Cyber Resilience

NIS2 & DORA Compliance

NIS2 and DORA compliance for critical infrastructure operators and financial institutions - gap analyses, readiness assessments and risk management frameworks.

What We Offer

NIS2 Gap Analyses & Readiness Assessments
DORA ICT Risk Management Framework
Incident Response & Reporting
Third-Party Risk Management
Business Continuity Planning
Cybersecurity Governance
Audit Preparation & Documentation
Continuous Compliance Monitoring

NIS2 & DORA - Compliance as Opportunity

The new EU regulations NIS2 and DORA set new standards for cybersecurity and resilience. We help you become compliant - pragmatically and without overengineering.

What is NIS2?

The NIS2 Directive (Network and Information Security) obliges critical infrastructure operators and essential service providers to meet higher cybersecurity standards:

  • Extended Scope - More industries affected
  • Stricter Requirements - Risk management, incident response, supply chain security
  • Reporting Obligations - Security incidents must be reported within 24h
  • Personal Liability - Management bears responsibility

What is DORA?

The Digital Operational Resilience Act targets financial institutions (banks, insurance companies, payment providers):

  • ICT Risk Management - Comprehensive IT risk management
  • Incident Reporting - Structured reporting processes
  • Third-Party Risk - Strict requirements for service providers
  • Testing - Regular penetration tests and resilience testing

Our Approach

Phase 1: Gap Analysis

Where do you stand today? What’s missing for compliance?

  • As-Is assessment of your current cybersecurity posture
  • Mapping to NIS2/DORA requirements
  • Prioritization of measures

Phase 2: Roadmap & Implementation

Pragmatic implementation of necessary measures:

  • Risk management framework
  • Incident response playbooks
  • Supply chain risk management
  • Technical protection measures (Zero Trust, MFA, Monitoring)

Phase 3: Documentation & Audit

Demonstrate compliance:

  • Complete documentation of all measures
  • Audit support
  • Continuous monitoring and adaptation

Typical Measures

Governance & Processes:

  • Cybersecurity policies & guidelines
  • Incident response & crisis management
  • Business continuity & disaster recovery
  • Training & awareness

Technical Implementation:

  • Zero Trust Architecture
  • Multi-Factor Authentication (MFA)
  • Security Monitoring & SIEM
  • Vulnerability Management
  • Backup & Recovery

Third-Party Management:

  • Vendor risk assessments
  • SLA agreements with security requirements
  • Continuous monitoring of critical service providers

Why alfatier?

  • Pragmatic - We implement what’s necessary - nothing more
  • Technically sound - Real implementation instead of consultant slides
  • Experience - We know the frameworks and tools
  • End-to-End - From gap analysis to audit support

Frequently Asked Questions

Is my company affected by NIS2?

NIS2 applies to companies in 18 defined sectors (including energy, transport, healthcare, digital infrastructure, IT service providers) with 50+ employees or EUR 10 million annual revenue. Smaller companies may also be affected if classified as critical. We assess your applicability in a free initial consultation.

What is the difference between NIS2 and DORA?

NIS2 is a cross-sector EU directive for cybersecurity at critical and important entities. DORA (Digital Operational Resilience Act) specifically targets the financial sector and regulates the digital operational resilience of banks, insurance companies and financial service providers. Both can apply simultaneously.

What penalties apply for non-compliance?

NIS2 provides for fines of up to EUR 10 million or 2% of global annual turnover (whichever is higher). Under DORA, fines can reach up to 1% of average daily turnover. Additionally, managing directors are personally liable for implementation.