The Ultimate Compliance Checklist: NIS 2 and DORA Standards
Tabla de contenido
- NIS2 and NIST CSF 2.0 are not the same thing
- What NIS2 and DORA actually require, briefly
- Why the checklist itself is the trap
- The cascade effect: this reaches you even if you're out of scope
- What actually satisfies the 24-hour requirement
- A five-question readiness check
- Preguntas frecuentes
- Is NIS2 the same as NIST CSF 2.0?
- Can you be NIS2-compliant on paper and still fail an audit or an incident response test?
- Does NIS2 apply to my company if we're not in one of the 18 covered sectors?
- What's actually happening with France's NIS2 transposition right now?
- See your organization's real-time NIS2 and DORA exposure gaps
How compliant is your organization?
Only six of the EU’s 27 member states met the original 17 October 2024 deadline to transpose the NIS2 Directive into national law. As of mid-2026, 22 have finished the job. Ireland, Spain, France, and until last week, the Netherlands, have not, and the European Commission has now referred all four to the Court of Justice of the EU, asking for financial penalties until each one notifies full transposition.
If your organization operates in the EU, or has entities, suppliers, or customers that do, this piece covers what NIS2 and DORA actually require, and why the standard compliance checklist most guides hand you won’t be enough on its own.
You can complete every item on a standard NIS2 compliance checklist, documented risk management plan, written incident response procedure, signed-off governance structure, and still fail the part of the law that actually gets enforced: reporting a significant incident within 24 hours of becoming aware of it. That’s not a hypothetical gap. It’s a direct consequence of how most organizations approach compliance, and it’s worth understanding before you build a program around the wrong model.

GDPR compliance data like this is a useful baseline: even a mature, long-established EU regulation still shows real gaps in practice years after it took effect. NIS2 is newer, broader in scope, and backed by steeper penalties, so treat this as the floor, not the ceiling, of what full compliance actually looks like across an organization.
NIS2 and NIST CSF 2.0 are not the same thing
Worth stating plainly, because the two get confused constantly. NIS2 is a binding EU directive (Directive (EU) 2022/2555) that member states must transpose into national law, with financial penalties for non-compliant organizations and, in several member states, for governments that miss the deadline. NIST Cybersecurity Framework 2.0 is a voluntary U.S. framework published in February 2024. They are not related, and if you’re researching NIS2 obligations specifically, content about NIST CSF 2.0 will not answer your question. This piece is about NIS2, the EU directive, and DORA, its counterpart for the financial sector.
What NIS2 and DORA actually require, briefly
NIS2 covers 18 critical sectors, energy, transport, health, banking, water, and public administration among them, and splits regulated organizations into Essential Entities and Important Entities. Where the original NIS Directive covered roughly 500 operators EU-wide, NIS2’s expanded scope brings an estimated 15,000 organizations into regulated status in France alone. Sanctions reach €10 million or 2% of global annual turnover for Essential Entities, €7 million or 1.4% for Important Entities, and management bodies can be held personally accountable, not just the organization.
DORA, in force since 17 January 2025, is narrower in scope, financial entities and their ICT third-party providers specifically, but goes deeper on operational resilience: ICT risk management, incident reporting, digital operational resilience testing, and third-party risk management, built to withstand disruption, not just prevent it.
Both share the provision that actually matters most for this argument: NIS2 requires an early warning within 24 hours of becoming aware of a significant incident, a fuller notification within 72 hours, and a final report within a month. DORA’s incident reporting timelines follow a comparable logic. Neither law asks whether you have a policy document. Both ask whether you can meet the clock.

Scale doesn’t exempt an organization from the clock either. Smaller Important Entities face lighter obligations than large Essential Entities, but both are held to the same 24-hour reporting timeline once an incident is significant enough to trigger it.
See what a 24-hour detection gap actually looks like in your environment. Request a demo.
Why the checklist itself is the trap
A standard compliance checklist, the kind every NIS2 guide online will hand you, asks you to determine scope, write a risk management plan, document governance, build an incident response plan, and schedule periodic audits. Do all of that well and you’ll have a defensible paper trail. What it won’t give you is the thing the 24-hour clock actually requires: knowledge that something happened, today, not at the next scheduled review.
This isn’t a knock on doing the paperwork. It’s a structural problem with treating the paperwork as the finish line. A quarterly vendor risk questionnaire cannot tell you about a credential exposed on a forum last Tuesday. An annual penetration test cannot tell you about a misconfigured cloud bucket that went public this morning. If your risk management process runs on a calendar instead of continuously, there is a real window, potentially months wide, where an exposure exists and you are compliant on paper while being unable to meet the reporting clock in practice.
