Kortave
NIS2 · 8 January 2025 · 13 min read

NIS2 and DORA: The EU's Cybersecurity and Resilience Regulations Explained

NIS2 is in its enforcement phase and management liability is real. DORA has applied since 17 January 2025. A comprehensive guide to both regulations: scope, obligations, and what to do.

Two major EU regulations addressing cybersecurity and operational resilience entered their enforcement phases in late 2024 and early 2025. NIS2's transposition deadline for member states was 17 October 2024 (several states missed it, so national implementing laws arrived on differing dates); DORA became fully applicable on 17 January 2025 and, as a regulation, needed no transposition. Both are now in enforcement. This guide covers what each regulation requires, who it applies to, and how they interact.

Part 1: NIS2

What NIS2 is and why it replaced NIS1

Directive (EU) 2022/2555 — NIS2 — is the revised Network and Information Security Directive. The original NIS Directive (2016) was the EU's first cybersecurity legislation, but a 2020 review found it had underdelivered: implementation was fragmented across member states, scope was too narrow, incident reporting requirements were inconsistent, and national supervisory authorities lacked adequate enforcement powers.

NIS2 substantially expanded all of these dimensions. The number of covered sectors nearly tripled. Incident reporting timelines were tightened to three stages. Management liability was introduced explicitly. Maximum fines were increased. And national authorities were given enhanced supervisory powers including the ability to issue temporary bans on management functions.

Who NIS2 applies to

NIS2 covers two categories of entity, defined by sector and size:

Essential entities are large organisations (generally: 250+ employees, or both €50m+ turnover and €43m+ balance sheet) in the Annex I "high criticality" sectors: energy (electricity, oil, gas, hydrogen, district heating and cooling), transport (air, rail, water, road), banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure (IXPs, DNS, TLD registries, cloud, data centres, content delivery networks, trust service providers, electronic communications), ICT service management (managed service providers, managed security service providers), public administration (central government, and certain regional/local government), and space. A few entity types are essential regardless of size, for example qualified trust service providers, TLD name registries and DNS service providers, and medium-sized providers of public electronic communications networks.

Important entities are medium organisations (generally: 50+ employees, or both €10m+ turnover and €10m+ balance sheet) in the Annex I sectors above, plus medium and large organisations in the Annex II sectors: postal and courier services, waste management, manufacture, production and distribution of chemicals, food production, processing and distribution, manufacturing of medical devices, computers and electronics, electrical equipment, machinery, motor vehicles and other transport equipment, digital providers (online marketplaces, online search engines, social networking platforms), and research organisations.

Member states can extend scope to smaller organisations in critical sectors. Germany, Belgium, and the Netherlands have indicated they intend to do so.

The four obligation categories

Risk management measures (Art. 21): Entities must implement technical, operational and organisational measures proportionate to their risk exposure. These must at least address: policies on risk analysis and information system security; incident handling; business continuity (such as backup management and disaster recovery) and crisis management; supply chain security; security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure; policies and procedures for assessing the effectiveness of security measures; basic cyber hygiene practices and cybersecurity training; policies and procedures on the use of cryptography and, where appropriate, encryption; human resources security, access control policies and asset management; and, where appropriate, multi-factor or continuous authentication, secured voice, video and text communications, and secured emergency communication systems.

Corporate accountability (Art. 20): Management bodies must approve the cybersecurity risk management measures, oversee their implementation, and can be held liable for infringements. Management body members must follow training on cybersecurity risks and are expected to offer similar training to staff on a regular basis. For essential entities, competent authorities may also request that the CEO or legal representatives be temporarily prohibited from exercising managerial functions (Art. 32(5)).

Incident reporting (Art. 23): Significant incidents must be reported to the CSIRT or competent authority in three stages: an early warning within 24 hours of becoming aware (stating whether the incident is suspected to be malicious and whether it could have cross-border impact); an incident notification within 72 hours of becoming aware (updating the early warning with an initial assessment of severity and impact and, where available, indicators of compromise); and a final report within one month of the incident notification (full description, root cause, mitigation measures applied and under way, cross-border impact). If the incident is still ongoing at that point, a progress report is filed instead and the final report follows within a month of handling. An incident is "significant" if it has caused or is capable of causing severe operational disruption or financial loss for the entity itself, or has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage.

Supply chain security (Art. 21(2)(d) and 21(3)): Entities must address the security of their supply chain, taking into account the vulnerabilities specific to each direct supplier and service provider and the overall quality of their products and cybersecurity practices, including secure development procedures. In practice this means assessing direct ICT suppliers and writing security requirements into supplier contracts, which pushes NIS2 obligations downstream into the supply chain.

Fines

Essential entities: up to €10 million or 2% of total worldwide annual turnover, whichever is higher. Important entities: up to €7 million or 1.4% of total worldwide annual turnover, whichever is higher. In addition, competent authorities may issue binding instructions, order the entity to remedy deficiencies or to implement specific security measures, and (for essential entities) temporarily suspend certifications or authorisations.
Part 2: DORA

What DORA is

Regulation (EU) 2022/2554 — DORA, the Digital Operational Resilience Act — is a sector-specific operational resilience framework for EU financial services. It became fully applicable on 17 January 2025. Unlike NIS2, DORA is a regulation, not a directive: it applies directly across all member states without national transposition, creating a single harmonised framework.

