NIS2 · DORA · GDPR · EU mid-market
Know exactly where you stand on NIS2 and DORA — and what to do next.
You need a clear picture of your obligations, the governance and security gaps standing in the way, and a practical plan that gets your organization audit-ready. We help EU mid-market companies map their scope under NIS2 and DORA, close gaps in cybersecurity governance, supply chain security, and ICT risk management, and build the evidence regulators and customers ask for. Afterward we run the incident reporting and continuous monitoring controls for you, so EU compliance readiness becomes a steady state instead of a fire drill.
- NIS2 scoping (Annex I/II, essential vs. important)
- DORA ICT risk framework + register of information
- 24/7 SOC for continuous monitoring controls
- EU-resident processing: no GDPR international transfer assessment needed
NIS2 timeline
Three dates that matter for NIS2.
The Directive set a hard transposition deadline of 17 October 2024. Most member states missed it, and the Commission has pursued infringement proceedings against the laggards, escalating to reasoned opinions in May 2025. Don't bet on national delay: your customers and counterparties will demand evidence regardless.
01 · Jan 16, 2023 · NIS2 Directive in force
Directive (EU) 2022/2555 entered into force, opening a 21-month transposition window for member states.
02 · Oct 17, 2024 · Transposition deadline
Member states were required to transpose the Directive into national law. Most missed the deadline; enforcement is now rolling out state by state through 2026.
03 · Active now · Enforcement live in most states
Belgium, Italy, Croatia, Hungary, Latvia and Lithuania transposed on time. Germany, France, Spain and the Netherlands are rolling out through 2026. Fines reach €10M or 2% of global annual turnover (whichever is higher) for essential entities, and €7M or 1.4% for important entities.
DORA — already in force
Five DORA pillars, all binding.
DORA (Regulation (EU) 2022/2554) has applied since January 17, 2025 with no grace period. Every financial entity in scope, including banks, investment firms, insurers, crypto-asset service providers and crowdfunding platforms, has to demonstrate compliance against five pillars.
01 · ICT risk management
Board-level governance, an ICT risk control framework, and a simplified framework for the smallest entities.
02 · Incident classification & reporting
Major incident detection, classification against the RTS criteria, and initial / intermediate / final reports to the competent authority.
03 · Resilience testing
Basic ICT testing at least annually. Threat-led penetration testing (TLPT) at least every 3 years for entities designated by their competent authority.
04 · Third-party risk
Register of information, ICT third-party risk policy, and exit strategies for critical providers.
05 · Information sharing
Voluntary cyber threat information exchange among financial entities.
What we deliver
From scoping to ongoing evidence.
Most consultancies hand you a gap analysis and walk away. We do the gap analysis, then we run the controls that produce the evidence — for the lifetime of the obligation.
Scoping & gap analysis
Annex I/II classification, essential vs. important, DORA scope determination. Gap against current state with evidence requirements identified.
Policies & documentation
ICT risk management policy, incident response procedures, third-party risk policy, register of information template, exit plans.
24/7 SOC + MDR
Continuous monitoring produces the detection and incident-handling evidence required by the NIS2 Article 21(2) measures and by DORA's ICT risk monitoring controls; it is one part of the Article 21 measure set, not the whole of it. EU-resident processing.
Incident reporting workflows
NIS2: early warning within 24h, incident notification within 72h, final report within one month. DORA: initial notification within 4h of classifying an incident as major (and within 24h of becoming aware of it), intermediate report within 72h, final report within one month, per the incident-reporting RTS. Pre-built templates and routing to the national CSIRT or competent authority.
Penetration & resilience testing
Basic ICT testing for all DORA entities. TLPT (TIBER-EU aligned) for significant entities. Vulnerability scans and red-team exercises.
Ongoing evidence collection
Control attestation, evidence library, board-level reporting cadence. Auditor-ready when the regulator or your customer's third-party risk team comes calling.
Talk to us
Where are you on the timeline?
Tell us your member state, your sector, and where you think you sit in scope. We'll tell you whether you're right, what's missing, and how long it takes to close — on the call.