Two major EU cybersecurity regulations are reshaping operational requirements for tech companies: the Digital Operational Resilience Act (DORA) and the Network and Information Security Directive 2 (NIS2). With DORA’s January 17, 2025 deadline and NIS2’s October 17, 2024 implementation already passed, CTOs at growing tech companies face urgent compliance decisions.
These regulations introduce comprehensive ICT risk management frameworks, third-party oversight requirements, and significant penalties for non-compliance. Understanding which regulation applies to your company—and how they potentially overlap—is critical for maintaining operations while avoiding substantial fines. This article is part of our comprehensive guide to DORA and NIS2 compliance, providing detailed regulatory requirements for CTOs.
What is DORA regulation and what does it require?
DORA is the EU’s Digital Operational Resilience Act targeting financial sector entities. It mandates comprehensive ICT risk management through five key pillars: governance frameworks, third-party risk management, operational resilience testing, incident reporting, and information sharing protocols. Financial entities must implement systematic controls by January 17, 2025.
The regulation establishes five pillars that financial institutions must integrate into their operations. The first requires financial institutions to have a solid ICT risk management plan that serves as a roadmap for identifying, assessing, and managing risks. This requires active governance with dedicated control functions that continuously monitor and assess ICT risks.
Operational resilience testing goes beyond standard penetration testing. DORA requires threat-led penetration testing (TLPT) at least once every two years using approved frameworks on live production systems. This testing simulates real-world attack scenarios and validates that critical business functions can continue during cyber incidents.
The incident management pillar requires documented incident response programs covering detection, containment, resolution, and notification. Third-party risk management requires financial entities to maintain comprehensive oversight of their ICT service providers, and critical ICT third-party providers designated under Article 31 must themselves be fully compliant with DORA requirements.
DORA allows entities to exchange cyber threat information with other organisations in the financial sector to increase readiness and transparency, helping the entire financial sector become more resilient against emerging threats.
What is NIS2 directive and how does it differ from NIS1?
NIS2 expands cybersecurity requirements beyond the original NIS1 directive to cover essential and important entities across critical sectors. It introduces harmonised security measures, stricter penalties, and broader sectoral coverage including medium-sized companies. Member states have transposed NIS2 into national law, with an implementation deadline of October 17, 2024.
The original NIS directive had limited scope and lacked prescriptive guidance. NIS2 addresses these gaps with specific requirements rather than high-level principles. The expanded scope covers more sectors and applies to organisations inside and outside the EU providing critical services.
The directive introduces a two-tier classification system determining compliance obligations and penalty structures. Organisations are classified as Essential entities (250+ employees, €50M annual turnover, or €43M balance sheet) or Important entities (50+ employees, €10M annual turnover, or €10M balance sheet). This classification directly impacts supervision levels and potential penalties.
NIS2 places greater emphasis on supply chain security compared to its predecessor. While NIS1 focused primarily on immediate cybersecurity posture, NIS2 recognises that modern cyber threats often exploit vulnerabilities in interconnected supply chains and third-party relationships.
The practical requirements are more comprehensive under NIS2. Organisations must conduct risk assessments, maintain system security, build incident response plans, enforce multi-factor authentication, and implement reporting mechanisms. These requirements create a baseline cybersecurity framework that organisations must implement and maintain.
Which companies need to comply with DORA vs NIS2?
DORA applies to financial entities including banks, payment processors, and investment firms regardless of size. NIS2 covers essential and important entities across critical sectors including digital infrastructure providers, software companies above size thresholds, and managed service providers. Tech companies may fall under NIS2 if they provide critical digital services.
DORA’s scope is sector-specific but comprehensive within financial services. It applies to EU-based financial entities including credit institutions, trading venues, credit rating agencies, crypto asset service providers, banks, investment firms, insurance companies, payment service providers, and fintech companies.
DORA’s reach extends beyond direct financial entities to ICT services supporting critical or important functions, including cloud services, network security service providers, VoIP providers, managed security service providers, outsourced IT services, and data centres. If your tech company provides services to regulated financial entities, you may fall under DORA’s requirements.
NIS2 takes a broader sectoral approach with specific size thresholds. Companies with 50+ employees and €10M annual turnover may qualify as Important entities, while those with 250+ employees and €50M turnover may be classified as Essential entities.
For companies operating across multiple jurisdictions, the extraterritorial application is crucial. Both DORA and NIS2 may apply to organisations domiciled outside the EU if they provide services to entities within Member States. This means American, Asian, or other non-EU tech companies cannot ignore these regulations if they serve EU customers or provide services to regulated EU entities.
Fintech companies may fall under DORA for financial services activities while also being subject to NIS2 requirements if they provide broader ICT services. Financial entities and their ICT service providers should prioritise DORA, as it takes precedence over NIS2 under lex specialis.
What are the main differences between DORA and NIS2?
