For years, EU cybersecurity regulation was something to monitor. In 2026 it is something you are audited against. DORA's informal grace period has ended, with supervisors shifting to active enforcement — and NIS2 has finally landed in national law across most member states, including Poland, where the amended National Cybersecurity System Act took effect on 3 April 2026. Here is a practical map of what applies to whom, and what to do about it.
Which regime applies to you?
DORA (Regulation (EU) 2022/2554) covers around 20 categories of financial entities — banks, insurers, investment firms, payment and e-money institutions, crypto-asset service providers — and, crucially, the ICT providers that serve them. It is a regulation, directly applicable since 17 January 2025, with no national transposition needed.
NIS2 (Directive (EU) 2022/2555) covers "essential" and "important" entities across 18 sectors — energy, transport, health, digital infrastructure, cloud and managed services, manufacturing and more — generally from 50 employees or €10M turnover upwards, with some categories in scope regardless of size.
If you are a financial entity, DORA takes precedence as lex specialis: its rules on ICT risk management, incident reporting, resilience testing and third-party risk apply instead of NIS2's. If you are a software house, MSP or cloud provider, you may face both worlds at once — NIS2 obligations of your own, plus DORA requirements flowing down contractually from financial-sector clients.
DORA in 2026 — enforcement, not preparation
Three things changed this year:
- Supervisors moved from paperwork to proof. With the technical standards finalised, competent authorities are running active reviews, cross-checking Register of Information submissions and expecting evidence — logs, test results, registers — rather than policies. Roughly half of institutions entered 2026 with known gaps.
- Critical ICT providers are under direct oversight. In November 2025 the ESAs designated the first 19 Critical ICT Third-Party Providers — including AWS, Microsoft Azure, Google Cloud, IBM and Bloomberg — now supervised by Joint Examination Teams. If you depend heavily on one of them, that concentration risk belongs in your register.
- The clocks are real. A major incident triggers an initial notification within 4 hours of classification, an intermediate report at 72 hours, and a final report within a month. Significant entities run threat-led penetration tests (TIBER-EU style) at least every three years.
NIS2 in Poland — the deadlines started ticking in April
Poland transposed NIS2 late — late enough that the European Commission issued a reasoned opinion in May 2025 — but the amendment to the KSC Act was signed on 19 February 2026 and entered into force on 3 April 2026. The practical timeline for entities in scope:
- By 3 October 2026 — apply for entry in the register of essential and important entities.
- By 3 April 2027 — implement the full information-security management system, including supply-chain security policies.
- By 3 April 2028 — essential entities complete their first cybersecurity audit, then repeat at least every three years.
Two Polish specifics deserve attention. The law reaches further than the directive in places — notably "high-risk vendor" rules across all sectors, under which regulated entities must stop using products from a vendor once it is designated high-risk. And the penalty ceiling goes beyond NIS2's €10M / 2% and €7M / 1.4% tiers, up to PLN 100M (~€24M) in extraordinary cases — with management bodies personally accountable.
Where firms actually struggle
Across both regimes, the same four gaps come up in practice: nobody owns a complete inventory of ICT suppliers and contracts; incident classification is not decided before the 4- or 24-hour clock starts; evidence lives in people's heads rather than in systems; and testing is a document, not a calendar.
A pragmatic 90-day plan
- Scope yourself formally. Decide — and document — whether you are a DORA financial entity, a NIS2 essential or important entity, an ICT supplier to either, or several at once.
- Run a gap assessment against DORA's five pillars or NIS2's Article 21 measures. Reuse what you have: existing ISO 27001 coverage typically maps to a large share of the requirements.
- Build the supplier register. Every ICT arrangement, its criticality, subcontractors and exit options. This is the single highest-leverage artefact for both regimes.
- Pre-wire incident reporting. Classification thresholds, a named decision owner, report templates and regulator contact details — agreed before an incident, not during one.
- Put testing on a calendar — vulnerability scanning, recovery exercises and, where required, TLPT — with findings tracked to closure.
Where Educatifu fits
We help software companies, MSPs and financial-sector suppliers scope their obligations, close the technical gaps — logging, monitoring, incident pipelines, supplier management — and produce the evidence supervisors now expect. If you are not sure which side of these regulations you sit on, get in touch — that is a one-conversation answer.
References
- EIOPA — Digital Operational Resilience Act overview
- Orbiq — DORA compliance guide 2026 (CTPP list and deadlines)
- Regulation-DORA.eu — 2026: the grace period is over
- Schoenherr — New cybersecurity rules in Poland (NIS2 / KSC Act)
- Addleshaw Goddard — NIS2 implemented in Poland: what businesses need to know
- Bird & Bird — Poland's high-risk vendor rules and penalties