A row of European Union flags outside an EU institutional building in Brussels
Photo: Guillaume Périgois on Unsplash
← All posts NIS2 16 min read

The Complete Guide to NIS2 and DORA Compliance for European SMEs

Everything European SMEs need to know about NIS2 and DORA in 2026: who's in scope, the 10 Article 21 measures, the 24-72-30 incident timeline, DORA's 5 pillars, penalties, and a 10-step path to compliance. Updated quarterly.

European SMEs spent most of 2024 and 2025 absorbing two of the most consequential cybersecurity regulations the EU has produced: the NIS2 Directive and the Digital Operational Resilience Act also known affectionately as just DORA.

The NIS2 Directive applies across 18 sectors and brings approximately 160,000 entities into scope across the Union.

DORA has applied since 17 January 2025 to roughly 22,000 financial entities and an expanding list of critical ICT third-party providers. Most SMEs in scope are still working out what compliance actually requires.

This guide is the map.

It covers who's in scope, what each regulation requires, where they overlap, and how an SME can build a defensible compliance baseline without enterprise resources.

TL;DR

  • In scope: Essential and important entities across 18 sectors under NIS2 (medium-sized enterprises and above by default); roughly 22,000 financial entities under DORA, with no size floor.
  • Hardest deadlines: NIS2 transposition was due 17 October 2024 — most member states are now in force, with several still completing secondary legislation; DORA has applied since 17 January 2025.
  • Most-failed control: incident reporting — DORA demands a 4-hour initial notification for major incidents, NIS2 a 24-hour early warning followed by 72-hour notification and 30-day final report.
  • Real penalties: up to €10M or 2% of global turnover for essential entities; €7M or 1.4% for important entities; DORA penalties are set by member states, with EU-level periodic penalty payments of up to 1% of average daily worldwide turnover for critical ICT third-party providers.
  • The SME shortcut: start with the 10 Article 21 measures and always anchor your control depth to the proportionality principle, document everything.

If you're a compliance lead, CISO, or IT director at an EU SME between 50 and 500 employees and you're trying to figure out what you actually have to do — this is the page that gives you the map. The cluster articles linked throughout give you the routes for each terrain.

Why NIS2 and DORA exist — the European cybersecurity reset

From NIS1 to NIS2: closing the gaps

The first NIS Directive (Directive 2016/1148) covered roughly seven sectors and was inconsistently transposed across member states.

By 2020 the European Commission concluded the regime had failed to keep pace with the threat landscape and the digitalisation of essential services.

The NIS2 (Directive (EU) 2022/2555) replaces NIS1 outright.

It expands the regulated perimeter to 18 sectors, splits entities into a two-tier classification of essential and important, harmonises sanctions across the Union, and introduces direct accountability for management bodies.

The two-tier model also changes how supervision works: essential entities face proactive, audit-driven oversight; important entities face reactive supervision triggered by incidents or evidence of non-compliance.

DORA: the financial sector's lex specialis

The DORA (Regulation (EU) 2022/2554) addresses a different problem.

Before DORA, EU financial-sector cyber rules were scattered across MiFID II, Solvency II, PSD2, and a long list of national supervisory frameworks — Germany's BAIT and VAIT, France's regulatory technical standards, and others.

DORA replaces the ICT-related portions of those frameworks with a single, uniform, directly applicable regulation. Where DORA and NIS2 cover the same ground for a financial entity, DORA takes precedence as lex specialis.

We unpack this rule in detail in NIS2 vs DORA: Key Differences for European Companies.

The 2026 picture: simplification on the horizon

On 20 January 2026 the European Commission proposed targeted amendments to NIS2 as part of a broader Digital Omnibus package.

The proposal is aimed at simplifying compliance for an estimated 28,700 companies, including 6,200 micro and small enterprises. The amendments are still working through the EU legislative process; they change the conversation but not yet the rules.

A future cluster article will cover the omnibus in depth as it progresses.

NIS2 explained: scope, obligations, and the 10 risk management measures

Who's in scope — essential vs important entities

The default NIS2 size threshold is the EU's medium-enterprise definition: 50 or more staff, or annual turnover above €10 million, or balance-sheet total above €43 million.

