Governance & Risk

DORA and NIS2: beyond compliance

What the legislation actually requires, and why compliance without governance offers no protection

Regulations such as DORA and NIS2 are transforming how organisations view cybersecurity. Compliance is no longer merely a tick-box on an IT checklist. NIS2 Article 21 stresses the importance of board-level ownership rather than a technology-led approach. This shifts the focus from mere compliance towards a deeper integration of cybersecurity into business strategy. With fines that can reach up to 10 million euro or 2% of global turnover, the urgency is clear. Yet by mid-2025, 40% of NIS2 entities were still not compliant (ENISA 2025). How can organisations close this gap?

What organisations get wrong

The impact of NIS2 on organisations

NIS2 compels organisations to look beyond traditional IT security controls. It calls for a joined-up approach in which cybersecurity becomes a core part of business operations. This means that not only IT departments are involved, but that senior management also carries responsibility. This shift requires a cultural change within organisations that often demands time and effort.

Board-level ownership as the key

Board-level ownership is crucial to meeting the requirements of NIS2 Article 21. This means that senior management must not only be aware of cybersecurity risks, but must also be actively involved in managing them. By embedding cybersecurity into the governance structure, organisations can respond to threats more effectively and prevent incidents.

How it works in practice

The risk of non-compliance

Failing to comply with NIS2 can lead to significant financial and reputational damage. With fines of up to 10 million euro or 2% of global turnover, the financial impact is considerable. In addition, a loss of trust among clients and partners can lead to further business challenges.

Driving cultural change

Cultural change begins with awareness and education. It is essential that all employees, from senior management to operational staff, understand why cybersecurity matters. Training and workshops can help to implement these changes and embed them in day-to-day practice.

The benefits of compliance

Organisations that comply with NIS2 can benefit from an improved security posture. This leads to greater resilience against cyber threats and strengthens the trust of clients and partners. Moreover, compliance can lead to operational efficiencies and cost savings over the long term.

What it delivers

Board-level ownership. Board-level ownership can lead to more proactive and strategic decision-making within organisations.

Cultural change. Driving cultural change fosters a shared sense of responsibility for cybersecurity.

Competitive position. Complying with NIS2 strengthens competitive position by increasing trust among stakeholders.

By looking beyond compliance, organisations can become more resilient and future-ready. Read more about our approach.


Translate this question to your organisation.