/
When NIS2 and DORA are no longer compliance programmes, but a managerial redesign of digital resilience.
The European regulatory agenda regarding cybersecurity has shifted in recent years from normative direction to enforceable administrative responsibility. The NIS2 Directive and the DORA Regulation fit within the same logic: digital disruptions and cyber incidents are no longer treated as exceptional IT events, but as structural business risks that must permeate governance, architectural choices, and operational control.
For you as a CISO or cybersecurity executive, the implication is clear: security is no longer primarily a domain of technical optimization. It becomes a discipline of demonstrable control, where the burden of proof, decision-making, and liability are explicitly anchored in the governance layer.
The core shift: from capability to accountability
NIS2: governance as a requirement, not a best practice
NIS2 not only prescribes measures; it explicitly makes governance a requirement. Article 20 mandates that the management bodies - the governing body or the executive body, depending on the national implementation - approve cyber risk management measures, oversee implementation, and can be held accountable in case of breaches. Furthermore, there is an explicit training requirement for members of the management body.
For you, this means that it is not enough for your organization to have security teams, roll out tools, or publish policies. The regulator expects cyber risks to be managed at the governance level as a separate risk category with:
• formal approval of the chosen control measures;
• oversight of implementation and effectiveness;
• demonstrable understanding at the governance level through training;
• demonstrable follow-up when controls are lacking.
DORA: operational resilience as a manageable system
DORA is fundamentally different from NIS2 in legal nature: it is an EU regulation directly applicable to the financial sector, with an explicit focus on ICT risk and operational digital resilience. The framework includes, among other things, ICT risk management, incident reporting, resilience testing, and third-party oversight. DORA has been applicable since 17 January 2025.
Where NIS2 is often read as cybersecurity compliance, DORA forces you to treat your digital resilience as an end-to-end control system: from governance to detection, from recovery to supply chain, with formal oversight logic.
Management responsibility is historically filled in many organizations as the appointment of a CISO and the establishment of a policy framework. However, regulatory responsibility requires something different: managerial traceability.
As an organization, you must be able to demonstrate:
Which risks you acknowledge at the management level: from the threat landscape to business exposure;
Which control measures you have chosen and why;
What residual risk you accept and at what level;
How you check that control measures are working effectively;
How you adjust deviations within the governance cycle.
That traceability is not a documentation project. It requires a governance model in which cyber risks are given the same discipline as financial, legal, or credit risks, with clear accountability, risk appetite, key risk indicators (KRIs), and key performance indicators (KPIs), escalation paths, and formal decision-making moments.
The implicit requirement: verifiability at scale
NIS2 and DORA imply that your cyber risk management must be scalable across business units, product lines, cloud and application landscapes, supply chains, and transnational business models. Regulation does not assume that you can demonstrate individual controls in one defined domain, but that you can prove consistency across the entire organizational and technological breadth of your company.
Therefore, the focus shifts from isolated initiatives to systemic design. An isolated implementation of, for example, SIEM tooling is insufficient when architecture principles, delivery controls, identity governance, logging and monitoring baselines, and supplier governance do not coherently connect. Verifiability at scale means that your security measures are reproducible, measurable, and managerially traceable, regardless of where in the organization they are applied.
NIS2 in practice: compliance is a byproduct of mature governance
NIS2 positions cybersecurity risk management as a set of measures that organizations must implement and manage. In practice, however, compliance is often approached as an end goal, whereas it is actually the result of mature governance. When governance, architecture, and operational control are coherently configured, compliance follows as a logical consequence.
The typical pitfall: policy without evidence
In a mature organization, policy is not the endpoint, but the beginning of evidence. Regulatory pressure makes the distinction visible between paper compliance and demonstrable control. The former consists of policy documents, procedures, and awareness programs. The latter requires measurable control measures, logging, reporting, test results, and structural improvement loops.
The governance articles within NIS2 implicitly insist on this second level. Executives must be able to oversee, and for that, manageable management information is necessary. Without consistent, traceable, and substantiated information, a gap arises between formal accountability and actual control.
The strategic question for you as a CISO
The core question will not be whether you are compliant. The core question will be whether you can consistently demonstrate that your cyber risks are under managerial control.
