NIS 2 and DORA Readiness — A Practical Place to Start

Two EU frameworks are reshaping how organizations are expected to manage cyber risk: NIS 2 (Directive (EU) 2022/2555) and DORA (Regulation (EU) 2022/2554). They apply to different populations — NIS 2 to a broad set of essential and important entities across many sectors, DORA to financial entities and their ICT providers — but they pull in the same direction: measurable security measures, fast incident reporting, supply-chain scrutiny, and personal accountability for management.

If you are responsible for security or IT, the hard part is usually not understanding the goal. It is knowing, concretely, where your organization already meets the bar and where the gaps are. This post gives you a practical starting point — and a free checklist to make it actionable.

What NIS 2 actually asks for

NIS 2 sets a baseline of ten minimum risk-management measures in Article 21(2): risk-analysis and security policies; incident handling; business continuity and crisis management; supply-chain security; security in acquisition, development and maintenance; assessing the effectiveness of your measures; basic cyber hygiene and training; cryptography and encryption; human-resources security, access control and asset management; and multi-factor authentication with secured communications.

Two things are easy to miss. First, Article 20 makes management bodies accountable — they must approve and oversee these measures and take training themselves. Second, Article 23 sets a strict incident-reporting clock: an early warning within 24 hours, a notification within 72 hours, and a final report within a month.

What DORA adds for financial entities

DORA is built on five pillars: an ICT risk-management framework owned by the board; ICT incident management and reporting of major incidents to the competent authority; digital operational resilience testing, including Threat-Led Penetration Testing (TLPT) for entities in scope; ICT third-party risk management, with a register of providers and attention to concentration risk; and information sharing of cyber threat intelligence.

If you fall under both regimes, the good news is that the underlying work overlaps heavily — risk management, testing, incident response and third-party oversight serve both.

From "we should" to "we can prove it"

The recurring theme in both frameworks is evidence. It is no longer enough to say you do security awareness or that you test your systems; you need to show it, keep it current, and demonstrate that risk is trending down. That means a baseline, a target, and a repeatable way to test and report.

A simple way to begin:

  • Map each requirement to an owner and a current status — in place, partial, or missing.
  • Turn the gaps into a short, prioritized plan rather than a 200-page programme.
  • Validate the technical controls with real testing — vulnerability assessments and penetration testing — not just self-attestation.
  • Treat the human layer (awareness, phishing resilience, training records) as a measured control, since people remain the most exploited entry point.

Get the free checklist

To make this concrete, we published a free, no-jargon NIS 2 & DORA readiness checklist. It covers all ten Article 21 measures, the Article 20 and 23 obligations, and DORA's five pillars — as tick-box items you can work through with your team. You can read it online or download it as a PDF to share internally.

If, after the checklist, you want help closing the gaps, that is exactly what we do: from penetration testing and vulnerability assessment to human risk and awareness and audit-ready compliance evidence.

Start with the checklist, see where you stand, and make the gaps a plan.


This article is general information, not legal advice. Your specific obligations depend on your sector, size and role under each framework.