In recent years, the European Union (EU) has significantly strengthened its information security regulations, seeking to protect data and ensure the digital resilience of organisations. The most recent and important of these regulations are NIS 2 and DORA.

A comparative analysis

The Network and Information Security Directive 2 (NIS 2), which will come into force in October 2024, extends the coverage of the original NIS, requiring critical sectors – such as health, energy, transport, finance, and digital infrastructure – to implement robust cybersecurity measures. NIS 2 aims to mitigate the risks of cyberattacks and increase co-operation between EU member states. The main aspects of NIS 2 include the requirement for Information and Communication Technology (ICT) risk management, mandatory incident notifications, and the implementation of preventive measures to protect networks and information systems.


The Digital Operational Resilience Act (DORA) is scheduled to come into force in January 2025, focusing specifically on the financial sector. DORA establishes strict requirements for ICT risk management, covering banks, insurance companies, investment firms, payment service providers and other financial institutions. DORA requires these institutions to implement measures to ensure operational resilience, carry out periodic resilience tests, report ICT incidents and maintain robust business continuity plans.


The table below summarises the main points of contrast between NIS 2 and DORA:

Creation date
  NIS 2: 14th December 2022
  DORA: 16th January 2023

Entry into force
  NIS 2: 17th October 2024
  DORA: 17th January 2025

Critical sectors covered
  NIS 2:
    • Energy
    • Transport
    • Health
    • Banking
    • Finance
    • Digital infrastructure
    • Drinking water
    • Waste water
    • ICT infrastructure
    • Public Administration
    • Space
  DORA:
    • Banks
    • Insurance companies
    • Investment companies
    • Payment Service Providers
    • Financial technology companies (Fintechs)
    • Financial market infrastructures

Main objectives
  NIS 2:
    • Improve cybersecurity in critical sectors to mitigate cyberattack risks.
    • Establish a common base of cybersecurity measures for EU member states.
    • Increase cooperation and information sharing between member states.
  DORA:
    • Ensure that financial institutions can resist, respond to and recover from cyberattacks and other operational disruptions.
    • Establish strict requirements for ICT risk management.
    • Implement periodic operational resilience tests.
    • Ensure business continuity and resilience of EU financial systems.

Penalties for non-compliance
  NIS 2: sanctions vary according to the national legislation of the member states. They can include:
    • Significant fines and other financial penalties (the maximum fine for essential entities is 10 million euros).
    • The possibility of administrative sanctions, such as compliance orders and mandatory audits.
  DORA: sanctions vary and can include:
    • Significant fines and other financial penalties specific to the financial sector.
    • Possibility of administrative sanctions, including compliance orders and mandatory audits.
    • Risks of additional regulatory measures, such as operational restrictions.

Other relevant dates
  NIS 2:
    • 17/01/2025: the NIS Cooperation Group shall establish a peer review methodology.
    • 17/04/2025: Member States shall establish a list of essential and important entities by this date.
    • 17/10/2025: the European Commission will analyse and review the functioning of the NIS 2 Directive.
  DORA: deadline for institutions to fulfil the specific requirements is up to 18 months after entry into force.

Why should I comply?

Failure to comply with these regulations carries significant risks for institutions. Companies can face substantial fines and legal sanctions, leading to a loss of customer trust and a weakening of the business.


In addition, exposure to cyberattacks can result in sensitive data breaches, financial losses and irreparable damage to the company's reputation.

Which cyberattacks and threats might be involved?

The NIS 2 and DORA information security regulations aim to improve the overall resilience of the companies working in sensitive sectors so that they can prepare themselves and their employees to avoid or manage cybersecurity risks such as:

  • Malware: malicious software such as viruses, worms, trojans, spyware, or ransomware (which encrypts data and demands a ransom to deliver the decryption key).
  • Phishing and spear phishing: sending fraudulent emails (targeted or not) that appear to be from trusted sources in order to obtain sensitive information or deliver malware.
  • Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks: focused on making online services unavailable by overloading servers or the network with massive traffic.
  • Ransomware: malware that encrypts data and demands a payment (ransom) to deliver the decryption key.
  • Credential theft: obtaining login credentials to access sensitive systems and data, usually through phishing or fake websites.
  • Security configuration flaw abuse: attacks that exploit incorrect or weak configurations in IT systems.
  • Zero-day attacks and exploitation of software vulnerabilities: attacks that exploit unknown or unpatched vulnerabilities in a system or piece of software.

Other relevant regulations

In addition to NIS 2 and DORA, other ongoing European regulations play a crucial role in information security, namely:

Sharing responsibility

Given the complexity and scope of these regulations, it is highly recommended that companies seek the support of specialised consultancies that can provide the expertise needed to ensure compliance, help implement best practices and prepare companies for audits and possible incidents.


In addition, consultancies – such as Alter Solutions – offer ongoing support, helping companies to adapt to regulatory changes and stay focused on their core activities, while remaining safe and compliant with current legislation.


In short, compliance with information security regulations in Europe is not just a legal requirement, but an essential practice for protecting businesses and maintaining trust in the digital marketplace.
