DORA & NIS2 Are Now Enforced: What Every Enterprise Vendor Program Must Do Right Now

For years, EU regulators telegraphed their intent. Now, the deadline has passed — and the Digital Operational Resilience Act (DORA) and the NIS2 Directive are no longer “upcoming” obligations. They are live, enforceable law, and enterprises that haven’t restructured their third-party governance programs are already exposed.

This article breaks down what each regulation requires, where they overlap, and the concrete steps procurement, risk, and compliance teams must take today.

What Is DORA?

DORA — the Digital Operational Resilience Act — is an EU regulation that entered into force in January 2023 and became fully applicable on January 17, 2025. It targets the financial sector: banks, insurers, investment firms, payment institutions, and critically, their ICT third-party service providers.

Its core premise is straightforward but demanding: financial institutions must be able to withstand, respond to, and recover from any ICT-related disruption — not just those caused internally, but those originating from their entire vendor ecosystem.

What Is NIS2?

NIS2 — the Network and Information Security Directive 2 — is the successor to the original NIS Directive and significantly expands its scope. Member states were required to transpose NIS2 into national law by 17 October 2024, and national cybersecurity agencies have since begun publishing enforcement expectations and “acceptable means of compliance”.

Unlike DORA (a regulation, which binds directly in every member state without national legislation), NIS2 is a directive: each member state transposes it into its own law, so scope thresholds, reporting portals and sanction regimes vary from country to country. The core obligations are consistent, though: risk management, supply chain security, incident reporting, and management accountability.

Who Is In Scope?

DORA Scope

DORA applies to virtually the entire EU financial services ecosystem:

  • Banks, credit institutions, and payment service providers
  • Insurance and reinsurance companies
  • Investment firms and crypto-asset service providers
  • ICT third-party service providers (cloud platforms, data analytics vendors, SaaS tools serving financial entities), reached through the contractual obligations of their financial-entity customers; those designated as Critical ICT Third-Party Providers (CTPPs) additionally come under direct EU-level oversight

NIS2 Scope

NIS2 applies far more broadly:

  • Essential Entities: large organizations (generally 250+ employees or €50M+ annual turnover) in high-criticality sectors such as energy, transport, banking, financial market infrastructure, health, water, and digital infrastructure
  • Important Entities: medium-sized organizations (generally 50+ employees or €10M+ annual turnover) in sectors such as postal services, waste management, manufacturing, food, and digital services
  • Non-EU companies: providers such as cloud, data centre, managed service and online marketplace operators that offer services in the EU are directly in scope and must designate an EU representative; other non-EU suppliers are reached indirectly through their EU customers’ supply chain obligations

The 5 Core Pillars of DORA

DORA is structured around five mandatory compliance areas:

  1. ICT Risk Management — Continuous vulnerability monitoring, documented risk registers, and proactive mitigation strategies. Organizations must move beyond annual audits to real-time risk management frameworks.
  2. ICT Incident Management & Reporting — Major ICT incidents must be classified against the criteria in DORA’s technical standards, and an initial notification must reach the competent authority within 4 hours of classifying the incident as major, and in any case no later than 24 hours after becoming aware of it. This is significantly stricter than most prior frameworks and requires pre-built incident detection, classification and escalation pipelines.
  3. Digital Operational Resilience Testing — ICT systems supporting critical or important functions must be tested at least annually; advanced Threat-Led Penetration Testing (TLPT) is required at least every three years for entities identified by their competent authority. Backup systems and failover capabilities must be tested, with results and remediation documented.
  4. ICT Third-Party Risk Management — This is the pillar most directly relevant to vendor programs. Financial entities must maintain a formal register of information covering all ICT third-party arrangements, and contracts must include specific rights around audit and access, data location, sub-outsourcing, incident support, and exit strategies.
  5. Information Sharing — Voluntary sharing of cyber threat intelligence among financial entities is explicitly encouraged, establishing a collaborative defense model across the industry.

NIS2’s 10 Mandatory Cybersecurity Measures

NIS2 mandates ten core cybersecurity requirements (Article 21(2)) that all in-scope organizations must implement:

  1. Risk analysis and information system security policies
  2. Incident handling and response protocols
  3. Business continuity and crisis management plans
  4. Supply chain security — the security-related aspects of relationships with direct suppliers and service providers, taking into account each supplier’s specific vulnerabilities and overall security practices
  5. Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure
  6. Policies and procedures to assess the effectiveness of cybersecurity risk-management measures
  7. Basic cyber hygiene practices and cybersecurity training
  8. Policies and procedures on the use of cryptography and, where appropriate, encryption
  9. Human resources security, access control policies and asset management
  10. Multi-factor or continuous authentication, together with secured voice, video and text communications and secured emergency communication systems

Third-Party Risk: The Heart of Both Regulations

Both DORA and NIS2 place third-party and supply chain risk at the center of compliance — but DORA goes further in prescribing exactly how that risk must be governed.

