Digital security in Europe is in the middle of a transformation. With the entry into force of the DORA Regulation and the NIS2 Directive, the rules of the game have changed for thousands of companies, especially in the financial sector and among digital service providers, which must now meet strict resilience and cybersecurity standards. But despite the legal deadlines, many organizations still do not know where to start.

Faced with this scenario, ISACA has published its latest technical report: “Resilience and security in critical sectors: how to address the requirements of NIS2 and DORA”. Far from being just an interpretive guide, the document acts as a survival manual for companies that need to align their digital strategies with the new European obligations. In the words of Chris Dimitriadis, Chief Global Strategy Officer at ISACA, “the challenge lies not only in understanding the regulations, but also in ensuring that companies know how to apply them effectively.” He adds that “the consequences of a breach are serious and, more importantly, so are the risks of operational disruption.”

The national transposition of NIS2 should have been completed by October 2024, but only a few member states have done so. Spain, among the laggards, reflects a problem that goes beyond its borders. In Ireland, for example, 38% of companies admit they are not ready. The situation is repeated, with varying intensity, in many European SMEs and technology suppliers that still do not know they are directly affected by these regulations.

DORA, for its part, imposes especially severe obligations on financial institutions and their ICT suppliers. From specific contractual clauses to incident notification deadlines of no more than four hours, the level of demand rises sharply.

What companies should know

ISACA’s report identifies eight fronts that organizations cannot ignore:

  • Identify scope: Does NIS2, DORA or both apply? Even companies that do not expect it may be affected.
  • Strengthen the ICT framework: Review risk management, continuity plans and recovery tests.
  • Control third parties: Many suppliers still do not know that DORA affects them.
  • Master notification deadlines: 24 hours for preliminary alerts under NIS2; only four hours for serious incidents under DORA.
  • Train the workforce: From senior management to operations, everyone must understand the risks.
  • Periodic audits: Internal and external, with independence and technical qualification.
  • Advanced penetration tests: Mandatory for financial entities.
  • Updated documentation: Regulatory traceability will be key.

Europe hardens its cyberdefense

Beyond the urgency of compliance, ISACA proposes a long-term vision: the creation of resilient organizational cultures. The guide is aimed not only at compliance teams, but also at CISOs, CIOs and those responsible for risk, as well as their technology suppliers, which are often the weakest link.