
Most security teams spent 2024 getting compliant on paper, and that was the necessary first step. But paper compliance and operational readiness are different things, and the difference doesn’t show up when your auditor visits. It shows up at 2am when you have 24 hours to notify a regulator and your IR plan was never tested at that speed.
NIS2 transposition was due in EU member states by October 2024. DORA has applied to financial sector firms since January 2025. Both frameworks are now in force long enough that “we’re working on it” isn’t a credible position. The question worth asking is whether the work that got done was the right work.
The requirements that look familiar but aren’t
Most CISOs can recite the NIS2 and DORA requirements at this point. Risk management, incident reporting, supply chain security, and board accountability. None of it sounds new. Teams that mapped existing controls to the framework requirements and called it done may have underestimated how demanding some of these are when you try to meet them under pressure.
NIS2 Article 23 requires an initial notification of a significant incident within 24 hours of becoming aware of it. Not 24 hours after confirming scope, not after legal has reviewed the draft — within 24 hours of awareness. Pulling together a compliant notification in that window requires machinery most IR plans don’t have, because most IR plans were never tested at that speed.
NIS2 Article 21 requires managing security risks across your supply chain and supplier relationships. DORA Articles 28–30 go further — ICT third-party risk programmes with contractual minimum standards, concentration risk analysis, exit strategies. A spreadsheet of suppliers classified 18 months ago isn’t a programme. It’s a snapshot that’s already out of date.
And then there’s senior management liability. NIS2 Article 20 makes management bodies personally accountable for approving cybersecurity risk measures and overseeing their implementation. DORA does the same for ICT risk governance. This isn’t something the CISO handles on behalf of the board once a year. The accountability is ongoing, and it sits with people who in many organisations have only recently started paying close attention to what their security team is actually doing. DLA Piper’s analysis of the NIS2 management body provisions is worth reading if you’re briefing a board that hasn’t absorbed this yet — the personal liability exposure, including temporary bans from management functions, is more significant than most board members realise.
Where the gaps tend to hide
Most programmes have three failure points in common when they get stress-tested.
The first is IR plans that were never tested against the actual reporting timeline. A tabletop that runs for three hours and ends with a debrief is valuable. But it’s a different exercise from one that starts the 24-hour clock, forces every decision and handoff to happen in sequence, and produces a draft notification before time runs out. The first tells you whether people know their roles. The second tells you whether the plan works.
The second is static third-party inventories. DORA requires ongoing monitoring of ICT providers, not a one-time classification. Suppliers change their subcontractors, get acquired, and have their own incidents. An inventory with no review triggers doesn’t meet the requirement — and it won’t help you when a critical vendor goes down and you need to know your exposure immediately.
The third is board documentation collected once. A single resolution approving your cybersecurity programme isn’t ongoing oversight. If a significant incident leads to a regulatory investigation, the question won’t be whether the board approved something in 2024. It’ll be whether there’s a record of continuous, informed governance, and most organisations haven’t built that record.
Why NIS2 and DORA change the budget conversation
Security leaders have been making the case for investment for years. Risk scores, threat briefings, maturity assessments. Some of it lands. NIS2 and DORA add something different to that conversation: the CFO and the board now have personal legal exposure. Not just the CISO.
A programme gap that was previously a security team concern is now a liability question for the people who control the budget. If your 24-hour notification capability hasn’t been tested, or your third-party inventory hasn’t been reviewed since last year’s renewal cycle, that’s a documented gap in a regulated programme that senior management is personally accountable for. That framing tends to reach people who weren’t listening before.
The frameworks created the obligation. The CISO’s job is to make sure the people who share that obligation understand what the programme can and can’t do.
Where to focus
If you have gaps, the temptation is to write more policies. Three things tend to do more for actual readiness than another policy document.
Test the notification timeline for real. Run a tabletop that starts the 24-hour clock at a simulated awareness moment and forces the team to produce a compliant notification before time runs out. You’ll find out exactly where the friction is — who’s missing from the room, what information you can’t get fast enough, which handoffs add delay. Fix those things in a training exercise, not during an incident.
Sort out your highest-risk suppliers. You don’t need a complete DORA-grade third-party programme overnight, but you should be able to identify your most critical ICT providers, confirm your contracts address the minimum ICT third-party requirements DORA sets out, and have a live process for flagging changes to their risk profile. Concentration risk — which providers, if they went down, would take several critical functions with them — is often the biggest unexamined exposure.
Make board engagement a regular cadence, not a once-a-year approval. Brief the board on material changes to the risk environment, on incidents and near-misses, on where the programme has gaps and what’s being done. Document it. That record of ongoing oversight is what demonstrates compliance with the governance requirements, and what protects everyone if something goes wrong.
Readiness doesn’t end at the deadline
The NIS2 and DORA deadlines produced useful forcing functions, and a lot of work got done. But neither framework was designed to be satisfied once and filed. They were designed to produce organisations that can function under pressure — report fast, recover fast, and show that the people at the top knew what was happening.
The security leaders who’ll be in the best position — tested by an incident, a regulator, or an investigator — are the ones who can show their programme held up, not just that it was documented.
