
NIS2 and DORA Compliance

NIS2 applies from 18 October 2024 (Member States had to transpose it by 17 October 2024), DORA from 17 January 2025. Entities in the 18 sectors covered by NIS2 must meet its requirements or risk fines of up to €10 million or 2% of worldwide annual turnover, whichever is higher. We provide gap analysis, an implementation plan, and audit preparation support.

Product Manager / Sales Representative: Grzegorz Gnych

  • NIS2/DORA experts: certified auditors
  • Ready templates: policies and procedures
  • Implementation roadmap: prioritized plan

Fines of up to €10 million or 2% of worldwide annual turnover for non-compliance - regulators are already auditing

For essential entities the NIS2 fine ceiling is at least €10 million or 2% of total worldwide annual turnover, whichever is higher; €10 million is the minimum national maximum, not a cap.

Complete NIS2 and DORA preparation

Gap Analysis

Compliance assessment against 10 requirement areas

Implementation Plan

Roadmap with priorities and timeline

Implementation Support

Help in meeting compliance requirements

Company Received €2 Million Fine - Didn’t Know They Were Subject to NIS2

A logistics operator had not registered as an NIS2-covered entity and had no incident management procedures. After a ransomware attack it did not submit the early warning to the national CSIRT within the required 24 hours. The regulator imposed a €2 million fine plus a mandate to implement all requirements within 90 days. Total cost including implementation: €3.5 million.

Without NIS2/DORA preparation you:

  • Risk fines of up to €10 million or 2% of worldwide annual turnover (whichever is higher)
  • May not know whether you are subject to the regulations at all (18 NIS2 sectors, plus entity types covered regardless of size, such as DNS service providers and trust service providers)
  • Lose contracts - partners require compliance from their suppliers
  • Can have certifications or authorisations temporarily suspended, and management temporarily barred from managerial functions (essential entities)

Comprehensive Path to Compliance

We don’t leave you with a list of requirements. We guide you from the first meeting to successful audit completion. We deliver ready documentation templates, help implement technical controls, and prepare you for regulator communication.

What you get:

  • Assessment whether you’re subject to NIS2 or DORA (qualification: essential/important entity)
  • Gap analysis against 10 NIS2 areas and DORA chapters
  • Cybersecurity maturity assessment
  • Implementation roadmap - prioritized action plan with timeline
  • Ready templates: policies, procedures, registers, forms
  • Support in implementing technical controls (SIEM, vulnerability management, backup, incident response)
  • Preparation for incident reporting to CSIRT
  • Training for management and teams (awareness, obligations)
  • Support in preparing for regulator audit
  • Optionally: ongoing compliance oversight (virtual CISO)

Who Is It For?

This service is for you if:

  • You operate in one of the 18 NIS2 sectors (energy, transport, finance, digital providers…)
  • You are a financial entity subject to DORA
  • You are at least a medium-sized enterprise: 50 or more employees, or annual turnover or balance sheet above €10 million (the NIS2 size threshold; some entity types are covered regardless of size)
  • You provide digital services (cloud, DNS, TLD registry, online marketplace)
  • You want to avoid fines and be ready for a regulator audit

NIS2 Directive

Who Does NIS2 Apply To?

18 sectors, split between Annex I (sectors of high criticality) and Annex II (other critical sectors) of the directive.

Annex I - sectors of high criticality:

  • Energy (electricity, district heating and cooling, oil, gas, hydrogen)
  • Transport (air, rail, water, road)
  • Banking (credit institutions)
  • Financial market infrastructure (trading venues, central counterparties)
  • Health (healthcare providers, reference laboratories, pharmaceutical and critical medical device manufacturing)
  • Drinking water
  • Wastewater
  • Digital infrastructure (IXPs, DNS, TLD registries, cloud, data centres, CDN, trust services, electronic communications)
  • ICT service management (B2B: managed service and managed security service providers)
  • Public administration (central government and, where designated by the Member State, regional level)
  • Space (operators of ground-based infrastructure)

Annex II - other critical sectors:

  • Postal and courier services
  • Waste management
  • Manufacture, production and distribution of chemicals
  • Production, processing and distribution of food
  • Manufacturing (medical devices, computer and electronic products, electrical equipment, machinery, motor vehicles, other transport equipment)
  • Digital providers (online marketplaces, online search engines, social networking platforms)
  • Research organisations

Size thresholds (based on the EU SME definition, Recommendation 2003/361/EC):

  • Essential entities: large enterprises (250 or more employees, or turnover above €50 million and balance sheet above €43 million) in Annex I sectors, plus some types regardless of size (DNS service providers, TLD registries, qualified trust service providers, central public administration)
  • Important entities: medium-sized enterprises (50 to 249 employees, or turnover or balance sheet above €10 million) in Annex I sectors, and medium or large enterprises in Annex II sectors

10 NIS2 Requirement Areas (Article 21(2))

  1. Risk analysis and information system security policies - identification, assessment, mitigation
  2. Incident handling - detection, response, reporting (24h early warning)
  3. Business continuity and crisis management - backup, disaster recovery, BCP
  4. Supply chain security - assessment of direct suppliers and ICT service providers
  5. Security in network and information system acquisition, development and maintenance - secure SDLC, vulnerability handling and disclosure
  6. Policies and procedures to assess the effectiveness of risk management measures - tests, audits, KPIs
  7. Basic cyber hygiene practices and cybersecurity training - patching, least privilege, awareness for everyone
  8. Policies on the use of cryptography and, where appropriate, encryption - data at rest and in transit
  9. Human resources security, access control policies and asset management - joiner/mover/leaver, offboarding
  10. Multi-factor or continuous authentication, secured voice, video and text communications, and secured emergency communication systems

