NIS2 and DORA are the two regulations reshaping cybersecurity obligations for European businesses in 2026. NIS2 is the EU directive on a high common level of cybersecurity across essential and important entities in sectors like energy, transport, health, and digital infrastructure. DORA, the Digital Operational Resilience Act, is the parallel regulation for financial entities — banks, insurers, investment firms, and their critical ICT providers. Together, they turn cybersecurity from a best practice into a supervised legal obligation.
Both regulations are now enforceable. DORA has been fully applicable since January 17, 2025, and the informal tolerance period that characterised its first year is over — national competent authorities are conducting active reviews, cross-checking Register of Information submissions, and issuing the first compulsion payments, according to DORA regulatory analysts. For NIS2, national transposition is still accelerating — Germany, Portugal, and Austria adopted implementing laws late in 2025, and the full compliance cliff arrives in October 2026. Maximum penalties reach €10 million or 2% of global annual turnover for essential entities under NIS2, and a comparable ceiling under DORA.
This guide covers what NIS2 and DORA actually require, how the 2026 enforcement landscape has shifted, where most organisations still have gaps, and a practical readiness checklist for the next six months. It closes with how CTDefense combines governance, risk and compliance (GRC) consulting with hands-on penetration testing to help European businesses produce the evidence regulators, auditors, and cyber insurers now expect.
What NIS2 And DORA Actually Require
NIS2 and DORA are different in scope but share a common spine: risk management, incident reporting, third-party oversight, and management accountability. Understanding where each applies is the first step of readiness.
NIS2 — Scope And Core Obligations
NIS2 expands the original 2016 NIS Directive to a far broader set of sectors and to medium-sized entities, not just large ones. In-scope organisations fall into two tiers: essential entities (energy, transport, banking, financial market infrastructure, health, drinking water, digital infrastructure, ICT service management, public administration, and space) and important entities (postal, waste management, chemicals, food, manufacturing of medical devices, computers and electronics, motor vehicles, digital providers, and research). Most medium and large businesses in these sectors are covered.
Core obligations under Article 21 require organisations to adopt risk management measures across ten areas — including policies on risk analysis and information security, incident handling, business continuity and crisis management, supply chain security, vulnerability disclosure, testing and auditing, cryptography, human resources security, access control, and multi-factor authentication. Incident reporting obligations under Article 23 require an early warning within 24 hours, a full notification within 72 hours, and a final report within a month. Management bodies are personally responsible for approving risk management measures and can face liability for non-compliance.
DORA — Scope And Core Obligations
DORA applies to nearly every regulated financial entity in the EU — credit institutions, payment and e-money institutions, investment firms, insurance and reinsurance undertakings, crypto-asset service providers, trade repositories, and more. It also reaches critical ICT third-party providers (CTPPs) designated by the European Supervisory Authorities, including some cloud hyperscalers.
DORA’s five pillars cover ICT risk management (Article 5), incident reporting (Chapter III), digital operational resilience testing including threat-led penetration testing (TLPT) for significant entities (Article 25), ICT third-party risk management (Article 28), and information sharing. The penalty framework mirrors NIS2 in ambition: up to 2% of total annual worldwide turnover for the most serious breaches, fixed fines up to €5 million depending on the violation, and — notably — personal fines up to €1 million for senior managers. CTPPs face daily penalties of up to 1% of average daily global turnover for continued non-compliance, for up to six months.
Where They Overlap
For an EU business that operates in a NIS2-covered sector and holds a financial licence — a fintech, a payment institution inside a retail group, a health insurer with a digital platform — both regulations apply simultaneously. The overlap is substantive: risk management frameworks, incident reporting procedures, third-party due diligence, testing cadence, and board-level accountability all show up in both texts. The good news is that a well-built control environment can satisfy both; the bad news is that one weak link (say, an untested incident response playbook) creates exposure under two regimes at once.
The 2026 Enforcement Shift
For most of 2024 and 2025, NIS2 and DORA existed in parallel realities: the law on paper, and an industry waiting to see how seriously regulators would treat it. That ambiguity is gone.
National transposition of NIS2 is catching up fast. Germany’s BSI opened its registration portal on January 6, 2026, giving essential and important entities three months to register. Italy’s Agenzia per la Cybersicurezza Nazionale (ACN) is scaling up systematic audits of essential entities beginning in 2026. Spain, France, and Poland are close to completing their transposition; Portugal and Austria already have. According to Bird & Bird’s regulatory tracker, regulatory scrutiny and enforcement activity are expected to increase materially across member states through 2026, and the October 2026 window is where the grace period for late-transposing member states closes.
DORA’s shift is equally clear. The first year of the regulation was characterised by what regulatory analysts have called “informal tolerance” — supervisors focused on education and guidance rather than fines. That tolerance has ended. National competent authorities are now running active supervision, automated cross-checks against Register of Information submissions, and — per published DORA enforcement analysis — issuing the first compulsion payments. Deloitte research cited by the same analysts found that only about 50% of in-scope institutions expected full DORA compliance by the end of 2025, with a further 38% pushing their target into 2026 — meaning nearly half of all regulated entities are entering active enforcement with known gaps.
The practical consequence is that organisations can no longer treat NIS2 and DORA readiness as a planning-cycle question. Both frameworks are in a supervised-enforcement phase where policy-only compliance is visibly insufficient.
The Compliance Evidence Gap
The most common gap between a “compliant” organisation on paper and one that survives scrutiny is evidence. Supervisory authorities, external auditors, and cyber insurers are increasingly asking the same question: can you prove it?