DORA focuses specifically on operational resilience in financial services with mandatory testing and third-party oversight. NIS2 provides broader cybersecurity requirements across multiple sectors with emphasis on supply chain security. DORA has unified EU enforcement through ESAs, while NIS2 implementation varies by member state.
The fundamental difference lies in their regulatory structure. NIS2 is a directive allowing Member States flexibility in implementation details, while DORA is a regulation universally applicable across the EU without implementation leeway. This means DORA requirements are consistent across all EU member states, while NIS2 requirements may vary by country.
Their sectoral focus creates different compliance landscapes. DORA focuses specifically on ICT-related cybersecurity risks for the financial sector, while NIS2 has a broader focus, aimed at strengthening overall cybersecurity posture beyond ICT risks.
The enforcement mechanisms reflect these structural differences. DORA enforcement is handled by European Supervisory Authorities (ESAs), creating unified oversight across the EU. NIS2 enforcement varies by member state, with national competent authorities responsible for implementation and oversight.
Testing requirements illustrate another key difference. DORA mandates specific threat-led penetration testing requirements that simulate real-world attack scenarios on live production systems. NIS2 requires resilience testing but doesn’t specify the same level of detail for methodologies.
Third-party risk management approaches also differ. NIS2 places stronger emphasis on supply chain security, while DORA ensures robust third-party risk management covering a broader range of external service providers. DORA requires registration of critical ICT third-party providers with the ESAs, creating centralised oversight that doesn’t exist under NIS2.
Despite their differences, both regulations share the overarching goal of increasing security transparency in their respective sectors, recognising that modern cyber threats require comprehensive approaches extending beyond individual organisations.
What are the penalties for non-compliance with DORA and NIS2?
DORA penalties reach €10 million or 1% of annual turnover for major violations. NIS2 distinguishes between essential entities (€10 million or 2% of global turnover) and important entities (€7 million or 1.4% of turnover). Both regulations include operational sanctions like suspension of services and increased supervision.
Under DORA, penalties include fines of up to 2% of total annual worldwide turnover or up to €1,000,000 for individuals. These individual penalties can apply to senior management found responsible for compliance failures. For ICT service providers under DORA, penalties stand at €5,000,000 or up to €500,000 for individuals.
NIS2 penalties follow a tiered approach based on entity classification. Essential entities face maximum fines of at least €10,000,000 or 2% of global annual revenue, whichever is higher. Important entities face maximum fines of at least €7,000,000 or 1.4% of global annual revenue, whichever is higher.
Both regulations include provisions for personal liability. Management can be held personally liable for cases of gross negligence and wilful misconduct, creating direct accountability for senior leadership.
Beyond monetary penalties, both include non-monetary sanctions that can severely impact business operations: cease and desist orders, operational restrictions, and criminal sanctions for C-level executives. These can include suspension of services, increased regulatory supervision, and mandatory remediation under regulatory oversight.
Essential entities face more stringent supervision than Important entities, with proactive versus reactive oversight approaches. Essential entities are subject to ex-ante supervision where regulators proactively monitor compliance, while Important entities face ex-post supervision where regulators respond to incidents or complaints.
What is third-party risk management under DORA and NIS2?
Both regulations require comprehensive third-party ICT risk management including due diligence, ongoing monitoring, and contractual risk allocation. DORA mandates registration of critical ICT third-party providers with ESAs. NIS2 emphasises supply chain security extending beyond direct vendors to entire technology supply chains.
Under DORA, third-party risk management follows a structured approach requiring robust frameworks that simplify detection and mitigation of third-party ICT risks. This requires active, ongoing management throughout relationship lifecycles.
Due diligence requirements are comprehensive. Organisations must perform due diligence before signing with third-party providers to ensure they meet security standards, including assessing cybersecurity capabilities, operational resilience, and ability to meet regulatory requirements.
DORA’s approach extends to ongoing oversight throughout the relationship, with mandated monitoring to regularly assess risks and stay ahead of vulnerabilities. This means organisations cannot simply conduct initial due diligence and then rely on periodic reviews; they need continuous monitoring capabilities.
Critical ICT third-party providers face special requirements under DORA, including registration with European Supervisory Authorities, creating direct regulatory oversight of major ICT providers serving the financial sector.
NIS2 takes a broader approach to supply chain security, placing stronger emphasis on entire supply chains rather than just direct vendors. This means NIS2-regulated entities must consider not just immediate vendors, but the entire supply chain supporting their operations.
Both regulations require contractual risk allocation ensuring risks are appropriately assigned and managed through formal agreements rather than informal arrangements. For financial sector organisations, third-party management is particularly important given dependence on external services including cloud providers, payment processors, and other technology services integral to operations.
How do member states implement NIS2 differently?
NIS2 allows member states flexibility in transposition, creating variations in national implementation approaches, supervisory authorities, and enforcement mechanisms. This affects compliance requirements for companies operating across multiple EU markets, requiring jurisdiction-specific understanding of national cybersecurity strategies and regulatory interpretations.
