DORA vs NIS2: How EU Cyber Resilience Regulations Differ and Overlap

Figure 1. DORA vs NIS2 at a glance — scope, timing, and core obligations across both EU cyber resilience regimes.

On 18 March 2026, BaFin — Germany’s financial supervisor — closed its submission window for the DORA Register of Information. Within 48 hours, a mid-sized Frankfurt asset manager received its first formal DORA supervisory letter: three contract clauses missing the mandatory ICT third-party termination rights, and two outsourcing arrangements wrongly classified as non-critical.

A week later, the same firm received a separate request from the German Federal Office for Information Security (BSI) under the newly transposed NIS2UmsuCG — asking whether it had reported a February cloud outage as a “significant incident.” Two supervisors. Two laws. One event. The firm’s compliance lead had six business days to answer both.

Key Takeaways — DORA vs NIS2
DORA vs NIS2 is not an either/or choice. DORA is a direct-effect regulation covering 20 categories of EU financial entities; NIS2 is a directive covering 18 critical sectors — many organizations touch both, but DORA prevails for financial-sector ICT risk under the lex specialis principle (DORA Article 1(2)).
DORA and NIS2 diverge sharply on incident reporting: DORA requires a 4-hour initial notification for major ICT incidents, while NIS2 allows 24 hours for an early warning. A financial entity that meets DORA timelines automatically satisfies NIS2.
Fines differ in structure, not severity. NIS2 sets harmonized caps — up to €10M or 2% of global turnover for essential entities, €7M or 1.4% for important entities. DORA defers to national regimes but allows periodic penalties up to 1% of average daily worldwide turnover per day of non-compliance for up to six months.
DORA and NIS2 share a common backbone: ICT risk management, incident response, supply-chain oversight, and board-level accountability. An ISO 27001 or NIST CSF 2.0 control baseline covers roughly 70–80% of both frameworks.
By Q1 2026, only 14 of 27 EU member states have fully transposed NIS2; the European Commission issued reasoned opinions to 19 states in May 2025. DORA, by contrast, applies uniformly since 17 January 2025 — no transposition gap.
Critical ICT Third-Party Providers (CTPPs) under DORA face direct oversight from the European Supervisory Authorities (ESAs). NIS2 regulates supply-chain risk indirectly through entity obligations. For dual-scope firms, build one unified ICT third-party register and map controls once.
Board members of essential NIS2 entities can be personally liable and temporarily banned from management roles. DORA places equivalent accountability on the management body of financial entities. Governance, not just tooling, is the 2026 enforcement flashpoint.

That scenario is the new reality of DORA vs NIS2 compliance in 2026. The Digital Operational Resilience Act (DORA) has applied directly across all 27 EU Member States since 17 January 2025, while the NIS2 Directive is still being transposed into national law in several jurisdictions.

For any EU-facing organization — and for US firms with EU subsidiaries or critical vendor relationships — understanding how DORA vs NIS2 differ and where they overlap has moved from a legal-team problem to a board-level enterprise risk management priority.

This guide unpacks the DORA vs NIS2 comparison across seven practical dimensions: legal nature, scope, ICT risk management, incident reporting, third-party oversight, governance, and enforcement.

It draws on official texts, ENISA guidance, the European Supervisory Authorities’ joint technical standards, and the ISACA 2025 white paper on resilience in critical sectors.

The goal is a working compliance map a compliance risk assessment lead can hand to a program team on Monday morning.


The first DORA vs NIS2 distinction is the most often overlooked. DORA is a regulation under Article 288 of the Treaty on the Functioning of the EU — it is binding in its entirety and directly applicable in every Member State without national transposition.

NIS2 is a directive. Directives set an outcome Member States must achieve, but each government chooses the statutory vehicle. That is why a Spanish bank and a French bank read the identical DORA text, but a Spanish hospital and a French hospital read two different national NIS2 laws.

DORA vs NIS2: Why the Regulation-Directive Split Matters

For compliance leaders, the practical consequence is uniformity. DORA’s Level 1 text and its dozen Level 2 Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) — drafted by the European Supervisory Authorities — apply identically in Dublin, Milan, and Warsaw.

NIS2 obligations shift between jurisdictions. Germany’s NIS2UmsuCG (enacted early 2026), Belgium’s 2024 transposition, and Italy’s Legislative Decree 138/2024 each implement the directive with local deviations on registration, sectoral scope, and penalty ranges.

The European Commission’s transposition tracker — and the Commission’s May 2025 reasoned opinions to 19 Member States for non-notification — tell the story of NIS2 fragmentation.

DORA vs NIS2 therefore creates a direct tension: financial entities need ONE playbook, while multi-sector conglomerates need 27.

DORA vs NIS2: The Lex Specialis Principle for Financial Entities

Article 1(2) of DORA provides that DORA is sector-specific in relation to financial entities covered by NIS2, mirrored by recital 28 of NIS2. Translation: where DORA regulates an ICT risk area, DORA prevails — NIS2 does not double-apply.

This is the lex specialis derogat legi generali principle. A bank follows DORA for ICT risk management, incident reporting, third-party risk, and operational resilience testing; NIS2 provisions outside DORA’s remit (for example, certain cross-sectoral cooperation duties) may still reach it.

DORA vs NIS2 Applicability | DORA | NIS2
Legal instrument | Regulation (Reg. 2022/2554) — direct effect | Directive (Dir. 2022/2555) — national transposition
Effective date | Applied from 17 January 2025 | Transposition deadline 17 October 2024; enforcement ramping through 2026
Geographic uniformity | Identical across EU-27 | Varies — 27 national laws
Supervisory model | National Competent Authorities + European Supervisory Authorities (EBA, EIOPA, ESMA) | National authorities (ANSSI, BSI, ACN, NCSC-NL, etc.) plus ENISA coordination
Relationship | Lex specialis for financial entities | Lex generalis for critical/important entities
Register of Information | Mandatory ICT contractual register, annual submission | No centralized ICT contractual register — supply-chain risk handled entity-by-entity

DORA vs NIS2: Scope and Who Must Comply

Scope is where the DORA vs NIS2 map gets busy. DORA applies to 20 categories of financial entities — credit institutions, payment institutions, electronic money institutions, investment firms, crypto-asset service providers, central counterparties, trading venues, trade repositories, credit rating agencies, insurance and reinsurance undertakings, pension funds, and more — plus the Critical ICT Third-Party Providers (CTPPs) designated by the ESAs.

NIS2, by contrast, covers 18 sectors split into Essential and Important entities, typically medium-sized (50+ staff or €10M turnover) or large firms.

The Tenable cyber exposure comparison of DORA and NIS2 and the activeMind legal guide to NIS2 vs DORA both flag a common trap: dual-scope firms.

A pan-European insurance group whose Dutch cloud provider is designated a CTPP will see DORA supervision land on the provider and NIS2 obligations (as a digital infrastructure provider) land on the provider in parallel.

DORA vs NIS2: Financial Sector Coverage

DORA’s Article 2 lists all 20 entity types in scope. This includes payment institutions under PSD2, insurance intermediaries of a certain size, and crypto-asset service providers under MiCA.

The reach is extraterritorial in effect — any third-country firm serving EU financial entities through an EU subsidiary, branch, or cross-border provision falls into DORA’s orbit through contractual pass-through.

That is how US cloud hyperscalers, SaaS risk platforms, and outsourced operations centers ended up restructuring EU master service agreements in 2024 and 2025.

DORA vs NIS2: Critical Infrastructure Sectors Under NIS2

NIS2 splits its 18 sectors into Essential entities (energy, transport, banking, financial-market infrastructure, health, drinking water, waste water, digital infrastructure, ICT service management, public administration, space) and Important entities (postal and courier, waste management, chemicals, food, manufacturing, digital providers, research).

Supply chain security is a horizontal NIS2 obligation. For a large operational risk management team running a multi-sector group, the DORA vs NIS2 scope analysis is often the single longest section of the compliance charter.

Dimension | DORA — Financial Entities | NIS2 — Essential + Important
Entity categories | 20 defined types (Art. 2) | 18 sectors (Annex I + II)
Size threshold | Proportionality-based, most apply regardless of size | Generally medium and large (50+ staff or €10M turnover)
Extraterritorial reach | Through CTPP designation and EU-facing contracts | Digital infrastructure providers with EU operations
Supervisor model | NCA + ESAs (joint oversight of CTPPs) | National authorities + ENISA coordination
Sectoral examples | Banks, insurers, investment firms, CSDs, crypto-asset service providers | Hospitals, utilities, rail, postal, manufacturing, digital services

DORA vs NIS2: ICT Risk Management Requirements Compared

At the technical-control layer, DORA vs NIS2 look more similar than different. Both require a documented ICT risk management framework, continuous identification and assessment of risks, protective measures aligned with international standards, detection and monitoring capabilities, response and recovery plans, business continuity, and testing.

The divergence is in depth and prescription.

DORA vs NIS2: DORA’s ICT Risk Management Pillars

DORA Chapter II requires a board-approved ICT risk management framework covering identification, protection, detection, response, recovery, learning, and communication — mapped explicitly to the NIST Cybersecurity Framework functions.

DORA Chapter IV mandates an advanced digital operational resilience testing program with Threat-Led Penetration Testing (TLPT) for significant financial entities every three years, drawing heavily on TIBER-EU. That testing depth has no direct NIS2 equivalent.

DORA vs NIS2: NIS2 Article 21 Risk Management Measures

NIS2 Article 21 lists ten baseline cybersecurity risk management measures: policies on risk analysis and security, incident handling, business continuity, supply chain security, security in network and information system acquisition and development, policies to assess effectiveness, cyber hygiene and training, cryptography, HR security and access control, MFA and secured communications.

The list is prescriptive but leaves detail to national implementation and ENISA guidance. Compared to DORA’s 300+ pages of Level 2 technical standards, NIS2 is a framework statement, not a specification.

A practical way to read the DORA vs NIS2 overlap: start from ISO 27001 as the control baseline, add ISO 22301 for continuity, layer NIST CSF 2.0 for governance, and you have covered an estimated 70–80% of both regimes.

The residual 20–30% is DORA-specific (TLPT, ICT register, pooled cyber incident reporting) and NIS2-specific (board training duty, national CSIRT interaction).

DORA vs NIS2: Incident Reporting Timelines and Thresholds


Figure 2. Incident reporting under DORA vs NIS2 — initial notifications diverge sharply, later milestones converge.

Incident reporting is where the DORA vs NIS2 operational gap is widest. DORA’s final RTS on classification and reporting of major ICT-related incidents require a 4-hour initial notification once an incident is classified as “major”, an intermediate report within 72 hours, and a final report within one month.

NIS2 Article 23 is gentler at the front end: a 24-hour early warning, 72-hour incident notification, and one-month final report.

The deeper gap: DORA classification is triggered by quantitative thresholds (clients affected, data lost, economic impact, geographic spread, duration) set in the RTS; NIS2 significance tests vary by Member State.

DORA vs NIS2: Major Incident Classification Criteria

DORA’s joint ESA RTS defines a major incident by combining primary criteria — clients, financial counterparts and transactions affected — with secondary criteria such as data losses, reputational impact, service downtime, geographical spread, and economic cost.

A classification matrix converts numeric thresholds into a single major/non-major verdict. The Risk Publishing DORA incident classification and reporting guide walks through each threshold and the downstream template obligations.

For a financial entity, building this classification logic into the SIEM and incident response plan is a practical prerequisite to meeting the 4-hour clock.

DORA vs NIS2: Significant Incident Thresholds Under NIS2

NIS2 defines a significant incident as one that has caused or is capable of causing “severe operational disruption” or affecting other legal or natural persons through “considerable material or non-material damage.”

The ENISA Technical Implementation Guidance on the NIS2 significance threshold landed in late 2024, but national supervisors retain room.

For DORA vs NIS2 dual-scope firms, best practice is to report under DORA first — meeting a 4-hour DORA deadline automatically satisfies the 24-hour NIS2 window, and national supervisors generally accept the DORA submission as inclusive.

Stage | DORA | NIS2 | Who Receives It
Initial notification | 4 hours | 24 hours (early warning) | NCA + ESAs (DORA); CSIRT / competent authority (NIS2)
Intermediate / notification | 72 hours | 72 hours | Same recipients
Final report | 1 month | 1 month | Same recipients
Content requirements | RTS-prescribed templates | ENISA guidance, national templates | Standardized fields emerging
Trigger | Major ICT incident (quantitative RTS) | Significant incident (qualitative + national rules) | Same recipients
Cyber threat reports | Voluntary but recommended (DORA Art. 19) | Voluntary (NIS2 Art. 30) | Same recipients

DORA vs NIS2: Third-Party and Supply Chain Risk

Third-party risk is the most operationally demanding area of DORA vs NIS2 overlap, and the one where most program leaders under-budget time.

DORA Chapter V mandates a full ICT third-party risk management framework: pre-contractual due diligence, mandatory contract clauses, a Register of Information submitted annually to competent authorities, and an EU-wide oversight regime for Critical ICT Third-Party Providers (CTPPs).

NIS2 Article 21(2)(d) requires “supply chain security” as part of the Article 21 baseline, but leaves implementation to entity discretion plus national supervisor expectation.

DORA vs NIS2: DORA’s Contractual and Register Obligations

DORA contracts must include — among other clauses — service descriptions, data location, security and access rights, audit rights, termination rights on default and force majeure, performance obligations, reporting duties, insolvency provisions, and exit plans.

The Register of Information is a line-by-line inventory of every ICT contractual arrangement, with distinct treatment of services supporting critical or important functions.

For the 2026 cycle, Dutch, German, and French supervisors have each published their own submission portals and timing, layering third-party risk management deadlines onto DORA’s baseline.

CTPPs — typically large cloud providers, core banking system vendors, and market-data firms crossing a concentration threshold — will receive designation decisions from the ESAs.

Once designated, a CTPP is directly supervised by a lead overseer (EBA, EIOPA, or ESMA) with powers to conduct inspections, issue recommendations, and impose periodic penalties up to 1% of average daily worldwide turnover for up to six months.

DORA vs NIS2: Supply Chain Security Under NIS2

NIS2 treats supply-chain security through the entity’s own risk management obligation: an essential or important entity must consider the vulnerabilities of its direct suppliers and service providers, their secure development practices, and their overall cybersecurity posture.

ENISA and the Cooperation Group have issued sectoral supply-chain risk guidance, but NIS2 does not create an entity-level contractual template or a shared EU register. Where DORA institutionalizes the supply-chain view, NIS2 deputizes it.

Third-Party Risk Element | DORA | NIS2
Pre-contract due diligence | Mandatory; documented decision record | Implicit in Art. 21(2)(d)
Contractual minimum clauses | Specified in DORA Art. 30 | Not prescribed
Register of Information | Mandatory, ESA-aligned taxonomy | Not required
Direct supervision of providers | CTPP oversight regime (ESA lead overseer) | None; supplier supervised only via entity
Exit and substitutability | Mandatory exit plans for critical functions | Implicit in BCM obligation
Concentration risk | Explicit governance and monitoring obligation | Not explicit

DORA vs NIS2: Governance, Accountability, and Penalties

Both DORA and NIS2 take aim at the board table. DORA Article 5 makes the management body of a financial entity ultimately responsible for ICT risk management, approval of policies, and sign-off on recovery strategies; specific training duties apply.

NIS2 Article 20 introduces an unprecedented governance hook for cybersecurity directives: the management bodies of essential and important entities must approve cybersecurity risk management measures and oversee implementation — and natural persons holding management responsibility in essential entities can be temporarily prohibited from exercising managerial functions for non-compliance.

DORA vs NIS2: DORA Supervisory Powers and Fines

DORA itself does not set harmonized fines; each Member State calibrates administrative and criminal penalties through its national financial services enforcement regime.

The harmonized lever is the periodic penalty payment the ESAs can levy on a CTPP that does not comply with oversight recommendations — up to 1% of average daily worldwide turnover, per day, for up to six months.

For financial entities themselves, fines come via Banking Act, Markets in Financial Instruments Directive, Insurance Distribution Directive, or MiCA transpositions. A risk management lifecycle that includes legal exposure modeling is the right home for this analysis.

DORA vs NIS2: NIS2 Fines and Management Liability

NIS2 harmonizes penalty ceilings. For essential entities, Member States must provide administrative fines of at least €10 million or 2% of total worldwide annual turnover, whichever is higher. For important entities the cap is €7 million or 1.4%.

Supervisors also hold soft powers: binding instructions, audit orders, compliance warnings, and temporary bans from managerial functions.

Taken together, DORA’s penalty architecture and NIS2’s harmonized fines create the most muscular EU cybersecurity enforcement regime to date.

Dimension | DORA | NIS2 Essential | NIS2 Important
Governance anchor | Mgmt body approval & training (Art. 5) | Mgmt body approval + oversight (Art. 20) | Same as Essential
Harmonized fine ceiling | Not set at EU level | €10M or 2% global turnover | €7M or 1.4% global turnover
Periodic penalty on CTPPs | Up to 1% daily avg worldwide turnover, max 6 months | N/A | N/A
Mgr. temporary ban | Via national regime | Yes — direct legal basis | Generally no
Supervisor inspections | NCA + ESAs for CTPPs | National authority + CSIRT | National authority

DORA vs NIS2: Dual-Scope Firms and Operational Playbook


Figure 3. Transposition patchiness explains why DORA vs NIS2 program design requires jurisdictional mapping.

For the ~3,500 EU financial groups that sit inside DORA’s scope while operating subsidiaries in NIS2 sectors (payments infrastructure, digital infrastructure, cloud), the DORA vs NIS2 operational playbook is consolidation, not duplication.

DORA vs NIS2: One Unified ICT Third-Party Register

Build one ICT contract register aligned to the DORA Register of Information taxonomy — supplier, service, criticality, data location, subcontracting chain, exit plan, SLA — and extend it to NIS2-scoped entities.

The DORA taxonomy is richer; using it for NIS2 adds marginal cost but reduces duplication. Treat the vendor risk mitigation process as a single pipeline with DORA-level rigor for financial entities and NIS2-level rigor for the rest.

DORA vs NIS2: Mapped Incident Response Runbook

Write one incident response runbook with a dual classification trigger. The moment major-incident criteria fire, the 4-hour DORA clock starts; the 24-hour NIS2 clock starts in parallel.

A single playbook, one tooling stack, one joint incident retrospective. Business continuity plan risk assessment and disaster recovery vs business continuity integrate naturally.
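The dual classification trigger described above, and the SIEM-embedded classification logic the earlier incident-classification section calls for, can be sketched as a small deadline tracker. This is an added example, not Risk Publishing’s code or any supervisor’s template: the numeric thresholds in PRIMARY_THRESHOLDS and SECONDARY_THRESHOLDS are constructed placeholders (the real values come from the DORA RTS and national NIS2 rules), and the “major if one primary and one secondary criterion cross” rule is an assumed simplification of the RTS matrix. Only the clocks (4h/72h/1 month for DORA, 24h/72h/1 month for NIS2) come from the article.

```python
"""Dual-clock incident classifier: DORA major-incident and NIS2 significant-
incident triggers feeding one reporting timeline (constructed example)."""
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Placeholder thresholds for illustration only. The binding numbers live in
# the DORA RTS on major-incident classification and in national NIS2 rules.
PRIMARY_THRESHOLDS = {          # DORA primary criteria (assumed values)
    "clients_affected": 1000,
    "transactions_affected": 500,
    "counterparts_affected": 5,
}
SECONDARY_THRESHOLDS = {        # DORA secondary criteria (assumed values)
    "data_loss_records": 100,
    "downtime_minutes": 120,
    "economic_cost_eur": 100_000,
    "member_states_affected": 2,
    "reputational_impact": True,
}


@dataclass
class IncidentFacts:
    """Facts the SOC captures at classification time."""
    clients_affected: int = 0
    transactions_affected: int = 0
    counterparts_affected: int = 0
    data_loss_records: int = 0
    downtime_minutes: int = 0
    economic_cost_eur: float = 0.0
    member_states_affected: int = 1
    reputational_impact: bool = False
    severe_operational_disruption: bool = False   # NIS2 qualitative test
    considerable_damage_to_others: bool = False   # NIS2 qualitative test


def dora_is_major(f: IncidentFacts) -> bool:
    """Assumed rule: major when any primary criterion crosses its threshold
    and at least one secondary criterion does. Replace with the RTS matrix."""
    primary_hit = any(getattr(f, k) >= v for k, v in PRIMARY_THRESHOLDS.items())
    secondary_hits = sum(1 for k, v in SECONDARY_THRESHOLDS.items() if getattr(f, k) >= v)
    return primary_hit and secondary_hits >= 1


def nis2_is_significant(f: IncidentFacts) -> bool:
    """NIS2 test as the article states it: severe operational disruption or
    considerable damage to other persons (national rules may add detail)."""
    return f.severe_operational_disruption or f.considerable_damage_to_others


def add_one_month(ts: datetime) -> datetime:
    """Calendar month, clamped to the last day of the target month
    (e.g. 31 Jan -> 28/29 Feb), so the one-month final report is dated right."""
    year, month = (ts.year + 1, 1) if ts.month == 12 else (ts.year, ts.month + 1)
    day = min(ts.day, calendar.monthrange(year, month)[1])
    return ts.replace(year=year, month=month, day=day)


def reporting_deadlines(classified_at: datetime, f: IncidentFacts) -> dict:
    """Start each regime's clock from the moment its trigger fires."""
    clocks = {}
    if dora_is_major(f):
        clocks["DORA"] = {
            "initial_notification": classified_at + timedelta(hours=4),
            "intermediate_report": classified_at + timedelta(hours=72),
            "final_report": add_one_month(classified_at),
        }
    if nis2_is_significant(f):
        clocks["NIS2"] = {
            "early_warning": classified_at + timedelta(hours=24),
            "incident_notification": classified_at + timedelta(hours=72),
            "final_report": add_one_month(classified_at),
        }
    return clocks


def next_deadline(clocks: dict, now: datetime):
    """Earliest milestone still ahead of `now` across both regimes, or None."""
    pending = [(when, regime, stage)
               for regime, stages in clocks.items()
               for stage, when in stages.items() if when > now]
    return min(pending) if pending else None


# Constructed sample: a cloud outage classified mid-morning UTC.
SAMPLE_CLASSIFIED_AT = datetime(2026, 2, 14, 9, 30, tzinfo=timezone.utc)
SAMPLE_FACTS = IncidentFacts(clients_affected=2500, downtime_minutes=240,
                             severe_operational_disruption=True)

if __name__ == "__main__":
    clocks = reporting_deadlines(SAMPLE_CLASSIFIED_AT, SAMPLE_FACTS)
    for regime, stages in clocks.items():
        for stage, when in stages.items():
            print(f"{regime:5} {stage:22} {when:%Y-%m-%d %H:%M %Z}")
    print("next up:", next_deadline(clocks, SAMPLE_CLASSIFIED_AT))
```

Wired into a SOAR or ticketing workflow, the `reporting_deadlines` output becomes the SLA fields on the incident ticket, and `next_deadline` drives the escalation timer; the 4-hour DORA notification surfaces first, which is why the runbook reports under DORA before NIS2.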

DORA vs NIS2: Governance and Board Reporting Cadence

Consolidate DORA vs NIS2 reporting into the quarterly risk pack. Include: ICT risk heat map with DORA critical/important function tags; top five incidents and root causes; NIS2 compliance status per jurisdiction; CTPP and key supplier concentration; outstanding regulatory findings. A single key risk indicators dashboard drives both conversations.

DORA vs NIS2: Frequently Asked Questions

Do DORA and NIS2 apply to non-EU companies?

Yes, indirectly and sometimes directly. DORA and NIS2 both reach non-EU firms through contractual flow-down and through the CTPP designation regime (DORA) or digital-infrastructure provider rules (NIS2).

A US SaaS vendor serving EU banks will see DORA-compliant clauses in customer contracts even if not itself in direct scope. A US cloud provider with EU operations may be designated a CTPP.

DORA vs NIS2: Which regulation takes precedence for a bank?

DORA takes precedence for ICT risk matters under the lex specialis principle enshrined in DORA Article 1(2) and NIS2 recital 28.

A bank meeting DORA requirements does not need to apply NIS2 ICT risk provisions twice. NIS2 obligations outside DORA’s perimeter (for example, certain Cooperation Group duties) may still apply.

How do DORA and NIS2 handle incident reporting if both apply?

Report under DORA first. DORA’s 4-hour initial notification is stricter than NIS2’s 24-hour early warning, so meeting DORA timelines automatically satisfies NIS2.

National supervisors generally accept the DORA submission as sufficient for NIS2 purposes, but confirm locally — some Member States still require a parallel CSIRT notification.

DORA vs NIS2: What are the minimum board-level actions?

Board approval of the ICT risk management framework, documented cybersecurity training for senior management and directors, sign-off on the Register of Information (DORA) and the NIS2 cybersecurity policy, approval of incident response and recovery plans, and receipt of a standing quarterly DORA vs NIS2 compliance report. NIS2 adds a direct liability hook; DORA adds specific training duties.

Can ISO 27001 help with DORA vs NIS2 compliance?

ISO 27001 covers an estimated 60–70% of both regimes’ security control expectations, especially when extended with ISO 22301 (continuity) and ISO 27701 (privacy).

Neither regulator explicitly recognizes certification as a compliance shortcut, but certification is practically useful when demonstrating maturity. An information security risk management program built on ISO is a strong DORA vs NIS2 foundation.

What happens if a Member State has not transposed NIS2 by 2026?

Companies based there are in a gray zone: the directive’s horizontal direct-effect doctrine gives public-sector entities some NIS2 protections but does not create enforceable duties on private firms until the national law is in place.

The European Commission has already issued reasoned opinions; Court of Justice referrals are likely in 2026. Pragmatic compliance leaders are running a “gap parallel” track based on draft national texts.

DORA vs NIS2: How do I build one compliance program for both?

Start with a shared control library mapped to ISO 27001, ISO 22301, and NIST CSF 2.0. Layer DORA-specific requirements (Register of Information, TLPT, CTPP clauses) and NIS2-specific items (board training record, CSIRT liaison).

Consolidate ICT third-party governance, incident response, and board reporting into single workflows with regulator-specific outputs. Use the ERM framework as the reporting backbone.

DORA vs NIS2: Common Implementation Pitfalls

Pitfall | Root Cause | Remedy
Running DORA vs NIS2 as parallel programs | Separate legal, security, and compliance owners | Single accountable DORA vs NIS2 program lead; shared control library
Missing the 4-hour DORA clock | Classification logic not embedded in SIEM or SOC runbook | Automate major-incident criteria (DORA RTS) inside ticketing/SOAR tooling
Incomplete Register of Information | Shadow IT; subcontract chains under-mapped | Quarterly reconciliation with procurement, finance, and TPRM platform data
Over-relying on NIS2 to cover finance | Failing to read lex specialis | Confirm DORA applicability first; NIS2 residual only
CTPP concentration ignored | Historic cloud vendor lock-in | Concentration KRI in risk appetite; exit plan rehearsal annually
Board training as a tick-box | Delegated to corporate secretariat | Scenario-based tabletop with NED participation once per year
Jurisdictional blind spots | Treating NIS2 as uniform | Per-country transposition matrix maintained with external counsel

DORA vs NIS2: Looking Ahead to 2026 and 2027

DORA vs NIS2 enforcement will intensify through 2026. The first full-cycle Register of Information submissions, the initial wave of CTPP designations by the ESAs, and national NIS2 supervisors moving from registration to inspection will generate a new corpus of precedent.

Expect the first headline DORA enforcement actions from Germany, France, and Ireland — jurisdictions with aggressive financial regulators — during the second half of 2026.

Expect heavier convergence pressure between DORA, NIS2 and adjacent EU frameworks: the Cyber Resilience Act (CRA) for connected products, the AI Act for AI-adjacent ICT risk, the Data Act for cloud portability, and GDPR Article 32 for personal-data security.

A 2027 trend to watch: an ESA-coordinated “one-stop” reporting interface that accepts DORA and NIS2 incident data in a single submission, reducing duplicated work for dual-scope firms.

For US-headquartered groups, the DORA vs NIS2 shape is increasingly familiar. The SEC’s 2023 cybersecurity disclosure rule, NYDFS 23 NYCRR 500 amendments, CIRCIA’s federal incident reporting regime, and the FDIC’s 36-hour notification rule map to a similar risk philosophy, if not identical mechanics.

An EU-first DORA and NIS2 control set is close to a US-ready control set, with targeted enhancements.

Finally, watch Threat-Led Penetration Testing diffusion. DORA’s TLPT is unique in cybersecurity regulation for prescribing realistic red-team exercises against significant financial entities.

As CTPPs inherit TLPT participation, expect the methodology to become the de facto resilience test for European critical infrastructure, blurring DORA vs NIS2 operationally even where the law remains distinct.

Ready to Build a Unified DORA vs NIS2 Compliance Program?

At riskpublishing.com we help regulated firms design integrated DORA vs NIS2 compliance programs — from ICT risk frameworks and Register of Information builds to incident response runbooks and board-level reporting cadences grounded in ISO 31000, ISO 22301, and NIST CSF 2.0.

Explore our risk advisory services — or contact us to discuss a DORA vs NIS2 readiness review tailored to your entity type and jurisdictional footprint.

DORA vs NIS2: Authoritative References

1. European Commission — NIS2 Directive page

2. EIOPA — Digital Operational Resilience Act (DORA)

3. ESMA — DORA activities and technical standards

4. ENISA — NIS2 implementation guidance

5. European Commission — NIS transposition tracker

6. ISACA — Resilience and Security in Critical Sectors: Navigating NIS2 and DORA Requirements (2025)

7. ISO 27001:2022 — Information Security Management

8. ISO 22301:2019 — Business Continuity Management Systems

9. NIST Cybersecurity Framework 2.0

10. ECB — TIBER-EU Framework for Threat-Led Penetration Testing

11. Jones Day — DORA Now in Effect for Financial Entities and ICT Service Providers (2025)

12. DLA Piper — Application of DORA: Key Considerations (2025)

13. White & Case — NIS 2: One Year Later

14. Tenable — Comparisons Between DORA and NIS2
