and report major ICT-related incidents to their competent authority using standardised templates. The reporting timeline broadly mirrors NIS2, with an additional early step:

  • Initial notification within 4 hours of classification (and within 24 hours of detection)
  • Intermediate report within 72 hours
  • Final report within one month

3. Digital operational resilience testing (Articles 24-27)

All in-scope entities must conduct regular testing of ICT tools and systems. Entities identified as significant must conduct Threat-Led Penetration Testing (TLPT) at least every three years, following the TIBER-EU framework.

4. ICT third-party risk management (Articles 28-44)

Financial entities must manage risks from ICT third-party service providers through:

  • Maintaining a register of all ICT third-party arrangements
  • Conducting pre-contractual risk assessments
  • Including mandatory contractual provisions (data access, audit rights, exit strategies)
  • Monitoring and oversight of outsourced ICT services

5. Information sharing (Article 45)

Financial entities may participate in voluntary cyber threat intelligence sharing arrangements within trusted communities.

DORA penalties

Penalties are determined by national competent authorities, but DORA provides for administrative penalties and remedial measures. For critical ICT third-party providers, the ESAs can impose periodic penalty payments of up to 1% of average daily worldwide turnover per day for up to six months.

NIS2 vs DORA: key differences

Financial sector entities need to understand how NIS2 and DORA interact. The key distinction:

DORA is lex specialis — it takes precedence over NIS2 for financial sector entities. Where DORA provides specific cybersecurity requirements for financial entities, those requirements apply instead of the corresponding NIS2 provisions.

However, the relationship isn’t simple exclusion:

Aspect              NIS2                                DORA
Legal form          Directive (national transposition)  Regulation (directly applicable)
Scope               18 sectors, broad economy           Financial sector + critical ICT providers
Incident reporting  24h / 72h / 1 month                 4h classification + 24h / 72h / 1 month
Testing             Required but not prescriptive       TLPT every 3 years for significant entities
Third-party risk    Supply chain security required      Detailed ICT third-party framework with oversight
Penalties           Up to EUR 10M or 2% turnover        National authority discretion + ESA penalties

Financial entities meet their cybersecurity obligations under DORA, but NIS2 may still apply to obligations DORA doesn’t cover, particularly supply chain security for non-ICT suppliers.

Practical compliance considerations

For financial institutions

If you’re a financial entity, DORA is your primary framework. Key priorities:

  • ICT risk management framework: Document your framework, ensure management body approval, and assign clear accountability
  • Third-party register: Build and maintain a complete register of ICT third-party service providers, including sub-outsourcing chains
  • Incident classification: Implement the incident classification criteria from the Regulatory Technical Standards and ensure your 4-hour notification capability
  • TLPT readiness: If you’re a significant entity, plan your Threat-Led Penetration Testing programme — the three-year cycle means you should already be scheduling your first test

For non-financial critical infrastructure

If you’re in another NIS2 sector, focus on:

  • Scope determination: Confirm whether you’re an essential or important entity under your national transposition
  • Article 21 measures: Implement the minimum cybersecurity measures, paying particular attention to supply chain security — this is a new and heavily emphasised requirement
  • Incident reporting capability: Build the operational capability for 24-hour early warnings — this requires detection, escalation, and reporting processes that work outside business hours

For ICT service providers

If you serve financial institutions, you may be caught by both frameworks:

  • DORA: As a potential critical ICT third-party provider, you may face direct ESA oversight and must accept contractual provisions including audit rights and exit assistance
  • NIS2: As a digital infrastructure or ICT service management provider, you may independently fall within NIS2 scope

The obligation landscape

NIS2 and DORA together represent a substantial expansion of EU cybersecurity obligations. NIS2 alone contains hundreds of specific requirements across its articles, recitals, and associated Implementing Regulations. DORA adds hundreds more through its articles, Regulatory Technical Standards, and Implementing Technical Standards.

The challenge isn’t understanding the high-level requirements — it’s tracking every specific obligation, mapping overlaps between the two frameworks, and ensuring nothing falls through the gaps where one framework defers to the other.


AuditDSS covers both NIS2 and DORA with obligation-level decomposition, cross-framework mapping, and gap analysis. Identify exactly where your cybersecurity programme meets requirements and where gaps exist — across both frameworks simultaneously. Start your assessment.
