The probability of an organisation being affected by a cyber incident grows annually. The damage caused is not only financial, but also impacts operational continuity and trust in digital services. With the introduction of European regulations DORA and NIS2, the pressure on organisations to take measures is only increasing.
Organisations operating within the EU face two important legal frameworks designed to enhance digital resilience: the Digital Operational Resilience Act (DORA) and the Network and Information Security 2 (NIS2) Directive. Both frameworks have similar objectives but differ in scope and specific requirements. For many organisations, however, it remains unclear which regulations apply to them and what exactly is expected of them.
During a recent SANS webcast, Jurgita Skritaite, Senior Cybersecurity Policy Expert at the European Union Agency for Network and Information Security (ENISA), shared practical insights on both regulations. Her message was clear: "If you haven't started implementing measures yet, you're already late."
The Fundamental Differences Between DORA and NIS2
DORA and NIS2 differ fundamentally in their legal character. NIS2 is a directive that each EU country must transpose into national legislation, whilst DORA is a regulation that directly applies to all EU member states. "DORA shares similar objectives with NIS2 but focuses specifically on the financial sector," Skritaite clarifies. "While NIS2 provides a broad horizontal framework, DORA builds upon it with tailored requirements to address unique risks and dependencies within the financial sector."
DORA takes precedence as sector-specific legislation for organisations falling under both regulations, such as certain financial institutions. If you are a bank or defined as a credit institution, or if you operate a financial market infrastructure such as a trading venue or central counterparty, then NIS2 does not apply, only DORA.
However, the story is more complex for ICT service providers. Some may fall under both frameworks and face conflicting communication obligations. This dual regime presents unique challenges, particularly regarding incident reporting and supervision.
Who Falls Under DORA and NIS2?
DORA specifically targets the financial sector and encompasses approximately 20 different types of financial entities, including banks, insurers, payment institutions, electronic money institutions, and crypto-asset service providers. Additionally, ICT service providers upon which the financial sector relies, such as data centres and cloud providers, fall under this regulation.
NIS2 has a broader scope covering various critical sectors, including energy, health, and transport. During the webcast, SANS Director Brian Correia emphasised that these regulations ultimately aim to protect citizens and crucial infrastructure.
Under NIS2, organisations are classified based on both sector and size:
- 'Essential entities': Large organisations (250+ employees or €50M+ turnover) in critical sectors
- 'Important entities': Medium-sized organisations (50+ employees or €10M+ turnover) in critical sectors, or medium/large organisations in supportive sectors like digital providers or food
Unlike DORA, which applies regardless of company size, NIS2 uses these size thresholds to determine applicability. However, Skritaite notes that "member states may also include smaller entities if they provide critical services."
An organisation is considered 'large' based on the following criteria:
- A minimum of 250 employees, or
- Annual turnover of €50 million or more and a balance sheet total of €43 million or more.
An organisation is considered 'medium-sized' based on:
- 50 or more employees, or
- Annual turnover and balance sheet total of €10 million or more.
Territorial Scope: When Are You Required to Comply?
A frequently asked question is whether organisations outside the EU must also comply with DORA and NIS2. The answer is yes, if they provide services to EU entities or operate within the EU.
"Both frameworks, DORA and NIS2, apply to the entire European Union and impact all member states," says Skritaite. For most organisations, jurisdiction is determined by the member state where the organisation is established and where it provides services. For ICT service providers, however, specific rules apply. "Under the NIS2 directive, telecom providers, for example, are regulated based on where services are delivered. It doesn't matter where you are established, but if you deliver services in another country, you fall under the jurisdiction of that country."
For cloud, data centre, and managed service providers, jurisdiction is determined by the member state where the main EU establishment is located. "The main EU establishment is defined as the place where key decisions regarding cybersecurity are made, where cybersecurity operations are carried out, or where the organisation employs the most people in the EU," Skritaite clarifies.
If a cloud or data centre service provider is not established in the EU but provides services within the EU, it must designate a representative within the EU in one of the member states where their services are offered.
The State of Cybersecurity in Europe: Not All Sectors Are Equally Resilient
ENISA has conducted extensive research into the cybersecurity maturity and criticality of various sectors covered by NIS2. The ultimate goal is to increase the level of cybersecurity across all sectors, including the financial services sector.
The research shows that the banking sector is one of the three most critical and mature sectors. This sector scores relatively high because it has long been under regulation. It is also one of the sectors that invests the most in cybersecurity, and it has a solid public-private partnership. Correia notes that this is not surprising: "In the financial sector, cybersecurity can determine whether you stay in business or not. If customers don't have confidence in the cybersecurity you provide, they have plenty of other options." This market pressure drives financial institutions towards higher maturity.
The Financial Market Infrastructure (FMI) sector scores slightly lower than the banking sector, particularly in the areas of collaboration, information sharing, and operational readiness. "Banks indicate that they feel sufficiently mature and have detection and response capabilities to manage advanced threats in most parts of their infrastructures. FMIs, on the other hand, report lower levels of these capabilities and are primarily able to detect simpler attacks," says Skritaite.