The directive structure inherently creates implementation variation. NIS2 leaves room for Member States to specify implementation details, with controls and obligations varying as long as jurisdictions develop enforceable frameworks aligned with broad requirements.
Each member state has established its own supervisory authority structure for enforcement. Some countries have designated single national authorities, while others have distributed responsibilities across multiple agencies depending on sector expertise. These different organisational approaches affect decision-making speed and requirement interpretation consistency.
Enforcement approaches vary significantly across jurisdictions. Some member states have taken more aggressive enforcement stances, while others have focused on guidance and gradual implementation, creating different compliance environments for companies operating across multiple EU markets.
Cross-border compliance becomes complex when companies operate in multiple member states. Companies need to understand not just base NIS2 requirements, but how each relevant jurisdiction has implemented and interpreted those requirements.
When do DORA and NIS2 compliance deadlines take effect?
NIS2’s October 17, 2024 implementation deadline has passed, with member states having transposed requirements into national law. DORA’s January 17, 2025 deadline has also passed, so financial entities must already have all systems operational. Late compliance exposes companies to immediate penalty risk and operational sanctions.
The NIS2 timeline is now in active enforcement phase. NIS2 came into effect in October 2024, meaning regulated entities should already have compliance programs operational and any gaps expose them to immediate penalty risk.
DORA’s implementation timeline requires urgent attention for affected organisations. DORA was enacted on January 16, 2023, with 24 months for implementation, making compliance mandatory as of January 17, 2025. European Supervisory Authorities have already started their DORA activities as of the deadline. For detailed implementation timelines and cost planning, see our DORA and NIS2 implementation planning guide.
For organisations behind on compliance, risk exposure is immediate: neither regulation builds in an explicit grace period, so late compliance carries penalty risk and operational sanctions from the deadline onward.
Priority should be given to critical compliance elements. For DORA-regulated entities, this includes establishing ICT risk management frameworks, implementing incident response procedures, and ensuring third-party risk management processes are operational. For NIS2-regulated entities, focus should be on risk assessments, incident response capabilities, and supply chain security measures.
Documentation requirements are immediate and ongoing. Both regulations require organisations to maintain comprehensive documentation of compliance efforts, risk assessments, and incident response activities essential for demonstrating compliance and supporting ongoing risk management.
For a complete overview of compliance strategies including platform selection and implementation planning, see our CTO’s guide to EU compliance.
FAQ Section
How much will DORA and NIS2 compliance cost my mid-sized tech company?
Implementation costs vary significantly by company size and existing security maturity, typically ranging from €50,000 to €500,000 annually for mid-sized companies, covering staff training, technology upgrades, third-party assessments, and ongoing monitoring systems.
Can American tech companies ignore DORA and NIS2 requirements?
No, non-EU companies serving EU customers or providing services to regulated EU entities must comply with applicable requirements. This includes cloud providers, software vendors, and managed service providers with EU business operations.
What happens if my company doesn’t comply with NIS2 by the deadline?
Non-compliance exposes companies to penalties up to €10 million or 2% of global turnover for essential entities, plus operational sanctions including service suspension and mandatory remediation under regulatory supervision.
Is my 200-employee software company affected by European cybersecurity regulations?
Possibly, if your company provides digital infrastructure services, operates in critical sectors, or serves regulated EU entities. Companies with 50+ employees and €10M annual turnover may qualify as Important entities under NIS2.
What’s the difference between essential and important entities under NIS2?
Essential entities face higher maximum penalties (€10 million or 2% of turnover) and ex-ante supervision, while important entities have lower penalties (€7 million or 1.4%) and ex-post supervision, but both must meet core cybersecurity requirements.
Do I need separate compliance programs for DORA and NIS2?
Companies subject to both regulations can integrate many requirements through unified ICT risk management frameworks, but must address regulation-specific elements like DORA’s operational resilience testing and NIS2’s supply chain security separately.
How often must companies report incidents under DORA vs NIS2?
DORA requires initial incident notification within 2 hours for major incidents, with detailed reports within 72 hours. NIS2 mandates initial reporting within 24 hours and detailed reports within 72 hours, with different reporting authorities and criteria.
Conclusion
DORA and NIS2 represent a fundamental shift in how the EU approaches cybersecurity regulation, moving from high-level principles to specific, measurable requirements with substantial penalties for non-compliance. For CTOs at mid-sized tech companies, understanding which regulation applies to your organisation and implementing appropriate compliance measures is no longer optional—it’s a business necessity.
The key to successful compliance lies in taking a systematic approach that begins with accurate scope determination, followed by gap analysis against current capabilities, and implementation of comprehensive ICT risk management frameworks. Whether your company falls under DORA, NIS2, or both, the core requirements centre around establishing robust governance, implementing effective third-party risk management, developing incident response capabilities, and maintaining continuous monitoring and improvement processes.
Given the immediate penalty exposure for late compliance and the complexity of these regulations, organisations should prioritise getting their fundamental compliance frameworks operational as quickly as possible while building toward full regulatory alignment over time.