Last Updated on February 16, 2026 by Narendra Sahoo
By January 2025, over 160,000 EU organizations became subject to new cybersecurity regulations—NIS2, DORA, or both. If you operate in the EU or serve EU clients, you’re likely affected.
This guide clarifies which regulations apply to you and what you must do to comply.
| Quick Facts | |
|---|---|
| NIS2: | Broad cybersecurity directive covering 18 critical sectors |
| DORA: | Financial sector operational resilience regulation |
| Timeline: | DORA active since January 17, 2025; NIS2 by October 2026 |
| Penalties: | Up to €10M or 2% of global revenue |
| Overlap: | Financial entities often need both |
At-a-Glance Comparison
| Aspect | NIS2 | DORA |
|---|---|---|
| Applies To | 18 sectors, 160,000+ entities | Financial sector, 22,000+ entities |
| Main Goal | Prevent cyber incidents | Ensure business continuity |
| Focus | Cybersecurity | Operational resilience |
| Testing | Risk-based assessments | Mandatory TLPT every 3 years |
| Penalties | Up to €10M or 2% revenue | Fines + operational restrictions |
| Active Since | October 2024 (varies by country) | January 17, 2025 |
Is Your Organization Affected?
Question 1: Where Do You Operate?
✓ In the EU
✓ Serve EU customers
✓ Part of EU supply chains
Question 2: What Sector Are You In?
• Financial services → DORA applies
• Critical infrastructure (energy, healthcare, transport) → NIS2 applies
• ICT services (cloud, hosting, software) → Likely both
• Manufacturing, logistics, postal → NIS2 applies
Question 3: What’s Your Company Size?
• 50+ employees OR €10M+ revenue → In scope
• Small but critical services → May be in scope
• Enterprise financial/infrastructure → Definitely both
Result: If you answered yes to Q1 and any part of Q2-Q3, keep reading.
What is NIS2?
NIS2 (Network and Information Systems Directive 2) is the EU’s updated cybersecurity law covering critical sectors. Member states transposed it by October 2024, with organizations required to comply by October 2026.
Who Must Comply: 160,000+ Entities
Essential Entities (Higher Tier):
• Energy, transport, banking, healthcare
• Water, digital infrastructure, space
• Public administration, critical manufacturing
Important Entities (Standard Tier):
• Postal services, waste management
• Food production, manufacturing
• Digital service providers
Size Threshold: 50+ employees OR €10M+ annual revenue
Key NIS2 Requirements
Governance:
• Board-level cybersecurity oversight
• Designated responsible person
• Regular management reporting
Risk Management:
• Risk-based cybersecurity measures
• Security controls proportional to risk
• Business continuity plans
Supply Chain Security:
• Vendor security assessments
• Contracts with security requirements
• Third-party risk monitoring
Incident Response:
• Early warning within 24 hours
• Report significant incidents to the national CSIRT
• Final report within one month
Reporting:
• Notify national authorities
• Public disclosure if needed
• Cooperation with regulators
What is DORA?
DORA (Digital Operational Resilience Act) is EU regulation focusing on financial sector operational resilience. Active since January 17, 2025, it harmonizes cybersecurity and ICT risk management across all EU financial entities.
Who Must Comply: 22,000+ Financial Entities
• Banks and credit institutions
• Investment firms and trading platforms
• Insurance and reinsurance companies
• Payment institutions and e-money providers
• Crypto-asset service providers
• Critical ICT third-party providers
DORA’s Five Pillars
Pillar 1: ICT Risk Management
• Comprehensive ICT risk framework
• Governance, policies, procedures
• Continuous monitoring and improvement
Pillar 2: Incident Management
• Classification and reporting systems
• Report major incidents to regulators within 4 hours
• Root cause analysis and lessons learned
Pillar 3: Testing
• Annual security testing
• Threat-led penetration testing (TLPT) every 3 years for large entities
• Scenario-based testing
Pillar 4: Third-Party Risk
• Due diligence on ICT providers
• Contractual requirements
• Exit strategies and continuity plans
Pillar 5: Information Sharing
• Share threat intelligence
• Participate in industry forums
• Cyber threat information exchange
Key Differences: NIS2 vs DORA
| Aspect | NIS2 | DORA |
|---|---|---|
| Scope | 18 sectors, 160,000+ entities | Financial sector only |
| Legal Nature | Directive (member states implement) | Regulation (directly applicable) |
| Governance | Board oversight required | Extensive governance framework |
| Testing | Risk-based assessments | Mandatory TLPT every 3 years |
| Third Parties | Vendor assessments | Stringent contracts + oversight |
| Reporting | National CSIRT | Financial supervisors |
Overlap: When You Need Both
Approximately 40% of DORA entities also fall under NIS2:
• Large banks (essential entities under NIS2)
• Payment processors
• Financial market infrastructures
• Insurance giants
• Critical ICT providers serving both sectors
Which Takes Priority?
DORA is “lex specialis” (the more specific law) for financial entities:
• DORA supersedes NIS2 on ICT risk management, testing, third-party risk, and incident reporting
• NIS2 still applies for broader cybersecurity coordination and CSIRT reporting
Practical result: build your ICT risk program to DORA standards and add NIS2 CSIRT reporting on top.
