---
title: "DORA and NIS2: strengthening digital resilience across the EU"
type: source
tags: [dora, nis2, ict-risk-management, third-party-risk, financial-sector, operational-resilience, regulatory-risk, legal]
authors: [C-Risk (Cyber Risk Quantification consultancy)]
year: 2025
venue: "C-Risk Cybersecurity Compliance Guide — vendor-published web article (c-risk.com)"
kind: webpage
raw_path: "raw/Legal/c-risk-dora-and-nis2-overview.pdf"
created: 2026-04-27
updated: 2026-04-27
key_claims:
  - DORA (Reg. EU 2022/2554) applies directly and uniformly across the EU; NIS2 (Directive 2022/2555) is transposed through national legislation and varies by Member State — this regulation-vs-directive distinction is the central operational difference between the two regimes.
  - DORA structures financial-sector ICT resilience around five pillars — ICT Risk Management, ICT-Related Incident Management/Classification/Reporting, Digital Operational Resilience Testing, Managing of ICT Third-Party Risk, Information Sharing.
  - NIS2 distinguishes between *Essential entities* (severe-consequence sectors, full supervisory regime) and *Important entities* (other critical sectors, lighter regime) — both must comply with the same core risk-management and incident-reporting obligations.
  - Both DORA and NIS2 extend accountability to ICT/digital third parties — supply-chain and third-party vendor risk is a regulatory priority for organisations operating in Europe.
  - Compliance with DORA and NIS2 requires a shift from checklist-based compliance to a *risk-based, data-driven approach* — Cyber Risk Quantification (CRQ) using methodologies like Open FAIR™ is positioned as the C-Risk-recommended path.
---

# C-Risk 2025 — DORA and NIS2: strengthening digital resilience across the EU

Vendor-published article by **C-Risk**, a Cyber Risk Quantification (CRQ) consultancy that uses the Open FAIR™ methodology. Part of their "Cybersecurity Compliance Guide" hub.

**The most detailed source in the legal-risk cluster on the DORA × NIS2 mapping** — particularly relevant for AI-driven process automation in financial services and other regulated critical sectors.

## DORA: the financial-sector pillar

### Scope and structure

- **Regulation (EU) 2022/2554** — proposed September 2020; in force 16 January 2023; applicable from **17 January 2025**.
- Applies to all financial institutions in the EU — banks, investment firms, credit institutions, plus non-traditional entities like crypto-asset service providers (Art. 2(1) lists them exhaustively; Art. 2(3) sets out the exceptions).
- **Critical extension**: ICT third-party service providers do *not* need to be EU-based to come under the regulation. Any third party providing services to a European financial entity is in scope.

### The five DORA pillars

1. **ICT Risk Management** — robust governance and control frameworks, up-to-date systems, digital operational-resilience strategies.
2. **ICT-Related Incident Management, Classification and Reporting** — structured process for identifying and managing incidents; major incidents reported to the relevant authority.
3. **Digital Operational Resilience Testing** — regular testing of ICT systems, including third-party penetration testing and **threat-led penetration testing (TLPT)**.
4. **Managing of ICT Third-Party Risk** — due diligence, contractual provisions, ICT concentration risk.
5. **Information Sharing** — cyber-threat and vulnerability intelligence sharing among financial entities and authorities.

### European Supervisory Authorities (ESAs) and policy products

The ESAs (EBA, EIOPA, ESMA), together with the ECB and ENISA, are mandated to develop **13 policy products** in two batches:

- **First batch**: RTS on the ICT risk-management framework; RTS on ICT incident classification; ITS for the register of information; RTS on the policy on ICT services performed by ICT third-party providers.
- **Second batch**: RTS/ITS on incident-reporting content, timelines and templates; GL on aggregated costs/losses from major incidents; RTS on subcontracting of critical functions; RTS on oversight harmonisation; GL on oversight cooperation between ESAs and competent authorities; RTS on threat-led penetration testing (TLPT).

