Table of contents
- What are DORA and NIS2?
- How companies can comply
- Scope verification
- Risk assessment and planning
- Implementation of advanced security measures
- Operational continuity and emergency plans
- Continuous monitoring and audits
- Awareness and training
- ICT vendor management
With the entry into force of the NIS2 Directive (Directive (EU) 2022/2555) and the DORA Regulation (Regulation (EU) 2022/2554), the European Union introduces a new regulatory framework to enhance cyber security and digital operational resilience.
These measures are essential to protect critical digital infrastructures and services, which are increasingly exposed to cyberattacks. The deadlines are close: Member States had to transpose NIS2 into national law by October 17, 2024, and the national rules apply from October 18, 2024; DORA, being a regulation, applies directly in all Member States from January 17, 2025.
What are DORA and NIS2?
The NIS2 Directive
The NIS2 Directive updates and expands the scope of the previous NIS Directive (Directive (EU) 2016/1148), adding new critical sectors such as digital providers, postal and courier services, and research organizations, and dividing in-scope organizations into essential and important entities. Among its main innovations, it introduces:
- Reporting obligations for significant cyber security incidents, with an early warning within 24 hours, an incident notification within 72 hours, and a final report within one month;
- Stricter risk management measures, together with direct accountability of management bodies, which must approve and oversee them;
- A system of penalties for non-compliance.
NIS2 promotes a risk-based security approach, focusing on network security and protection against cyber threats.
The DORA Regulation
The DORA Regulation (Digital Operational Resilience Act) focuses on financial entities and the ICT third-party providers that serve them, imposing:
- Digital operational resilience requirements, including an ICT risk management framework and regular resilience testing (with threat-led penetration testing for the most significant entities).
- Risk assessments extended to external providers, including a register of all contractual arrangements with ICT third-party providers.
- Obligations to maintain operational continuity during ICT-related incidents and to report major incidents to the competent authority.
DORA represents a key step in creating a secure and reliable digital ecosystem.
How companies can comply
Adapting to NIS2 and DORA requires an integrated and strategic approach. It is not just about adhering to the rules but also about fostering a company culture geared towards enhancing digital operational resilience and preventing cyber incidents. Let’s examine the key actions companies must take to comply with the new provisions.
Scope verification
The first step is to determine whether your business is among those required to comply with NIS2 and DORA. This verification process includes:
- Sector analysis
NIS2 applies to a wide range of critical sectors such as energy, transport, banking, healthcare, digital infrastructure, and online service providers; it generally covers medium-sized and large organizations in those sectors, with some entities in scope regardless of size. DORA, on the other hand, is specific to financial entities (banks, insurers, investment firms, crypto-asset service providers, and others) and to the ICT service providers that support them.
- Business impact assessment
Identifying whether your processes or services play a strategic role in the operational continuity of the EU’s critical infrastructures.
A clear understanding of the scope of application allows companies to tailor measures to specific regulatory requirements.
Risk assessment and planning
Risk management is at the core of both regulations. Companies must implement a risk-based approach, which includes:
- Cyber threat mapping
Identifying potential sources of cyberattacks and internal weaknesses, such as unpatched systems, misconfigurations, weak credentials, or human error.
- Risk assessment
Estimating the likelihood of an incident and its impact using standardized methodologies such as ISO/IEC 27005 or NIST SP 800-30.
- Prioritization
Allocating resources and interventions to areas with the highest risk levels.
Effective risk planning helps anticipate problems and act before severe incidents occur.
Implementation of advanced security measures
Security measures must be tailored to the specific needs of the business context. Key measures include:
- Data encryption
Protecting data at rest (stored) and in transit (communications) using strong, authenticated encryption such as AES-256 in GCM mode, TLS (HTTPS) for web traffic, and an IPsec or WireGuard VPN for site-to-site links. Encryption is only as strong as its key management: keys should be generated, stored, and rotated in a hardware security module or a managed key service, never hard-coded in applications.
- Corporate network protection
Using firewalls and IDS/IPS systems to monitor and block suspicious traffic, and segmenting networks so that a compromise of one zone (for example the office LAN) cannot spread to production or operational systems.