The pattern shows up at the state level too, which is instructive. On 8 July 2026, the European Commission referred Ireland, Spain, France, and the Netherlands to the Court of Justice of the EU for failing to transpose NIS2, seeking financial penalties until each formally notifies transposition. The Netherlands resolved its position days before the referral, passing the Cyberbeveiligingswet, in force 15 August 2026. Ireland, Spain, and France have not. France’s transposition vehicle, the Loi Résilience, passed the Senate in March 2025 and has been stuck in parliamentary process since, its next reading pushed again this month to September at the earliest. Meanwhile, ANSSI, France’s own cybersecurity agency, has been pushing the roughly 15,000 affected French entities toward preparation regardless, because the compliance work doesn’t wait for the paperwork to finish, at the national level or yours.
The cascade effect: this reaches you even if you’re out of scope
NIS2’s Article 21 requires Essential and Important Entities to secure their supply chains, which means every regulated organization is about to start pushing security requirements down onto its vendors, contractually, not just as a suggestion. If your organization sits outside the 18 covered sectors, that doesn’t mean this doesn’t reach you. It means it reaches you through a customer contract instead of a regulator, on a timeline you don’t control and can’t negotiate down. Losing a contract because you couldn’t demonstrate continuous security visibility is a less visible version of the same penalty NIS2 imposes directly, and it’s arguably the more common way this actually costs a company revenue.
This is exactly the pattern CybelAngel’s Every Vendor Is a Vector report documents in depth: third-party breaches doubled as a share of all incidents in 2025, and compliance-driven vendor risk programs, the annual questionnaire model, consistently miss what a continuous monitoring approach catches. If Article 21’s supply chain requirement is the part of this piece most relevant to your situation, that report is the deeper resource, not this section.
Find out what your customers’ NIS2 obligations mean for your contracts. Talk to an analyst.
What actually satisfies the 24-hour requirement
Meeting a 24-hour detection clock requires the same thing whether the exposure is a leaked credential, an exposed cloud asset, or a vendor’s compromised system: continuous external monitoring, not periodic assessment. This is the specific gap between compliance-as-paperwork and compliance-as-capability, and it’s where CybelAngel’s platform is built to sit rather than compete with the paperwork itself:
- Gestión de la Superficie de Ataque for continuous visibility into exposed assets, the exact gap an annual audit leaves open between review cycles.
- Third-Party Risk Assessments for the Article 21 supply chain requirement, replacing the static vendor questionnaire with ongoing monitoring.
- Inteligencia de Credenciales for catching compromised credentials before they become the incident you have 24 hours to report, rather than finding out from the incident itself.
A five-question readiness check
Not a checklist to complete over a quarter, a test you can score against right now:
- If an employee credential were sold on a criminal forum this morning, would you know today, or at your next scheduled review?
- If a vendor holding your customer data were breached, would you find out from them, or from a news report?
- Could your team produce the 24-hour early warning notification right now, for an incident you don’t yet know about?
- Is your supply chain risk process a questionnaire sent once a year, or something that runs continuously?
- If a regulator asked for evidence of ongoing monitoring, not just a policy document, could you produce it today?
Two or more “no” answers means the gap isn’t a paperwork gap. It’s a visibility gap, and it’s the one a checklist won’t close.
Preguntas frecuentes
Is NIS2 the same as NIST CSF 2.0?
No. NIS2 is a binding EU directive with legal penalties. NIST CSF 2.0 is a voluntary U.S. framework. They share a similar-sounding name and nothing else.
Can you be NIS2-compliant on paper and still fail an audit or an incident response test?
Yes, and this is the core argument of this piece. Documented policies and scheduled assessments satisfy the paperwork requirements but not necessarily the 24-hour incident reporting clock, which requires continuous visibility rather than periodic review.
Does NIS2 apply to my company if we’re not in one of the 18 covered sectors?
Possibly, indirectly. Article 21 requires regulated entities to secure their supply chains, which means their vendors, including companies outside the 18 sectors, increasingly face NIS2-equivalent security requirements through customer contracts rather than direct regulation.
What’s actually happening with France’s NIS2 transposition right now?
France’s Loi Résilience passed the Senate in March 2025 and remains stuck in parliamentary process, with its next Assembly reading pushed to September 2026 at the earliest. France, along with Ireland and Spain, was referred to the CJEU in July 2026 over the delay. ANSSI is proceeding with preparation guidance regardless of the legislative timeline.
See your organization’s real-time NIS2 and DORA exposure gaps
Compliance-on-paper and compliance-in-practice are not the same test. CybelAngel’s continuous external threat intelligence is built to close that gap, not add another document to it.
