DORA and NIS2: what really changes for IT companies in 2025
2025 is a watershed year for compliance in the technology sector: two European instruments, DORA (Digital Operational Resilience Act) and NIS2 (Network and Information Security Directive), are now both in effect and reshape the rules of the game for IT companies, digital service providers, and organizations operating in critical sectors. DORA applies directly from 17 January 2025; NIS2, as a directive, had to be transposed into national law by 17 October 2024, so 2025 is the first full year in which both sets of obligations apply.
Many businesses today find themselves asking: What does it actually mean to comply with DORA and NIS2? What obligations do they entail? What risks are incurred in case of non-compliance?
In this article, we will answer these questions, providing a clear overview and practical advice for those facing this challenge.
DORA and NIS2: a brief summary
- DORA (EU Regulation 2022/2554) is specifically designed for the financial sector and for the ICT third-party service providers that serve it. The goal is to ensure that banks, insurance companies, fintechs, and their technology partners can withstand ICT incidents and keep operating through them.
- NIS2 (EU Directive 2022/2555) has a broader scope: it aims to raise the level of cybersecurity across all critical sectors (energy, transport, healthcare, digital infrastructure, public administration) and imposes obligations on digital service providers as well.
Together, these regulations create a much stricter framework for cybersecurity and operational resilience.
Who is Involved
DORA
- Financial institutions (banks, insurance companies, investment firms).
- ICT third-party service providers to the financial sector (cloud providers, software houses, outsourcers). Those designated as critical by the European Supervisory Authorities are additionally placed under direct EU-level oversight.
NIS2
- Essential and important entities in the sectors listed in the directive's annexes (hospitals, utilities, telecommunications, energy, transport, public administration).
- Providers of digital infrastructure (data centers, DNS, cloud services).
- Medium and large enterprises (as a rule, 50 or more employees or more than 10 million euros in annual turnover) active in those sectors. Scope is determined by sector and size, not by whether the company considers its data "critical"; some categories, such as DNS and TLD operators and trust service providers, are in scope regardless of size.
👉 In practice, many IT companies that serve financial entities, large enterprises, or public bodies are affected by at least one of the two regimes, either directly or because their customers must push the obligations down into supplier contracts.
The main obligations
1. Governance and Responsibilities
Management (board, C-level) becomes directly responsible for compliance: under DORA the management body bears ultimate responsibility for ICT risk management, and under NIS2 management bodies must approve the cybersecurity measures and can be held personally liable. It is not enough to delegate to IT: decisions must be formally resolved, documented, and approved at board level.
2. Risk management
- Continuous identification and assessment of ICT risks.
- Adoption of proportionate technical and organizational controls.
- Periodic update of the risk register.
3. Business Continuity & Disaster Recovery
- Mandatory BCDR plan.
- Documented periodic tests (at least annually; DORA explicitly requires yearly testing of ICT business continuity plans).
- Recovery procedures with measurable RTO/RPO.
4. Incident reporting
- Obligation to notify relevant incidents quickly: NIS2 requires an early warning within 24 hours of becoming aware of a significant incident, a fuller notification within 72 hours, and a final report within one month; DORA requires an initial notification of a major ICT incident no later than 24 hours after becoming aware of it, followed by intermediate and final reports.
- Final report with root cause, impact analysis, and corrective measures.
5. Supply chain and suppliers
- Contracts with suppliers must include specific clauses on security and audit.
- Continuous monitoring of the critical supply chain.
6. Training
- Periodic training for employees and management.
- Awareness tests (phishing simulation, tabletop exercise).
Risks of Non-Compliance
The penalties are significant:
- NIS2: for essential entities, fines up to 10 million euros or 2% of global annual turnover, whichever is higher; for important entities, up to 7 million euros or 1.4%.
- DORA: does not set fixed fine caps; administrative penalties are defined and applied by the national competent authorities, proportionate to the severity of the breach and the size of the entity. Critical ICT third-party providers that ignore the Lead Overseer's recommendations face periodic penalty payments of up to 1% of average daily worldwide turnover.
In addition to fines, the greatest risk is loss of reputation and the possible exclusion from public/financial tenders or contracts.
How to Prepare: A Practical Approach
Step 1 – Initial Assessment
- Analysis of DORA and NIS2 requirements.
- Gap analysis compared to the current state.
- Definition of intervention priorities.
Step 2 – Governance and Policy
- Creation or update of ICT, security, and risk management policies.
- Definition of internal roles and responsibilities.
Step 3 – Technical Implementation
- Updating security measures (firewall, IAM, monitoring).
- Automation of compliance controls.
- SIEM and SOC tools to detect incidents in real time.
Step 4 – Testing and Simulations
- Tabletop exercise with management.
- Simulations of cyber attacks.
- Documented business continuity tests.
Step 5 – Continuous Monitoring
- Security KPIs (mean time to detect incidents, MTTD; mean time to resolve, MTTR; percentage of reportable incidents notified within the deadline).
- Periodic reports to the board.
- Update of procedures with every regulatory change.
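The incident reporting clock from section 4 and the KPIs from Step 5 are the two pieces of this plan that can actually be automated. As an added example (not code from the article), the Python script below computes MTTD and MTTR over a constructed incident register and checks each reportable incident against the NIS2 Article 23 deadlines: the 24-hour early warning mentioned in the article, plus the 72-hour notification and the one-month final report. The register contents, the field names, and the 30-day approximation of "one month" are assumptions made for the example.

```python
"""Incident register checks: security KPIs and NIS2-style reporting deadlines.

Added example, not from the article. Deadlines follow NIS2 Article 23 (early
warning 24 h after awareness, notification 72 h, final report one month after
the notification); "one month" is approximated as 30 days. All incident data
below is constructed for the example and field names are hypothetical.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

EARLY_WARNING = timedelta(hours=24)
NOTIFICATION = timedelta(hours=72)
FINAL_REPORT = timedelta(days=30)  # assumption: "one month" == 30 days


def parse_ts(s: str) -> datetime:
    """Parse an ISO-8601 timestamp such as '2025-03-01T09:30'."""
    return datetime.fromisoformat(s)


@dataclass
class Incident:
    incident_id: str
    occurred: datetime            # start of the incident, from forensics
    detected: datetime            # moment the SOC became aware
    resolved: Optional[datetime]  # None while still open
    significant: bool             # meets the reporting threshold
    early_warning_sent: Optional[datetime] = None
    notification_sent: Optional[datetime] = None
    final_report_sent: Optional[datetime] = None


# Constructed sample register (not real incidents).
REGISTER = [
    Incident("INC-001", parse_ts("2025-03-01T02:00"), parse_ts("2025-03-01T09:30"),
             parse_ts("2025-03-02T18:00"), True,
             early_warning_sent=parse_ts("2025-03-01T20:00"),
             notification_sent=parse_ts("2025-03-03T12:00"),
             final_report_sent=parse_ts("2025-03-20T10:00")),
    Incident("INC-002", parse_ts("2025-04-10T22:00"), parse_ts("2025-04-11T08:00"),
             parse_ts("2025-04-11T14:00"), True,
             early_warning_sent=parse_ts("2025-04-12T10:00"),  # 26 h after detection
             notification_sent=parse_ts("2025-04-13T09:00"),
             final_report_sent=None),                           # never filed
    Incident("INC-003", parse_ts("2025-05-05T11:00"), parse_ts("2025-05-05T11:15"),
             parse_ts("2025-05-05T13:15"), False),               # below threshold
]


def mean_time_to_detect(incidents) -> float:
    """Average gap between occurrence and detection, in hours, over all incidents."""
    gaps = [(i.detected - i.occurred).total_seconds() / 3600 for i in incidents]
    return sum(gaps) / len(gaps) if gaps else 0.0


def mean_time_to_resolve(incidents) -> float:
    """Average gap between detection and resolution, in hours, over closed incidents."""
    gaps = [(i.resolved - i.detected).total_seconds() / 3600
            for i in incidents if i.resolved is not None]
    return sum(gaps) / len(gaps) if gaps else 0.0


def deadline_findings(incident: Incident, now: datetime):
    """Return [(stage, status)] for a reportable incident, [] otherwise.

    status: 'ok' (sent in time), 'late' (sent after the deadline),
            'overdue' (not sent and deadline passed), 'pending' (not sent, still in time).
    """
    if not incident.significant:
        return []
    stages = [
        ("early_warning", incident.detected + EARLY_WARNING, incident.early_warning_sent),
        ("notification", incident.detected + NOTIFICATION, incident.notification_sent),
    ]
    # The final-report clock starts at the notification; if the notification was
    # never sent, count from its own deadline so the breach cannot be hidden.
    notif_base = incident.notification_sent or (incident.detected + NOTIFICATION)
    stages.append(("final_report", notif_base + FINAL_REPORT, incident.final_report_sent))
    findings = []
    for stage, deadline, sent in stages:
        if sent is None:
            status = "overdue" if now > deadline else "pending"
        else:
            status = "late" if sent > deadline else "ok"
        findings.append((stage, status))
    return findings


def compliance_report(incidents, now: datetime) -> dict:
    """Map incident id -> deadline findings, for the board-level KPI report."""
    return {i.incident_id: deadline_findings(i, now) for i in incidents}


if __name__ == "__main__":
    now = parse_ts("2025-06-01T00:00")
    print(f"MTTD: {mean_time_to_detect(REGISTER):.2f} h")
    print(f"MTTR: {mean_time_to_resolve(REGISTER):.2f} h")
    for inc_id, findings in compliance_report(REGISTER, now).items():
        print(inc_id, findings or "not reportable")
```

Running the script flags INC-002 twice: the early warning went out two hours after the 24-hour deadline, and the final report is overdue. That is exactly the kind of finding that should reach the board report in Step 5 rather than stay inside the SOC ticketing tool.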
Case study: an IT provider for the banking sector
A software company that provides solutions to Italian banks addressed DORA/NIS2 compliance through this process:
- Assessment: identified 25 compliance gaps.
- Remediation: updated policies, introduced a centralized logging system, defined BCDR plan.
- Training: workshop for the board and operational training for the IT team.
- Testing: simulation of a ransomware attack with measured response times.
Results:
- Incident response time reduced by 45%.
- Passed external audit without any major non-conformities.
- Increased trust from banking clients, who now include the company among “trusted” suppliers.
Conclusion
DORA and NIS2 are not merely “regulatory compliance,” but tools that encourage companies to structure more robust and resilient processes.
For IT providers, they represent both a challenge and an opportunity: those who adapt in a timely manner gain competitive advantage, credibility, and trust.
In 2025, a new standard is set: it is no longer enough to protect systems; it is necessary to demonstrate the ability to withstand, recover, and document every action.
➡️ Do you want to understand how to bring your company into compliance with DORA and NIS2? Contact me for a personalized assessment.