A policy document stating that the organisation performs regular risk assessments is not, by itself, evidence. A report from a penetration test conducted eighteen months ago on a subset of systems is not sufficient testing evidence under NIS2 Article 21 or DORA Article 25. A procurement checklist listing third-party vendors is not a functioning third-party risk management programme under DORA Article 28. In each case, the law asks for a demonstrable practice, documented artifacts, and a testing cadence that a regulator can sample.
The gaps observed most often in pre-enforcement readiness assessments share a pattern. Penetration testing programmes are run once a year on a narrow scope, leaving newly deployed systems untested. Threat-led penetration testing — the TLPT regime that DORA references — has not been scoped at all for significant financial entities. Third-party inventories are incomplete or out of date, with critical ICT providers missing or mis-categorised. Incident response playbooks exist but have not been rehearsed within the 24/72-hour reporting windows NIS2 requires. Management bodies are approving summary reports without the detail they need to bear personal responsibility.
Closing these gaps is not primarily a documentation exercise. It requires governance work (policies, procedures, the control-to-regulation mapping) combined with hands-on testing work (pen tests, social engineering exercises, TLPT, incident drills) that produces the artifacts regulators and insurers now ask for.
A Practical Readiness Checklist For October 2026
The six months to October 2026 is enough time to close the most common gaps if the work starts now. The following sequence reflects the order that NIS2 and DORA readiness programmes typically take:
- Confirm scope and classification. Determine whether the organisation qualifies as essential, important, or out of scope under NIS2, and whether any entity in the group falls under DORA. For cross-border groups, map obligations per member state, because national implementations vary.
- Register with the competent authority. In Germany, the BSI registration window is open; in Italy, ACN registration is required; in other member states, check the national implementing law. Missing a registration deadline is itself a compliance failure.
- Run a gap assessment against NIS2 Article 21 and DORA’s five pillars. The output is a prioritised remediation plan tied to each regulatory clause, not a generic maturity score.
- Refresh the risk management framework. Policies, procedures, asset inventories, and the control-to-requirement map must cover the ten NIS2 risk management areas and DORA’s ICT risk management framework.
- Rebuild the testing programme. Move from annual, narrow-scope pen tests to a year-round programme — web and mobile application testing, infrastructure and wireless testing, code review for critical systems, social engineering exercises, and TLPT where DORA requires it.
- Close third-party risk gaps. Complete the ICT third-party inventory, update contractual terms to meet DORA Article 28, and submit Register of Information updates accurately.
- Rehearse incident response. Run tabletop exercises that include the NIS2 24-hour early warning, 72-hour notification, and one-month final report cycle, and map them to DORA’s incident classification.
- Brief and document management accountability. The board or equivalent management body must approve risk management measures on record, understand the residual risks, and be trained on their personal liability.
- Package the evidence. Assemble an artifact pack — policies, risk registers, test reports, incident logs, training records, third-party assessments — in the format supervisors and cyber insurers ask for.
Organisations that complete these nine steps before October 2026 enter the enforcement phase with a defensible posture; organisations that don’t are exposed to the penalty ceilings on both regimes.
How CTDefense Helps European Businesses Meet NIS2 And DORA
CTDefense’s value to in-scope European businesses comes from pairing two services that are usually sold separately: governance, risk and compliance (GRC) consulting and hands-on offensive security testing. NIS2 and DORA demand both. A GRC engagement alone produces policies and gap assessments but does not generate the test evidence Article 21 and Article 25 require. A pen test alone produces vulnerability findings but does not translate them into the control-to-regulation mapping a regulator will sample. Combined, the two produce the evidence-ready artifact pack described above.
On the GRC side, CTDefense’s governance, risk and compliance service covers the framework work: establishing or refining policies, procedures, and internal controls; running compliance gap assessments against NIS2, DORA, and related frameworks; evaluating and integrating GRC tooling; and developing awareness and training programmes for the management body and operational teams. The output is a remediation plan tied directly to each NIS2 clause and DORA pillar, plus the documented framework that makes the remediation defensible.
On the testing side, CTDefense’s penetration testing services cover the evidence generation: web and mobile application penetration testing across iOS and Android, infrastructure and wireless testing, code review on critical platforms, cloud security assessments, and social engineering testing that rehearses the human layer NIS2 expects organisations to address. For DORA-regulated entities, the testing programme can be scoped as threat-led testing suitable for TLPT expectations.
The combined engagement produces what regulators and cyber insurers increasingly ask for on day one of a review: a current gap assessment mapped to NIS2 and DORA clauses, an up-to-date set of policies and procedures approved by the management body, a twelve-month testing calendar with completed reports, a rehearsed incident response playbook, and a third-party risk register that matches the Register of Information. Clients are supported through remediation rather than handed a report and left to interpret it.
Our Process: A Step-By-Step Approach To Better Security
- Scoping — classify the entity under NIS2 and/or DORA, identify the in-scope systems, business lines, and third parties, and agree on the evidence pack the engagement will produce.
- Gap Assessment — map the current control environment against NIS2 Article 21, DORA’s five pillars, and any overlapping frameworks (ISO 27001, SOC 2, PCI DSS) already in place.
- Framework Refresh — update or build the policies, procedures, asset inventories, risk registers, and management-body reporting that the regulations require.
- Offensive Testing — execute the pen testing, code review, cloud, wireless, and social engineering work that produces the evidence artifacts.
- Incident Response Rehearsal — run the tabletop exercises that prove the 24/72-hour reporting cycle works in practice.
- Remediation Support And Evidence Pack — close findings from the testing and assessment work, then assemble the artifact pack for regulators, auditors, and cyber insurers.
Secure Your Business With CTDefense
Closing the readiness gap before the October 2026 window starts with a scoping conversation — reach out to CTDefense to begin.