With DORA in force and NIS2 officially applicable, ISACA's new white paper comes at a key moment for digital security in Europe.
Madrid—This is a crucial year for new cybersecurity legal frameworks in Europe, but even halfway through 2025, a large portion of businesses still do not fully comprehend their obligations under the NIS2 Directive and DORA Regulation – or are struggling to apply them in practice.
Many organizations, especially SMEs and ICT providers, have a limited understanding of what these regulations require, how to successfully implement them or even what benefits they offer. Both are central to the European Union's digital operational resilience, but confusion remains widespread.
On top of this, only a handful of EU Member States met the October 2024 deadline to transpose NIS2 into national law. In Ireland – one of Europe’s most digitally advanced economies – 38% of businesses admitted they are unprepared, highlighting the scale of the challenge even in mature markets. This insufficient preparedness is likely mirrored across much of the EU, particularly among SMEs and non-financial entities, which now face new stringent accountability, audit, and reporting obligations.
With many enterprises still in the early stages of implementation, ISACA recently published its white paper, Resilience and Security in Critical Sectors: Navigating NIS2 and DORA Requirements, which serves as a strategic guide for businesses, financial institutions, public administrations, and technology providers. The paper offers a clear breakdown of both regulations and outlines how enterprises can operationalize compliance while strengthening cyber resilience.
“The challenge is not only understanding the regulations but also ensuring that companies know how to apply them effectively,” says Chris Dimitriadis, ISACA Chief Global Strategy Officer. “DORA and NIS2 mark a fundamental shift in how organizations approach resilience and cybersecurity governance. The consequences for noncompliance are steep—and more importantly, so are the risks of operational disruption. ISACA is committed to helping individuals and organizations in preparing for this new era.”
Key Points to Keep in Mind for Compliance
ISACA's white paper offers essential guidance for companies working toward regulatory compliance:
- Know your scope: determine whether your business falls under NIS2, DORA, or both. Even non-EU companies may be indirectly affected.
- Build a resilient ICT framework: establish comprehensive ICT risk management strategies and align them with business objectives. Regularly review and test continuity and recovery plans.
- Treat third-party risk seriously: make sure that contracts with ICT providers include specific clauses on continuity, security, and audit rights. Many technology providers, including software developers, cloud providers, and managed services providers, are unaware that DORA directly affects them due to their contracts with financial institutions.
- Prepare for reporting obligations: DORA and NIS2 have strict and differing timelines for incident notifications, and incident response teams must know what, when, and how to report.
  - NIS2: a preliminary notice is required within 24 hours and a final report within one month.
  - DORA: major ICT incidents must be reported within four hours of their classification.
- Train leadership and staff: there should be mandatory cybersecurity awareness training at every level. With special regard to the financial sector, it’s worth noting that the TIBER-EU framework developed by the European Central Bank (ECB) has been fully aligned with DORA and now requires top-tier skills and certifications for red team testers and threat intelligence providers, who must have skilled and certified staff to perform their functions properly.
- Audit proactively: conduct internal and external audits regularly. Under DORA, ICT audit functions must be independent and skilled.
- Test and improve: DORA requires financial entities to conduct threat-led penetration testing and to test their operational resilience.
- Document everything: maintain updated documentation on policies, risk assessments, controls, and responses. This is critical for transparency and regulatory review.
In case of non-compliance with NIS2, the EU warns that fines can reach €7 million and up to €10 million for major entities, while DORA leaves the application of sanctions to national authorities.
A key resource for the European digital ecosystem
The white paper not only helps compliance teams understand regulatory expectations, but also supports CISOs, IT leaders, and risk professionals in building long-term resilience and digital trust. It is designed to guide not only organizations but also their technology partners and suppliers, and its comparative analysis of DORA and NIS2, combined with practical recommendations, makes it a key reference point for navigating Europe’s evolving cyber regulatory landscape. To download a free copy of Resilience and Security in Critical Sectors: Navigating NIS2 and DORA Requirements, visit https://www.isaca.org/resources/white-papers/2025/resilience-and-security-in-critical-sectors-navigating-nis2-and-dora-requirements. Other publications that may be useful for financial institutions include the ISACA IT Risk Framework, the IT Risk Professional's Guide, and the IT Risk Fundamentals Study Guide. Additional risk-related IT resources can be found at www.isaca.org/resources/it-risk.
About ISACA
ISACA® (www.isaca.org) champions the global workforce advancing trust in technology. For more than 55 years, ISACA has empowered its community of 185,000+ members with the knowledge, credentials, training and network they need to thrive in fields like information security, governance, assurance, risk management, data privacy and emerging tech. With a presence in more than 190 countries and with nearly 230 chapters worldwide, ISACA offers resources tailored to every stage of members’ careers—helping them to thrive in a rapidly changing digital landscape, drive trusted innovation and ensure a more secure digital world. Through the ISACA Foundation, ISACA also expands IT and education career pathways, fostering opportunities to grow the next generation of technology professionals.
LinkedIn: www.linkedin.com/company/isaca
Facebook: www.facebook.com/ISACAGlobal
Instagram: www.instagram.com/isacanews
Contact:
Estudio de Comunicación
Pavel Ramírez, +34 649 134 153, pramirez@estudiodecomunicacion.com
Fernando García, +34 696 249 078, fgarcia@estudiodecomunicacion.com
Sonsoles Martín, +34 662 494 586, smartin@estudiodecomunicacion.com
Ana Pereira, +34 647 883 986, apereira@estudiodecomunicacion.com
ISACA
Esther Almendros, +34 692 669 772, ealmendros@isaca.org