This requires a different discipline than classical security program management. You need a management information layer that translates technical reality into business impact, coverage of control measures, effectiveness, and recovery capability. Only when exposure, effectiveness of control measures, and resilience are presented in one coherent framework can management make informed decisions about risk acceptance.
DORA: incident reporting and oversight logic accelerate maturity or pain
DORA formalizes expectations that supervisors have implicitly held for years. By explicitly structuring incident reporting, testing, and third-party oversight, operational digital resilience becomes a supervisable system. This accelerates organizational maturity when governance and execution are aligned but mercilessly exposes where structures are insufficiently robust.
Incident reporting as a stress test for your operating model
Incident reporting is not an administrative obligation but a stress test of your operating model. When a serious incident occurs, it becomes clear how classification, detection, triage, crisis governance, forensic analysis, communication, and recovery decision-making function in practice.
If you cannot produce a consistent timeline, substantiated impact analysis, and clear decision documentation during an incident, it indicates not only an operational shortfall but a governance shortfall. Reporting forces you to have your internal truth machine structurally in order.
Resilience testing as a control discipline
DORA emphasizes resilience testing and third-party risk. However, testing is only valuable when it is directly connected to architecture choices, recovery strategies, and concrete improvement actions.
When testing is merely conducted as a periodic exercise without influencing design and decision-making, ritual behavior emerges. When results are systematically translated into adjustments in controls, architecture, and governance, testing becomes a managerial feedback loop that structurally strengthens resilience.
Third-party risk: from contract management to chain responsibility
Both NIS2 and DORA strengthen the focus on dependencies such as cloud providers, managed services, software vendors, integrators, and other critical IT service providers.
Historically, third-party risk was often organized through contractual clauses, periodic assessments, and a generic risk register. However, regulatory pressure requires a supply chain perspective where you know exactly which suppliers are critical for which services, what control measures you impose, how you verify compliance, what exit strategies exist, and how incidents can spread through the chain.
It is no longer about supplier management in an administrative sense, but about chain responsibility in a managerial sense.
Regulatory pressure fundamentally changes your agenda. The focus shifts from delivering programmes to organising governance control.
From control ownership to control system design
Not every control measure needs to be housed within the security function. What is your responsibility is the design of a control system that is consistent, measurable, auditable, and manageable.
This implies that security design principles are embedded in architecture and delivery models, and governance is structured so that product owners, platform teams, and risk and compliance functions operate within one coherent framework.
From technical risk to business risk with explicit decision-making
Governance responsibility only works when you translate cyber risks into business risks. This means you provide scenarios, impact analyses, trade-offs, and residual risk in decision-making form.
As long as cyber risks are presented as technical vulnerabilities without the context of business impact and risk acceptance, the board cannot effectively fulfil its responsibilities.
From incident response to crisis governance
Incident response is an operational capability. Crisis governance is a governance discipline. Under NIS2 and DORA, you must be able to demonstrate under pressure who decides, based on what information and with what priorities.
Three questions you as an executive need to clarify
When you do not read regulation as a compliance obligation but as a catalyst for structural maturity, three core questions remain:
Where is the governance boundary of acceptable digital risk for your organisation?
Which digital services are critical to oversight and what is the minimum control level you apply for them?
What evidence can you provide under pressure to audit, regulators, or the board to demonstrate that you are in control?
These questions are concrete enough to initiate decision-making but fundamental enough not to get bogged down in tooling.
Finally: regulation as accelerated maturity
NIS2 and DORA are not extra work on top of security. They codify a reality that already existed: digital dependencies are critical to business and cyber incidents are predictable disruptions.
When you approach regulation not as a checklist but as an opportunity to redesign your digital resilience as a manageable system with demonstrable control in line with governance responsibility, the conversation shifts to the level it belongs: the governance level.
Other interesting subjects
Cloud & Platform Engineering
The manageability crisis in complex cloud environments
Read
Cybersecurity & Digital Risk Engineering
Identity & Access Management: the operating system of digital control
Read
Architecture, Governance & Technology Transformation
Why digital transformation without architectural governance leads to fragmentation, risks, and value loss
Read
Data, Analytics & Artificial Intelligence
Why data and AI initiatives rarely achieve structural business impact
Read
Application Engineering & Software Delivery
When application architecture begins to undermine strategic agility
Read
Enterprise Platforms & Business Systems
The platform hardening in enterprise organizations: why core systems block innovation instead of accelerating it.
Read
