DORA and NIS2 - Key cybersecurity regulations that will change how your business operates in 2025

May 28, 2025


Companies operating in the European Union now face the challenge of complying with two key cybersecurity regulations: DORA (Digital Operational Resilience Act) and NIS2 (the revised Network and Information Security Directive). Both pieces of legislation introduce significant changes to the way digital risk is managed. For many organizations, this means a major overhaul of their IT security strategies in the coming months. In this article, we outline the most important aspects of both regulations that are crucial for companies preparing for their implementation.

What are DORA and NIS2: key differences

DORA (Digital Operational Resilience Act) is an EU regulation focused on increasing the operational resilience of financial entities to ICT incidents. Its main objective is to ensure that financial institutions can keep operating through IT disruptions and cyber threats, which goes beyond simple regulatory compliance.

NIS2, on the other hand, is the revised successor to the 2016 Network and Information Security Directive (NIS). It has a broader scope than its predecessor and aims to raise the common level of cybersecurity across key sectors of the EU economy and society.

The most important difference between the two lies in their legal status. As a regulation, DORA is directly applicable in all EU Member States without the need for adaptation into national law, which ensures uniform implementation across the Union. As a directive, NIS2 must be transposed into national law by each Member State, which allows some flexibility and may lead to minor differences between countries in scope, supervision, and penalties.

Implementation deadlines – what you need to be ready for and when

The implementation schedules for the two regulations are different and are crucial for planning adaptation measures in organizations.

DORA entered into force in January 2023 and has applied since 17 January 2025, the date by which financial entities had to adapt their systems and procedures to the new requirements. Companies in the financial sector that are not yet compliant should treat this as a deadline that has already passed rather than one that is still approaching.

In the case of NIS2, the situation is slightly more complicated. Member States were required to transpose the directive by 17 October 2024, but in Poland the implementation process (the amendment to the National Cybersecurity System Act) has not yet been completed. It is currently expected that the relevant provisions will enter into force in the first half of 2025. These delays are due to the complexity of the new regulations and the need to adapt national legislation to the requirements of the directive.

Importantly, despite delays in implementation at the national level, organizations operating in the sectors covered by the NIS2 Directive should already start preparatory work.

Who is affected by the new regulations?

Scope of DORA

DORA covers a wide range of financial institutions, such as:

  • Banks
  • Insurance companies
  • Stock exchanges
  • Payment institutions
  • ICT third-party service providers to the financial sector (e.g., cloud providers), with critical providers subject to direct EU-level oversight

Importantly, DORA goes beyond traditional financial institutions and also reaches the technology entities supporting the financial sector. Even where such a provider is not directly supervised, the contractual and monitoring requirements placed on its financial-sector customers flow down to it, which is a significant change compared to previous regulations.

Scope of NIS2

NIS2 has a much broader scope. It primarily applies to entities that operate in one of the sectors listed in the directive's annexes (energy, transport, banking, health, digital infrastructure, public administration, and others) and that are at least medium-sized, i.e. meet either of the following:

  • Employing 50 or more people
  • Having an annual turnover or annual balance sheet total exceeding EUR 10 million

However, it should be noted that there are a number of exceptions to this rule. For example, central government public administration entities are subject to NIS2 regardless of their size. In addition, even micro-enterprises and small enterprises may be covered if they meet criteria indicating a critical role for the state, society, or the economy, such as being the sole provider of an essential service in a Member State or providing certain digital infrastructure services.

Key obligations under DORA

DORA imposes several important obligations on financial entities:

Ensuring operational resilience

Financial entities must ensure their ability to continue operating despite ICT incidents (cyberattacks, system failures, etc.). This requires appropriate processes, resources, and technologies to monitor, detect, and respond to such incidents, as well as tested business continuity and recovery arrangements.

Comprehensive ICT risk management

Organizations must maintain a documented ICT risk management framework, including systems and processes to identify, classify, and assess ICT risks, protect and detect against them, and respond and recover when they materialise. The management body is explicitly responsible for approving and overseeing this framework.