NIS2 Violation Penalties

Essential entities:

  • Up to at least €10 million OR 2% of total worldwide annual turnover (whichever is higher)
  • Management bodies can be held liable for infringements; executives can be temporarily barred from managerial functions

Important entities:

  • Up to at least €7 million OR 1.4% of total worldwide annual turnover (whichever is higher)

NIS2 Incident Reporting

Reporting of a significant incident is staged:

  1. Early warning (within 24h of becoming aware) - whether the incident is suspected to be caused by unlawful or malicious acts and whether it could have cross-border impact
  2. Incident notification (within 72h of becoming aware) - initial assessment of severity and impact, indicators of compromise where available
  3. Final report (within 1 month of the incident notification) - detailed description, root cause, mitigation measures taken and ongoing, cross-border impact; if the incident is still ongoing, a progress report instead, with the final report one month after handling ends

The CSIRT or competent authority may also request intermediate status updates.

Where to report: the national CSIRT or, where the Member State so provides, the competent authority

DORA Regulation

Who Does DORA Apply To?

Financial entities (the full list is in Article 2 of the regulation), including:

  • Banks and credit institutions
  • Investment firms
  • Payment institutions, e-money institutions and account information service providers
  • Insurance and reinsurance undertakings and intermediaries
  • Fund managers (AIFMs, UCITS management companies) and occupational pension institutions
  • Crypto-asset service providers
  • Trading venues, central counterparties, central securities depositories, trade repositories

ICT third-party service providers:

  • Critical ICT third-party providers designated by the ESAs (e.g. major cloud providers for the financial sector) fall under direct EU oversight
  • Other providers (software vendors, data analytics providers, hosting) are bound indirectly through the contractual requirements financial entities must impose on them

5 DORA Pillars

  1. ICT risk management - framework, identification, protection
  2. ICT incident management - classification, reporting to regulator
  3. Digital resilience testing - TLPT (threat-led penetration testing)
  4. ICT third-party risk management - due diligence, SLA, audits
  5. Information sharing - voluntary exchange of threat intelligence and best practices between financial entities

Key DORA Requirements

ICT Risk Management Framework:

  • ICT risk management framework defined, approved and overseen by the management body
  • Identification of all ICT-supported business functions, assets and dependencies, including critical or important functions
  • Resilience testing of ICT systems supporting critical or important functions at least once a year; threat-led penetration testing (TLPT) at least every 3 years for financial entities identified by their competent authority

Major incident reporting (deadlines from the reporting RTS):

  • Initial notification: within 4h of classifying the incident as major, and no later than 24h after becoming aware of it
  • Intermediate report: within 72h of the initial notification, then updated whenever the status changes significantly
  • Final report: within 1 month of the last intermediate report, with root cause analysis and remediation actions

DORA Timeline

  • 16 January 2023 - entry into force
  • 2024 - 2025 - publication of the technical standards (RTS/ITS) in batches
  • 17 January 2025 - full DORA application

How we work

Our proven service delivery process.

  1. Scoping - determine if you're subject to NIS2/DORA and define the scope
  2. Gap Analysis - current state assessment vs regulatory requirements
  3. Roadmap - prioritized remediation action plan
  4. Implementation - control and documentation deployment
  5. Audit Support - audit preparation and support

Benefits for your business

What you gain by choosing this service.

Avoid Fines

Up to €10M or 2% turnover for NIS2

Audit Readiness

Documentation and processes meeting requirements

Competitive Advantage

Clients and partners require compliance

Organized Processes

Clear roles, procedures, risk management

Frequently Asked Questions

Common questions about NIS2 and DORA Compliance.

Who does the NIS2 directive apply to?

NIS2 applies to companies in 18 sectors: energy, transport, banking, healthcare, water, digital infrastructure, public administration, space, postal services, food, chemicals, manufacturing, waste management, and more. Entities are divided into essential and important.

What are the penalties for NIS2 non-compliance?

NIS2 violation penalties can reach €10 million or 2% of global turnover (for essential entities) and €7 million or 1.4% of turnover (for important entities). Additionally, management bears personal responsibility.

How long does NIS2 implementation take?

Typical NIS2 implementation takes 3-6 months depending on current cybersecurity maturity. Gap analysis takes 2-4 weeks, roadmap development 1-2 weeks, and control implementation 2-4 months.

What's the difference between NIS2 and DORA?

NIS2 is a general cybersecurity directive for 18 sectors; as a directive it is transposed into each Member State's national law, so the exact obligations and authorities vary by country. DORA (Digital Operational Resilience Act) is a regulation, directly applicable across the EU, dedicated to the financial sector, with more detailed requirements for ICT risk management, incident reporting, resilience testing and third-party risk. For financial entities covered by both, DORA takes precedence as the sector-specific act.

How much does NIS2 preparation cost?

NIS2 preparation costs depend on organization size and current security posture. Gap analysis for a mid-sized company is €3,500 - €9,000. Full implementation with documentation and support is typically €12,000 - €45,000.

Contact your account manager

Discuss NIS2 and DORA Compliance with your dedicated account manager.


Response within 24 hours
Free consultation
Custom quote


Want to Reduce IT Risk and Costs?

Book a free consultation - we respond within 24h


Or download free guide:

Download NIS2 Checklist