5-Phase Implementation Roadmap
Phase 1: Assessment (Weeks 1-4)
• Confirm your scope
• Appoint compliance owner
• Inventory critical systems
• Gap analysis vs requirements
Phase 2: Governance (Weeks 5-8)
• Establish board oversight
• Create incident response procedures
• Document current controls
• Review vendor contracts
Phase 3: Technical Controls (Weeks 9-16)
• Implement security measures
• Deploy monitoring tools
• Establish backup/recovery
• Configure logging and alerts
Phase 4: Testing & Validation (Weeks 17-20)
• Conduct risk assessments
• Run tabletop exercises
• Perform vendor reviews
• Test incident procedures
Phase 5: Continuous Compliance (Ongoing)
• Monitor security controls
• Review incidents
• Update risk register
• Quarterly board reporting
• Annual full risk assessment
Common Mistakes to Avoid
Mistake 1: Treating It as One-Time Project
❌ Wrong: “Let’s get compliant and we’re done”
✅ Right: Continuous compliance with ongoing monitoring
Mistake 2: Separate NIS2 and DORA Programs
❌ Wrong: Two teams, duplicate effort
✅ Right: Unified framework saves 50% cost
Mistake 3: Ignoring Supply Chain
❌ Wrong: “Vendors handle their own security”
✅ Right: You’re responsible for third-party risks
Mistake 4: Weak Governance
❌ Wrong: Delegating to IT only
✅ Right: Board-level ownership mandatory
Mistake 5: No Testing
❌ Wrong: Plan exists but never tested
✅ Right: Regular drills and simulations
Mistake 6: Missing Deadlines
❌ Wrong: “We’ll figure out reporting when incident happens”
✅ Right: Pre-built templates, tested workflows
Mistake 7: Poor Documentation
❌ Wrong: “We do security but don’t document well”
✅ Right: If not documented, it doesn’t exist for auditors
Penalties & Enforcement
NIS2 Penalties
Financial:
• Essential entities: €10M or 2% of revenue (whichever is higher)
• Important entities: €7M or 1.4% of revenue (whichever is higher)
Other Consequences:
• Public warnings
• Business suspension orders
• Personal liability for executives
Enforcement Trends:
• Focus on governance failures
• Late incident reporting
• Poor supply chain oversight
• Average penalties: €500K-€5M
DORA Sanctions
Financial:
• Not fixed—set by supervisors based on severity and systemic risk
Operational Restrictions:
• Temporary ban on activities
• Withdrawal of authorization
• Restrictions on new products
• Public statements of non-compliance
What Triggers Penalties:
• Failure to conduct TLPT
• Inadequate third-party oversight
• Missing incident reports
• Insufficient business continuity
Quick Wins: Start Now
Week 1:
1. Confirm your scope
2. Appoint compliance owner
3. Inventory critical systems
4. List all ICT providers
Weeks 2-4:
5. Create basic incident response procedure
6. Establish reporting workflows
7. Document current controls
8. Review vendor contracts
Month 2:
9. Lightweight risk assessment
10. Formalize governance structure
11. Start security training
12. Implement basic monitoring
Month 3:
13. Detailed gap analysis
14. Engage consultants (if needed)
15. Create compliance roadmap
16. Secure budget approval
Conclusion
NIS2 and DORA represent the EU’s most significant cybersecurity shift in decades. Over 180,000 organizations now face strict requirements, mandatory reporting, and severe penalties for non-compliance.
Key Takeaways:
✓ Both regulations are active—compliance isn’t optional
✓ Financial entities often need both (DORA takes priority)
✓ Penalties reach €10M or 2% revenue
✓ Full compliance takes 6-12 months
The question isn’t whether to comply, but how quickly and effectively you can build a program that satisfies regulators while improving your actual cyber resilience.
Organizations that succeed:
• Start early
• Invest appropriately
• Build unified frameworks
• Test relentlessly
• Document everything
• Improve continuously
Need Expert Help?
VistaInfosec specializes in EU cybersecurity compliance for critical infrastructure, financial entities, and ICT providers.
Our Services:
✓ NIS2 & DORA Gap Assessments
✓ Unified Governance Framework Design
✓ Third-Party Risk Management Programs
✓ Incident Response Playbook Development
✓ TLPT Preparation and Testing
✓ Independent Compliance Audits
✓ Ongoing Compliance Support
Why VistaInfosec:
• CREST certified, vendor-neutral
• Deep EU regulatory expertise
• Proven track record with financial and infrastructure clients
• Unified compliance approach (no duplication)
• Support from scoping to ongoing monitoring
Get Started:
Schedule Consultation: https://vistainfosec.com/contact-us/
Email: info@vistainfosec.com
Narendra Sahoo (PCI QPA, PCI QSA, PCI SSF ASSESSOR, CISSP, CISA, CRISC, 27001 LA) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm, based in the US, Singapore & India. Mr. Sahoo holds more than 25 years of experience in the IT Industry, with expertise in Information Risk Consulting, Assessment, & Compliance services. VISTA InfoSec specializes in Information Security audit, consulting and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2 Compliance & Audit, PDPA, PDPB to name a few. The company has for years (since 2004) worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.