C-Risk 2025 — DORA and NIS2: strengthening digital resilience across the EU

Vendor-published article by C-Risk, a Cyber Risk Quantification (CRQ) consultancy that uses the Open FAIR™ methodology. Part of their "Cybersecurity Compliance Guide" hub. The most detailed source in the legal-risk cluster on the DORA × NIS2 mapping — particularly relevant for AI-driven process automation in financial services and other regulated critical sectors.

DORA: the financial-sector pillar

Scope and structure

Regulation (EU) 2022/2554 introduced September 2020; in force 16 January 2023; applicable from 17 January 2025.
Applies to all financial institutions in the EU — banks, investment firms, credit institutions, plus non-traditional entities like crypto-asset service providers (Art. 2(1) lists exhaustively; Art. 2(3) exceptions).
Critical extension: ICT third-party service providers do not need to be EU-based to come under the regulation. Any third party providing services to a European company is in scope.

The five DORA pillars

ICT Risk Management — robust governance and control frameworks, up-to-date systems, digital operational-resilience strategies.
ICT-Related Incident Management, Classification and Reporting — structured process for identifying and managing incidents; major incidents reported to the relevant authority.
Digital Operational Resilience Testing — regular testing of ICT systems including third-party penetration testing and threat-led penetration testing (TLPT).
Managing of ICT Third-Party Risk — due diligence, contractual provisions, ICT concentration risk.
Information Sharing — cyber-threat and vulnerability intelligence sharing among financial entities and authorities.

European Supervisory Authorities (ESAs) and policy products

The ESAs (EBA, EIOPA, ESMA) plus ECB and ENISA are mandated to develop 13 policy products in two batches:

First batch: RTS on ICT risk management framework; RTS on ICT incident classification; ITS for register of information; RTS on policy on ICT services performed by ICT third-party providers.
Second batch: RTS/ITS on incident reporting content/timelines/templates; GL on aggregated costs/losses from major incidents; RTS on subcontracting critical functions; RTS on oversight harmonisation; GL on oversight cooperation between ESAs and competent authorities; RTS on threat-led penetration testing (TLPT).

NIS2: the cross-sector cybersecurity pillar

Scope

Directive (EU) 2022/2555 — in force 16 January 2023; transposition deadline 17 October 2024.
At time of writing the article: only 17 of 27 EU Member States had transposed NIS2 into national law (a known compliance lag).
Applies to medium and large organisations in critical sectors. Significantly broader than the original NIS Directive.
Two scope categories:
- Essential entities — sectors where disruption could have severe societal/economic consequences. Full supervisory regime.
- Important entities — other critical sectors, lighter supervisory regime.
Both categories must comply with the same core cybersecurity risk-management and incident-reporting obligations.
General threshold: 50+ employees or annual turnover exceeding €10 million; some entities included regardless of size due to systemic importance.
Covered sectors include: energy; transport; banking; financial market infrastructures; health, drinking water, wastewater; digital infrastructure (cloud service providers, data centres, content delivery networks, managed service providers, managed security service providers); public administration at central and regional levels; space; postal/courier services.

Core focus areas

Governance and accountability — oversight responsibilities placed on executives. Management bodies approve cybersecurity risk-management measures, oversee implementation, ensure policies/controls/training in place.
Incident handling and reporting — detect, assess, respond, report significant incidents. Structured framework with early warnings, incident notifications, final reports.
Third-party and supply-chain risk management — explicitly extends cybersecurity expectations across the supply chain.
Business continuity and crisis management — backup management, disaster recovery, crisis response planning, timely system restoration.

DORA × NIS2: where they overlap

Dimension	DORA	NIS2
Legal instrument	Regulation (uniform, directly applicable)	Directive (transposed nationally)
Sectoral scope	Financial entities + ICT third-party providers	Cross-sector (energy, transport, health, digital infra, etc.)
Implementation variance	Uniform across EU	Variable per Member State
Third-party coverage	Strict ICT third-party rules + concentration risk	Vendor diligence, supply-chain risk management
Incident reporting	Major incidents via classification/reporting system	Early warning + notification + final report; significant incidents to national authorities
Resilience testing	Mandatory TLPT for designated entities	Risk-based testing implied via risk management

Both regimes share:

Extension of accountability to ICT/digital third parties.
Supply-chain and third-party vendor risk as priority.
Executive accountability at the top.
Demonstrable, documented, evidence-based compliance.

Going beyond compliance: the C-Risk position

The article's editorial line (this is vendor content) is that compliance-as-checklist is insufficient under both regimes. C-Risk advocates:

Cyber Risk Quantification (CRQ) using Open FAIR™ to translate technical risk into financial impact.
Linking regulatory requirements to measurable outcomes rather than checklist controls.
Supporting governance and board oversight with consistent risk metrics.
Assessing third-party risk based on criticality, exposure, potential impact.
Demonstrating resilience over time through repeatable, evidence-based analysis.

Resilience under both regimes is framed as requiring:

Executive accountability for cybersecurity and operational-resilience decisions.
Information and intelligence sharing with peers and regulators.
Documented processes for risk assessment, incident response, continuity planning.
Oversight of third parties and supply chains.

Critical read

Source quality: low-mid. Vendor content from a CRQ consultancy promoting its services. The factual content (DORA regulation number, NIS2 directive number, dates, pillars) is accurate and verifiable against EUR-Lex.
Useful as: a structured DORA × NIS2 comparison. The five-pillar framing of DORA and the Essential-vs-Important distinction in NIS2 are correct.
Limitations:
- The "going beyond compliance" section is sales material, not analysis.
- The 17-of-27 transposition figure is undated — verify against ENISA's NIS2 transposition tracker before citing.
- The article does not address how DORA/NIS2 interact with the AI Act for AI-driven process automation — this gap matters for the synthesis.

Connections

Concepts: concepts/dora · concepts/nis2 · concepts/eu-ai-act (interaction) · concepts/ict-third-party-risk Related sources (in this wiki): sources/2026-bcc26-eu-digital-regulation-interpretation-to-implementation (2026 enforcement-status snapshot) · sources/2023-lazcoz-dehert-humans-in-gdpr-and-aia-governance (the AI/GDPR governance frame DORA/NIS2 connect with through accountability) Syntheses: syntheses/legal-risk-mapping-ai-process-automation

Open follow-ups

The interaction between DORA and the AI Act for high-risk AI systems used in financial-sector decisioning (credit scoring, fraud detection, insurance underwriting) is not addressed here — significant gap in this source.
ENISA tracker for NIS2 transposition status would be a better authoritative source for the per-Member-State picture.