Below that threshold, an entity is generally out of scope — with exceptions.

Specific entity types are in scope regardless of size:

  • Qualified trust service providers
  • Top-level domain registries
  • DNS service providers
  • Providers of public electronic communications networks or services
  • Entities designated as sole providers of a critical service in a member state.

Public administration entities below the central government level are scoped by member state choice.

The 18 sectors split between Annex I (essential) and Annex II (important).

Annex I covers

  • Energy
  • Transport
  • Banking
  • Financial market infrastructures
  • Health
  • Drinking water
  • Waste water
  • Digital infrastructure
  • ICT service management (B2B)
  • Public administration
  • Space.

Annex II covers

  • Postal and courier
  • Waste management
  • Chemical production and distribution
  • Food production and distribution
  • Manufacturing of medical devices
  • Computers
  • Electronics
  • Machinery, and motor vehicles
  • Digital service providers (online marketplaces, search engines, social networks), * Research organisations.

For the full edge-case treatment, see NIS2 Essential vs Important Entities: Which Are You?.

The 10 risk management measures (Article 21)

Article 21(2) NIS2 sets out ten measures that essential and important entities must implement:

  1. Risk analysis and information system security policies
  2. Incident handling
  3. Business continuity, backup management, disaster recovery, and crisis management
  4. Supply chain security, including direct suppliers and service providers
  5. Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure
  6. Policies and procedures to assess the effectiveness of risk management measures
  7. Basic cyber hygiene practices and cybersecurity training
  8. Policies and procedures regarding cryptography and, where appropriate, encryption
  9. Human resources security, access control, and asset management
  10. Multi-factor authentication or continuous authentication, secured voice/video/text communications, and secured emergency communication systems

Article 21(1) wraps these in the proportionality principle: measures must be "appropriate and proportionate" given the entity's risk exposure, size, the likelihood and severity of incidents, and the state of the art balanced against cost of implementation.

This is the most under-explained provision in NIS2 — and the one that determines what an SME actually has to do.

Each measure broken down with evidence packs and common pitfalls in NIS2 Article 21: All 10 Risk Management Measures Explained.

If you've already implemented ISO 27001, you have substantial coverage of Article 21 — most practitioners estimate roughly 80% — but not full coverage. The main differences lie primarily in supply chain due diligence, management body training, and incident reporting timing.

Incident reporting: the 24-72-30 timeline

Article 23 NIS2 sets a three-stage incident reporting timeline for significant incidents:

  1. Early warning within 24 hours of awareness — initial assessment, severity, suspected cause if known
  2. Incident notification within 72 hours of awareness — detail on impact, indicators of compromise where available, cross-border effects
  3. Final report within one month of the incident notification — root cause, mitigation measures, lessons learned

Reports go to the national CSIRT designated under NIS2; in Denmark, Center for Cybersikkerhed (CFCS); in Germany, BSI; in France, ANSSI. Cross-border incidents trigger cooperation duties between CSIRTs.

Detailed walkthrough in NIS2 Incident Reporting: The 24-72-30 Day Timeline.

Management body accountability

Article 20 in NIS2 places direct obligations on the management body.

They must approve the entity's risk management measures, oversee implementation, and undergo training to identify risks and assess cybersecurity practices.

National transpositions vary in how they handle personal liability.

Germany's NIS2UmsuCG includes personal liability provisions; Denmark's NIS-2-loven did not transpose them.

The training and oversight obligations apply universally regardless.

NIS2 Board-Level Accountability: Personal Liability Explained covers the country-by-country variance.

DORA explained: the five pillars for financial entities

Who's in scope

DORA covers approximately 22,000 financial entities across the EU under Article 2:

  • Credit institutions
  • Payment institutions
  • Electronic money institutions
  • Investment firms
  • Crypto-asset service providers under MiCA
  • Central counterparties
  • Central securities depositories
  • Trade repositories
  • Alternative investment fund managers
  • UCITS management companies
  • Insurance and reinsurance undertakings
  • Insurance intermediaries
  • Institutions for occupational retirement provision
  • Credit rating agencies
  • Securitisation repositories
  • Administrators of critical benchmarks
  • Crowdfunding service providers, and several others.

