DORA and NIS2: What US Companies Need to Know and Do Before the Deadlines
Complete guide to EU cybersecurity regulations DORA (Digital Operational Resilience Act) and NIS2 for US-based companies with EU operations. Covers scope, requirements, deadlines, and compliance roadmap.
Two major EU cybersecurity regulations are now in force — DORA (Digital Operational Resilience Act) and NIS2 (Network and Information Security Directive 2) — and a significant number of US-headquartered companies are in scope. If your company serves EU financial institutions, provides IT services to EU entities, or has European operations, you may have compliance obligations you are not yet addressing. The stakes are significant: DORA non-compliance carries penalties up to €10 million or 5% of global annual turnover. NIS2 carries penalties up to €10 million or 2% of global annual revenue.
DORA: Digital Operational Resilience Act
What Is DORA?
DORA is an EU regulation that went into force on January 17, 2025. It establishes a comprehensive framework for digital operational resilience in the EU financial sector — covering banks, insurance companies, investment firms, payment processors, and critically, the ICT service providers (IT companies) that serve them.
Who Is In Scope?
DORA has two categories of in-scope entities:
Financial entities (direct obligation):
- Banks and credit institutions with EU operations or EU regulatory licenses
- Insurance and reinsurance companies operating in the EU
- Investment firms and asset management companies regulated in the EU
- Payment institutions, e-money institutions, crypto-asset service providers
- Central counterparties, credit rating agencies, data reporting service providers
ICT third-party service providers (indirect obligation via contracts):
- Cloud service providers whose EU financial institution clients are subject to DORA
- Data center providers serving EU financial institutions
- Managed security service providers (MSSPs) serving EU financial clients
- Software vendors whose products are used by EU financial institutions
- Any US IT services company contracted by a DORA-regulated financial institution
If you provide IT services, cloud infrastructure, software, or managed services to a bank, insurer, or investment firm with EU operations — you are likely in scope for DORA, even if you are headquartered in the United States.
DORA's Five Pillars
| Pillar | Key Requirements |
|---|---|
| ICT Risk Management | Comprehensive ICT risk framework; risk appetite statement; classification and protection of information assets |
| ICT Incident Reporting | Classify incidents by materiality; report major incidents to regulator within 4 hours (initial) and 72 hours (intermediate); root cause report within 1 month |
| Digital Operational Resilience Testing | Annual threat-led penetration testing (TLPT) for significant institutions; vulnerability assessments; scenario-based testing |
| ICT Third-Party Risk Management | Due diligence on all ICT vendors; contractual requirements for resilience; exit strategies; register of critical third parties |
| Information Sharing | Voluntary threat intelligence sharing within the EU financial community |
What DORA Means for US ICT Providers
If your EU financial institution clients are asking you to sign DORA-compliant contract addenda, this is your signal that you are in scope. DORA requires financial entities to include specific provisions in contracts with ICT providers:
- Incident notification obligations (you must notify your EU client of security incidents affecting their data within the DORA timeframes)
- Business continuity and recovery commitments (RPO, RTO targets)
- Audit rights (EU financial entities have the right to audit their ICT providers)
- Sub-contracting restrictions (you must notify the financial entity of any critical sub-contractors)
- Concentration risk disclosures (if you are serving many EU financial institutions, regulators want to know)
NIS2: Network and Information Security Directive 2
What Is NIS2?
NIS2 is an EU directive that updated the original 2016 NIS Directive. Member states were required to transpose NIS2 into national law by October 17, 2024. NIS2 significantly expanded the scope of cybersecurity obligations beyond the original directive — adding new sectors and new requirements.
Who Is In Scope?
NIS2 applies to organizations that:
- Operate in an in-scope sector (see below)
- Operate in the EU (have an establishment in an EU member state, OR provide services to EU customers from outside the EU in certain sectors)
- Meet the size thresholds: medium enterprise (50+ employees or €10M+ revenue) or large enterprise (250+ employees or €50M+ revenue)
In-scope sectors:
- Energy (electricity, oil, gas, hydrogen)
- Transport (air, rail, water, road)
- Banking and financial market infrastructure
- Health (hospitals, healthcare providers, labs)
- Water and wastewater
- Digital infrastructure (internet exchange points, DNS, TLD registries, cloud computing, data centers, CDN, managed security services)
- ICT service management (managed service providers, managed security service providers)
- Public administration
- Space
- Postal and courier services
- Waste management
- Manufacturing (medical devices, computers, machinery, motor vehicles)
- Food production and distribution
- Digital providers (online marketplaces, search engines, social networks)
- Research
For US companies: If you are a cloud provider, managed service provider, or data center operator serving EU customers, you are likely in scope. If you are a manufacturer with EU production facilities, you are likely in scope. The "country of establishment" rule means NIS2 applies to the EU entity, even if the parent is headquartered in the US.
NIS2 Requirements
NIS2 requires in-scope entities to implement "appropriate and proportionate technical and organisational measures" in 10 areas:
- Risk analysis and information security policies
- Incident handling (detection, response, recovery)
- Business continuity (backup management, disaster recovery, crisis management)
- Supply chain security (ICT supplier relationships and security)
- Security in network and information systems acquisition, development, and maintenance
- Policies and procedures to assess cybersecurity risk management measures effectiveness
- Basic cyber hygiene practices and cybersecurity training
- Cryptography and encryption policies
- Human resources security, access control, and asset management
- Multi-factor authentication and continuous authentication solutions
Incident Reporting Under NIS2
NIS2 requires a three-stage reporting process for significant incidents:
- Early warning: Within 24 hours of becoming aware of a significant incident
- Incident notification: Within 72 hours — with initial assessment of severity, impact, and indicators of compromise
- Final report: Within 1 month — detailed description, threat type, root cause, cross-border impact
DORA vs NIS2: Key Differences
| Factor | DORA | NIS2 |
|---|---|---|
| Regulation type | EU Regulation (directly applicable) | EU Directive (transposed into national law) |
| Primary sectors | Financial sector only | 16 sectors across economy |
| US company applicability | US ICT providers serving EU financial entities | US companies with EU establishments in scope sectors |
| Enforcement date | January 17, 2025 (in force) | October 17, 2024 (transposition deadline) |
| Maximum penalty | €10M or 5% global turnover | €10M or 2% global revenue |
| Testing requirements | Mandatory TLPT for major institutions | Encouraged, not mandated |
The 90-Day DORA/NIS2 Compliance Roadmap for US Companies
Days 1–30: Scoping and Gap Assessment
- Confirm which entities (subsidiaries, divisions) are in scope for DORA and/or NIS2
- Conduct a gap assessment against applicable requirements
- Review all contracts with EU financial institution clients for DORA-required provisions
- Map current incident reporting procedures against DORA/NIS2 notification timelines
Days 31–60: Policy and Control Development
- Develop or update ICT risk management framework documentation
- Implement or validate MFA on all in-scope systems
- Establish formal incident classification process with DORA/NIS2 severity thresholds
- Build supplier/third-party risk register for in-scope ICT providers
Days 61–90: Testing and Documentation
- Conduct table-top incident response exercise against DORA/NIS2 scenario
- Complete technical vulnerability assessment of in-scope systems
- Document evidence of all implemented controls
- Brief board and senior management on obligations (both DORA and NIS2 have management accountability requirements)
TechCloudPro's cybersecurity practice helps US companies assess DORA and NIS2 applicability, conduct gap assessments, and build compliance programs that satisfy EU regulatory requirements. We have worked with technology companies, financial services firms, and manufacturers to navigate EU cybersecurity regulation. Schedule a DORA/NIS2 scoping call to determine your obligations and build a compliance plan.