For most of their existence, the European Union’s two flagship cyber-resilience regimes — the Digital Operational Resilience Act (DORA) and the NIS2 Directive — have been experienced by compliance teams as deadlines on a distant horizon and frameworks to be mapped. In 2026 that changes. DORA, which became applicable in January 2025 for financial entities, now enters its first genuine supervisory enforcement cycle, with regulators signaling that they will act on incident-reporting failures and persistent deficiencies in the Register of Information. NIS2’s national transposition and compliance obligations culminate in an October 2026 deadline for covered entities across critical sectors. The frameworks are no longer arriving. They are here, and they are being enforced.

The readiness gap makes this acute. Industry surveys suggest only about half of in-scope financial institutions expect to reach full DORA compliance by the end of 2025, with a substantial share pushing their target into 2026. For NIS2, several member states have layered their own near-term milestones on top of the directive — the Netherlands, for instance, requiring essential and important entities to complete a self-assessment by mid-2026. The result is a year in which a large population of covered organizations will be operating under binding obligations they have not finished implementing, in front of supervisors who have stopped extending grace.

Two Regimes, One Resilience Objective

DORA and NIS2 are distinct instruments with different scopes, and organizations frequently fall under both. Understanding the division of labor is the starting point.

DORA is a regulation — directly applicable across the EU without national transposition — and it governs digital operational resilience in the financial sector. It applies to banks, insurers, investment firms, payment institutions, crypto-asset service providers, and a long list of other financial entities, plus the critical ICT third-party providers that serve them. Its core pillars are ICT risk management, ICT-related incident reporting, digital operational resilience testing, ICT third-party risk management, and information sharing.

NIS2 is a directive — requiring each member state to transpose it into national law — and it governs cybersecurity across a much broader set of “essential” and “important” entities spanning energy, transport, health, digital infrastructure, public administration, manufacturing, food, and more. Its obligations center on risk-management measures, governance accountability, and incident notification.

Where the two overlap — a financial entity that is also a critical infrastructure operator — DORA takes precedence as the more specialized regime (lex specialis). A firm in scope for both does not satisfy DORA by complying with NIS2 or vice versa; it must map each obligation and apply the controlling instrument where they intersect.

What DORA Enforcement Actually Targets in 2026

The 2026 supervisory cycle is not abstract. Supervisors have indicated where they will press, and two obligations sit at the center.

The Register of Information. DORA requires every financial entity to maintain a complete register of its contractual arrangements with ICT third-party providers, and to submit it to national competent authorities, who consolidate and forward the registers to the European Supervisory Authorities. The second annual submission cycle, with consolidated registers due to the ESAs by March 31, has now run, and supervisors have flagged persistent Register deficiencies as an enforcement priority. A register that is incomplete, inaccurate, or unable to trace the chain of subcontractors supporting critical functions is a documented compliance failure — and, not incidentally, an admission that the entity does not fully understand its own third-party dependency map.

ICT incident reporting. DORA imposes structured, time-bound reporting of major ICT-related incidents — an initial notification, an intermediate report, and a final report, each on defined timelines. Supervisors have signaled that serious-incident reporting failures will draw enforcement. The discipline this demands is operational, not merely procedural: an entity must be able to classify an incident against DORA’s materiality criteria and produce a compliant initial report within hours, which is impossible to improvise during an actual crisis and must be rehearsed in advance.

The penalty exposure gives these priorities teeth. On the NIS2 side, essential entities face fines up to €10 million or 2% of total annual turnover, whichever is higher, and important entities up to €7 million or 1.4%. DORA’s enforcement runs through sectoral financial supervisors with their own substantial sanctioning powers, including measures reaching the senior individuals responsible.

The Management-Liability Shift

The feature of these regimes that most distinguishes them from prior cybersecurity rules is the direct accountability they place on management bodies. NIS2 makes management bodies responsible for approving and overseeing cybersecurity risk-management measures, requires them to undergo training, and provides that they can be held liable for the entity’s failures. DORA similarly vests ultimate responsibility for the ICT risk-management framework in the management body. Cybersecurity is no longer something a board can fully delegate to a CISO and treat as an operational matter; it is a governance obligation with personal consequences for the individuals at the top. This is the same accountability trend visible in U.S. enforcement — the SEC’s disclosure regime and OCR’s focus on governance — now codified into EU law with explicit liability.

Why U.S. Companies Are in Scope

American organizations frequently assume these are European problems for European entities. They are not. Both regimes reach beyond EU borders through the operations they touch:

  • A U.S. financial firm with EU operations or EU-regulated subsidiaries can fall directly within DORA.
  • A U.S. technology provider — cloud, software, data-center, or managed-services — that supplies critical ICT services to EU financial entities can be designated a critical ICT third-party provider under DORA, bringing it under direct EU oversight, and will in any case be pulled into its financial-sector clients’ Register of Information and contractual-remediation obligations.
  • A U.S. company operating in an NIS2-covered sector within the EU — manufacturing, digital infrastructure, health, and others — can be an essential or important entity under a member state’s transposing law.

For ICT vendors especially, the practical pressure often arrives through contracts: EU financial clients, obligated to manage their third-party risk under DORA, are amending agreements to demand audit rights, incident-cooperation commitments, subcontractor transparency, and exit arrangements. A U.S. vendor can find itself implementing DORA-shaped obligations not because a regulator named it, but because its customers must.

What To Do Now

With enforcement live and the NIS2 deadline in October, the runway is short. Priorities:

  • Determine your scope precisely, under both regimes, including indirect exposure as an ICT third-party provider to EU financial entities. Do not assume non-EU headquarters places you outside.
  • Complete and validate the Register of Information if you are a DORA-covered financial entity — accurate, complete, and able to trace critical-function dependencies through subcontractors. This is a flagged enforcement priority.
  • Operationalize incident reporting, building and rehearsing the capability to classify a major ICT incident and file a compliant initial notification within DORA’s tight timelines. Practice it before you need it.
  • Engage your management body now. Brief the board, document its approval and oversight of the risk-management framework, and arrange the training NIS2 expects. The liability is personal, and the record of governance is part of the compliance.
  • Push DORA-aligned terms into your vendor contracts — audit rights, incident cooperation, subcontractor transparency, and exit plans — and, if you are a vendor, prepare to meet those terms when your EU clients send them.
  • For NIS2-covered entities, drive toward the October deadline on risk-management measures and notification capability, accounting for the specific transposing law in each member state where you operate.

The EU spent years legislating digital resilience. 2026 is when it starts collecting. For organizations that treated DORA and NIS2 as compliance theater to be addressed eventually, the supervisory cycle now underway is the reminder that “eventually” has a date — and several of those dates have already passed.

This article is provided for informational purposes only and does not constitute legal advice.