MDR · 3 MIN READ · PIERRE NOEL · NOV 20, 2025 · TAGS: Guidance
TL;DR
- Two new EU regulations—the Digital Operational Resilience Act (DORA) and Network and Information Security Directive 2 (NIS2)—are in effect
- DORA is targeted at financial entities and is a regulation, while NIS2 is a directive targeting essential businesses
- Now is the time to act on regulatory compliance, before fines and penalties are handed out
As attackers pursue organisations to advance their causes, cybercrime has evolved into a multi-billion-pound global industry. Some threat actors work for financial gain; others to wreak havoc on societal infrastructure. We fight back against them all.
Their malicious motivations place several industries in the firing line. The financial sector is one: banks, private equity firms, and insurance brokers hold uniquely valuable data and capital that, if not adequately protected, are ripe for the taking.
Industries like energy, transportation, and healthcare are similarly targeted. In 2024, the fallout of the Synnovis ransomware attack led to more than 10,000 medical outpatient appointments being disrupted and delayed in the UK. As recently as September 2025, a ransomware attack on aviation technology provider Collins Aerospace grounded flights at major airports in London, Brussels, Dublin, and Berlin.
So what can leaders do to mitigate this rising threat?
Two new EU measures aim to enhance cybersecurity in critical sectors. Let’s explore how the Digital Operational Resilience Act (DORA) and Network and Information Security Directive 2 (NIS2) are impacting organisations today.
DORA regulation for the finance industry
Financial entities require comprehensive cybersecurity standards to keep customer data and capital safe. DORA has applied since January 2025 and is intended to improve cyber hygiene across the sector.
The goal? To create a unifying framework that helps organisations withstand, respond to, and recover from all types of information and communication technology (ICT) disruptions.
DORA is enforceable for a wide range of financial entities operating in the EU, including banks, private equity firms, and insurance brokers. Its scope also extends to third parties, requiring financial bodies to assess and monitor risks associated with their digital service providers.
The regulation is built on pillars of compliance, including ICT risk management, ICT-related incident reporting, digital operational resilience testing, and information sharing.
For businesses, DORA means achieving full visibility of the digital portfolio, meeting rapid-turnaround reporting deadlines, and ensuring employees are educated on cybersecurity.
The first cost of non-compliance is a gap in your cyber defences. If threats come knocking—and they will—your organisation needs to be prepared to deal with the attack. But there are also penalties imposed by regulators. DORA non-compliance can lead to fines, administrative sanctions, and board-level criminal charges for serious cases of negligence.
Organisations can take actionable steps towards compliance, including conducting risk assessments, implementing 24×7 monitoring for threat activity, testing resilience, and practising incident response through tabletop exercises.
NIS2 directive for societal infrastructure
But what about non-finance companies? NIS2 is an EU directive aiming to improve cybersecurity standards across a larger spectrum of sectors.
NIS2 came into force in January 2023 and builds on the first NIS directive, widening the scope to include a broader range of industries and their supply chains. The new remit applies to “essential” critical infrastructure, including the energy, transport, and healthcare sectors, as well as “important” entities such as digital service providers and public administration. It’s expected to have a larger ripple effect across the EU—requiring entities and their providers to assess and manage security provisions.
NIS2’s key mandates include measures on risk management, incident reporting, corporate accountability, supply chain security, and business continuity.
Non-compliance carries consequences here too. Organisations may face “effective, proportionate, and dissuasive” fines for breaching the terms of NIS2, scaled in accordance with their classification as “essential” or “important.”
To achieve compliance, parties will need to implement a range of cybersecurity risk management measures, fulfil strict reporting obligations, and establish robust incident handling measures.
The path to regulatory compliance…
…never did run smooth. But an understanding of the relevant regulations can support a strong cybersecurity posture.
Both DORA and NIS2 are designed to enhance cybersecurity and resilience for organisations operating in the EU. They share similar core principles—to improve incident reporting and enhance third-party risk management while placing a strong emphasis on holding executive leaders accountable for cybersecurity failures.
Where they differ is the sectors they target. To recap, DORA applies solely to financial entities and their third parties, unlike NIS2, which affects many critical industries, including energy and healthcare.
But the differences don’t end there. DORA is an EU regulation, meaning it applies directly and doesn’t have to be transposed into national law before it can be enforced. As a directive, NIS2 requires each member state to transpose it into national law, which many have yet to do.
The European Commission has launched infringement procedures against some member states for failing to fully transpose the directive by its October 2024 completion deadline.
DORA and NIS2 each impose similar financial, administrative, and criminal penalties upon non-compliant organisations. However, at the time of writing, it’s unclear just how harshly regulators will enforce the proposed penalties.
Expel can help organisations transform their approach to regulatory compliance, no matter the sector. We offer continuous 24×7 monitoring and enhanced visibility to rapidly detect and report incidents, turning compliance into a competitive advantage for companies in finance, energy, transport, and more. As a third-party service provider to affected entities, Expel has also prepared contractual supplements that align with the relevant tiered requirements under DORA and NIS2.
Find out more about our managed detection and response services and begin your journey to full compliance.