ICT supplier relationship management

Financial entities must manage in detail the risks associated with services provided by external ICT suppliers, such as cloud services or other ICT solutions. DORA sets out mandatory contractual provisions (for example on service levels, audit and access rights, data location, and exit strategies), requires a register of information on all contractual arrangements with ICT third-party providers, and requires ongoing monitoring of those providers.

Incident reporting

DORA requires financial entities to classify ICT-related incidents and to report major ones to the relevant supervisory authority. The reporting is staged: an initial notification (no later than 4 hours after the incident is classified as major and within 24 hours of becoming aware of it), an intermediate report within 72 hours of the initial notification, and a final report within one month.

Regular digital resilience testing

The regulation requires financial entities to maintain a digital operational resilience testing programme, including vulnerability assessments, penetration tests, attack simulations, and other ICT security tests. Financial entities identified by their authorities must additionally carry out threat-led penetration testing (TLPT) on their live production systems at least every three years.

Key obligations under NIS2

The NIS2 Directive imposes the following obligations on companies and organizations:

Implementation of appropriate technical and organizational measures

Entities covered by the directive must implement appropriate and proportionate technical, operational, and organizational measures to secure their network and information systems. The directive lists a minimum baseline that includes risk analysis policies, incident handling, business continuity and backup management, supply chain security, secure acquisition and development of systems, procedures to assess the effectiveness of the measures, cyber hygiene and training, cryptography, access control and asset management, and the use of multi-factor authentication where appropriate.

Reporting security incidents

As with DORA, NIS2 requires entities covered by the directive to report significant security incidents to the national authority or CSIRT. The reporting is staged: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report within one month.

Integrated risk management

NIS2 emphasizes integrated risk management, which means not only identifying and analyzing potential risks but also embedding risk management in the organization's other processes, such as supply chain management, procurement, and business continuity. The management body must approve the cybersecurity measures, oversee their implementation, and undergo training, and can be held personally liable for infringements.

Practical preparatory steps for companies

Since DORA already applies and NIS2 will take effect in Poland once transposed, companies should take specific preparatory measures without delay:

  1. Assessment of the organisation's classification

The first step should be to determine whether and to what extent your organization is subject to DORA or NIS2. This requires an analysis of the company's activities and sector, its size, and its role in the economy, and under NIS2 whether it qualifies as an essential or important entity.

  2. Operational readiness audit and risk analysis

Conducting a detailed operational readiness audit and risk analysis against the specific requirements of the applicable regulation will identify the gaps that require immediate attention.

  3. Developing an action plan (Road Map)

Based on the analyses, it is worth developing a prioritized action plan that will guide the organization through the necessary adaptation steps, with owners and deadlines for each gap.

  4. Preparation, verification, and updating of documentation

Both regulations require appropriate documentation of risk management, security procedures, supplier arrangements, and incident response and reporting plans, and supervisors will expect to see it.

  5. Implementation of processes to monitor changes

It is important to establish mechanisms to monitor changes to systems, suppliers, and the regulations themselves, so that the implemented measures remain effective and compliant over time rather than only at the moment of the initial audit.

Benefits of early preparation

Early preparation for the implementation of DORA and NIS2 brings measurable benefits to companies:

  • Minimization of compliance risk and associated financial penalties
  • Building trust with customers and business partners who require the use of appropriate digital security standards
  • Optimization of implementation costs by spreading them over time
  • Ability to gradually adapt systems and processes without time pressure
  • Use of the adaptation process as an opportunity to improve overall cybersecurity in the organization

Summary

DORA and NIS2 represent a fundamental change in the approach to cybersecurity in companies operating in the EU. DORA, as a regulation focusing on the financial sector, has applied since 17 January 2025, while NIS2, as a directive with a broader scope, is still awaiting transposition into Polish law, probably in the first half of 2025.

Although the NIS2 deadline may still seem distant, the complexity of the requirements and the scope of the changes that will need to be made suggest that companies should start preparing now. The key first step is to determine whether and to what extent the organization is subject to these regulations, and then to conduct a thorough analysis of its current security and operational resilience.
