Skip to main content
NIS2 and DORA – critical regulations you can’t afford to ignore
Share on socials

NIS2 and DORA – critical regulations you can’t afford to ignore

Effie Bagourdi
Effie Bagourdi
November 18, 2024
10 min read
people trying to fix issues with a service desk
Effie Bagourdi
Effie Bagourdi
November 18, 2024
10 min read
The EU is on a mission to improve digital resilience, protecting organisations and consumers from the increasing risk of cyber threats. Part of that effort includes the introduction of NIS2 (Network and Information Security Directive 2) and DORA (Digital Operational Resilience Act) – these are critical regulations for EU-based and non-EU companies (like UK organisations) that serve the EU market.
Hopefully you’re already meeting NIS2 standards (which already came into effect), but the deadline for DORA compliance is just around the corner. To make sure you’re ready, we take a look at why compliance is so important beyond legality, what you need to do to meet the regulations, and how effective IT service management (ITSM) can help.

What you need to know about NIS2 and DORA

What is NIS2?

NIS2 expanded the scope of the original NIS directive to tighten security standards and create a common level of cybersecurity across the EU. It requires digital service providers across ‘essential’ sectors like healthcare, energy, transport, finance, and digital infrastructure, as well as ‘important’ sectors like postal services and waste management, to implement robust measures, safeguarding our critical services. These measures relate to incident response, risk management, supply chain security, and information sharing.

What is DORA?

DORA is focused specifically on the financial sector. It requires banks, investment firms, payment providers, and other financial institutions to ensure they are able to withstand, respond to, and recover from IT-related threats. Related measures include cybersecurity, continuity plans, and response strategies. There’s a big emphasis on third-party risk management too – making sure your external IT providers are meeting the same standards.

When do NIS2 and DORA come into effect?

NIS2 was formally adopted by the EU in 2022, and by October 2024 all member states were required to transpose it into national law, which means it’s already in effect. DORA was adopted in 2022 as well, and it’s coming into effect on 17 January 2025 – so that’s the date financial institutions will need to be compliant by.

Why should you care about NIS2 and DORA regulations?

Prioritising these regulations is not just a good idea, it’s essential. NIS2 applies to a vast array of EU companies. While DORA is focused on financial institutions. If you’re an EU business or a non-EU business that serves customers in the EU, at least some of these regulations probably apply to your organisation.
Compliance isn’t just about avoiding financial and legal penalties – although failure to meet regulations can result in substantial fines and operational restrictions. There are plenty of other reasons to make sure you’re playing by the rules:
  • Mitigate cybersecurity risks – protect your business against ransomware, data breaches, and attacks on your supply chain, which can be costly and damaging.
  • Build customer and stakeholder trust – show you’re committed to security and reliability to maintain business relationships and grow your customer base.
  • Enhance operational resilience – build more resilience so you can withstand disruptions from incidents and supply chain instability and recover quickly.
  • Stay competitive – compliance might be a point of difference over your competitors, opening new doors and partnerships.
  • Streamline internal processes – put best practices in place, from service management to governance, to drive efficiency and improve decision-making.
  • Align with EU-wide standards – smooth cross-border operations by reducing compliance complexity across the wider European market.

How can you make sure you’re compliant?

The precise measures you’ll need to put in place for NIS2 and DORA will depend on your organisation’s size, its exposure to risk, and the cost of implementing technology. But taking a strategic approach to cybersecurity, risk management, and operational resilience can help make sure you meet the necessary obligations. Here are some simple steps to consider for each regulation.

For NIS2 compliance:

  • Know whether your organisation is ‘essential’ or ‘important’ under NIS2, as this will impact what you have to do.
  • Implement a cybersecurity risk management framework that includes threat detection, prevention, and incident response – and regularly update these measures in line with NIS2.
  • Establish a structured incident response process with clear roles and reporting procedures that mean NIS2’s timeframes.
  • Assess your suppliers’ and service providers’ security practices to make sure they meet NIS2 standards too.
  • Keep your team trained up in threat awareness and response to improve resilience against cyberthreats.
  • Work with other businesses across your sector and government agencies to communicate threat intelligence.

For DORA compliance:

  • Put a digital resilience strategy in place that identifies potential IT risks and plans for recovery.
  • Assess and manage risk from your external IT providers and put contracts in place that enforce DORA’s standards.
  • Establish a system for monitoring, detecting, and responding to cyber incidents in a timely manner.
  • Carry out testing (like penetration testing and disaster recovery drills) to prove your resilience measures are working.
  • Set up a team (or individual) to take care of DORA compliance for your organisation with a clear oversight process.
  • Keep your team trained up in responding to digital risks, like phishing, ransomware, and social engineering tactics.

How can service management make compliance easier?

Service management can be really useful when it comes to NIS2 and DORA compliance. ITSM practices and tools help build a structured, systematic approach to IT operations, making it much easier for you to implement the security, resilience, and reporting standards that these regulations demand.
Here’s how it helps:

Incident management

Both NIS2 and DORA have clear incident reporting requirements. ITSM frameworks like ITIL help you define processes for incident management, enabling you to carry out regular audits, respond quickly and consistently, notify authorities in line with the regulations, and produce incident reports. ITSM tools can also let you know whether a service is functioning properly, alerting you to potential incidents, and predict how long it will take to recover from an outage.
Adaptavist and ITIL logo with ITSM icon in the middle

ITIL training packages for the modern organisation

Empower your teams so they can learn how to correctly setup your Incident Management processes with our ITIL training packages, as part of your DORA and NIS2 compliance strategy.

Risk management

NIS2 puts a big emphasis on risk management, while DORA encourages digital resilience. ITSM encourages your organisation to undertake regular risk assessments and implement management vulnerability management frameworks so you can be proactive. These help you to identify and mitigate potential vulnerabilities before they become compliance issues.

Change management

NIS2 and DORA both outline a number of security and resilience requirements that changes to IT services can impact. ITSM frameworks include change management practices and tracking so any software updates or infrastructure improvements are documented, tested, and implemented in a controlled manner, reducing the risk of vulnerabilities and disruptions. Regulators can then use ITSM tools to query any changes that cause issues.

Governance and accountability

ITSM helps you develop a clear governance structure for assigning and tracking roles and responsibilities. That way, all compliance-related tasks are owned, reviewed, and audited effectively. This helps you meet the governance and accountability standards embedded within NIS2 and DORA. It also means you can demonstrate to regulators that oversight is embedded in your daily operations and organisational culture.

Third-party management

NIS2 and DORA regulations apply to your supply chain too, so you’ll need processes that assess and monitor your IT providers to make sure they’re compliant. ITSM frameworks promote systematic management of these third parties, helping you continuously monitor and assess related risks.

Employee awareness and training

Championing a security-first culture is paramount to compliance. Luckily, ITSM frameworks require staff training and knowledge sharing to keep everyone up to date about security best practice and protocols. This all serves to standardise the way these regulations are adhered to across your organisation.

Are you compliant?

Ensuring you meet new regulations (and maintain your compliance with older ones) is no mean feat. But with effective service management on your side, you stand a much greater chance. Our ITSM and ESM packages support organisations like yours to implement high-velocity service management solutions and practices.
Written by
Effie Bagourdi
Effie Bagourdi
Head of Service Management Practice
With 15 year's experience in IT and service management, Effie is an ITIL4 professional with a track record in highly regulated industries such as banking. Leading our service management practice, Effie is passionate about leveraging AI to elevate customer experience.
ITSM