How new regulations are reshaping compliance and IT in European companies
2025 brings two major regulatory challenges for European (including Polish) companies in terms of cybersecurity and operational resilience: NIS2 and DORA. Both acts are the EU’s answer to the growing digital threats and increasingly complex landscape of cyberattacks, especially in finance, fintech, and sectors crucial for the economy. How should you prepare? What do regulators expect? And how can you create real value instead of just “ticking the box”? Let’s break it down.
The updated Network and Information Security Directive (NIS2) significantly expands the list of entities subject to cybersecurity obligations. It’s no longer just “critical operators” — now it also covers financial services, health, energy, transport, ICT, digital providers, water supply, and many more. New elements: far greater management board responsibility, administrative fines, and the obligation to report incidents within 24 hours.
The Digital Operational Resilience Act (DORA) is an EU regulation focused on digital resilience in the financial sector. It covers banks, investment firms, payment institutions, fintechs, insurers, brokers, and other financial players. DORA imposes requirements not only for IT, but also for third-party risk management, resilience testing, incident reporting, and specialized exercises (e.g., threat-led penetration testing, TLPT).
NIS2 and DORA often overlap — many companies (like banks, fintechs, payment operators) will need to comply with both sets of requirements at once. This means not just more compliance work, but the need for a unified strategy to avoid duplicated processes and unnecessary costs.
Key shared elements:
Incident reporting obligations
IT risk management
Increased responsibilities for executive management
Third-party (supplier) risk assessment and monitoring
Documenting and regularly testing emergency procedures
1. Diagnosis — Where Are You Now?
Start with a review of your current policies, procedures, and cybersecurity tools. Do you have an incident response plan? Are your contingency procedures tested? Do you maintain a supplier risk register?
Engage your management board early — under both NIS2 and DORA, they are directly responsible for compliance.
2. Obligation Mapping — What Needs to Be Implemented?
Create a checklist:
Is there a dedicated person responsible for security?
Are incident detection and reporting mechanisms in place?
Do you have a structured third-party (supplier) risk process?
Are resilience tests carried out regularly?
Is your documentation up to date and actively tested?
3. Harmonizing Actions
Don’t duplicate work — instead of separate policies for DORA and NIS2, build an integrated management system for information security and operational resilience.
Example: one incident register can feed reports to both regulators.
4. Training and Exercises
Both acts require regular training and exercises, including table-top simulations and cyberattack drills. Make sure not just IT, but also management and key departments know what to do in a crisis.
5. Tools and Documentation Support
Consider adopting security monitoring tools (SIEM), automated reporting solutions, or ticketing systems for incident handling. Ready-made templates and checklists make day-to-day compliance much easier.
Lack of management engagement — both NIS2 and DORA put direct responsibility on senior executives.
Too much bureaucracy — overcomplicated procedures can hinder real action.
IT-only focus — real resilience requires business, IT, and legal teams to work together.
Poor supplier management — regularly audit and assess your cloud and SaaS providers.
FintechX (anonymized client): A payment processor for e-commerce, with partial GDPR implementation but lacking a holistic cybersecurity approach.
What we did:
Gap analysis audit (NIS2/DORA compliance)
Workshops for the board and management
Unified security and incident management policy
Automated incident reporting and regular exercises
A 12-month roadmap for risk mapping and remediation
Result: Greater security, quick closure of legal gaps, improved reputation with large clients, and confidence in regulatory audits.
With NIS2, DORA, and the upcoming AI Act, regulations are converging. Companies must move from “box ticking” to a true culture of cyber resilience and continuous improvement.
Now is the time to integrate compliance, build strong processes, and empower your teams.
Don’t postpone implementation — regulators will be vigilant in 2025.
Harmonize efforts — it saves time, money, and stress.
Involve your management board — their engagement is critical.
Invest in automation and regular training.
Consult experts with real experience in both NIS2 and DORA — you’ll avoid costly mistakes.
Kwiatkowski & Company (formerly Woolshy Group Prosta S.A.) © 2025 all rights reserved