What is NIS2 (Cybersecurity Act in the Netherlands)?
The NIS2 Directive (Network and Information Security Directive) concerns cybersecurity for essential sectors in Europe. In the Netherlands, NIS2 is implemented through the Cybersecurity Act (Cbw). Essential sectors include energy companies, healthcare, transportation, and large IT service providers. With NIS2, the EU aims to ensure that these companies:
- Ensure their digital security is in order.
- Identify and address risks.
- Report major cyber incidents quickly.
The goal is simple: protect critical infrastructure from cyberattacks and ensure that companies and countries work together more effectively to tackle digital threats. Companies that act as suppliers to these essential sectors must make agreements with their major customers. They must be able to demonstrate to them that they operate securely, depending on their risk profile.
Why NIS2 is relevant to the financial sector
Traditionally, financial institutions were already subject to all kinds of strict frameworks such as PCI-DSS, EBA guidelines, Wft, and GDPR. With the arrival of NIS2, Europe is adding an extra layer to this.
As a financial organization, are you automatically subject to NIS2?
Yes. The financial sector falls under the category of essential entities. This means:
- stricter security requirements
- strict reporting requirements
- supervision by national authorities
- directors' liability
But... there's something else: DORA.
What is DORA?
Whereas NIS2 is a broad cybersecurity directive that applies to many sectors, DORA (Digital Operational Resilience Act) focuses entirely on the financial world:
- Banks
- Insurers
- Payment institutions
- Investment firms
- Pension funds
- Crypto providers
- ICT service providers (Critical Third Party Providers)
DORA is not a directive but a regulation. This means it applies directly in every member state, without being transposed into national law first.
DORA focuses on:
- ICT risk management
Example: A payment institution must assess annually which IT systems pose the most critical risk (e.g., the payment platform) and take measures such as network segmentation, MFA, and stricter monitoring.
- Incident reports
Example: a bank that discovers a phishing attack that could affect customers must report this to the supervisory authority within a very short period of time, including an impact analysis, actions taken, and follow-up measures.
- Penetration testing (TIBER-EU)
Example: An insurer must periodically perform a TIBER-EU test in which ethical hackers simulate realistic attacks, such as infiltrating the customer portal or committing fraud via APIs.
- Supply chain management and dependencies
Example: a pension fund must have insight into which software suppliers have access to sensitive data and what risks this entails, including exit strategies if a supplier fails.
- Supervision of ICT service providers
Example: a fintech that relies on a cloud provider (such as AWS, Azure, or Google Cloud) must demonstrate what contractual agreements have been established, how performance is monitored, and what happens in the event of disruptions.
Many parts overlap with NIS2, but DORA goes deeper and is stricter.
How do NIS2 and DORA relate to each other?
1. DORA takes precedence for financial institutions
The following applies to all financial companies: DORA is your primary cyber regulation. NIS2 is supplementary, but where there is overlap, the requirements of DORA "win."
2. NIS2 goes further in chain responsibility
DORA mainly looks at your direct ICT suppliers. NIS2 requires organizations to assess the entire chain, including smaller suppliers.
3. Incident reports are similar, but differ in timelines
- NIS2 → 24-hour notification, 72-hour reporting
- DORA → varies depending on the type of incident, often more detailed and with stricter documentation requirements
4. NIS2 is broader, DORA is deeper
You can think of it as:
- NIS2 = broad security obligation for many sectors
- DORA = specialized, in-depth requirements for financial institutions
The role of ISO 27001: standard for both regulations
Now that you have two robust frameworks (NIS2 + DORA), your organization may be wondering: "How can I avoid duplicating work?" That is precisely where ISO 27001 becomes relevant.
ISO 27001:
- provides structure through an information security management system (ISMS)
- is internationally recognized
- fits seamlessly with risk-based cybersecurity
- helps to demonstrate compliance with legal requirements
Many of the controls that ISO 27001 requires or recommends correspond directly to the requirements of both NIS2 and DORA. ISO 27001 supports, among other things:
- Risk management
- Policy & governance
- Incident Management
- Access Management
- Supplier management
- Logging and monitoring
- Continuity management
So if you choose ISO 27001 as your framework, you lay a foundation that covers a large part of the topics and requirements of NIS2 and DORA.
What do NIS2, ISO 27001, and DORA mean for you?
1. You must comply with DORA.
DORA is mandatory for virtually all financial institutions and many ICT service providers that support them.
2. NIS2 also applies, but largely overlaps with DORA.
Unlike other sectors, you therefore have no choice: both apply.
3. ISO 27001 is the smartest route
ISO 27001 assists you with the implementation of DORA and NIS2 by:
- structuring processes
- ensuring measures are implemented
- simplifying audits
- improving demonstrability
4. Start with a DORA gap analysis
A good approach:
- Start with DORA requirements as a basis
- Check which additional NIS2 requirements apply
- Record everything in an ISMS based on ISO 27001
How do you get started with NIS2, DORA, and ISO 27001? (Step-by-step plan)
- Identify which parts of DORA and NIS2 apply to your organization.
- Perform a gap analysis
- Link all requirements to ISO 27001 controls
- Create a roadmap covering, for example, 12–24 months.
- Set up governance and roles
- Implement technical and organizational measures
- Document demonstrable evidence: policy, risks, procedures, testing, reporting
Conclusion
DORA and NIS2 are mandatory, but ISO 27001 is the most practical way to become and remain compliant. It may seem like a lot, but by combining them smartly, you can avoid duplication of work and build a future-proof information security management system. Want to know more? Contact us below for a no-obligation consultation!