Kortave

NIS2 and DORA: The EU's Cybersecurity and Resilience Regulations

A directive and a regulation, both already in force and both now being enforced. Here is what they require and who they apply to.

Part 1

NIS2 Directive

What is NIS2?

Directive (EU) 2022/2555, known as NIS2, is the revised Network and Information Security Directive. It replaces the original NIS Directive (2016) and substantially expands the scope of EU cybersecurity regulation, raising the number of covered sectors from seven to eighteen and significantly tightening the obligations placed on organisations.

NIS2 applies to medium and large organisations operating in sectors the directive designates as "essential" or "important". Member states were required to transpose NIS2 into national law by 17 October 2024. Several missed that deadline, so the exact obligations, supervisory authorities and start dates depend on the national implementing law of each member state in which an entity operates; where transposition is complete, enforcement is active.

History: from NIS1 to NIS2

The original NIS Directive (2016/1148) was adopted in 2016 as the EU's first legislation specifically targeting cybersecurity. It required member states to achieve a common minimum level of network and information security and introduced notification requirements for significant incidents.

A 2020 review found significant weaknesses: inconsistent implementation across member states, limited scope (covering only a narrow set of "operators of essential services"), insufficient incident notification requirements, and inadequate supervisory powers for national authorities.

NIS2 was adopted in late 2022, published in the Official Journal on 27 December 2022 and entered into force on 16 January 2023. Its expanded scope, stronger enforcement powers (including liability for management bodies), and higher fine levels reflect the EU's recognition that the cybersecurity threat landscape had fundamentally changed since 2016.

Who does NIS2 apply to?

NIS2 classifies entities into two categories:

  • Essential entities: Large organisations in the sectors of high criticality (Annex I): energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure (internet exchange points, DNS service providers, TLD name registries, cloud, datacentres, and others), ICT service management (business-to-business), public administration, and space. A few entity types are essential regardless of size, for example DNS service providers, TLD name registries and qualified trust service providers.
  • Important entities: All other in-scope organisations, i.e. medium-sized organisations in the Annex I sectors above, plus medium and large organisations in the other critical sectors (Annex II): postal and courier services, waste management, chemicals, food, manufacturing (medical devices, computer and electronic products, electrical equipment, machinery, motor vehicles and other transport equipment), digital providers (online marketplaces, search engines, social networking platforms), and research organisations.

Size thresholds generally apply: organisations that are small or micro enterprises under the EU definition (fewer than 50 employees and annual turnover or balance sheet total at or below €10 million) are out of scope unless they fall under one of the listed exceptions, for example providers of public electronic communications networks, DNS service providers, TLD name registries, qualified trust service providers, public administration entities, or an organisation that is the sole provider of a service essential to critical societal or economic activities in a member state.

NIS2 obligations

NIS2 mandates four categories of obligation:

  • Risk management: Implementing technical and organisational cybersecurity measures proportionate to risk, including policies on risk analysis, incident handling, business continuity, supply chain security, access control, and cryptography.
  • Corporate accountability: Management bodies must approve cybersecurity risk management measures, oversee their implementation, and can be held personally liable for non-compliance. Management must receive regular cybersecurity training.
  • Incident reporting: Significant incidents must be reported to the national CSIRT or competent authority in three stages: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours of becoming aware of it, and a final report within one month of the incident notification. The authority may also request intermediate status updates while the incident is ongoing.
  • Supply chain security: Entities must assess cybersecurity risks in their supply chain and require appropriate security measures from direct suppliers and service providers.

Fines for non-compliance can reach €10 million or 2% of total worldwide annual turnover (whichever is higher) for essential entities, and €7 million or 1.4% of total worldwide annual turnover (whichever is higher) for important entities.

Part 2

Digital Operational Resilience Act (DORA)

What is DORA?

Regulation (EU) 2022/2554, known as DORA, is a sector-specific operational resilience regulation for the EU financial services industry. It entered into application on 17 January 2025 and is already binding on all in-scope entities.

