/
When NIS2 and DORA are no longer compliance programmes, but a managerial redesign of digital resilience.
The European regulatory agenda regarding cybersecurity has shifted in recent years from normative direction to enforceable administrative responsibility. The NIS2 Directive and the DORA Regulation fit within the same logic: digital disruptions and cyber incidents are no longer treated as exceptional IT events, but as structural business risks that must permeate governance, architectural choices, and operational control.
For you as a CISO or cybersecurity executive, the implication is clear: security is no longer primarily a domain of technical optimization. It becomes a discipline of demonstrable control, where the burden of proof, decision-making, and liability are explicitly anchored in the governance layer.
The core shift: from capability to accountability
NIS2: governance as a requirement, not a best practice
NIS2 not only prescribes measures; it makes governance explicit. Article 20 mandates that management bodies - the governing body or the executive body, depending on national transposition - approve cyber risk management measures, oversee implementation, and can be held accountable for breaches. Furthermore, there is an explicit training requirement for members of the management body.
For you, this means that it is not enough for your organization to have security teams, roll out tools, or publish policies. The regulator expects that cyber risks are addressed at the governance level as a separate risk category with:
• formal approval of the chosen control measures;
• oversight of execution and effectiveness;
• demonstrable understanding at the management level through training;
• demonstrable follow-up when controls fail.
DORA: operational resilience as a supervisable system
DORA is fundamentally different from NIS2 in legal nature: it is an EU regulation directly applicable to the financial sector, with an explicit focus on ICT risk and operational digital resilience. The framework includes among other things ICT risk management, incident reporting, resilience testing, and third-party oversight. DORA has been applicable since 17 January 2025.
Where NIS2 is often interpreted as cybersecurity compliance, DORA compels you to treat your digital resilience as an end-to-end control system: from governance to detection, from recovery to supply chain, with formal oversight logic.
Executive responsibility is historically fulfilled in many organizations by appointing a CISO and establishing a policy framework. However, supervisory responsibility requires something different: executive traceability.
As an organization, you must be able to demonstrate:
Which risks you recognize at an executive level: from threat landscape to business exposure;
Which control measures you have chosen and why;
What residual risk you accept and at what level;
How you verify that control measures are working effectively;
How you make adjustments in case of deviations within the governance cycle.
That traceability is not a documentation project. It requires a governance model in which cyber risks are given the same discipline as financial, legal, or credit risks, with clear responsibilities, risk appetite, key risk indicators (KRIs), and key performance indicators (KPIs), escalation paths, and formal decision-making moments.
The implicit requirement: verifiability at scale
NIS2 and DORA imply that your cyber control must be scalable across business units, product lines, cloud and application landscapes, supply chains, and transnational business models. Regulation does not assume that you can demonstrate individual control measures in one defined domain, but that you can prove consistency across the entire organizational and technological breadth of your enterprise.
Therefore, the focus shifts from isolated initiatives to systemic design. An isolated implementation of, for example, SIEM tooling is insufficient when architecture principles, delivery controls, identity governance, logging and monitoring baselines, and supplier governance do not coherently align with each other. Verifiability at scale means your security measures are reproducible, measurable, and governance-followable, regardless of where in the organization they are applied.
NIS2 in practice: compliance is a by-product of mature governance
NIS2 positions cybersecurity risk management as a set of measures that organizations must implement and manage. In practice, compliance is often approached as an end goal, whereas, in reality, it is the result of mature governance. When governance, architecture, and operational control are coherently designed, compliance follows as a logical consequence.
The typical pitfall: policy without evidence
In a mature organization, policy is not the endpoint but the beginning of evidence gathering. Regulatory pressure makes the distinction visible between paper compliance and demonstrable control. The former consists of policy documents, procedures, and awareness programs. The latter requires measurable control measures, logging, reporting, test results, and structural improvement loops.
The governance articles within NIS2 implicitly push for this second level. Executives must be able to oversee, and for that, manageable management information is necessary. Without consistent, traceable, and substantiated information, a gap arises between formal responsibility and actual control.
The strategic question for you as a CISO
The core question is not whether you are compliant. The core question is whether you can consistently demonstrate that your cyber risks are under executive control.
This requires a different discipline than classic security program management. You need a management information layer that translates the technical reality into business impact, coverage of control measures, effectiveness, and recovery capacity. Only when exposure, effectiveness of control measures, and resilience are presented in one coherent framework can the board make well-founded decisions about risk acceptance.
DORA: incident reporting and oversight logic accelerate maturity or pain
DORA formalizes expectations that supervisory authorities have implicitly employed for years. By explicitly structuring incident reporting, testing, and third-party oversight, operational digital resilience becomes an overseable system. This accelerates organizational maturity when governance and execution are aligned, but ruthlessly exposes where structures are insufficiently robust.
Incident reporting as a stress test for your operating model
Incident reporting is not an administrative obligation but a stress test of your operating model. When a serious incident occurs, it becomes evident how classification, detection, triage, crisis governance, forensic analysis, communication, and recovery decision-making function in practice.
If you cannot produce a consistent timeline, substantiated impact analysis, and clear decision documentation during an incident, this points not only to an operational shortfall but also to a governance shortfall. Reporting forces you to have your internal truth machine structurally in order.
Resilience testing as a management discipline
DORA emphasizes resilience testing and third-party risk. However, testing is only valuable when it is directly connected to architectural choices, recovery strategies, and concrete improvement actions.
When testing is merely conducted as a periodic exercise without influencing design and decision-making, ritual behavior emerges. When the results are systematically translated into adjustments in controls, architecture, and governance, testing becomes a governance feedback loop that structurally strengthens resilience.
Third-party risk: from contract management to chain responsibility
Both NIS2 and DORA strengthen the focus on dependencies such as cloud providers, managed services, software suppliers, integrators, and other critical IT service providers.
Historically, third-party risk was often organized through contractual clauses, periodic assessments, and a generic risk register. However, regulatory pressure requires a chain perspective in which you know exactly which suppliers are critical for which services, which control measures you impose, how you verify compliance, what exit strategies exist, and how incidents may spread through the chain.
It is no longer just about supplier management in an administrative sense, but about chain responsibility in a governance sense.
Regulatory pressure fundamentally changes your agenda. The focus shifts from delivering programmes to organising governance control.
From control ownership to control system design
Not every control measure needs to be housed within the security function. What is your responsibility is the design of a control system that is consistent, measurable, auditable, and manageable.
This implies that security design principles are embedded in architecture and delivery models, and governance is structured so that product owners, platform teams, and risk and compliance functions operate within one coherent framework.
From technical risk to business risk with explicit decision-making
Governance responsibility only works when you translate cyber risks into business risks. This means you provide scenarios, impact analyses, trade-offs, and residual risk in decision-making form.
As long as cyber risks are presented as technical vulnerabilities without the context of business impact and risk acceptance, the board cannot effectively fulfil its responsibilities.
From incident response to crisis governance
Incident response is an operational capability. Crisis governance is a governance discipline. Under NIS2 and DORA, you must be able to demonstrate under pressure who decides, based on what information and with what priorities.
Three questions you as an executive need to clarify
When you do not read regulation as a compliance obligation but as a catalyst for structural maturity, three core questions remain:
Where is the governance boundary of acceptable digital risk for your organisation?
Which digital services are critical to oversight and what is the minimum control level you apply for them?
What evidence can you provide under pressure to audit, regulators, or the board to demonstrate that you are in control?
These questions are concrete enough to initiate decision-making but fundamental enough not to get bogged down in tooling.
Finally: regulation as accelerated maturity
NIS2 and DORA are not extra work on top of security. They codify a reality that already existed: digital dependencies are critical to business and cyber incidents are predictable disruptions.
When you approach regulation not as a checklist but as an opportunity to redesign your digital resilience as a manageable system with demonstrable control in line with governance responsibility, the conversation shifts to the level it belongs: the governance level.
Other interesting subjects
Cloud & Platform Engineering
The manageability crisis in complex cloud environments
Read
Cybersecurity & Digital Risk Engineering
Identity & Access Management: the operating system of digital control
Read
IT Architecture, Governance, and Digital transformation
Why digital transformation without architectural governance leads to fragmentation, risks, and value loss
Read
Data, Analytics & Artificial Intelligence
Why data and AI initiatives rarely achieve structural business impact
Read
Application Engineering & Software Delivery
When application architecture begins to undermine strategic agility
Read
Enterprise platforms and core systems
The platform hardening in enterprise organizations: why core systems block innovation instead of accelerating it
Read