There is no size floor — even microenterprise financial entities are in scope, but with proportionality in how requirements scale. Microenterprises receive a lighter regime in some areas, particularly governance and ICT-related incident reporting.

DORA also creates a wholly new regulatory mechanism: direct EU-level supervision of critical ICT third-party providers (CTPPs) by Lead Overseers appointed from among the European Supervisory Authorities. The first list of designated CTPPs was published in November 2025 and includes major cloud and data providers serving the financial sector.

Pillar 1 — ICT risk management framework

Articles 5–14 DORA require a comprehensive ICT risk management framework owned and approved by the management body.

The framework must cover identification, protection and prevention, detection, response and recovery, learning and evolving — explicitly more prescriptive than NIS2's Article 21.

See DORA ICT Risk Management Framework Explained for the implementation detail.

Pillar 2 — ICT-related incident management, classification, and reporting

DORA mandates a uniform classification scheme across the EU, specified by Commission Delegated Regulation.

Reporting is three-stage:

  1. An initial notification within four hours of classification as a major incident
  2. An intermediate report when status changes or new information becomes available
  3. A final report within one month of incident handling completion.

The four-hour initial notification is significantly tighter than NIS2's 24-hour early warning. For financial entities subject to both, building to DORA's timeline satisfies NIS2's by definition.

Pillar 3 — Digital operational resilience testing

All in-scope entities must conduct annual basic resilience testing. Entities meeting size and criticality thresholds must additionally undergo Threat-Led Penetration Testing (TLPT) at least every three years, based on the TIBER-EU framework. TLPT uses real threat intelligence and simulates the tactics, techniques, and procedures of adversaries actually targeting the institution.

Pillar 4 — ICT third-party risk management

Operationally, this is the heaviest pillar for most firms.

Three components stand out:

  1. Pre-contractual risk assessment under Article 28 — including concentration risk analysis
  2. Mandatory contractual provisions under Article 30 — service descriptions, data location, security incident notification, audit rights, exit strategies
  3. Register of Information under Article 28(3) — every contract with an ICT third-party provider documented in the structured template prescribed by Commission Implementing Regulation (EU) 2024/2956

DORA Third-Party Oversight and DORA Register of Information: Template and Requirements cover the operational detail.

Pillar 5 — Information sharing arrangements

DORA explicitly enables and encourages the voluntary sharing of cyber threat intelligence within trusted communities (Article 45).

Often missed because it is voluntary, this pillar offers strategic value to SMEs that cannot afford full-scale threat intelligence subscriptions.

NIS2 vs DORA: how they interact, where they overlap

Five core differences

Dimension NIS2 DORA
Legal instrument Directive (transposed nationally) Regulation (directly applicable)
Sectoral scope 18 sectors; essential + important Financial sector + critical ICT TPPs
Risk management 10 measures (Article 21) 5 pillars (Articles 5–14)
Incident reporting 24h / 72h / 30 days 4h / intermediate / 30 days
Penalty cap €10M or 2% (essential); €7M or 1.4% (important) National discretion + 1%/day for CTPPs

When you're subject to both

A financial entity providing critical infrastructure services, or operating in another sector covered by NIS2, can fall under both.

The compliance approach: do DORA fully, then run a residual gap analysis against NIS2 for activities or obligations DORA does not cover. Cross-sector supply chain duties, for example, may not be fully displaced.

The lex specialis rule

Article 4 NIS2 contains the displacement clause:

Where sector-specific Union legal acts impose at least equivalent cybersecurity risk management or incident notification requirements, those acts apply instead of NIS2. Recital 28 of DORA explicitly confirms DORA's status as lex specialis relative to NIS2 for the financial sector.

