In recent years, the European Union (EU) has significantly strengthened its information security regulations, seeking to protect data and ensure the digital resilience of organisations. The most recent and important of these regulations are NIS 2 and DORA.
The Network and Information Security Directive 2 (NIS 2, Directive (EU) 2022/2555) entered into force on 16 January 2023, and member states had until 17 October 2024 to transpose it into national law. It extends the coverage of the original NIS Directive, requiring entities in critical sectors – such as health, energy, transport, finance and digital infrastructure – to implement robust cybersecurity measures. NIS 2 aims to mitigate the risk of cyberattacks and to increase co-operation between EU member states. Its main elements are mandatory Information and Communication Technology (ICT) risk management, mandatory incident notification (an early warning within 24 hours of becoming aware of a significant incident, followed by a fuller notification within 72 hours), and preventive measures to protect networks and information systems.
The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) also entered into force on 16 January 2023 and applies from 17 January 2025. It focuses specifically on the financial sector, establishing strict requirements for ICT risk management that cover banks, insurance companies, investment firms, payment service providers and other financial entities. DORA requires these institutions to implement measures that ensure operational resilience, carry out periodic resilience testing (including threat-led penetration testing for the largest entities), report major ICT-related incidents to their competent authority, and maintain robust business continuity plans. Because DORA is a regulation rather than a directive, it applies directly in every member state without national transposition.
The table below summarises the main points of contrast between NIS 2 and DORA:
| | NIS 2 | DORA |
| --- | --- | --- |
| Legal instrument | Directive (EU) 2022/2555, adopted 14 December 2022 | Regulation (EU) 2022/2554, adopted 14 December 2022 |
| Entry into force | 16 January 2023 | 16 January 2023 |
| Key application date | 17 October 2024 (deadline for transposition into national law) | 17 January 2025 (date from which the regulation applies directly) |
| Sectors covered | Energy; transport; health; banking; financial market infrastructure; digital infrastructure; drinking water; waste water; ICT service management; public administration; space (plus further "important" sectors such as postal services, waste management, manufacturing and food) | Banks; insurance companies; investment firms; payment service providers; financial technology companies (fintechs); financial market infrastructures; critical ICT third-party providers to the financial sector |
| Main objectives | Improve cybersecurity in critical sectors to mitigate cyberattack risk; establish a common baseline of cybersecurity measures across member states; increase cooperation and information sharing between member states | Ensure that financial entities can withstand, respond to and recover from cyberattacks and other ICT-related disruptions; establish strict, harmonised requirements for ICT risk management; require periodic operational resilience testing; ensure the business continuity and resilience of the EU financial system |
| Penalties for non-compliance | Sanctions are set in national legislation within limits fixed by the directive. For essential entities, administrative fines of up to at least EUR 10 million or 2% of total worldwide annual turnover, whichever is higher; for important entities, up to at least EUR 7 million or 1.4% of turnover. Administrative measures such as binding compliance orders and mandated audits are also available, and management bodies can be held personally liable | Sanctions are imposed by national financial supervisors and can include significant fines and other financial penalties, administrative measures such as compliance orders and mandatory audits, and further supervisory action such as operational restrictions. Critical ICT third-party providers face periodic penalty payments of up to 1% of average daily worldwide turnover |
| Other relevant dates | 17 January 2025: the NIS Cooperation Group is to establish a peer-review methodology. 17 April 2025: member states are to have established their lists of essential and important entities. 17 October 2027: the European Commission is to review the functioning of the directive (and every 36 months thereafter) | 17 January 2025: all requirements apply, 24 months after entry into force; the associated regulatory and implementing technical standards (for example on the ICT risk-management framework, incident classification and reporting, and the register of ICT third-party arrangements) were adopted in the run-up to that date |
Failure to comply with these regulations carries significant risk for institutions. Beyond the fines and legal sanctions themselves, public enforcement action erodes customer trust and weakens the business.
In addition, an organisation that has not implemented the required controls is more exposed to cyberattacks, which can result in breaches of sensitive data, financial losses and lasting damage to its reputation.
The NIS 2 and DORA information security regulations aim to improve the overall resilience of the companies working in sensitive sectors so that they can prepare themselves and their employees to avoid or manage cybersecurity risks such as:
In addition to NIS 2 and DORA, other ongoing European regulations play a crucial role in information security, namely:
Given the complexity and scope of these regulations, many organisations choose to seek the support of specialised consultancies that can provide the expertise needed to reach compliance, implement good practice and prepare for audits and for the incidents that will inevitably occur.
Consultancies – such as act digital – also offer ongoing support, helping companies adapt to regulatory change and stay focused on their core activities while remaining secure and compliant with current legislation.
In short, compliance with information security regulations in Europe is not just a legal requirement but an essential practice for protecting businesses and maintaining trust in the digital marketplace.