
NIS2 + DORA without the consultant theatre

What EU operators actually need to do to be ready for NIS2 and DORA — control by control, with the time and effort to expect.

By AnySec Engineering

The compliance industry's favourite chart

If you've taken a "NIS2 readiness assessment" or "DORA gap analysis" from any of the major consultancies in the last 18 months, you've seen the chart. Concentric circles, twelve domains, RAG-coloured maturity dots, an executive summary that says you need to spend €1.4M on a 24-month transformation programme.

It's mostly theatre. The actual underlying controls aren't as expensive or as exotic as the chart suggests.

This post is what we walk our clients through during a Security Audit and Compliance Readiness engagement: control by control, what each one actually means, and roughly how much effort it takes to satisfy if you're starting from a reasonable cybersecurity baseline.

Quick scope check

NIS2 (Directive (EU) 2022/2555) applies if you operate in one of 18 sectors classified as essential or important — financial services, gaming, transport, energy, digital infrastructure, ICT-managed services and more. Member states have transposed it into national law (mostly during 2024–2025). If you're an essential entity you fall under "ex-ante" oversight (regulators audit you proactively); important entities fall under "ex-post" (regulators investigate after incidents).

DORA (Regulation (EU) 2022/2554) applies specifically to financial entities — banks, payment institutions, e-money issuers, exchanges, crypto-asset service providers under MiCA, plus their ICT third-party providers. DORA became fully applicable in January 2025, so by mid-2026 every in-scope entity should be operating under it.

The two regulations overlap heavily but DORA has sharper teeth for financial entities. If you're in finance and NIS2-scoped, treat DORA as your binding requirement and NIS2 will mostly fall out.

The controls, in plain language

There are roughly 11 control families that show up across both regulations. Here's each one.

1. Governance and accountability

You need named owners for cybersecurity at the board level. The CEO can't fully delegate this to the CISO any more — under both NIS2 and DORA the management body is personally accountable for ICT risk decisions.

Effort: a quarter to update board charter, RACI matrix, and management reporting cadence. Mostly paperwork. Three to six management board sessions to bring everyone up to speed.

2. Risk management framework

Document your risk assessment methodology. Inventory critical ICT systems. Score each on confidentiality, integrity, availability impact. Refresh annually.

Effort: 2–3 weeks for a first pass if you have an existing CMDB. Without one, add a month to inventory systems.

3. ICT third-party risk

You need a register of every third-party ICT provider, classified by criticality, with contract clauses that let regulators access them, plus exit plans for the critical ones. DORA is much stricter here than NIS2 — financial entities have to maintain a "Register of Information" submitted to their national competent authority (NCA) annually.

Effort: 4–6 weeks. The hardest part is the contract clauses — you'll need to amend existing supplier contracts and many vendors push back. Plan for friction. Critical providers (cloud, custody, core banking) often want to renegotiate pricing in exchange for the new clauses.

4. Incident classification and reporting

Both regulations require incident reporting to your national competent authority within strict windows:

  • DORA: initial notification within 4 hours of classification as "major", intermediate reports within 72 hours, final within 1 month.
  • NIS2: early warning within 24 hours, incident notification within 72 hours, final report within 1 month.

You need:

  • A documented classification methodology with severity thresholds.
  • Defined channels and templates for regulator reporting.
  • Practice — most teams fail at the first real event because they've never reported one before.

Effort: 2 weeks to write the runbook, then ongoing — tabletop quarterly.
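As an added example that is not part of the original post: a small helper that turns the reporting windows above into a dated schedule for both regimes, treating the "1 month" final-report deadline as a calendar month and clamping it at month end. The incident timestamps and the set of already-submitted reports are constructed for illustration.

```python
# Added example (not from the post): dated regulator-reporting schedule for
# an incident under the NIS2 and DORA windows quoted above.
from datetime import datetime, timedelta, timezone
import calendar

# Windows as stated in the post. The NIS2 clock starts at awareness of the
# incident; the DORA clock starts at classification as "major".
WINDOWS = {
    "DORA": [("initial notification", timedelta(hours=4)),
             ("intermediate report", timedelta(hours=72)),
             ("final report", "1 month")],
    "NIS2": [("early warning", timedelta(hours=24)),
             ("incident notification", timedelta(hours=72)),
             ("final report", "1 month")],
}


def add_one_month(t: datetime) -> datetime:
    """Same day next month, clamped to the last day when that month is
    shorter (31 Jan -> 28/29 Feb), so a final report is never due on a
    date that does not exist."""
    year, month = (t.year + 1, 1) if t.month == 12 else (t.year, t.month + 1)
    day = min(t.day, calendar.monthrange(year, month)[1])
    return t.replace(year=year, month=month, day=day)


def reporting_schedule(regime: str, clock_start: datetime) -> list[tuple[str, datetime]]:
    """Ordered (report name, deadline) pairs for one regime."""
    schedule = []
    for name, window in WINDOWS[regime]:
        due = add_one_month(clock_start) if window == "1 month" else clock_start + window
        schedule.append((name, due))
    return schedule


def overdue(schedule: list[tuple[str, datetime]], now: datetime, submitted: set[str]) -> list[str]:
    """Reports whose deadline has passed without a recorded submission."""
    return [name for name, due in schedule if now > due and name not in submitted]


if __name__ == "__main__":
    # Constructed incident: aware at 10:00 UTC on 31 Jan 2026, classified
    # as major 3.5 hours later. Both clocks run from different points.
    aware = datetime(2026, 1, 31, 10, 0, tzinfo=timezone.utc)
    classified = datetime(2026, 1, 31, 13, 30, tzinfo=timezone.utc)
    for regime, start in (("DORA", classified), ("NIS2", aware)):
        for name, due in reporting_schedule(regime, start):
            print(f"{regime:4} {name:22} due {due:%Y-%m-%d %H:%M}Z")
    now = datetime(2026, 2, 4, 9, 0, tzinfo=timezone.utc)
    print("DORA overdue:", overdue(reporting_schedule("DORA", classified), now, {"initial notification"}))
```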

5. Business continuity and resilience testing

DORA mandates digital operational resilience testing. The frequency and scope depend on your size and criticality:

  • Annual basic testing for all in-scope entities.
  • Threat-led penetration testing (TLPT) every 3 years for systemically important entities, following the TIBER-EU framework.

NIS2 requires regular testing but is less prescriptive on framework.

If you've never done a TLPT, budget €120–€350K and 3–6 months of calendar time for the first one. Our Red Team Engagement service is TIBER-aligned for clients that need this.

6. Cryptography and key management

Both regulations want documented crypto standards, key lifecycle controls, HSM use for high-value keys, post-quantum readiness assessments.

Effort: 2 weeks if you already have a key management story. Months if you're starting from "we use a HashiCorp Vault we deployed in 2020 and nobody has touched since."

7. Identity and access

MFA on all privileged access (DORA explicit, NIS2 implicit), least-privilege provisioning, periodic access reviews, separation of duties.

If you've already got this — most regulated entities do — it's just documentation and evidence. If you don't, expect weeks of work.

8. Logging, monitoring, detection

You need security event logging across all critical systems, retained 6 months minimum (DORA suggests longer for financial entities), correlated and analysed in something like a SIEM, with detection content that aligns to ATT&CK or equivalent.

Most clients we work with have some of this. Few have all of it. This is one of the areas where Managed SOC replaces years of in-house build.

9. Vulnerability management

Documented vulnerability management programme. Patch SLAs by criticality. Vulnerability scans of critical systems at defined cadence. Penetration testing annually (or more under DORA).

Annual vulnerability assessments plus an annual penetration test satisfy both regulations cleanly.

10. Awareness and training

Annual training for all employees, role-specific training for ICT staff, phishing simulation, evidence of completion.

Cheap and important. Don't skimp on quality though — bad training is worse than no training because it produces false confidence.

11. Audit trail and evidence

This is the meta-control. Everything above produces artifacts. You need to keep them, organised, accessible to auditors. Most failed audits we see are not because the underlying controls were missing — they were because the evidence was scattered across team email folders.

Pick a GRC tool, even a simple one. Hyperproof, Drata, Vanta, OneTrust, whatever. The tool matters less than committing to a single source of truth.

What this actually costs

Roughly, for a mid-sized regulated entity (200–500 employees, financial services, no major existing compliance backlog):

Item                                          Cost              Calendar time
Initial readiness assessment                  €15–€45K          2–4 weeks
Remediation work (varies wildly)              €0–€800K          3–12 months
Annual penetration test                       €15–€50K          2 weeks
Annual vulnerability assessments (quarterly)  €15–€30K          rolling
TLPT every 3 years (DORA systemic only)       €150–€350K        3–6 months
Annual training + phishing sim                €5–€20K           rolling
GRC tooling                                   €20–€80K/year     rolling
Managed SOC (if not in-house)                 €50–€180K/year    rolling

The shapeshifting €1.4M consultancy programme can be replaced by ~€300K of actual work for most operators we engage with. The difference goes to consultant overhead, not to your security posture.

The 90-day plan

If you're getting started today and have a hard regulator-driven deadline in the next 12 months:

Days 1–14: scoping. Confirm which articles apply to you. Map controls to your existing posture. Pick the GRC tool. Get board sign-off on the programme.

Days 15–45: foundational controls. Risk management framework, third-party register, incident classification methodology, identity and access baseline.

Days 46–75: detection and response. SOC standup (in-house or managed), runbook drafting, tabletop exercises.

Days 76–90: testing. First penetration test, first DORA-style resilience test, first regulator notification dry run.

Past day 90 you're in steady-state operation plus annual refresh cycles.

The harder truth

The compliance frameworks describe what you need to do. They don't tell you what you should do beyond that. A NIS2-compliant operator can still be breached. The frameworks are floors, not ceilings.

Once you're compliant, the more interesting question is what your actual threat model demands. That's where the Red Team Engagement and ongoing pentest cycles earn their keep — they tell you whether your compliant controls actually work against the attackers you face.

If you want a no-nonsense read of where you sit against NIS2 + DORA today, book a scoping call. We do a 60-minute walkthrough and tell you what's actually missing — no PDF with twelve concentric circles.