## NIS2: the cross-sector cybersecurity pillar

### Scope

- **Directive (EU) 2022/2555** — in force 16 January 2023; transposition deadline **17 October 2024**.
- At the time the article was written, only **17 of 27 EU Member States** had transposed NIS2 into national law (a known compliance lag).
- Applies to medium and large organisations in critical sectors. Significantly broader than the original NIS Directive.
- Two scope categories:
  - **Essential entities** — sectors where disruption could have severe societal/economic consequences. Full supervisory regime.
  - **Important entities** — other critical sectors, lighter supervisory regime.
- Both categories must comply with the same core cybersecurity risk-management and incident-reporting obligations.
- General threshold: 50+ employees or annual turnover exceeding €10 million; some entities are included regardless of size because of their systemic importance.
- Covered sectors include: energy; transport; banking; financial market infrastructures; health; drinking water; wastewater; digital infrastructure (cloud service providers, data centres, content delivery networks, managed service providers, managed security service providers); public administration at central and regional levels; space; postal/courier services.

### Core focus areas

- **Governance and accountability** — oversight responsibilities placed on executives. Management bodies approve cybersecurity risk-management measures, oversee implementation, and ensure policies, controls and training are in place.
- **Incident handling and reporting** — detect, assess, respond to and report significant incidents. Structured framework with **early warnings, incident notifications, final reports**.
- **Third-party and supply-chain risk management** — explicitly extends cybersecurity expectations across the supply chain.
- **Business continuity and crisis management** — backup management, disaster recovery, crisis response planning, timely system restoration.

## DORA × NIS2: where they overlap

| Dimension | **DORA** | **NIS2** |
|---|---|---|
| Legal instrument | Regulation (uniform, directly applicable) | Directive (transposed nationally) |
| Sectoral scope | Financial entities + ICT third-party providers | Cross-sector (energy, transport, health, digital infra, etc.) |
| Implementation variance | Uniform across EU | Variable per Member State |
| Third-party coverage | Strict ICT third-party rules + concentration risk | Vendor diligence, supply-chain risk management |
| Incident reporting | Major incidents via classification/reporting system | Early warning + notification + final report; significant incidents to national authorities |
| Resilience testing | Mandatory TLPT for designated entities | Risk-based testing implied via risk management |

**Both regimes share**:

- Extension of accountability to ICT/digital third parties.
- Supply-chain and third-party vendor risk as a priority.
- Executive accountability at the top.
- Demonstrable, documented, evidence-based compliance.

## Going beyond compliance: the C-Risk position

The article's editorial line (this is vendor content) is that compliance-as-checklist is insufficient under both regimes. C-Risk advocates:

- Cyber Risk Quantification (CRQ) using Open FAIR™ to translate technical risk into financial impact.
- Linking regulatory requirements to measurable outcomes rather than checklist controls.
- Supporting governance and board oversight with consistent risk metrics.
- Assessing third-party risk based on criticality, exposure and potential impact.
- Demonstrating resilience over time through repeatable, evidence-based analysis.

Resilience under both regimes is framed as requiring:

- Executive accountability for cybersecurity and operational-resilience decisions.
- Information and intelligence sharing with peers and regulators.
- Documented processes for risk assessment, incident response and continuity planning.
- Oversight of third parties and supply chains.

## Critical read

- **Source quality**: low-mid. Vendor content from a CRQ consultancy promoting its services. The factual content (DORA regulation number, NIS2 directive number, dates, pillars) is accurate and verifiable against EUR-Lex.
- **Useful as**: a structured DORA × NIS2 comparison. The five-pillar framing of DORA and the Essential-vs-Important distinction in NIS2 are correct.
- **Limitations**:
  - The "going beyond compliance" section is sales material, not analysis.
  - The 17-of-27 transposition figure is undated — verify against ENISA's NIS2 transposition tracker before citing.
  - The article does not address how DORA/NIS2 interact with the AI Act for AI-driven process automation — this gap matters for the synthesis.

## Connections

**Concepts:** [[concepts/dora]] · [[concepts/nis2]] · [[concepts/eu-ai-act]] (interaction) · [[concepts/ict-third-party-risk]]

**Related sources (in this wiki):** [[sources/2026-bcc26-eu-digital-regulation-interpretation-to-implementation]] (2026 enforcement-status snapshot) · [[sources/2023-lazcoz-dehert-humans-in-gdpr-and-aia-governance]] (the AI/GDPR governance frame that DORA/NIS2 connect with through accountability)

**Syntheses:** [[syntheses/legal-risk-mapping-ai-process-automation]]

## Open follow-ups

- The interaction between DORA and the AI Act for high-risk AI systems used in financial-sector decisioning (credit scoring, fraud detection, insurance underwriting) is not addressed here — a significant gap in this source.
- ENISA's tracker for NIS2 transposition status would be a better authoritative source for the per-Member-State picture.