Educatifu

DORA and NIS2 in 2026 — A Practical Guide for EU Firms

Cybersecurity4 min readBy Michael Carter, Senior Software Engineerdoranis2complianceeu regulationcybersecurity

For years, EU cybersecurity regulation was something to monitor. In 2026 it is something you are audited against. DORA's informal grace period has ended, with supervisors shifting to active enforcement — and NIS2 has finally landed in national law across most member states, including Poland, where the amended National Cybersecurity System Act took effect on 3 April 2026. Here is a practical map of what applies to whom, and what to do about it.

Which regime applies to you?

DORA (Regulation (EU) 2022/2554) covers around 20 categories of financial entities — banks, insurers, investment firms, payment and e-money institutions, crypto-asset service providers — and, crucially, the ICT providers that serve them. It is a regulation, directly applicable since 17 January 2025, with no national transposition needed.

NIS2 (Directive (EU) 2022/2555) covers "essential" and "important" entities across 18 sectors — energy, transport, health, digital infrastructure, cloud and managed services, manufacturing and more — generally from 50 employees or €10M turnover upwards, with some categories in scope regardless of size.

If you are a financial entity, DORA takes precedence as lex specialis: its rules on ICT risk management, incident reporting, resilience testing and third-party risk apply instead of NIS2's. If you are a software house, MSP or cloud provider, you may face both worlds at once — NIS2 obligations of your own, plus DORA requirements flowing down contractually from financial-sector clients.

DORA in 2026 — enforcement, not preparation

Three things changed this year:

  • Supervisors moved from paperwork to proof. With the technical standards finalised, competent authorities are running active reviews, cross-checking Register of Information submissions and expecting evidence — logs, test results, registers — rather than policies. Roughly half of institutions entered 2026 with known gaps.
  • Critical ICT providers are under direct oversight. In November 2025 the ESAs designated the first 19 Critical ICT Third-Party Providers — including AWS, Microsoft Azure, Google Cloud, IBM and Bloomberg — now supervised by Joint Examination Teams. If you depend heavily on one of them, that concentration risk belongs in your register.
  • The clocks are real. A major incident triggers an initial notification within 4 hours of classification, an intermediate report at 72 hours, and a final report within a month. Significant entities run threat-led penetration tests (TIBER-EU style) at least every three years.

NIS2 in Poland — the deadlines started ticking in April

Poland transposed NIS2 late — late enough that the European Commission issued a reasoned opinion in May 2025 — but the amendment to the KSC Act was signed on 19 February 2026 and entered into force on 3 April 2026. The practical timeline for entities in scope:

  1. By 3 October 2026 — apply for entry in the register of essential and important entities.
  2. By 3 April 2027 — implement the full information-security management system, including supply-chain security policies.
  3. By 3 April 2028 — essential entities complete their first cybersecurity audit, then repeat at least every three years.

Two Polish specifics deserve attention. The law reaches further than the directive in places — notably "high-risk vendor" rules across all sectors, under which regulated entities must stop using products from a vendor once it is designated high-risk. And the penalty ceiling goes beyond NIS2's €10M / 2% and €7M / 1.4% tiers, up to PLN 100M (~€24M) in extraordinary cases — with management bodies personally accountable.

Where firms actually struggle

Across both regimes, the same four gaps come up in practice: nobody owns a complete inventory of ICT suppliers and contracts; incident classification is not decided before the 4- or 24-hour clock starts; evidence lives in people's heads rather than in systems; and testing is a document, not a calendar.

A pragmatic 90-day plan

  1. Scope yourself formally. Decide — and document — whether you are a DORA financial entity, a NIS2 essential or important entity, an ICT supplier to either, or several at once.
  2. Run a gap assessment against DORA's five pillars or NIS2's Article 21 measures. Reuse what you have: existing ISO 27001 coverage typically maps to a large share of the requirements.
  3. Build the supplier register. Every ICT arrangement, its criticality, subcontractors and exit options. This is the single highest-leverage artefact for both regimes.
  4. Pre-wire incident reporting. Classification thresholds, a named decision owner, report templates and regulator contact details — agreed before an incident, not during one.
  5. Put testing on a calendar — vulnerability scanning, recovery exercises and, where required, TLPT — with findings tracked to closure.

Where Educatifu fits

We help software companies, MSPs and financial-sector suppliers scope their obligations, close the technical gaps — logging, monitoring, incident pipelines, supplier management — and produce the evidence supervisors now expect. If you are not sure which side of these regulations you sit on, get in touch — that is a one-conversation answer.

References

← Back to blog

Related articles