- Access management
Adopting access policies based on the principle of least privilege, with periodic review and removal of unused accounts and privileges, and enforcing multi-factor authentication (MFA), preferably phishing-resistant methods such as FIDO2 security keys, for all employees and external partners, starting with administrative and remote access.
These measures strengthen cyber security and reduce the risk of system compromise.

Operational continuity and emergency plans
The ability to respond quickly to cyber incidents is essential to minimize damage and ensure business continuity. Key plans include:
- Business Continuity Plan (BCP)
Establishing clear protocols to keep essential business functions operational during an attack or disruption.
- Disaster Recovery Plan (DRP)
Defining technical actions to quickly restore data, systems, and infrastructures within agreed recovery time and recovery point objectives (RTO/RPO). This includes using backup sites (cold, warm, or hot sites), data replication tools, and backup copies kept offline or immutable so that ransomware cannot encrypt them together with production data.
Periodic simulation of crisis scenarios, including actual restore tests from backup, helps verify that these plans work in practice and improves preparedness.
Continuous monitoring and audits
Compliance with NIS2 and DORA is not a static goal but an ongoing process. It requires:
- Monitoring systems
Using Endpoint Detection and Response (EDR) and Security Information and Event Management (SIEM) solutions to detect suspicious activities and analyze events in near real time. Logs should be collected centrally from endpoints, servers, network devices, and cloud services, time-synchronized, and retained long enough to reconstruct an incident and meet the reporting deadlines.
- Periodic audits
Regularly assessing the adequacy of implemented measures against regulatory requirements.
- Technological updates
Ensuring that infrastructures are protected against emerging threats by applying software updates and security patches promptly, prioritized by the severity of the vulnerability and the exposure of the affected system.
Awareness and training
Human errors remain one of the main causes of cyber incidents. Therefore, investing in personnel training is crucial. Companies should organize:
- Periodic training sessions
Educating employees on cyber security risks and preventive measures, such as recognizing phishing emails.
- Attack simulations
Testing staff responses to realistic scenarios to improve their ability to respond effectively.
- Awareness initiatives
Promoting a company culture focused on security, involving management levels as well.
A trained workforce is the first line of defense against cyber threats.
ICT vendor management
Both NIS2 and DORA emphasize managing the digital supply chain. Companies must ensure that their vendors meet adequate security standards through:
- Binding contracts
Including specific clauses on ICT security requirements.
- Periodic assessments
Verifying the security measures adopted by vendors (for example through audits, certifications such as ISO/IEC 27001, or penetration test results) and requesting regular performance reports.
- Joint emergency plans
Collaborating with vendors to define response strategies for incidents affecting critical services, and preparing exit strategies so that a critical provider can be replaced without interrupting the service.
Questions and answers
- What does the NIS2 Directive entail?
The NIS2 Directive introduces risk management and reporting obligations to improve network security in critical sectors.
- What is the goal of the DORA Regulation?
To ensure the digital operational resilience of financial entities and their ICT vendors against cyber threats.
- Who must comply with NIS2 and DORA?
Companies in critical sectors, digital providers, financial entities, and their ICT service providers.
- When does the NIS2 Directive take effect?
Member States had to transpose NIS2 into national law by October 17, 2024; the national rules apply from October 18, 2024.
- When will the DORA Regulation be applicable?
The DORA Regulation applies from January 17, 2025.
- What measures must companies adopt?
Risk analysis, network protection, operational continuity plans, and personnel training.
- What are Business Continuity and Disaster Recovery?
They are operational plans to ensure continuity and recovery of activities in case of cyber incidents.
- What is the difference between NIS2 and DORA?
NIS2 applies to critical sectors and includes reporting obligations, while DORA focuses on digital resilience in the financial sector.
- What penalties are provided for non-compliance?
Penalties proportional to the severity of the violation, applied at the national level. For NIS2, administrative fines can reach EUR 10 million or 2% of total worldwide annual turnover (whichever is higher) for essential entities, and EUR 7 million or 1.4% for important entities, with Member States free to set higher ceilings; DORA leaves the amounts to the Member States.
- How can companies monitor ICT vendors?
Through binding contracts and periodic risk assessments of external vendors.