Skip to content

30,000 Companies Must Comply with NIS2 and DORA Requirements

Bottom line: 30,000 companies must implement NIS2 and DORA requirements starting in 2025, forcing CISOs to review their governance, incident management, and third-party dependency management.

The European Union is requiring approximately 30,000 companies to implement the cybersecurity directives NIS2 and DORA. For CISOs, this means concrete requirements for governance, incident management, and cryptography management.

NIS2 (Network and Information Security Directive 2) and DORA (Digital Operational Resilience Act) are two separate but substantively interrelated EU regulatory frameworks that will gradually take effect starting in 2025. NIS2 addresses critical and important infrastructure as well as the public sector, while DORA specifically targets financial institutions and their digital resilience. It is estimated that approximately 30,000 organizations in the DACH region and beyond are affected.

For CISOs, the focus lies on several core requirements: Both regulatory frameworks mandate a documented cybersecurity governance framework, measures for detecting and remediating vulnerabilities, incident response processes with defined escalation chains, management of cryptographic keys and third-party dependencies. DORA additionally requires regular penetration testing and disaster recovery testing. NIS2 requires reporting of security incidents to competent authorities within defined time limits.

Implementation requires investments in personnel development, security tools, and process optimization. Companies should now develop their compliance roadmap, perform gap analyses, and clearly assign responsibilities. Violations of NIS2 can result in fines up to several million euros; for DORA, they can reach up to 6 percent of global annual turnover.


Source: news.google.com · Published 31 May 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.6.5.

Share on: