
NIS2 and DORA: What UK and EU Organisations Need to Know in 2026

A practical guide to the EU's most significant cybersecurity regulations — and why UK organisations cannot afford to ignore them.

8 March 2026 | Tags: NIS2, DORA, Regulatory Compliance

The regulatory landscape has shifted

The European Union's cybersecurity regulatory framework has undergone its most significant transformation in a decade. Two pieces of EU legislation now define the compliance landscape for thousands of organisations across Europe and beyond: NIS2 (the Network and Information Security Directive 2) and DORA (the Digital Operational Resilience Act).

NIS2, which EU member states were required to transpose into national law by October 2024, dramatically expands the scope of cybersecurity obligations. DORA, which has applied since January 2025, creates a comprehensive digital resilience framework specifically for financial services. Together, they represent the most far-reaching cybersecurity regulatory push the EU has ever undertaken.

If your organisation is based in the UK, you might assume these are purely EU concerns. That assumption is increasingly dangerous. If you serve EU customers, operate within EU supply chains, provide ICT services to EU-regulated entities, or maintain any infrastructure within the EU, one or both of these regulations likely applies to you. The extraterritorial reach is real, and enforcement is accelerating.

NIS2: broader scope, sharper teeth

The original NIS Directive, adopted in 2016, applied to a relatively narrow set of "operators of essential services." NIS2 rewrites the rules entirely. The scope has expanded to cover a far wider range of sectors:

  • Energy
  • Transport
  • Health
  • Digital infrastructure
  • ICT service management
  • Public administration
  • Space
  • Food production
  • Manufacturing
  • Waste management
  • Postal services
  • Chemicals
  • Research

The requirements are substantially more prescriptive than the original directive. Organisations in scope must implement:

  • Comprehensive risk management measures — covering incident handling, business continuity, supply chain security, network security, access control policies, and encryption
  • Rapid incident reporting — an early warning within 24 hours, a full notification within 72 hours, and a final report within one month of a significant incident
  • Supply chain security — organisations must assess and manage the cybersecurity risks of their direct suppliers and service providers
  • Board-level accountability — management bodies must approve cybersecurity risk management measures and can be held personally liable for non-compliance. Mandatory cybersecurity training for senior leadership is required

The penalties reflect the seriousness with which the EU is treating this. For essential entities, fines can reach the higher of 10 million euros or 2% of global annual turnover. For important entities, the cap is 7 million euros or 1.4% of turnover. These are numbers that command board attention.

DORA: resilience by design for financial services

Where NIS2 casts a wide net across sectors, DORA focuses its attention squarely on financial services. It applies to banks, insurance companies, investment firms, crypto-asset service providers, and — critically — the ICT third-party service providers they depend on, including cloud providers and data analytics firms.

DORA's five pillars create a comprehensive resilience framework:

  1. ICT risk management — financial entities must maintain a robust, documented ICT risk management framework that is reviewed and updated regularly
  2. Incident reporting — a standardised process for classifying and reporting ICT-related incidents to competent authorities, with defined timelines and severity thresholds
  3. Digital operational resilience testing — regular testing including, for significant entities, threat-led penetration testing (TLPT) at least every three years
  4. Third-party risk management — detailed requirements for managing ICT third-party providers, including contractual provisions, exit strategies, and oversight of concentration risk
  5. Information sharing — provisions encouraging the exchange of cyber threat intelligence and vulnerability information between financial entities

The regulation is directly applicable across all EU member states — no transposition required. For UK financial services firms with EU operations, clients, or partnerships, DORA compliance is not optional. And for ICT providers serving EU financial institutions, being able to demonstrate DORA alignment is rapidly becoming a market access requirement.

The real challenge: overlapping frameworks

Here is where the compliance landscape becomes genuinely complex. Many organisations — particularly financial services firms and their technology providers — do not face NIS2 or DORA in isolation. They face both, simultaneously, layered on top of existing obligations.

Consider a mid-sized UK fintech that provides payment processing services to EU banks. That organisation potentially falls within scope of:

  • DORA — as an ICT third-party service provider to EU financial entities
  • NIS2 — as a provider of digital infrastructure or ICT services
  • GDPR — for processing personal data of EU citizens
  • ISO 27001 — if certified, which most enterprise clients now expect
  • Cyber Essentials / Cyber Essentials Plus — as a UK government supply chain requirement

Each of these frameworks has its own control sets, its own documentation requirements, its own audit cycles. And yet there is significant overlap between them. Risk management, incident response, access control, supplier management, business continuity — these themes appear in every single framework, expressed differently but targeting the same underlying security practices.

The organisations that struggle are the ones managing each framework as a separate workstream, with separate documentation, separate evidence collection, and separate reporting. The duplication is enormous, expensive, and unsustainable as the number of applicable frameworks grows.

