
Resilience and Security in Critical Sectors: Navigating NIS2 and DORA Requirements

© 2025 ISACA. All Rights Reserved.


2 RESILIENCE AND SECURITY IN CRITICAL SECTORS: NAVIGATING NIS2 AND DORA REQUIREMENTS

CONTENTS

4 Introduction
5 Scope
6 Risk Management, Business Continuity, and Disaster Recovery
8 Information and Cybersecurity
8 / Audits
9 Incident Reporting
11 Testing Obligations
12 Third-Party Service Provider Requirements
12 Governance and Accountability
13 Information Sharing
14 Noncompliance
14 Conclusion
16 Acknowledgments


ABSTRACT
Given the significant consequences resulting from incidents, some jurisdictions have enacted laws and regulations
to address resilience and incident response. The interconnectedness of European member states led to a need to
harmonize incident response requirements and reporting across the European Union. The Digital Operational Resilience
Act (DORA) and the Network and Information Systems (NIS2) Directive provide guidance to enterprises in certain key
sectors. They cover areas such as risk management, information security, and cybersecurity, with new requirements
on incident reporting, plans and testing, third-party and supply chain security evaluation, cross-border collaboration,
information sharing, and periodic testing.

This white paper compares DORA and NIS2 across several topic areas. It includes the consequences of
noncompliance, incident reporting timelines, and the role of third-party service requirements. It is important to note
that enterprises located outside the European Union may be subject to NIS2 and/or DORA, so familiarity with their
requirements is valuable for enterprises worldwide.


Introduction
Many essential, important, and critical services, such as energy, water, finance, and entities providing domain name registration services, leverage information and communication technology (ICT). The resilience of this technology is essential to ensure uninterrupted provision of essential services. Outages and cybersecurity incidents in these sectors can lead to significant health, safety, financial, legal, reputational, and operational harm for affected individuals and enterprises.

To address the continuity of vital services, some jurisdictions have enacted directives and regulations applicable to certain entities. In the European Union, two key pieces of guidance in this area are the Digital Operational Resilience Act (DORA) and the Network and Information Systems (NIS2) Directive.

DORA applies to the financial sector, while NIS2 is not limited to the financial sector and is aimed at essential and important entities. Enterprises may be subject to DORA, NIS2, neither, or both. Because it is a regulation, DORA is more prescriptive than NIS2. It outlines specific obligations for enterprises. In contrast, NIS2 is a directive, which means it provides goals that EU countries must achieve, but it is the responsibility of EU member states to create laws that help achieve these goals.1 Note that DORA also has some supplementary EU Commission-delegated regulatory technical standards (RTS) and supporting guidance, and these are legally binding.2 NIS2 has one implementing regulation relating to technical and methodological requirements.3

NIS2 replaced the original NIS1 directive. NIS2 has a broader scope than its predecessor, incorporating public electronic communications services, digital services, critical product manufacturers, postal services, and public administration.4

Another important European directive, the Payment Services Directive (PSD), is aimed at electronic payments. While this directive has an impact on many enterprises across the European Union and enterprises could be subject to PSD in addition to NIS2 and/or DORA, the latest version, PSD3, is currently in draft form5 and is out of scope for this white paper.

NIS2 and DORA compliance can support resilience, continuity, and risk management activities. Enterprises covered by NIS2 and DORA should learn their obligations to ensure resiliency, maintain customer access to their services, and avoid potential penalties for noncompliance.

1 European Union, “Types of legislation,” https://european-union.europa.eu/institutions-law-budget/law/types-legislation_en


2 Official Journal of the European Union, RTS 2024/1772, RTS 2024/1773, RTS 2024/1774, RTS 2025/295, RTS 2025/301, ITS 2024/2956, and ITS 2025/302, https://european-union.europa.eu/index_en
3 Official Journal of the European Union, “Commission Implementing Regulation (EU) 2024/2690,” 17 October 2024, https://eur-lex.europa.eu/eli/reg_impl/2024/2690/oj/eng
4 European Commission, “NIS2 Directive: new rules on cybersecurity of network and information systems,” https://digital-strategy.ec.europa.eu/en/policies/nis2-directive
5 European Union, “Modernising payment services and opening financial services data: new opportunities for consumers and businesses,” 27 June 2023, https://ec.europa.eu/commission/presscorner/detail/en/ip_23_3543


Scope
NIS2 and DORA were enacted in the European Union, but they may have impacts for enterprises around the world. This is especially true for third parties working with entities in the European Union that are subject to NIS2 or DORA.

NIS2, which impacts enterprises that provide their services or conduct activities in the European Union, may apply to some enterprises in the financial sector, but its scope is larger than DORA’s. NIS2 applies to entities that are considered essential and important.6 Sector and enterprise size determine whether an entity is considered essential or important, but these are not the only factors in the decision. Other factors include if an entity is the sole provider of a service or if a disruption to the entity’s service could have a significant impact on public order, public security, or public health, among other factors.

Figure 1 shows which sectors are considered high criticality and which are critical according to the NIS2 directive.7

FIGURE 1: NIS2 Sectors

High criticality:
• Energy
• Transport
• Banking
• Financial market infrastructures
• Health
• Drinking water
• Wastewater
• Digital infrastructure
• ICT service management (business-to-business)
• Public administration
• Space

Other critical sectors:
• Postal and courier services
• Waste management
• Manufacturing, production, and distribution of chemicals
• Production, processing, and distribution of food
• Manufacturing
• Digital providers
• Research

6 Essential entities are typically large enterprises that operate in one of the 11 critical sectors: energy, transport, banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure, ICT service management (business-to-business), public administration, and space. Important entities are all other organizations that are not categorized as essential entities but still fall under the general criteria of location, size, and industry.
7 European Union, “Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS2 Directive),” 14 December 2022, https://eur-lex.europa.eu/eli/dir/2022/2555/2022-12-27/eng


DORA applies to entities in the financial sector, including credit institutions, payment institutions, and investment firms.8 Figure 2 shows the financial institutions in the scope of DORA. Note that some micro and small- or medium-sized enterprises are not subject to all aspects of DORA or may have different obligations.9

FIGURE 2: DORA Scope

• Credit institutions; payment institutions; account information service providers; electronic money institutions
• Investment firms; managers of alternative investment funds; management companies
• Cryptoasset service providers and issuers of asset-referenced tokens
• Central securities depositories; central counterparties; securitization repositories
• Trading venues and trade repositories
• Data reporting service providers; credit rating agencies; administrators of critical benchmarks
• Insurance and reinsurance undertakings; insurance intermediaries, reinsurance intermediaries, and ancillary insurance intermediaries
• Institutions for occupational retirement provision and crowdfunding service providers
• ICT third-party service providers

Risk Management, Business Continuity, and Disaster Recovery
To promote a harmonized approach to risk management across the European Union, NIS2 and DORA have certain requirements related to risk management. NIS2 calls for putting adequate measures in place to address risk to network and information system security. This includes developing policies related to risk analysis and assessing the efficacy of cybersecurity risk management measures.10

8 Official Journal of the European Union, “Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011,” Article 2, 14 December 2022, https://eur-lex.europa.eu/eli/reg/2022/2554/oj/eng
9 Official Journal of the European Union, “Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011,” 14 December 2022, https://eur-lex.europa.eu/eli/reg/2022/2554/oj/eng
10 European Union, “Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS2 Directive),” Article 21, 14 December 2022, https://eur-lex.europa.eu/eli/dir/2022/2555/2022-12-27/eng


In contrast, DORA has several specific requirements related to establishing and maintaining an ICT risk management framework. This framework must, at a minimum, include strategies, policies, procedures, ICT protocols, and tools needed to protect information and ICT assets. The framework must ensure ICT management, control, and internal audit functions are adequately segregated, and the ICT risk framework must be:11

• Documented
• Reviewed at least annually12 and after major ICT-related incidents
• Subject to internal audit

The ICT risk management framework must incorporate a digital operational resilience strategy that establishes how the framework will be implemented. This strategy must include:13

• An explanation of how the framework can support the enterprise’s business strategy and objectives
• The ICT risk tolerance level
• Information security objectives, including key performance indicators (KPIs) and key risk indicators (KRIs)
• The ICT reference architecture
• The methods in place to detect, prevent, and protect in the event of an ICT-related incident
• The current state of digital operational resilience
• Digital operational resilience testing
• A strategy for communicating and disclosing ICT-related incidents

Employee training is a vital part of risk management, as humans are often the weakest security link. Tailoring security-related training based on roles and responsibilities is vital to ensure all staff understand how they can support enterprise security. DORA requires organizations to develop ICT security awareness programs and digital operational resilience training as part of the employee training program. All employees and senior management must complete this training, which should contain content appropriate to their roles.14 NIS2 also requires essential and important entities to offer training related to cybersecurity risk management.15

DORA calls for continuous monitoring of ICT systems and tools in an effort to minimize ICT risk.16 It also requires having mechanisms to detect anomalies and ICT-related incidents and that these mechanisms are tested regularly.17 Business continuity is a key element of operational resilience, and DORA has requirements around response and recovery. ICT business continuity plans and procedures must:18

• Provide for the continuity of critical or important functions
• Respond to ICT-related incidents in a timely manner to limit damage and facilitate resumption of activities and recovery
• Activate containment measures, processes, and technologies
• Estimate initial impacts, damages, and losses
• Communicate and conduct crisis management actions

11 Official Journal of the European Union, “Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011,” Article 6, 14 December 2022, https://eur-lex.europa.eu/eli/reg/2022/2554/oj/eng
12 Microenterprises only need to review this framework periodically.
13 Official Journal of the European Union, “Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011,” Article 6, 14 December 2022, https://eur-lex.europa.eu/eli/reg/2022/2554/oj/eng
14 Official Journal of the European Union, “Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011,” Article 13, 14 December 2022, https://eur-lex.europa.eu/eli/reg/2022/2554/oj/eng
15 European Union, “Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS2 Directive),” Article 20, 14 December 2022, https://eur-lex.europa.eu/eli/dir/2022/2555/2022-12-27/eng
16 Official Journal of the European Union, “Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011,” Article 9, 14 December 2022, https://eur-lex.europa.eu/eli/reg/2022/2554/oj/eng
17 Official Journal of the European Union, “Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011,” Article 10, 14 December 2022, https://eur-lex.europa.eu/eli/reg/2022/2554/oj/eng
18 Official Journal of the European Union, “Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011,” Article 11, 14 December 2022, https://eur-lex.europa.eu/eli/reg/2022/2554/oj/eng


Financial entities subject to DORA must establish an ICT business continuity policy and an associated ICT disaster recovery plan. For enterprises that are not microenterprises, this plan is subject to independent audit reviews. To validate ICT efforts, the ICT business continuity policy and ICT disaster recovery plan must be tested.

DORA also emphasizes the importance of backups, which are critical in the event of an incident. DORA requires financial entities to create a backup policy. This policy should include which data is subject to being backed up as well as the minimum frequency of the backup. This frequency should be determined based on the criticality of the information or the sensitivity of the data. Financial entities must also develop recovery methods.

Information and Cybersecurity
NIS2 and DORA both contain provisions about the security of network and information systems. Security is vital to ensuring customers can have uninterrupted access to service and have their information protected. To that end, NIS2 and DORA both have security-related obligations.

NIS2 requires enterprises to address security in a way that can prevent or minimize the impact of incidents. Per NIS2, enterprises must have:19

• Risk analysis and information system security policies
• Incident handling procedures
• Business continuity measures
• Supply chain security
• Security in network and system acquisition, development, and maintenance
• Assessments of cybersecurity risk management measures
• Cybersecurity training and cyberhygiene
• Encryption and cryptography policies and procedures
• Human resources security
• Multifactor authentication (MFA) or continuous authentication

DORA has multiple requirements related to the security of ICT systems and tools. These systems and tools must be continuously monitored, which can help identify potential service interruptions. Financial entities must define alert thresholds and criteria that would trigger ICT incident detection and response processes. Multiple layers of control must be enabled.

DORA requires that financial entities develop policies and protocols for strong authentication mechanisms. At a minimum, they must annually review the adequacy of classification of information assets as well as any relevant documentation.

Audits
Audits can help ensure that enacted measures achieve desired outcomes. NIS2 and DORA address audits pertaining to security and third parties. Enterprises that are considered essential entities under NIS2 are subject to regular, targeted, and ad hoc security audits. These audits may be conducted by an independent body or competent authority, and results must be made available to the competent authority.20 Important entities are also subject to targeted security audits by an independent body or competent authority, with results being made available to the competent authority.21

DORA allows financial entities and competent authorities to audit ICT third-party service providers.22 This is critical, as third-party issues could impact the financial entity, which, in turn, impacts their customers. Additionally, the ICT risk management framework is subject to internal audit. There must be a formal follow-up process to act upon any critical ICT audit findings. DORA requires that audit functions have the appropriate knowledge, skills, and expertise in ICT risk and that they are independent. ICT audit frequency and focus will vary based on the enterprise’s ICT risk. Note that microenterprises are exempt from many of these internal audit requirements.

19 European Union, “Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS2 Directive),” Article 21, 14 December 2022, https://eur-lex.europa.eu/eli/dir/2022/2555/2022-12-27/eng
20 European Union, “Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS2 Directive),” Article 32, 14 December 2022, https://eur-lex.europa.eu/eli/dir/2022/2555/2022-12-27/eng

Incident Reporting
Reporting an incident to the appropriate authorities and affected people is a core component of operational resilience and supports transparency. Authorities may need to act to protect people and ensure vital services can still be provided, and it is crucial for them to know about incidents in the event of an adversarial state-sponsored attack. Incident details may also help others in the same industry prepare for or address these incidents should they experience them.

NIS2 and DORA both have requirements around incident reporting as well as specific time frames by which certain information must be provided to designated authorities. The requirements in this directive and regulation help harmonize reporting obligations across the European Union, which could vary considerably from member state to member state.

NIS1 required member states to create one or more computer security incident response teams (CSIRTs). CSIRTs should participate in deploying secure information-sharing tools and, as appropriate, share relevant information with communities of essential and important entities.23 CSIRTs play a vital role in incident reporting.

If a significant incident occurs, enterprises subject to NIS2 must notify the CSIRT or competent authority of the incident. NIS2 defines a significant incident as one that causes or could cause severe operational disruption of services or financial loss and has affected or could affect natural or legal persons by causing considerable damage (material or nonmaterial).24

Figure 3 contains the significant incident reporting timeline under NIS2.

21 European Union, “Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS2 Directive),” Article 33, 14 December 2022, https://eur-lex.europa.eu/eli/dir/2022/2555/2022-12-27/eng
22 Official Journal of the European Union, “Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011,” Article 28, 14 December 2022, https://eur-lex.europa.eu/eli/reg/2022/2554/oj/eng
23 European Union, “Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS2 Directive),” Article 10, 14 December 2022, https://eur-lex.europa.eu/eli/dir/2022/2555/2022-12-27/eng
24 European Union, “Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS2 Directive),” Article 23, 14 December 2022, https://eur-lex.europa.eu/eli/dir/2022/2555/2022-12-27/eng


FIGURE 3: NIS2 Significant Incident Timeline

• Without undue delay and in any event within 24 hours of becoming aware of the significant incident: Entities must submit an early warning to CSIRT/competent authority, including if the incident is suspected to be the result of an unlawful or malicious act or if it could have cross-border ramifications.
• Without undue delay and in any event within 72 hours of becoming aware of the significant incident: Entities must submit an incident notification to CSIRT/competent authority with updates to the information provided previously, as well as provide an initial assessment of the incident’s severity, impact, and indicators of compromise.
• No later than one month after the incident notification is provided: Entities must submit a final report to CSIRT/competent authority, including a detailed description of the incident, its impact and severity, the root cause or threat that triggered it, mitigation measures applied and in use, and the cross-border impact of the incident (if any).

* Entities must provide intermediate reports/status updates if requested by CSIRT/competent authority.
** If the incident is ongoing when the final report is due, entities must provide a progress report, and the final report is due within one month of handling the incident.

DORA defines major ICT-related incidents as those with “a high adverse impact on the network and information systems that support critical or important functions of the financial entity.”25 Financial entities must notify the relevant competent authority of any major ICT-related incidents. To promote resilience across the finance sector, financial entities may share significant cyberthreats with the relevant competent authority.26

Figure 4 contains a DORA incident notification timeline for major ICT-related incidents.27

FIGURE 4: DORA Notification Timeline

• Within four hours of being classified as a major ICT-related incident and no later than 24 hours after becoming aware of the incident: Entities must provide an initial report with information such as a description of the incident, how it was discovered, its origin, if a business continuity plan has been activated, and any other relevant information.
• Within 72 hours of submitting the initial report: Entities must provide an intermediate report that includes information about the occurrence of the ICT-related incident, when regular activities were recovered, the threats and techniques used, the impacted processes, the impact to clients’ financial interests, the steps taken or intended to be taken to recover, and indicators of compromise.
• No later than one month after the submission of the intermediate report/after the latest updated intermediate report: Entities must provide a final report with information about the root cause, when the incident was resolved and how it was resolved, costs and losses related to the ICT-related incident, and information about any recurring ICT-related incidents.

25 Official Journal of the European Union, “Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011,” Article 3, 14 December 2022, https://eur-lex.europa.eu/eli/reg/2022/2554/oj/eng
26 Official Journal of the European Union, “Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011,” Article 19, 14 December 2022, https://eur-lex.europa.eu/eli/reg/2022/2554/oj/eng
27 European Commission, “Commission Delegated Regulation (EU) 2025/301 of 23 October 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the content and time limits for the initial notification of, and intermediate and final report on, major ICT-related incidents, and the content of the voluntary notification for significant cyber threats,” 23 October 2024, https://eur-lex.europa.eu/eli/reg_del/2025/301/oj/eng


A one-day time frame to notify authorities about significant incidents may be challenging for some enterprises. Comprehensive and regularly updated incident response plans are critical for compliance and resilience. Incident response plans must account for reporting obligations, and everyone involved with incident response should be aware of the content to report and reporting deadlines. Incident response testing and simulations can help enterprises identify areas for improvement and gauge their response capabilities.
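The reporting clocks in Figures 3 and 4, as an added Python example that is not part of the white paper: it computes every deadline for an entity subject to both regimes, including DORA’s two-clock rule for the initial notification (four hours from classification, capped at 24 hours from awareness). The calendar-month reading of “one month” and the sample timestamps are assumptions, not something the paper states.

```python
"""Deadline calculator for the NIS2 and DORA reporting timelines described above.

Added example, not code from the ISACA white paper. The hour counts come from
Figures 3 and 4; how "one month" is counted is an assumption (calendar month,
clamped to the last day of a shorter month). Use it to sanity-check an incident
response plan, not as a legal determination.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


def add_months(ts: datetime, months: int) -> datetime:
    """Assumed reading of 'one month': same day-of-month, clamped when shorter."""
    idx = ts.month - 1 + months
    year, month = ts.year + idx // 12, idx % 12 + 1
    return ts.replace(year=year, month=month,
                      day=min(ts.day, calendar.monthrange(year, month)[1]))


@dataclass(frozen=True)
class Deadline:
    regime: str
    stage: str
    due: datetime
    note: str = ""


def nis2_deadlines(aware_at: datetime,
                   notification_sent_at: datetime | None = None) -> list[Deadline]:
    """NIS2 significant-incident timeline (Figure 3). The 24h/72h limits run from
    becoming aware; the final report runs from when the notification was sent."""
    out = [
        Deadline("NIS2", "early warning", aware_at + timedelta(hours=24),
                 "without undue delay; 24 hours is the outer bound"),
        Deadline("NIS2", "incident notification", aware_at + timedelta(hours=72),
                 "without undue delay; 72 hours is the outer bound"),
    ]
    if notification_sent_at is not None:
        out.append(Deadline("NIS2", "final report", add_months(notification_sent_at, 1),
                            "progress report instead if the incident is still ongoing"))
    return out


def dora_deadlines(aware_at: datetime, classified_at: datetime,
                   initial_sent_at: datetime | None = None,
                   intermediate_sent_at: datetime | None = None) -> list[Deadline]:
    """DORA major-incident timeline (Figure 4). The initial notification has two
    clocks, 4h from classification and 24h from awareness, and the earlier wins,
    so a late classification does not buy extra time."""
    if classified_at < aware_at:
        raise ValueError("classification cannot precede awareness of the incident")
    initial_due = min(classified_at + timedelta(hours=4), aware_at + timedelta(hours=24))
    out = [Deadline("DORA", "initial notification", initial_due,
                    "earlier of 4h after classification and 24h after awareness")]
    if initial_sent_at is not None:
        out.append(Deadline("DORA", "intermediate report",
                            initial_sent_at + timedelta(hours=72)))
    if intermediate_sent_at is not None:
        out.append(Deadline("DORA", "final report", add_months(intermediate_sent_at, 1),
                            "clock restarts from the latest updated intermediate report"))
    return out


def overdue(deadlines: list[Deadline], now: datetime) -> list[Deadline]:
    """Deadlines already missed at time `now`, for a dashboard or on-call check."""
    return [d for d in deadlines if now > d.due]


# Constructed sample incident (not from the paper), for an entity subject to both
# regimes: aware 10 March 2025 09:00 UTC, classified as major 21 hours later, so
# the 24-hour awareness cap, not the 4-hour classification clock, sets the deadline.
UTC = timezone.utc
SAMPLE_AWARE_AT = datetime(2025, 3, 10, 9, 0, tzinfo=UTC)
SAMPLE_CLASSIFIED_AT = datetime(2025, 3, 11, 6, 0, tzinfo=UTC)
SAMPLE_INITIAL_SENT_AT = datetime(2025, 3, 11, 8, 30, tzinfo=UTC)
SAMPLE_NOTIFICATION_SENT_AT = datetime(2025, 3, 12, 17, 0, tzinfo=UTC)
SAMPLE_INTERMEDIATE_SENT_AT = datetime(2025, 3, 14, 8, 0, tzinfo=UTC)
SAMPLE_MONTH_END = datetime(2025, 1, 31, 10, 0, tzinfo=UTC)  # exercises the month clamp


def sample_schedule() -> dict[str, datetime]:
    """Combined schedule for the sample incident, keyed 'REGIME stage', earliest first."""
    deadlines = (nis2_deadlines(SAMPLE_AWARE_AT, SAMPLE_NOTIFICATION_SENT_AT)
                 + dora_deadlines(SAMPLE_AWARE_AT, SAMPLE_CLASSIFIED_AT,
                                  SAMPLE_INITIAL_SENT_AT, SAMPLE_INTERMEDIATE_SENT_AT))
    return {f"{d.regime} {d.stage}": d.due for d in sorted(deadlines, key=lambda d: d.due)}


if __name__ == "__main__":
    for stage, due in sample_schedule().items():
        print(f"{due:%Y-%m-%d %H:%M %Z}  {stage}")
```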

Testing Obligations
Because proactive testing can help enterprises identify weaknesses and address them before they are exploited and result in system outages or harm to customers, some regulations include testing requirements. NIS2 does not specify testing measures that should be put in place. In contrast, DORA requires financial entities to conduct threat-led penetration testing (TLPT) every three years, at a minimum, and the scope of this testing may include ICT third-party service providers. This TLPT must cover critical or important functions and must be performed on live production systems.28

Testing should incorporate criticality, business continuity, disaster recovery, and failover considerations. While three years is the minimum frequency for TLPT per DORA, conducting this testing more frequently can ensure alignment with industry best practice and allow enterprises to have more accurate and up-to-date insights on potential areas for improvement. It is recommended that, given the potential risk associated with testing on live production systems, the scope of such testing be carefully defined and managed to minimize any impact on ongoing operations.

In addition to TLPT, DORA also requires financial entities to test their operational resilience. Pen testing and operational resilience go hand in hand, and pen testing can provide valuable insights into operational resilience. Per DORA, operational testing must be risk-based and led by independent internal or external parties.29 Testing may include:30

• Vulnerability assessments and scans
• Open-source analyses
• Gap analyses
• Reviews of physical security
• Performance testing
• Compatibility testing

NIS2 does not require operational resilience testing, but this testing can help enterprises evaluate how they may respond to an incident, so it is a worthwhile activity even if it is not mandatory.

28 Official Journal of the European Union, “Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital
operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014
and (EU) 2016/1011,” Article 26, 14 December 2022, https://eur-lex.europa.eu/eli/reg/2022/2554/oj/eng
29 Official Journal of the European Union, “Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital
operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014
and (EU) 2016/1011,” Article 24, 14 December 2022, https://eur-lex.europa.eu/eli/reg/2022/2554/oj/eng
30 Official Journal of the European Union, “Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital
operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014
and (EU) 2016/1011,” Article 25, 14 December 2022, https://eur-lex.europa.eu/eli/reg/2022/2554/oj/eng


Third-Party Service Provider Requirements
Most enterprises rely on third-party products and services, and third-party outages can have widespread consequences. Contracts with third parties can help address resilience and clearly define risk-related obligations, and enterprises should ensure that service provider requirements are clearly spelled out in contracts and service-level agreements (SLAs).

NIS2 does not outline third-party service provider contractual requirements, but DORA requires that contracts with ICT service providers address risk. Specifically, DORA requires that financial entities have:

• Contractual provisions outlining how the ICT third-party service provider promotes accessibility, availability, integrity, security, and personal data protection
• A method to access, recover, and return data if the service provider discontinues operations
• Assistance in the event of ICT-related incidents related to the services provided

DORA requires that financial entities develop and regularly review their ICT third-party risk strategy, which must include a policy about the use of ICT services supporting critical or important functions provided by ICT third-party service providers.31 Understanding which services support critical or important functions is imperative to resilience.

NIS2 does not provide enterprises with ICT third-party risk requirements, but addressing third-party risk can support an enterprise’s cybersecurity posture. Reviewing the security posture of a third party may include setting specific contractual clauses (e.g., SLAs, right to audit) and requiring providers to provide proof of alignment with specific frameworks, standards, and/or regulations.

NIS2 and DORA align on what is defined as a critical ICT third-party service provider. NIS2 references DORA Article 31 in defining critical ICT third-party service providers. The criteria for determining if a third party is considered a critical ICT third-party service provider are:32

• The impact if the service provider experiences a large-scale operational failure
• The importance of the financial entities that rely on the ICT third-party service provider
• The ICT third-party service provider’s substitutability

Governance and Accountability
NIS2 and DORA have certain requirements around governance and accountability, especially related to senior management involvement. NIS2 specifies that management bodies at essential and important entities are responsible for approving cybersecurity measures and overseeing compliance. Additionally, these individuals may be held liable for noncompliance related to cybersecurity risk management.33

31 Official Journal of the European Union, “Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital
operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014
and (EU) 2016/1011,” Article 28, 14 December 2022, https://eur-lex.europa.eu/eli/reg/2022/2554/oj/eng
32 Official Journal of the European Union, “Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital
operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014
and (EU) 2016/1011,” Article 31, 14 December 2022, https://eur-lex.europa.eu/eli/reg/2022/2554/oj/eng
33 European Union, “Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common
level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU)
2016/1148 (NIS2 Directive),” Article 20, 14 December 2022, https://eur-lex.europa.eu/eli/dir/2022/2555/2022-12-27/eng


DORA requires management to oversee and be responsible for implementing the ICT risk management framework.34 As with NIS2, DORA requires that this management body remain knowledgeable on the applicable topics to best perform their oversight and implementation duties.

Information Sharing
To promote resilience and cybersecurity across an industry, enterprises may wish to share cybersecurity-related information with others in the industry. NIS2 and DORA allow this type of information sharing, but it is voluntary. NIS2 allows entities in its scope to share information about the categories shown in figure 5.

FIGURE 5: Cybersecurity Information to Share

• Cyberthreats
• Near misses
• Cybersecurity tool configuration
• Vulnerabilities
• Cybersecurity alerts
• Techniques and procedures
• Threat-actor-specific information
• Indicators of compromise
• Adversarial tactics

The purpose of information sharing should be to improve cybersecurity, or to prevent, detect, respond to, or recover from incidents or address their impact.35 Note that information sharing with other industry enterprises is voluntary, but significant incident reporting to competent authorities is mandatory.

34 Official Journal of the European Union, “Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital
operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014
and (EU) 2016/1011,” Article 5, 14 December 2022, https://eur-lex.europa.eu/eli/reg/2022/2554/oj/eng
35 European Union, “Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common
level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU)
2016/1148 (NIS2 Directive),” Article 29, 14 December 2022, https://eur-lex.europa.eu/eli/dir/2022/2555/2022-12-27/eng


Noncompliance
NIS2 has significant penalties for noncompliance. To complicate matters, the directive left many aspects to be executed by member states. Member states needed to transpose NIS2 into national law by 17 October 2024,36 but only Belgium, Croatia, Hungary, Italy, Latvia, and Lithuania met the deadline.37

Like many member states, enterprises also struggle with NIS2 compliance. A survey conducted in Ireland in October 2024 indicated that 38% of Irish businesses would not be prepared for NIS2 compliance.38

NIS2 allows member states to impose fines for infringing on certain parts of the directive.39

DORA allows competent authorities to determine penalties and remedial measures for noncompliance.40 This may include criminal penalties.41 DORA does not set specific fines or penalties for noncompliance.

Figure 6 shows the penalties for noncompliance with the NIS2 provisions around cybersecurity risk management measures and reporting obligations, which are outlined in Articles 21 and 23. Member states can set their own penalties for noncompliance with other aspects of NIS2.

FIGURE 6: NIS2 Noncompliance With Articles 21 and 23

Essential Entities: Maximum fines of EUR 10,000,000 or 2% of total worldwide annual turnover, whichever is higher
Important Entities: Maximum fines of EUR 7,000,000 or 1.4% of total worldwide annual turnover, whichever is higher

Conclusion
Enterprises must determine whether they are compliant with NIS2 and/or DORA, as noncompliance could lead to large fines and potential reputational damage. It is also important to note that enterprises that provide their products or services to financial entities or essential or important entities in the European Union may have additional obligations under NIS2 and/or DORA, so familiarity with the requirements of the directive and regulation is essential. Performing a gap analysis to evaluate an enterprise’s current security posture in relation to DORA and NIS2 requirements can be a crucial step to identifying areas of noncompliance and ensuring alignment with regulatory obligations.

Figure 7 contains a high-level comparison of NIS2 and DORA.

36 European Commission, “NIS2 Directive: new rules on cybersecurity of network and information systems,” https://digital-strategy.ec.europa.eu/en/
policies/NIS2-directive
37 Pula, V.; “EU countries late in transposing new EU cybersecurity rules (NIS2),” 18 October 2024, https://www.cullen-international.com/news/
2024/10/EU-countries-late-in-transposing-new-EU-cybersecurity-rules--NIS2-.html
38 Mason Hayes & Curran, “Four in Ten Irish Businesses Not Ready for New EU Cyber Rules,” 15 October 2024, https://www.mhc.ie/latest/news/four-in-
ten-irish-businesses-not-ready-for-new-eu-cyber-rules
39 Official Journal of the European Union, “Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures
for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing
Directive (EU) 2016/1148 (NIS2 Directive),” Article 34, 14 December 2022, https://eur-lex.europa.eu/eli/dir/2022/2555/2022-12-27/eng
40 Official Journal of the European Union, “Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital
operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014
and (EU) 2016/1011,” Article 51, 14 December 2022, https://eur-lex.europa.eu/eli/reg/2022/2554/oj/eng
41 Official Journal of the European Union, “Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital
operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014
and (EU) 2016/1011,” Article 52, 14 December 2022, https://eur-lex.europa.eu/eli/reg/2022/2554/oj/eng


FIGURE 7: NIS2 and DORA Comparison Overview

NIS2
• Directive, so member states must enact laws to achieve NIS2 objectives
• Covers essential and important entities
• Competent authority has right to audit covered entities
• Specifies penalties for certain aspects of noncompliance
• Must notify authorities of a significant incident within 24 hours of an incident

BOTH
• Provide guidelines on information and cybersecurity
• Same definition of critical third-party service provider
• Permit for the voluntary sharing of information
• Allow member states to establish noncompliance penalties

DORA
• Regulation, so it outlines specific, enforceable requirements
• Covers financial sector
• Requires an ICT risk management framework, which is subject to internal audit
• Allows for third-party service provider audit
• Must report incidents within four hours of classification as a major ICT-related incident, and no later than 24 hours after becoming aware of it

Even for enterprises not subject to NIS2 or DORA compliance, these frameworks provide valuable strategies for enhancing resilience and risk management practices. Regularly reviewing third-party risk, conducting penetration testing, and performing audits are essential practices that can significantly benefit enterprises of all sizes across all jurisdictions and industries.


Acknowledgments

Lead Developer
An ISACA Staff Publication

Expert Reviewers
Aamir Jamil, CISM, CGEIT, GRC Simplified Limited, United Kingdom
Suzana Kužnik, Forvis Mazars IT, Slovenia
Christian Riley, CISA, CISM, Royal London Group, United Kingdom
Stefano Romagnoli, CRISC, Luxembourg
Rupinder Pal Singh, CISA, CRISC, CISSP, NICE Incontact, USA

Board of Directors
John De Santis, Chair, Former Chairman and Chief Executive Officer, HyTrust, Inc., USA
Niel Harper, Vice-Chair, CISA, CRISC, CDPSE, CISSP, NACD.DC, Chief Information Security Officer and Data Protection Officer, Doodle, Former Chief Information Security Officer, United Nations Office for Project Services (UNOPS), Germany
Stephen Gilfus, Managing Director, Oversight Ventures LLC, Chairman, Gilfus Education Group and Founder, Blackboard Inc., USA
Gabriela Hernandez-Cardoso, NACD.DC, Former President and CEO, GE Mexico, Independent Board Member, Mexico
Jason Lau, CISA, CISM, CGEIT, CRISC, CDPSE, CIPM, CIPP/E, CIPT, CISSP, FIP, HCISPP, Chief Information Security Officer, Crypto.com, Singapore
Massimo Migliuolo, Independent Board Member, Malaysia
Jamie Norton, CISA, CISM, CGEIT, CIPM, CISSP, Partner, McGrathNicol, Australia
Maureen O’Connell, NACD.DC, Board Chair, Acacia Research (NASDAQ), Former Chief Financial Officer and Chief Administration Officer, Scholastic, Inc., USA
Erik Prusch, Chief Executive Officer, ISACA, USA
Asaf Weisberg, CISA, CISM, CGEIT, CRISC, CSX-P, CDPSE, Chief Executive Officer, introSight Ltd., Israel
Pamela Nigro, ISACA Board Chair 2022-2023, CISA, CGEIT, CRISC, CDPSE, CRMA, Vice President, Security, Medecision, USA
Tracey Dedrick, ISACA Board Chair, 2020-2021, Former Executive Vice President and Head of Enterprise Risk Management, Santander Holdings, USA
Brennan P. Baybeck, ISACA Board Chair, 2019-2020, CISA, CISM, CRISC, CISSP, Senior Vice President and Chief Information Security Officer for Customer Services, Oracle Corporation, USA


About ISACA
ISACA® (www.isaca.org) is a global community advancing individuals and organizations in their pursuit of digital trust. For more than 50 years, ISACA has equipped individuals and enterprises with the knowledge, credentials, education, training and community to progress their careers, transform their organizations, and build a more trusted and ethical digital world. ISACA is a global professional association and learning organization that leverages the expertise of its 180,000+ members who work in digital trust fields such as information security, governance, assurance, risk, privacy and quality. It has a presence in 188 countries, including 225 chapters worldwide. Through the ISACA Foundation, ISACA supports IT education and career pathways for underresourced and underrepresented populations.

1700 E. Golf Road, Suite 400
Schaumburg, IL 60173, USA
Phone: +1.847.660.5505
Fax: +1.847.253.1755
Support: support.isaca.org
Website: www.isaca.org

Participate in the ISACA Online Forums: https://engage.isaca.org/onlineforums
X: www.x.com/ISACANews
LinkedIn: www.linkedin.com/company/isaca
Facebook: www.facebook.com/ISACAGlobal
Instagram: www.instagram.com/isacanews/

DISCLAIMER
ISACA has designed and created Resilience and Security in Critical Sectors: Navigating NIS2 and DORA Requirements (the “Work”) primarily as an educational resource for professionals. ISACA makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, professionals should apply their own professional judgment to the specific circumstances presented by the particular systems or information technology environment.

RESERVATION OF RIGHTS

© 2025 ISACA. All Rights Reserved.