DORA was created to address the fragmented ICT risk management landscape in financial services, where banks, insurers, and investment firms faced different national rules and inconsistent guidance from the European Supervisory Authorities. It consolidates and hardens several years of ESA guidelines on ICT risk management into binding law.

Who DORA applies to

DORA applies to a broad range of financial entities (Art. 2): credit institutions, payment institutions, account information service providers, electronic money institutions, investment firms, crypto-asset service providers and issuers of asset-referenced tokens, central securities depositories, central counterparties, trading venues, trade repositories, managers of alternative investment funds, management companies, data reporting service providers, insurance and reinsurance undertakings, insurance and reinsurance intermediaries, occupational pension funds, credit rating agencies, administrators of critical benchmarks, crowdfunding service providers, and securitisation repositories. It also applies directly to ICT third-party service providers designated as "critical" by the European Supervisory Authorities, and indirectly, through contract, to every ICT provider serving a financial entity.

DORA's five pillars

ICT risk management (Art. 5–16): Financial entities must implement a comprehensive ICT risk management framework approved and overseen by the management body. It must cover identification and classification of ICT assets, threat and vulnerability analysis, protection measures (access controls, encryption, patch management), detection systems, response and recovery plans, and communication and learning processes. The framework must be documented and reviewed at least once a year (and after major incidents) and is subject to regular internal audit. Smaller entities listed in Art. 16 may apply a simplified framework.

ICT incident management and reporting (Art. 17–23): Financial entities must record and classify ICT-related incidents according to a standardised methodology and report major ICT-related incidents to their competent authority in three stages. The timings are set by the implementing technical standards: an initial notification within 4 hours of classifying the incident as major and no later than 24 hours after becoming aware of it; an intermediate report within 72 hours of the initial notification; and a final report within one month of the intermediate report. Significant cyber threats (ones that could have resulted in a major incident) may be notified voluntarily.

Digital operational resilience testing (Art. 24–27): All in-scope entities other than microenterprises must run a testing programme that includes vulnerability assessments and scans, source-code and network security reviews, and scenario-based tests, with findings tracked to remediation. Entities identified by their competent authority using the Art. 26(8) criteria (broadly, the largest and most systemically important) must additionally conduct Threat-Led Penetration Testing (TLPT) at least every three years, coordinated with the authorities, run against live production systems, and performed by testers meeting the Art. 27 requirements (external testers, or internal testers under conditions).

Third-party ICT risk management (Art. 28–30, with the oversight framework for critical ICT third-party providers in Art. 31–44): Financial entities must maintain a register of information on all ICT third-party arrangements, identify which support critical or important functions, and ensure every ICT contract contains the mandatory provisions of Article 30, with an extended set where the service supports a critical or important function. ICT concentration risk must be assessed before contracting and at entity and group level. Exit strategies must be documented and tested for providers supporting critical or important functions.

Information sharing (Art. 45): Financial entities may participate in voluntary cyber threat information-sharing arrangements, subject to supervisory oversight and appropriate confidentiality protections.

The contractual requirements problem

The most operationally challenging aspect of DORA for most financial entities is Article 30: the mandatory contractual content for ICT third-party arrangements. Every contract with an ICT third-party provider must contain provisions covering at least: a clear description of the functions and services and whether subcontracting is permitted; data processing and storage locations; availability, authenticity, integrity and confidentiality of data; access to and return of data on insolvency or termination; service level descriptions; assistance during ICT incidents; cooperation with competent authorities; and termination rights. Where the service supports a critical or important function, Art. 30(3) adds quantitative service levels, notice and reporting obligations, business contingency plans, participation in the entity's TLPT, unrestricted audit and access rights, and exit provisions including a transition period and data portability.

Most pre-DORA contracts lack several of these provisions. Renegotiating large cloud or core banking contracts takes months and requires vendor cooperation. Financial entities that have not yet audited their ICT contract register against Article 30 requirements are already non-compliant.

How NIS2 and DORA interact

Financial entities subject to DORA are generally exempt from NIS2's equivalent ICT risk management requirements — the lex specialis principle means the more specific regulation governs for overlapping obligations. However, the regulations interact in several ways:

  • ICT service providers (cloud, SaaS, managed services) may be subject to NIS2 in their own right as digital infrastructure or ICT service management entities, while also facing DORA's third-party risk requirements through their financial entity customers' contracts.
  • DORA's supply chain provisions push financial entities to verify that their NIS2-regulated suppliers are actually meeting NIS2 obligations, not merely asserting them.
  • One event can trigger two reporting clocks: a financial entity reports a major ICT incident under DORA, while the NIS2-covered provider whose outage or compromise caused it reports the same event under NIS2 to its own authority, on different deadlines and with different content.

NIS2 and DORA represent a significant step-change in EU cybersecurity regulation. Unlike earlier frameworks, both carry real enforcement consequences — including personal liability for management — and are backed by supervisory authorities with meaningful investigative capacity. Treating them as checkbox exercises rather than operational programmes is the category error most likely to result in enforcement.

