FRANKFURT SCHOOL

BLOG

From DORA to NIS2: The next level of cyber resilience
Executive Education / 14 July 2025
Co-founder and Digital Governance Expert at DECAID
As co-founder and Digital Governance Expert at DECAID.secure, Kai makes professional AI governance accessible to small and medium-sized enterprises, ensuring the secure and responsible introduction of AI solutions. His career path took him from the hotel industry to a degree in Business Administration, followed by management roles in industry, before he became an entrepreneur. At Siemens, he led the Charter of Trust; as Co-Managing Director of Identity Valley, he shaped the digital responsibility goals; and with the twinds foundation, he is establishing disposable identities to foster greater online trust. He is also a lecturer and sits on expert committees such as the World Economic Forum. He organises community events like the Munich Cybersecurity Conference. As a husband and father of two, Kai believes that work-life integration is the key to sustainable success.


The European cyber security landscape is at a turning point. Following the introduction of DORA, which transformed IT security in the financial sector, NIS2 is now on the horizon – and this time, it affects almost all critical infrastructures. What does this mean for your company?

If you have already implemented DORA, you have a decisive advantage. If not, now is the time to embrace modern cyber resilience. NIS2 dramatically broadens the scope from specialised sector regulations to a comprehensive framework for all critical infrastructures. At the same time, the rapid development of generative AI presents new risks that previous regulations did not anticipate.

NIS2: The big leap – 30,000 companies are now affected

NIS2 is radically changing the cybersecurity landscape. While the original NIS Directive affected around 1,000 German companies, NIS2 widens the circle to an estimated 30,000 organisations, according to the BSI (https://www.bsi.bund.de/DE/Themen/Regulierte-Wirtschaft/NIS-2-regulierte-Unternehmen/nis-2-regulierte-unternehmen_node.html). Most of these have never been subject to cyber regulation before.

The sectors now in scope include (some, such as healthcare, digital infrastructure and drinking water, were already partly covered under NIS1, but the thresholds and obligations are now far broader):

  • Healthcare and the Pharma Industry
  • Digital Infrastructure and Cloud Services
  • Food Production and Distribution
  • Waste and Water Management
  • Space and Satellite Technology
  • Public Administration

Companies that have had little to do with cyber regulation so far are now facing complex requirements. However, for financial companies with DORA experience, this opens up a new opportunity.

The DORA advantage: Why financial companies can now take the lead

Financial companies that have already implemented DORA are in a strong position. They have laid the foundations for modern cyber resilience: identification of critical services, robust governance structures and effective incident response processes.

This advantage pays off with NIS2. Frameworks already proven in the financial sector can be carried over to other sectors with comparatively little effort; processes that have been tested in practice typically need only incremental adjustment to meet NIS2 requirements, and existing governance can be extended and scaled to new business areas instead of being built again from scratch. Above all, existing expertise becomes a genuine competitive advantage: companies that have already developed a "Security First" culture bring a mindset that NIS2 does not merely reward but effectively requires.

Why banks need NIS2 despite DORA

“But we already have DORA” is a common objection from financial service providers. However, NIS2 requires a broader perspective:

  1. Limits of the lex specialis carve-out: for the regulated financial entity itself, DORA takes precedence over NIS2's risk-management and incident-reporting obligations (NIS2 Art. 4), but that carve-out applies only to the financial entity, not to the wider organisation around it.
  2. Supply chain integration: major suppliers and ICT service providers are themselves likely to be NIS2 entities, and their obligations flow into contracts, due diligence and incident reporting.
  3. Group perspective: subsidiaries operating in other sectors (for example digital infrastructure or healthcare) fall under NIS2 in their own right.
  4. Client base expansion: many corporate clients are now NIS2 entities – an opportunity for strategic support and additional services.

For everyone else: start now to avoid being left behind

For companies with no prior experience with DORA, NIS2 presents both a challenge and an opportunity. Proven approaches from the financial sector can provide guidance on how to proceed. Those who start now can benefit from the experience of companies that are already familiar with DORA and do not have to reinvent the wheel. There is real pressure to act: the implementation deadlines are tight, and companies that do not act in time not only risk heavy fines, but also significant competitive disadvantages. A proactive approach is therefore crucial.

Generative AI: The game changer for both worlds

While DORA and NIS2 were being developed, the cyber threat landscape underwent fundamental changes. Generative AI introduces entirely new risk dimensions that both regulations address only partially. New attack vectors, such as deepfake-based social engineering, AI-generated malware and phishing campaigns, and adversarial attacks on AI systems, present companies with challenges they have not encountered before. Threats specific to AI deployments are also emerging: prompt injection, where attacker-controlled input to an LLM-integrated application overrides its instructions, and model poisoning, where training data or model weights are manipulated so that the model behaves as the attacker intends.

However, not only are the risks increasing, but the compliance challenges are, too. Companies must deal with the transparency and explainability of AI decisions, implement controls and ensure data protection during training and inference. In addition, the governance of AI itself requires new guidelines and processes.

The good news is that generative AI can also be a solution. Intelligent automation has the potential to make compliance more efficient, cost-effective and responsive. From automated compliance monitoring systems and AI-supported incident detection to intelligent documentation systems, there are many ways to use AI as an enabler for cyber resilience.

Conclusion: The future belongs to those who are integrated

The era of isolated compliance silos is over. To be successful, companies must consider DORA, NIS2 and AI governance as an integrated system. Those who set the right course now will benefit from synergies, efficiency gains, and new business opportunities. Integration, automation and proactivity are not only the keys to meeting regulatory requirements, but also to strengthening your long-term competitiveness.

The Executive & Professional Education programme at Frankfurt School offers DORA and NIS2 seminars to support you.
