NIS2 and DORA Compliance

Technical depth meets regulatory fluency — for finance, critical and digital infrastructure, healthcare, and public administration. Sector-specific packages aligned with the regulator and the industry.

Key differences NIS2 / DORA

Two overlapping regulations — different legal bases, different scope, different regulators.

NIS2

EU Directive 2022/2555 covering essential and important entities across 18 critical sectors. Requirements: risk management, incident reporting (24h/72h/30d), supply chain security, business continuity.

EU DIRECTIVE

DORA

EU Regulation 2022/2554 for the financial sector — payment institutions, CASPs, insurers, asset managers, and ICT service providers to finance. In force since January 2025. Requirements: operational resilience, ICT risk framework, third-party register, ICT incident logging.

EU REGULATION

Sector packages

A starting point for each sector — core compliance defined, scope aligned with the organisation's specifics after gap analysis.

Local Government Pack

NIS2 compliance for municipal authorities. Polish clients also get KSC-specific scope (Cyberbezpieczny Samorząd Programme) as part of the engagement.

LOCAL GOV · NIS2

Healthcare Pack

Compliance for healthcare entities classified as essential under NIS2 — hospitals, clinic networks, specialist clinics. Sector-specific methodology accounting for the operational constraints of medical facilities.

HEALTHCARE · NIS2

Civil Protection Pack

Compliance for NGOs and civil-defence organisations classified as essential under NIS2, with integration into crisis-management workflows. Full scope of this area — see Cyber consulting for social resilience.

NGO · CIVIL PROTECTION

Non-bank DORA Pack

DORA compliance for fintech, payment institutions, CASPs, asset managers, and ICT service providers — operational resilience, ICT risk framework, third-party register, ICT incident logging. Without assumptions about banking infrastructure.

FINTECH · DORA

For clients operating in Poland — KSC

KSC (Krajowy System Cyberbezpieczeństwa) is Poland's national cybersecurity framework — transposing NIS2 with additional scope for operators of essential services, digital service providers, and public administration. Audit cycle: every 2 years, supervised by the Ministry of Digital Affairs and CSIRT NASK. Polish clients of our Local Government Pack and Non-bank DORA Pack also receive KSC-specific scope as part of the engagement.

What each package includes

  • Gap analysis and compliance map: Full review of current controls against the regulator's requirements. Entity classification, gap identification, prioritised remediation plan.
  • Regulator-required documentation: Incident reporting procedures (NIS2 24h/72h/30d, DORA Article 17), ICT risk management framework, supply chain security procedures. Tailored to how the organisation actually works, not generic templates.
  • Prioritised implementation plan: Compliance roadmap with timeline, scope and budget. Iterative rollout with point-by-point reviews.
  • External audit support: Assistance during NASK/CSIRT inspections, KNF audits (for DORA), and KSC compliance audits. Team preparation and responses to auditor findings.

Related specialised competencies

Regulatory compliance rarely stands alone. As part of NIS2 or DORA preparation, we combine compliance work with financial-sector and AI/LLM pentesting, vCISO compliance oversight (a formal CISO function is required for essential entities), and sector-specific OSINT and Threat Intelligence (CTI for DORA, NIS2 supply chain monitoring). For civil-protection bodies and NGOs, see Cyber consulting for social resilience separately.

Who NIS2 applies to

NIS2 splits organisations into essential and important entities. Classification depends on sector, size, and criticality of services.

Energy

Electricity transmission and distribution operators, gas, district heating and fuel suppliers. Threshold: revenue and criticality of supply security.

Transport

Aviation, rail, road transport, maritime and inland shipping, port infrastructure. Air traffic operators, infrastructure managers.

Banking and finance

Credit institutions and payment platforms per PSD2/PSD3. Financial market infrastructure operators, exchanges. DORA as lex specialis for ICT matters.

Healthcare

Hospitals, clinic networks, research laboratories, medical device manufacturers and pharmaceutical companies. Integration with national health platforms.

Digital infrastructure

DNS providers, TLD registries, IXPs, cloud providers, CDN, hosting, data centres, electronic communications networks.

Public administration

Central and local government — essential entities with full NIS2 obligations. For Polish local government, integration with the Cyberbezpieczny Samorząd Programme.

Frequently asked questions

NIS2 covers essential and important entities across 18 critical sectors — energy, transport, banking, digital infrastructure, healthcare, administration, and others. The criteria are sector of activity and size thresholds (typically 50+ employees or EUR 10m turnover). We will confirm your classification in a free preliminary assessment.

For essential entities, administrative fines of up to EUR 10 million or 2% of total global turnover. For important entities, up to EUR 7 million or 1.4% of turnover. Personal liability of management may also apply.

Financial entities subject to DORA apply DORA as lex specialis in place of NIS2 for ICT matters. DORA has more detailed requirements regarding ICT risk management, third-party register, ICT incident logging, and operational resilience. NIS2 may still apply to other aspects beyond ICT.

Packages are a starting point. Each one covers the compliance core required for the sector, but the actual scope is adjusted to the organisation's maturity, existing documentation, and risk specifics. After gap analysis we finalise the roadmap and timeline.

Book a compliance consultation

Free initial conversation — we'll confirm your classification and the scope of obligations.

Schedule a consultation