Under DORA:

  • Financial entities must maintain detailed registers of ICT contracts and dependencies
  • Contracts must contain explicit clauses on access rights, audit rights, data residency, sub-outsourcing permissions, incident reporting obligations, and termination/exit provisions
  • Critical ICT Third-Party Providers (CTPPs) — such as major cloud platforms — can be designated by the European Supervisory Authorities (EBA, EIOPA and ESMA) and overseen directly at EU level by a Lead Overseer, with powers to request information, conduct investigations and inspections, and issue recommendations

Under NIS2:

  • Supplier contracts are expected, in practice, to flow down NIS2 security requirements AND include a right to audit; the directive itself mandates the outcome (supply chain security), and national guidance sets out how contracts are expected to deliver it
  • Organizations must verify vendor compliance — not just require it on paper
  • Vendors found non-compliant must be placed under continuous monitoring with remediation tracked to closure
  • The risk tier of a third party must determine what access it is permitted in your systems

Reporting Obligations: A Side-by-Side View

Obligation             DORA                                                       NIS2
Initial notification   4 hours from classifying the incident as major, and        24 hours from becoming aware (early warning)
                       no later than 24 hours from becoming aware of it
Intermediate report    72 hours from the initial notification                     72 hours from becoming aware (incident notification)
Final report           1 month from the intermediate report                       1 month from the incident notification
Who reports            Financial entity to its competent authority                Essential/Important entity to its national CSIRT or competent authority
Vendor incidents       Contract must oblige the provider to notify and assist     Provider notification is a contractual flow-down from the in-scope entity
                       the financial entity

Penalties: Personal Liability Is Now Real

Both regulations have moved firmly away from “name and shame” toward financial and personal consequences.

  • NIS2 fines: Up to €10 million or 2% of global annual turnover, whichever is higher, for Essential Entities; up to €7 million or 1.4% for Important Entities
  • DORA penalties: Administrative penalties for financial entities are set by each member state’s competent authority; at EU level, the Lead Overseer can impose periodic penalty payments on CTPPs that fail to cooperate with oversight, of up to 1% of average daily worldwide turnover for up to six months
  • Management liability: Under both frameworks, the management body must approve cybersecurity and ICT risk-management measures and oversee their implementation, and its members must undergo training. Negligence can trigger personal liability, and for NIS2 Essential Entities authorities can temporarily bar individuals from exercising managerial functions. The era of delegating compliance entirely to the IT department is legally over

What Enterprise Vendor Programs Must Do Now

If your organization is in scope — or if you serve entities that are — here is the immediate action list:

For DORA compliance:

  • Build and maintain a complete register of all ICT third-party arrangements with risk classifications
  • Audit all vendor contracts for DORA-required clauses (audit rights, exit rights, incident reporting, sub-outsourcing controls)
  • Establish a detection-to-classification-to-notification pipeline that can produce the initial notification within 4 hours of classifying an incident as major, and within 24 hours of becoming aware of it
  • Schedule and document annual resilience testing and three-year TLPT cycles

For NIS2 compliance:

  • Classify all vendors by risk tier — extend beyond Tier 1 to map Tier 2 and Tier 3 dependencies (your suppliers’ suppliers)
  • Embed NIS2 security clauses and audit rights in all supplier contracts
  • Implement ongoing vendor monitoring — not just onboarding assessments
  • Brief senior management: they are now legally accountable for the program’s effectiveness

For both:

  • Conduct a formal gap analysis against both frameworks simultaneously, as they share overlapping requirements around risk, incident reporting, and supply chain security
  • Consolidate vendor risk data into a centralized governance platform — spreadsheets create the exact blind spots regulators are targeting

How Enlighta Helps You Operationalize DORA and NIS2

Most organizations don’t fail DORA or NIS2 because they lack policies; they fail because they cannot evidence consistent third-party oversight across contracts, risks, incidents, and critical services. Enlighta is designed exactly for that gap.

With Enlighta, you can:

  • Maintain a single, governed register of all ICT and critical third-party relationships, including criticality, service mapping, and DORA/NIS2-relevant attributes (data location, sub-outsourcing, concentration risk).

  • Standardize and track DORA- and NIS2-aligned contract clauses (audit rights, incident notification, exit and transition assistance), and flag agreements that deviate from your regulatory playbook.

  • Orchestrate incident-to-board workflows by linking vendor incidents, impacted services, and business owners so you can determine materiality and meet stringent reporting timelines.

  • Consolidate risk, performance, and compliance evidence in one place, giving risk, compliance, procurement, and security a shared view of third-party exposure.

Instead of stitching together spreadsheets, email threads, and siloed tools every time a regulator or internal auditor asks for proof, Enlighta gives you a continuous, auditable story of how you govern third parties under DORA and NIS2.

Contact us to get our DORA/NIS2 Compliance Gap Assessment Tracker. It includes a practical checklist of control expectations, mapped to data points and workflows you can manage directly within Enlighta, so you can see exactly where you stand today and what to fix first.

Enlighta’s software solutions empower enterprises to increase business value and mitigate risks in supplier and third-party engagements through data-driven insights into demand, performance, contract compliance & spend, and process automation for demand, selection, invoice validation, vendor governance, and third-party risk monitoring.

© 2026 Enlighta.com. All Rights Reserved