
NIS2 in the financial sector: how does it relate to DORA and ISO 27001?



Banks, insurers, payment institutions and fintechs operate in a sector that is highly exposed to cyber threats. For that reason the rules are becoming stricter: NIS2, DORA and ISO 27001 are terms that a financial organization can no longer ignore. But how do these three relate to each other? And more importantly: what do you need to do, in concrete terms, to meet all the requirements without running three separate compliance processes? In this blog we explain it.


This article was last updated on 23.03.2026
Written by Mathijs Oppelaar, Operational Manager & Partner

What is NIS2 (Cyber Security Act in the Netherlands)?

The NIS2 Directive (Network and Information Security Directive) sets cybersecurity rules for key sectors in Europe. In the Netherlands, NIS2 is implemented by means of the Cybersecurity Act (Cyberbeveiligingswet, Cbw). Essential sectors include energy companies, healthcare and transport, but also major IT service providers. With NIS2, the EU wants to ensure that these organizations:

  • have their digital security in order;
  • identify and address risks;
  • report major cyber incidents quickly.

The goal is simple: protect critical infrastructure against cyber attacks and make sure that companies and countries cooperate better in addressing digital threats. Companies that act as suppliers to those essential sectors must make agreements with their major customers and must be able to demonstrate to them that, in line with their risk profile, they operate securely.

Why NIS2 is relevant to the financial sector

Financial institutions have traditionally already fallen under many strict frameworks, such as PCI DSS, the EBA guidelines, the Wft (the Dutch Financial Supervision Act) and the AVG (GDPR). With the arrival of NIS2, Europe adds an extra layer on top.


As a financial organization, are you automatically subject to NIS2?

Yes. The financial sector falls under the category essential entities. This means:

  • tougher security requirements
  • strict reporting obligations
  • supervision by national authorities
  • directors' liability

But that is not all: on top of NIS2 comes DORA.


What is DORA?

Where NIS2 is a broad cybersecurity directive that applies to many sectors, DORA (Digital Operational Resilience Act) is focused entirely on the financial world:

  • Banks
  • Insurers
  • Payment institutions
  • Investment firms
  • Pension funds
  • Crypto providers
  • ICT service providers (Critical Third-Party Providers)

DORA is not a directive but a regulation. That means it is directly binding in every EU member state, without national transposition or interpretation.


DORA focuses on:

  • ICT risk management. Example: a payment institution must assess every year which IT systems carry the most critical risk (e.g. the payment platform) and take measures such as network segmentation, MFA and stricter monitoring.
  • Incident reporting. Example: a bank that discovers a phishing attack that could affect customers must report it to the regulator within a very short time, including an impact analysis, the actions taken and follow-up measures.
  • Penetration testing (TIBER-EU). Example: an insurer must periodically carry out a TIBER-EU test in which ethical hackers simulate realistic attacks, such as breaking into the customer portal or committing fraud via APIs.
  • Supply chain management and dependencies. Example: a pension fund must know which software providers have access to sensitive data and what risks that entails, including exit strategies in case a supplier fails.
  • Oversight of ICT service providers. Example: a fintech that depends on a cloud provider (such as AWS, Azure or Google Cloud) must be able to demonstrate which contractual agreements are in place, how performance is monitored and what happens in the event of an outage.

Many parts overlap with NIS2, but DORA goes deeper and is stricter.


How do NIS2 and DORA relate to each other?

1. DORA takes precedence for financial institutions

For all financial companies the following applies: DORA is your primary cyber regulation. NIS2 applies in addition, but where the two overlap, DORA's requirements take precedence.

2. NIS2 goes further on supply chain responsibility

DORA mainly looks at your direct ICT suppliers. NIS2 requires organizations to assess the entire chain, including smaller suppliers.

3. Incident reporting is similar, but the timelines differ

  • NIS2 → 24-hour notification, 72-hour report
  • DORA → varies by type of incident, usually in more detail and with stricter documentation requirements

4. NIS2 is broader, DORA is deeper

You can think of it as:

  • NIS2 = a comprehensive security obligation for many sectors
  • DORA = specialized, in-depth requirements for financial institutions


The role of ISO 27001: standard for both regulations

Now that you have two strong frameworks (NIS2 + DORA), you may be wondering as an organization: “How do I make sure I don't do the work twice?” That is exactly where ISO 27001 becomes relevant.


ISO 27001:

  • provides structure through an information security management system (ISMS)
  • is internationally recognized
  • seamlessly connects to risk-based cybersecurity
  • demonstrably helps to comply with legal requirements


Many of the controls that ISO 27001 requires or recommends directly correspond to both NIS2 and DORA requirements. ISO 27001 supports, among other things, with:

  • Risk Management
  • Policy & governance
  • Incident Management
  • Access control
  • Supplier management
  • Logging & monitoring
  • Continuity Management


So if you choose ISO 27001 as a framework, you are laying a foundation that covers a large part of the topics and requirements of NIS2 and DORA.

What do NIS2, ISO 27001, and DORA mean to you?

1. You must comply with DORA

DORA is mandatory for almost all financial institutions and many ICT service providers that support them.

2. NIS2 also applies, but largely overlaps with DORA

So, unlike other sectors, you have no choice: both apply.

3. ISO 27001 is the smartest route

ISO 27001 helps you implement DORA and NIS2 by:

  • structuring processes
  • embedding measures
  • simplifying audits
  • improving demonstrability

4. Start with a DORA gap analysis

A good approach:

  1. Start with the DORA requirements as the basis
  2. Check which additional NIS2 requirements apply
  3. Record everything in an ISMS based on ISO 27001


How to get started with NIS2, DORA, and ISO 27001? (Roadmap)

  1. Identify which parts of DORA and NIS2 apply to your organization
  2. Perform a GAP analysis
  3. Link all requirements to ISO 27001 controls
  4. Create a roadmap of, for example, 12 to 24 months
  5. Set up governance and roles
  6. Implement technical and organizational measures
  7. Document demonstrability: policy, risks, procedures, tests, reports


Conclusion

DORA and NIS2 are mandatory, but ISO 27001 is the most practical way to become and stay compliant. It seems like a lot, but by combining smartly, you can avoid duplication of work and build a future-proof information security management system. Want to know more? Contact us below for an informal consultation!