The practical consequence:

A bank in DORA scope does not need to run two parallel ICT risk management programmes. It runs one DORA-compliant programme. NIS2 still applies to activities or obligations not displaced by DORA — registration with national competent authorities, cross-sector cooperation, activities outside DORA's perimeter — but the substantive ICT risk management and incident reporting obligations belong to DORA.

A practical mapping of the displacement is in NIS2 vs DORA: Key Differences for European Companies.

Who is actually in scope? An SME decision tree

The size test

NIS2 applies by default to medium and large entities, using the EU's standard SME definition (Recommendation 2003/361/EC):

  1. Medium: fewer than 250 staff and turnover ≤ €50 million or balance sheet ≤ €43 million
  2. Small: fewer than 50 staff and turnover ≤ €10 million or balance sheet ≤ €10 million
  3. Micro: fewer than 10 staff and turnover ≤ €2 million or balance sheet ≤ €2 million

NIS2 binds medium-sized enterprises and above. Below medium, the entity is generally out of scope unless it falls into one of the size-irrelevant categories above.

The sector test

Walk Annex I (essential):

  • Energy
  • Transport
  • Banking
  • Financial market infrastructures
  • Health
  • Drinking water
  • Waste water
  • Digital infrastructure
  • ICT service management (B2B)
  • Public administration
  • Space.

Walk Annex II (important):

  • Postal and courier
  • Waste management
  • Chemicals
  • Food
  • Manufacturing (specific sub-sectors only — verify NACE codes)
  • Digital providers
  • Research.

If you're not in either annex, you're out of scope on a sector basis, regardless of size.

SME edge cases

  • A 30-person company operating a top-level domain registry is in scope regardless of size.

  • A 200-person company manufacturing nuts and bolts is out of scope — Annex II manufacturing is restricted to specific NACE codes that don't include general fasteners.

  • A US-headquartered SaaS provider serving EU customers is generally in scope under Article 26 NIS2 if it provides a relevant service in the EU.

A 10-step path to NIS2 + DORA compliance for an SME

The operational answer to "what do I do Monday morning?"

Each mapping step is small enough for a single working week of effort by an IT lead with compliance responsibility:

  1. Determine your scope status — NIS2, DORA, both, or neither. One hour with the annexes and Article 2 DORA.
  2. Register with your national competent authority — deadlines vary by country. Germany's BSI portal opened in early 2026; Denmark's CFCS portal closed for first registration in October 2025.
  3. Conduct a gap assessment against Article 21 (NIS2) or DORA's five pillars. Spreadsheet or simple GRC tool — output is a list of missing artifacts.
  4. Build or refresh your incident response runbook with the capability to issue a 24-hour early warning under NIS2 or a 4-hour initial notification under DORA.
  5. Map your supply chain — start with critical ICT vendors. Document contracts. Identify single points of failure and concentration risks.
  6. Implement the 10 measures in priority order — backups, MFA, training, vulnerability management first; the rest follows.
  7. Train the management body and document it — minutes of training sessions are audit evidence.
  8. Set up a Register of Information (DORA) or supplier register (NIS2) — formats prescribed for DORA, flexible for NIS2.
  9. Run a tabletop exercise simulating a major incident. Measure time-to-early-warning. Document the result.
  10. Document everything — the regulator cannot reward what cannot be shown.

The full SME-scaled framework is in Minimum Viable NIS2 Compliance for SMEs (Under 250 Employees).

Penalties — what's actually at risk

NIS2 penalty framework

Article 34 NIS2 sets the penalty maxima:

  • Essential entities: up to €10 million or 2% of total worldwide annual turnover, whichever is higher
  • Important entities: up to €7 million or 1.4% of total worldwide annual turnover, whichever is higher

Member states may set higher national caps. Non-monetary sanctions include public reprimands, compliance orders, and in some transpositions, temporary bans on management body certification. Country-by-country variance in NIS2 Penalties by Country: A Complete 2026 Guide.

DORA penalty framework

Articles 50–52 DORA leave penalty levels to member state discretion, with the directive's "effective, proportionate, dissuasive" standard. National variance is significant.

Article 35 DORA introduces a uniquely aggressive EU-level mechanism for critical ICT third-party providers: periodic penalty payments of up to 1% of average daily worldwide turnover, per day, for up to six months. No other EU regulation applies a comparable daily-accrual penalty to non-financial firms.

Reputational and contractual cost

As of mid-2026, public NIS2 enforcement actions remain rare — early-cycle regulatory behaviour favours remediation over fines. The bigger near-term cost driver for SMEs is commercial: in-scope customers increasingly require NIS2 attestation from their suppliers, regardless of supplier size. Procurement teams at large in-scope organisations now treat NIS2 due diligence as a precondition for new contracts.

Tools, templates, and what you don't need to buy

You can get to a defensible baseline using:

  • ENISA self-assessment tools for initial scope and gap identification
  • ISO/IEC 27001 Annex A as the structural backbone for your policy set
  • MITRE ATT&CK as your threat model and detection-engineering reference
  • CISA Known Exploited Vulnerabilities catalogue as your weekly patch-priority feed

Paid GRC tooling is worth considering when manual evidence collection becomes the bottleneck — typically around 150 employees or audit-imminent.

The trap most SMEs fall into is buying lots of expensive tools before even completing the gap assessment, then implementing controls to fit the product rather than the regulation.

Read more about our take on good tooling in Best Cybersecurity Tools for European SMEs.

Frequently asked questions

Does NIS2 apply to my company if we have fewer than 50 employees? Generally no. The default size threshold is medium-sized enterprises and above. Specific entity types — DNS providers, TLD registries, qualified trust service providers, sole providers of critical services — are in scope regardless of size.

What's the difference between NIS2 and DORA for a fintech? DORA is lex specialis. A fintech in DORA scope complies with DORA on ICT risk management and incident reporting. NIS2 may still apply for activities DORA does not cover.

Has the NIS2 transposition deadline of 17 October 2024 actually been met? Most member states transposed primary law in 2025. As of mid-2026, several are still completing secondary legislation. The European Commission opened infringement procedures in November 2024 and issued reasoned opinions to 19 member states in May 2025.

Can I be personally fined as a CISO under NIS2? National implementations vary. Germany transposed personal liability for management body members. Denmark did not. The training and oversight obligations under Article 20 apply universally regardless.

Is ISO 27001 enough for NIS2 compliance? No, but it covers most of Article 21. The deltas concentrate in supply chain due diligence specific to direct suppliers, management body training requirements, and incident reporting timing.

Do I need to report a near-miss or just successful attacks? Article 23 NIS2 requires reporting of significant incidents, defined as incidents causing or capable of causing severe operational disruption or financial loss. Near-misses below the significance threshold are not reportable but should be logged for internal review.

What if my ICT vendor isn't NIS2 compliant? Article 21(2)(d) NIS2 requires you to assess and manage your suppliers' security posture. Non-compliant suppliers become your supply chain risk. The remedy is contractual — security clauses, audit rights, and where necessary, replacement.

How does the 2026 Digital Omnibus Proposal change things? The proposal is intended to simplify obligations for around 28,700 companies, including 6,200 SMEs. It is still in the EU legislative process. Until adopted, current rules apply.

Where to go next

Read these next:

Country-specific implementation pages:


Sources & further reading

Primary EU legal sources:

  • Directive (EU) 2022/2555 — NIS2 — full text on EUR-Lex
  • Regulation (EU) 2022/2554 — DORA — full text on EUR-Lex
  • Commission Implementing Regulation (EU) 2024/2690 — technical and methodological requirements for specific NIS2 entity types
  • Commission Implementing Regulation (EU) 2024/2956 — DORA Register of Information template
  • European Commission, Shaping Europe's Digital Future — NIS2 transposition state-of-play

Supervisory authority guidance:

  • ENISA — NIS Cooperation Group reference documents
  • BSI (Germany), ANSSI (France), CFCS (Denmark), NCSC-NL (Netherlands)
  • Joint Committee of the European Supervisory Authorities — EBA, ESMA, EIOPA — DORA RTS and ITS publications
#nis2#dora#guide#pillar-page#sme