NIS2 and DORA Compliance

What is NIS2 and DORA Compliance?

NIS2 (the Network and Information Security Directive 2, Directive (EU) 2022/2555) and DORA (the Digital Operational Resilience Act, Regulation (EU) 2022/2554) are EU cybersecurity laws that impose mandatory security requirements on critical-infrastructure operators and financial entities operating in or serving EU markets. NIS2 entered into force in January 2023 and had to be transposed into national law by 17 October 2024; it is estimated to bring over 160,000 organizations into scope across essential and important sectors including energy, transport, healthcare, digital infrastructure, and public administration, with enforcement timelines that vary by member state. DORA applies from 17 January 2025 to financial entities and, through its oversight framework, to the critical ICT third-party service providers that serve them; it mandates ICT risk management, incident reporting, and digital operational resilience testing, including penetration testing. Both have direct implications for U.S.-based organizations that serve EU clients or operate EU subsidiaries.

Description

NIS2 establishes minimum cybersecurity capabilities for essential and important entities: risk management measures (Article 21), staged incident reporting (an early warning within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours, and a final report within one month), supply chain security requirements, business continuity planning, and board-level accountability, with management bodies required to approve and oversee the measures and liable to be held personally accountable for infringements. DORA's requirements for financial entities are more prescriptive: a documented ICT risk management framework, classification and reporting of major ICT-related incidents, management of ICT third-party risk including mandatory contractual provisions, and a digital operational resilience testing programme that includes penetration testing. For financial entities designated by their competent authority, DORA adds Threat-Led Penetration Testing (TLPT), performed at least every three years on the basis of the TIBER-EU framework. A TLPT is a red team exercise driven by threat intelligence about the adversaries most likely to target the entity and run against live production systems supporting critical or important functions, which makes structured red team engagements a compliance obligation for those entities rather than an optional best practice. Both regulations emphasize third-party risk management, requiring organizations to flow security requirements down to their technology suppliers and to assess supplier security. DORA explained in detail provides a comprehensive breakdown of DORA's requirements and what financial entities need to do to comply.

Usage and Examples

A U.S. fintech whose EU-licensed payment institution processes payments for European customers is an in-scope financial entity under DORA, and the EU cloud providers it relies on are ICT third-party service providers whose contracts must meet DORA's requirements. A compliance gap analysis reveals: no formal ICT risk management framework, no documented incident classification process aligned with DORA's major incident criteria, contracts with critical cloud providers that lack the required contractual provisions (service level descriptions, audit and access rights, incident support, termination rights and exit strategies), and no history of threat-led penetration testing. Because DORA has applied since 17 January 2025, the company must close these gaps now or face sanctions from EU financial supervisors. NIS2 compliance for a European subsidiary of a U.S. manufacturer requires: a designated cybersecurity responsible person, a management body that approves and oversees the cybersecurity risk management measures, documented business continuity and incident response plans, the ability to meet the 24-hour and 72-hour incident reporting deadlines, and security requirements flowed down to supply chain vendors.

How Does This Relate to Penetration Testing?

DORA explicitly lists penetration testing among the tests a financial entity's digital operational resilience testing programme must draw on, and it requires TLPT for designated entities. NIS2 does not name penetration testing in the directive text, but its requirement that entities assess the effectiveness of their risk management measures and handle vulnerabilities is, in practice, evidenced through regular penetration testing. DORA's TLPT mandate specifies threat-led exercises that use realistic threat intelligence about the adversaries most likely to target the institution, scope the live production systems supporting critical or important functions, and employ red team techniques rather than standard vulnerability assessments. Evolve Security's Red Team and network and application penetration testing services align with the testing requirements of both regulations and provide the documented evidence and remediation guidance that regulators and auditors require. Contact our Advisory team to map your testing program to your regulatory obligations.
