NIS2 & DORA
Two significant regulations. One clear goal: stronger cyber security, operational resilience, and risk management across organisations operating in or supporting regulated sectors. We help you understand what applies, assess your current position, and take a structured path to compliance.
Network & Information Security Directive 2
Broader scope. Stronger obligations.
NIS2 replaces the original NIS Directive and significantly expands the scope of organisations required to meet enhanced cyber security and incident reporting obligations across the EU.
It covers essential and important entities across a wide range of sectors — from energy and transport to healthcare, digital infrastructure, and managed service providers.
Penalties of up to €10M or 2% of global turnover for essential entities failing to meet obligations.
Digital Operational Resilience Act
Resilience at the core of financial services.
DORA applies to financial entities and their critical ICT third-party service providers operating within the EU. It establishes a comprehensive framework for ICT risk management, incident reporting, resilience testing, and third-party oversight.
Unlike NIS2, DORA is sector-specific — but its reach into the supply chain means many technology businesses supporting financial services will find themselves in scope.
Critical ICT providers face penalties up to €5M or 1% of global daily turnover for non-compliance.
Scope & Applicability
Does this apply to your organisation?
Scope under both regulations is broader than many organisations realise. If you operate in or supply into regulated sectors, the answer is likely yes — even if you're UK-based.
You operate in a regulated sector
Energy, transport, healthcare, digital infrastructure, financial services — if your services are essential or important, you're likely in scope under NIS2.
You supply into financial services
DORA's third-party requirements mean ICT providers, MSPs, and cloud services supporting financial entities may need to demonstrate resilience and compliance.
You have EU operations or clients
Even UK-headquartered organisations with EU operations, clients, or data subjects may fall within scope of one or both regulations.
You're an MSP or IT provider
Managed service providers are explicitly in scope under NIS2. If you manage systems for organisations in regulated sectors, this applies to you.
You support critical infrastructure
Organisations in the supply chain of critical national infrastructure may carry indirect obligations even if not directly regulated.
You're not sure
Scope determination is one of the most common challenges. We help you work through whether — and to what extent — these regulations apply.
Not sure if you're in scope? That's exactly where we start. Understanding your obligations before building a compliance programme is the most important step — and the one most organisations skip.
Key Requirements
Five areas both regulations place emphasis on
NIS2 and DORA share significant thematic overlap. These are the areas that demand the most attention — and where most organisations have the largest gaps.
Risk Management & Governance
Both regulations require a documented, board-level approach to ICT and cyber risk. Risk management must be systematic, reviewed regularly, and connected to operational decisions — not a paper exercise.
Senior management accountability is explicit in both frameworks — responsibility cannot be fully delegated to IT.
Incident Handling & Reporting
Both regulations introduce strict timelines for reporting significant incidents to regulators and, where required, affected parties. The definition of "significant" is broader than most organisations currently use.
Effective incident handling requires detection capability, documented response procedures, and tested escalation paths — not just an IR policy that lives in a drawer.
Business Continuity & Resilience
DORA in particular places significant weight on operational resilience — including the ability to continue critical functions during and after major disruption. NIS2 reinforces the need for business continuity and recovery planning.
This means tested plans, documented RTOs and RPOs, and resilience testing — not just backups.
Supply Chain & Third-Party Oversight
One of the most challenging requirements — and the one most organisations underestimate. Both regulations require organisations to understand and manage the security and resilience risks introduced by third-party suppliers.
This isn't just procurement due diligence. It means ongoing monitoring, contractual obligations, and clear accountability for how third parties handle your data and systems.
Security Controls & Vulnerability Management
Both regulations require demonstrably effective technical and organisational security measures — proportionate to the risks you face. This includes patching, access controls, monitoring, and testing.
Under DORA, threat-led penetration testing (TLPT) is a specific requirement for significant financial entities. Under NIS2, security testing and assessment are strongly implied.
How We Help
Practical support across every stage
We don't just tell you what the regulations say. We help you understand what they mean for your organisation and what to do about it.
Scope & Applicability Assessment
We determine which regulations apply to you, to what extent, and in what capacity — before you commit to a compliance programme.
Gap Analysis & Maturity Assessment
We assess your current controls, policies, and processes against NIS2 and DORA requirements — identifying gaps and prioritising what needs to change.
Compliance Roadmap
A structured, prioritised plan for achieving compliance — phased to fit your resources and timeline, with clear ownership and measurable milestones.
Controls Implementation
Where improvements are needed, we support implementation — whether that's strengthening monitoring, improving incident response, or tightening third-party oversight.
Documentation & Evidence
Policies, procedures, risk registers, and evidence packs — created and maintained so you can demonstrate compliance when it matters.
Ongoing Assurance
Compliance isn't a one-off exercise. We support ongoing review, testing, and improvement — keeping you aligned as the regulations and your environment evolve.
Our Approach
The compliance journey with us
A structured path — from understanding your obligations to demonstrating readiness.
Understand Your Obligations
We interpret NIS2 and DORA in the context of your organisation — clarifying which requirements apply, to which parts of your business, and what the obligations actually mean in practice.
Assess Current Position
We review existing controls, policies, technical measures, and documentation against the regulatory requirements — identifying gaps, risks, and areas of strength.
Build a Prioritised Roadmap
Rather than trying to fix everything at once, we prioritise actions by risk and effort — creating a realistic, phased plan that improves resilience and reduces regulatory risk in a manageable way.
Implement & Evidence
We support implementation of improvements across governance, technology, processes, and third-party management — with documentation and evidence generated throughout, not chased at the end.
Maintain & Improve
NIS2 and DORA require ongoing compliance — not a one-time certification. We support regular reviews, testing, reporting, and continuous improvement as your business and the regulatory landscape evolve.
What You Walk Away With
The result of getting this right
Compliance done properly doesn't just reduce regulatory risk — it makes your organisation more resilient, more secure, and more credible.
Regulatory Confidence
A clear, evidenced position against NIS2 and DORA — ready for regulatory scrutiny or customer due diligence.
Improved Cyber Resilience
Controls, processes, and governance that genuinely reduce your exposure — not just documentation that says you're compliant.
Supply Chain Clarity
A clear picture of your third-party risk landscape — with contractual protections and oversight processes in place.
Incident Readiness
Detection capability, response procedures, and reporting timelines understood and tested — so you're not scrambling when something happens.
Board-Level Visibility
Risk reporting and governance structures that give senior management the information they need — and the accountability the regulations require.
A Sustainable Approach
NIS2 and DORA as part of an ongoing risk management programme — not a one-off compliance sprint that gets forgotten.
Not sure where you stand?
We'll help you understand your obligations, assess your current position, and build a practical, proportionate path to compliance — without the consultancy overhead.