A smarter approach: multi-framework control mapping

The solution is not to hire more compliance analysts for each new regulation. It is to recognise that the majority of controls across NIS2, DORA, GDPR, ISO 27001, and other frameworks are addressing the same fundamental security requirements — and to manage them accordingly.

How GRCxAI addresses this

GRCxAI covers 26 regulatory and industry standards — including NIS2, DORA, GDPR, ISO 27001, SOC 2, and Cyber Essentials — across 47 modules and 764 controls. Its multi-framework control mapping means you implement a control once, and it maps that control across every applicable framework automatically.

When you document your incident response process to satisfy NIS2's 24-hour reporting requirement, GRCxAI identifies that the same control also satisfies DORA's incident reporting obligations, ISO 27001 Annex A.5.24-5.28, and GDPR Article 33. One piece of evidence. Multiple frameworks. AI identifies the overlaps and highlights the gaps — the requirements that are unique to one framework and need additional attention.

Automated evidence collection reduces the manual burden of gathering proof across systems. Board-ready reporting addresses the new personal accountability requirements that both NIS2 and DORA impose on senior leadership. Your management body gets clear visibility of compliance posture without wading through spreadsheets.

Intelligence-led compliance

Both NIS2 and DORA explicitly require that risk management is informed by current threat intelligence. Article 21 of NIS2 mandates "policies on risk analysis and information system security." DORA requires that ICT risk management frameworks account for "the evolving cyber threat landscape."

This is where Corvus Security IQ complements the compliance picture. Corvus provides regulatory horizon scanning that tracks upcoming enforcement deadlines and regulatory developments across jurisdictions. Its threat intelligence feeds — drawn from 15 sources and analysed through structured analytical methodologies — feed directly into the risk assessment processes that both NIS2 and DORA demand.

When a new threat campaign targets your sector, that intelligence should flow into your risk register. When a vulnerability affects your supply chain, that should trigger a reassessment. NIS2 and DORA are moving the regulatory world away from point-in-time compliance towards continuous, intelligence-driven risk management. The tools you use need to support that shift.

Practical next steps

If your organisation has not yet assessed its NIS2 and DORA exposure, the time to start is now. Enforcement is underway, and supervisory authorities are building capacity. Here is a practical starting framework:

  1. Audit your current framework coverage. Map every regulation and standard you are subject to. Identify where NIS2 and DORA apply — remembering that EU reach extends to non-EU suppliers, service providers, and partners. Be rigorous about the scope assessment.
  2. Identify the gaps. If you already hold ISO 27001 certification or maintain SOC 2 compliance, you have a substantial foundation. The gap analysis should focus on the requirements unique to NIS2 (such as the 24-hour early warning obligation and board-level accountability) and DORA (such as threat-led penetration testing and ICT third-party concentration risk).
  3. Establish incident reporting processes. Both NIS2 and DORA impose strict timelines for incident notification. If your current process assumes "report within a reasonable timeframe," that is no longer sufficient. Define clear escalation paths, reporting templates, and responsible individuals. Test them.
  4. Review supply chain security. NIS2 places explicit obligations on managing supplier cybersecurity risk. DORA requires detailed oversight of ICT third-party providers. Audit your critical suppliers, assess their security posture, and ensure your contracts contain the necessary provisions.
  5. Engage senior leadership. Both NIS2 and DORA make board-level accountability a legal requirement. Ensure your management body understands its obligations, receives regular compliance reporting, and has undergone appropriate cybersecurity training.
  6. Consolidate your compliance tooling. If you are managing NIS2, DORA, GDPR, ISO 27001, and other frameworks in separate spreadsheets, separate tools, or separate teams, consolidation will save significant effort and reduce the risk of inconsistencies. A platform like GRCxAI is designed precisely for this scenario.

The bigger picture

NIS2 and DORA are not isolated regulations. They are part of a broader trend towards mandated cybersecurity maturity across all sectors and all sizes of organisation. The EU Cyber Resilience Act is coming for connected products. The UK's own regulatory landscape continues to evolve with updates to the Network and Information Systems Regulations and sector-specific requirements from the FCA and PRA.

The organisations that will navigate this well are those that treat compliance not as a checkbox exercise but as an integrated part of how they manage security. Build the controls once, map them across frameworks, evidence them continuously, and use threat intelligence to keep your risk management current.

That is the approach we have built GRCxAI and Corvus Security IQ to support. Not compliance for its own sake, but genuine security posture improvement that happens to satisfy the regulators along the way.

If you would like to explore how this works in practice, view our pricing or get in touch.

This article provides general guidance on NIS2 and DORA regulatory requirements and is intended for informational purposes only. It does not constitute legal advice. Organisations should consult qualified legal counsel for advice specific to their circumstances and jurisdictions.
