DORA and NIS2: beyond compliance
What the legislation actually requires, and why compliance without governance offers no protection
Regulations such as DORA and NIS2 are transforming how organisations view cybersecurity. Compliance is no longer merely a tick-box on an IT checklist. NIS2 Article 21 stresses the importance of board-level ownership rather than a technology-led approach. This shifts the focus from mere compliance towards a deeper integration of cybersecurity into business strategy. With fines that can reach up to 10 million euro or 2% of global turnover, the urgency is clear. Yet by mid-2025, 40% of NIS2 entities were still not compliant (ENISA 2025). How can organisations close this gap?
What organisations get wrong
The impact of NIS2 on organisations
NIS2 compels organisations to look beyond traditional IT security controls. It calls for a joined-up approach in which cybersecurity becomes a core part of business operations. This means that responsibility no longer rests with IT departments alone: senior management also carries it. This shift requires a cultural change within organisations that often demands time and effort.
Board-level ownership as the key
Board-level ownership is crucial to meeting the requirements of NIS2 Article 21. This means that senior management must not only be aware of cybersecurity risks, but must also be actively involved in managing them. By embedding cybersecurity into the governance structure, organisations can respond to threats more effectively and prevent incidents.
How it works in practice
The risk of non-compliance
Failing to comply with NIS2 can lead to significant financial and reputational damage. With fines of up to 10 million euro or 2% of global turnover, the financial impact is considerable. In addition, a loss of trust among clients and partners can lead to further business challenges.
Driving cultural change
Cultural change begins with awareness and education. It is essential that all employees, from senior management to operational staff, understand why cybersecurity matters. Training and workshops can help to implement these changes and embed them in day-to-day practice.
The benefits of compliance
Organisations that comply with NIS2 can benefit from an improved security posture. This leads to greater resilience against cyber threats and strengthens the trust of clients and partners. Moreover, compliance can lead to operational efficiencies and cost savings over the long term.
What it delivers
Board-level ownership. Board-level ownership can lead to more proactive and strategic decision-making within organisations.
Cultural change. Driving cultural change fosters a shared sense of responsibility for cybersecurity.
Competitive position. Complying with NIS2 strengthens competitive position by increasing trust among stakeholders.
By looking beyond compliance, organisations can become more resilient and future-ready. Read more about our approach.