DORA creates a unified framework for ICT (information and communications technology) risk management in financial services, replacing a fragmented patchwork of national rules and sector-specific guidelines. It applies directly as a regulation — unlike NIS2, which required national transposition.

Why DORA was created

Financial institutions depend critically on digital infrastructure, yet the regulatory landscape for ICT risk in financial services was inconsistent across member states and across sectors within the same state. A bank, an insurance company, and an investment firm might face entirely different ICT risk management requirements despite similar exposures.

The guidelines on ICT and security risk management and on outsourcing issued by the three European Supervisory Authorities (EBA, EIOPA and ESMA) in the years before DORA provided soft-law guidance, but lacked enforcement teeth and differed between sectors. DORA consolidated and hardened these guidelines into a single binding regulation, reflecting the European Systemic Risk Board's view that ICT incidents in financial services can pose a systemic risk to financial stability.

Who DORA applies to

DORA applies to a broad range of financial entities including: credit institutions (banks), payment institutions, electronic money institutions, investment firms, insurance and reinsurance undertakings, asset management companies, crypto-asset service providers, central securities depositories, and central counterparties.

Critically, DORA also reaches ICT third-party service providers that serve financial entities, including cloud providers, software vendors, and managed service providers. For most providers this is indirect: the contractual provisions DORA requires of financial entities flow down to them. Providers designated as critical ICT third-party providers (CTPPs) by the European Supervisory Authorities are additionally subject to direct oversight by a Lead Overseer drawn from those authorities.

DORA's five pillars

  • ICT risk management: Financial entities must implement a comprehensive ICT risk management framework, approved and overseen by the management body, covering identification, protection and prevention, detection, response and recovery, and learning and evolving from ICT incidents.
  • ICT incident management and reporting: A classification and reporting framework for ICT-related incidents. Major ICT-related incidents must be reported to the competent authority within prescribed timelines: an initial notification within 4 hours of classifying the incident as major and no later than 24 hours after becoming aware of it, an intermediate report within 72 hours of the initial notification, and a final report within one month of the intermediate report. Significant cyber threats may be reported voluntarily.
  • Digital operational resilience testing: Financial entities must test their ICT systems and tools regularly (vulnerability assessments, scenario-based tests, penetration testing and similar). Financial entities identified by their competent authority on the basis of systemic importance and ICT risk profile must additionally conduct Threat-Led Penetration Testing (TLPT) at least every three years, following the TIBER-EU framework.
  • Third-party ICT risk: Financial entities must manage the risk of their ICT third-party providers, including ICT concentration risk, maintain a register of information on all contractual arrangements, and perform due diligence before contracting. Contracts with ICT third-party providers must include mandatory provisions covering service descriptions and levels, data location and protection, incident support, audit and access rights, sub-contracting, termination rights and exit strategies.
  • Information sharing: Financial entities may participate in arrangements to exchange cyber threat information and intelligence among themselves, and must notify their competent authority when they join or leave such an arrangement.

NIS2 vs DORA: how they interact

Financial entities subject to DORA are exempted from the equivalent NIS2 requirements on cybersecurity risk management and incident reporting: under the lex specialis principle, the more specific sector rules govern, and NIS2 itself names DORA as such a sector-specific act. The two frameworks still interact in practice. A financial entity's ICT suppliers may themselves be NIS2 entities, so DORA's third-party provisions (contractual requirements, due diligence, the register of information) and the supplier's own NIS2 obligations apply side by side to the same relationship.

Non-financial entities that provide ICT services to financial entities (e.g. cloud providers, SaaS vendors) may be subject both to NIS2 directly, as operators of digital infrastructure or ICT service management, and to DORA's third-party risk provisions indirectly, through the contract terms their financial entity customers are required to impose, or directly if they are designated as critical ICT third-party providers.

NIS2 and DORA compliance, handled

Gap analysis, policy templates, scope determination, and documentation — delivered as a managed service.

See plans →