More worryingly, some sectors on which the financial sector depends, such as ICT service providers, fall within the 'risk zone'. This means that their criticality exceeds their maturity. "The financial sector depends on ICT service providers, including ICT service management. And the ICT service management sector falls within the risk zone due to its cross-border complexity, highlighting the need for targeted improvements."
Incident Reporting: A Complex Process with Strict Deadlines
One key aspect of both DORA and NIS2 is the obligation to report cybersecurity incidents. While both frameworks follow a similar three-step approach, organisations should be aware of important differences.
"First, there is the definition of reportable incidents," Skritaite explains. "Under DORA, the definition of a 'major ICT-related incident' focuses on the technical and operational impact on the critical or important functions within the financial sector. Under NIS2, the definition of a 'significant incident' is somewhat broader."
The reporting timelines also differ. Skritaite: "With DORA, the deadline for the interim report of 72 hours is calculated from the time the initial report is submitted. You have 24 hours to submit the initial report and then 72 hours for the interim report. With NIS2, the timeline starts from the moment the entity becomes aware of the incident, making the window for follow-up reporting shorter in practice."
The expert warns that this can be particularly challenging for ICT service providers covered by both regulations, as the reporting templates and required level of detail also differ between DORA and NIS2.
Practical Steps to Become Compliant
Given the complexity of the regulations and the strict deadlines, the question arises: what should organisations concretely do to become compliant? During the webcast, five essential steps were emphasised for preparing for a cyber incident:
- Develop an incident response plan that includes procedures, escalation paths, and key contacts.
- Identify the most critical assets and assess the risks associated with them to understand what requires the highest level of protection.
- Implement monitoring and detection systems to identify incidents as early as possible.
- Clearly assign roles and responsibilities, both internally and for external service providers.
- Conduct regular staff training and simulation exercises to build awareness and readiness.
"Having an incident response plan is important, but it's not enough. It must be tested in practice," Skritaite emphasises during the webcast. Correia adds that it should be clear beforehand who has which role during an incident, from the cybersecurity teams to the C-suite and the board of directors.
For organisations concerned about the costs of compliance, such as setting up a Security Operations Centre (SOC), Skritaite points to possible solutions: "It is not necessary for a public administration to have an individual SOC. Multiple public administrations can set up one SOC together and share resources."
Moreover, organisations can make use of existing international standards. Both NIS2 and DORA align with established international standards such as the ISO 27000 series, the NIST Cybersecurity Framework, or the CIS Critical Controls. This means that organisations already following these standards will find it easier to become compliant.
The Timeline for Compliance and the Threat of Fines
For many organisations, the question is not whether they need to comply with DORA and NIS2, but when. "If you haven't started yet, you're already late," warns Skritaite. "DORA and NIS2 are already applicable. The deadline for DORA compliance was 17 January 2025."
For NIS2, the situation is more complex, as not all member states have transposed the directive into national legislation. "If I'm not mistaken, nine member states already have, and some other member states are behind."
Regarding fines, the good news is that member states do not immediately plan to penalise entities that are not yet fully compliant. "In conversations with member states, I know they don't plan to penalise now. They will give time, and NIS2 is not about penalising entities. It's more about building trust and resilience and the willingness to do something to improve cybersecurity," says Skritaite.
The Human Factor: Addressing the Personnel Shortage
Cybersecurity is not just a technical issue but also a human one. One of the biggest challenges for organisations is finding and retaining qualified personnel.
ENISA has conducted an investment study and asked various sectors about their recruitment plans. On average, companies plan to hire two FTEs, and the banking sector plans four FTEs. However, they have difficulty recruiting people.
Interestingly, the number of ICT and cybersecurity personnel in relation to the total workforce in companies is slightly declining. There may be several reasons: it is difficult to recruit people, but automation also plays a role. Many companies are now implementing machine learning and AI for certain tasks that were previously performed by humans, especially within security operations.
SANS has also recently conducted a workforce study in which ENISA participated. Correia shared during the webcast that for the first time, the main problem was not seen as a shortage of personnel, but rather a lack of the right skills. Technical capabilities now top the list when hiring personnel, while work experience has dropped to fourth place.
What's even more interesting is that more than 50 per cent of European organisations indicated that regulations such as DORA and NIS2 influence their recruitment policy—a percentage that is expected to grow as these regulations become more established.
Risk Management as a Foundation
ENISA expert Skritaite's most important advice for organisations wanting to become compliant is a well-defined risk management framework supported by top management. This ensures that cybersecurity and compliance are aligned with the actual risks and priorities of the organisation and that responsibilities are clearly assigned and monitored.
The risk management framework forms the basis for meeting the requirements of both horizontal tools, such as NIS2, and sector-specific ones, such as DORA. With the right approach, organisations can not only comply with the regulations but also improve their overall cybersecurity posture and contribute to a safer digital ecosystem in Europe.
Ultimately, compliance with DORA and NIS2 is not just about ticking boxes, but about strengthening digital resilience – and thereby trust. Organisations that know their risks and anticipate them are not only better protected but also better positioned to provide certainty to their customers, partners, and shareholders in an increasingly complex digital landscape.
Additional Resources
For more information about DORA and NIS2 and how your organisation can become compliant, you can consult the following resources: