New business obligations in 2025 – DORA and NIS 2

  • Writer: The SOC 2
  • Aug 4
  • 4 min read

As of 2025, companies across the European Union must comply with two major legislative changes aimed at strengthening cybersecurity and digital resilience: the DORA regulation and the NIS 2 directive. These measures introduce unified standards for ICT risk management and require organizations to report security incidents more rigorously. Their purpose is clear — to improve resilience to cyber threats and ensure consistent oversight of entities vital to the functioning of the internal market.


What is DORA — and why does it matter to your business?


The Digital Operational Resilience Act (DORA) establishes a harmonized framework for managing ICT risks in the financial sector. In force since January 17, 2025, it applies not only to banks, insurers, and investment firms, but also to technology providers that support financial institutions — including cloud service providers, software vendors, and ICT infrastructure operators.


Under DORA, organizations must adopt a comprehensive set of measures. These include continuous monitoring of ICT systems, clear incident response protocols, and regular resilience testing — such as simulated cyberattacks. Importantly, the regulation places a strong emphasis on third-party oversight, requiring companies to evaluate and often renegotiate contracts with external ICT providers to meet new compliance standards.


NIS 2 — a broader cybersecurity framework for critical sectors


While DORA targets the financial ecosystem, NIS 2 takes a broader approach. This updated directive, adopted at the EU level in January 2023, was required to be transposed into national law by October 17, 2024. As of June 2025, most Member States have introduced legislation to enforce it.


NIS 2 expands the scope of the original directive by covering 18 critical sectors, including energy, transport, healthcare, pharmaceuticals, food production, chemicals, digital infrastructure, and computer manufacturing. Unlike its predecessor, NIS 2 applies not just to large companies but also to medium and small-sized enterprises with at least 50 employees and either an annual turnover or total assets exceeding €10 million.


In some cases, company size doesn’t matter. Providers of essential digital services — such as DNS, domain registries, cloud platforms, or trusted digital identity providers — are automatically covered by the directive, regardless of their scale.


What are the key requirements?


Although DORA and NIS 2 differ in scope and target sectors, their objectives overlap. Both are designed to raise cybersecurity standards and increase accountability for how organizations respond to threats.


Under DORA, companies must:

  • implement a robust ICT risk management framework,

  • report significant ICT incidents,

  • carry out regular digital resilience tests (including attack simulations),

  • closely supervise external ICT providers and update outsourcing arrangements where needed.


NIS 2, on the other hand, requires organizations to:

  • develop security policies based on comprehensive risk assessments,

  • ensure business continuity and rapid system recovery after disruptions,

  • report cybersecurity incidents to national authorities,

  • self-assess whether they fall under the directive and, if so, register with a designated national registry.


Two categories of entities under NIS 2


NIS 2 introduces a two-tier classification: essential entities and important entities. While both groups must meet the same cybersecurity standards, the oversight mechanisms and potential penalties differ.


  • Essential entities face proactive (ex ante) supervision and may be fined up to €10 million or 2% of annual turnover.

  • Important entities are subject to reactive (ex post) oversight and may face penalties of up to €7 million or 1.4% of annual turnover.


Meanwhile, DORA sets a uniform penalty threshold of up to 2% of annual turnover, reinforcing the urgency of compliance in the financial sector.

How to prepare — steps companies should take now


Compliance starts with a thorough readiness assessment. Organizations should evaluate not only their IT infrastructure but also their existing policies, incident response capabilities, and employee awareness.


Next, companies should:


  • determine whether they fall under DORA or NIS 2 by analyzing their business model and size,

  • if subject to NIS 2, register in the national database of in-scope entities,

  • review and revise risk management and continuity plans to meet new standards,

  • establish formal incident response procedures that align with regulatory expectations,

  • audit relationships with ICT providers and implement oversight mechanisms where required.


Why ignoring these rules isn’t an option


Non-compliance carries more than just financial risk. Failure to meet DORA or NIS 2 requirements could result in operational disruptions, regulatory investigations, reputational damage, and lost business opportunities. For companies operating in multiple EU countries, the risk multiplies — regulatory fragmentation means that requirements may differ by jurisdiction, even within the same group.


In sectors covered by DORA, regulators are expected to enforce rules with increasing scrutiny, especially following major cyber events. Time is no longer on the side of late adopters.


Conclusion


As of June 2025, DORA and NIS 2 are no longer distant policy goals — they are active regulations shaping how companies operate. These frameworks require real action: revised contracts, updated policies, system-wide reviews, and new lines of responsibility. Passive compliance is no longer enough.


Organizations that failed to prepare by the transposition deadline must now move quickly to catch up. Those that act decisively will not only avoid penalties but also gain a competitive edge by demonstrating operational integrity, resilience, and regulatory alignment.
