The European cyber security landscape is at a turning point. Following the introduction of DORA, which transformed IT security in the financial sector, NIS2 is now on the horizon – and this time, it affects almost all critical infrastructures. What does this mean for your company?
If you have already implemented DORA, you have a decisive advantage. If not, now is the time to embrace modern cyber resilience. NIS2 dramatically broadens the scope from specialised sector regulations to a comprehensive framework for all critical infrastructures. At the same time, the rapid development of generative AI presents new risks that previous regulations did not anticipate.
NIS2 is radically changing the cybersecurity landscape. While the original NIS Directive affected around 1,000 German companies, NIS2 expands this circle to an estimated 30,000 organisations (https://www.bsi.bund.de/DE/Themen/Regulierte-Wirtschaft/NIS-2-regulierte-Unternehmen/nis-2-regulierte-unternehmen_node.html).
The new sectors comprise:
Companies that have had little to do with cyber regulation so far are now facing complex requirements. However, for financial companies with DORA experience, this opens up a new opportunity.
Financial companies that have already implemented DORA are in a strong position. They have laid the foundations for modern cyber resilience: identification of critical services, robust governance structures and effective incident response processes.
This advantage pays off with NIS2: proven frameworks that have already been successfully established in the financial sector can be applied to other sectors relatively easily. Processes that have already been tried and tested in practice require only minimal adjustments to meet the requirements of NIS2. Existing governance can be expanded and scaled to new areas, eliminating the need to develop new structures from scratch. Above all, however, existing expertise can be transformed into a genuine competitive advantage. Companies that have already developed a “Security First” culture benefit from a mindset that is not only helpful but also essential for NIS2; with NIS2, this culture becomes a key factor for success.
“But we already have DORA” is a common objection from financial service providers. However, NIS2 requires a broader perspective:
For companies with no prior experience with DORA, NIS2 presents both a challenge and an opportunity. Proven approaches from the financial sector can provide guidance on how to proceed. Those who start now can benefit from the experience of companies that are already familiar with DORA and do not have to reinvent the wheel. There is real pressure to act: the implementation deadlines are tight, and companies that do not act in time not only risk heavy fines, but also significant competitive disadvantages. A proactive approach is therefore crucial.
While DORA and NIS2 were being developed, the cyber threat landscape underwent fundamental changes. Generative AI introduces entirely new risk dimensions that are only partially addressed by both regulations. New attack vectors, such as deepfake-based social engineering, AI-generated malware and phishing campaigns, and adversarial attacks on AI systems, present companies with challenges that they have never previously encountered. Specific threats such as prompt injection and model poisoning are also emerging.
However, it is not only the risks that are increasing; the compliance challenges are growing too. Companies must deal with the transparency and explainability of AI decisions, implement controls, and ensure data protection during training and inference. In addition, the governance of AI itself requires new guidelines and processes.
The good news is that generative AI can also be a solution. Intelligent automation has the potential to make compliance more efficient, cost-effective and responsive. From automated compliance monitoring systems and AI-supported incident detection to intelligent documentation systems, there are many ways to use AI as an enabler for cyber resilience.
The era of isolated compliance silos is over. To be successful, companies must consider DORA, NIS2 and AI governance as an integrated system. Those who set the right course now will benefit from synergies, efficiency gains, and new business opportunities. Integration, automation and proactivity are not only the keys to meeting regulatory requirements, but also to strengthening your long-term competitiveness.
The Executive & Professional Education programme at Frankfurt School offers DORA and NIS2 seminars to support you.