NIS2 and DORA: Why Cybersecurity Has Become a Board-Level Responsibility

The introduction of the NIS2 Directive and the Digital Operational Resilience Act (DORA) marks a fundamental shift in how cybersecurity is regulated across Europe. Cyber risk is no longer treated as a technical issue managed solely by IT teams. It is now explicitly recognised as operational risk, with accountability placed on executive management and boards.

For organisations operating in regulated or critical sectors, these directives raise expectations around prevention, availability, and demonstrable control. Regulators will assess not just what security tools are in place, but whether incidents were prevented, how risks are monitored, and how leadership governs cyber resilience.

Email systems, domain infrastructure, and DNS are central to these expectations, as they represent some of the most exploited and business-critical attack surfaces.

Organisations that rely on baseline security or reactive response models may struggle to meet the new standards.

In this article, we explain why NIS2 and DORA matter, what they mean in practice, and how your organisation can address the requirements in a pragmatic, sustainable way.

Why These Regulations Exist

The EU’s NIS2 Directive and the Digital Operational Resilience Act (DORA) were introduced in response to a fundamental shift in the cyber threat landscape, as well as the real-world impact of cyber incidents on economies, societies, and critical services.

NIS2 expands and strengthens the original NIS framework, significantly widening the scope of organisations required to manage cybersecurity risk. Its objective is to raise the overall level of cyber resilience across essential and important entities, particularly those delivering services critical to society, the economy, and public trust.

DORA applies to the financial sector regardless of size and extends to ICT and digital service providers that support financial institutions, including cloud, infrastructure, and managed service providers. Some suppliers may fall under direct regulatory oversight.

Together, NIS2 and DORA reflect a shared reality: cyber incidents are no longer isolated IT failures. They disrupt essential services, impact supply chains, and undermine confidence in critical infrastructure. Attacks are increasingly targeted, persistent, and designed to bypass traditional, perimeter-based defences.

Attack techniques have evolved accordingly. Phishing and impersonation campaigns, domain abuse, and DNS-based disruptions are now among the most common entry points for serious incidents, often slipping past baseline or default security controls.

These regulations respond to that reality by shifting the focus from:

  •  Individual tools → systemic resilience
  •  IT responsibility → executive accountability
  •  Reactive response → prevention and demonstrable control

In short, regulators are no longer asking what security products you use. They are asking what risks you have reduced, what incidents you have prevented, and how you can prove it.

What This Means for Organisations

One of the most significant changes introduced by NIS2 is the redefinition of accountability. Cybersecurity is no longer treated as an internal operational concern. Executive management is explicitly responsible for ensuring that cyber risks are understood, governed, and mitigated.

This does not mean executives are expected to manage technical details. It means they are expected to understand how cyber risk affects business operations, what preventive measures exist, and how incidents would be reported and explained.

DORA reinforces this by framing cyber resilience as a prerequisite for operational continuity. The expectation is not only that organisations respond to incidents, but that they design systems and processes to withstand disruption.

Who Is Most Affected by NIS2 and DORA?

NIS2 and DORA significantly broaden the scope of EU cybersecurity regulation. They apply not only to critical and financial organisations, but also to the digital and infrastructure providers that support them.

NIS2 covers organisations deemed Essential or Important Entities, including energy, transport, healthcare, banking and financial infrastructure, public administration, and digital infrastructure such as cloud, data centres, and DNS. Many supporting industries, including IT services, logistics, manufacturing of critical products, and research, are also in scope.

Many organisations fall under both directives, particularly those providing digital infrastructure or security services to financial or essential entities. In all cases, accountability extends to executive management, supply chains are included, and regulators expect clear evidence of control, not just technical safeguards.

What Regulators Expect in Practice

While implementation varies by country and sector, the core expectations are consistent.

Organisations are expected to demonstrate:

1. Risk Management and Prevention

  •  Identification of key attack surfaces (email, domains, DNS, infrastructure)
  •  Preventive controls rather than reliance on incident response alone
  •  Continuous monitoring, not periodic checks

2. Incident Detection, Reporting, and Evidence

  •  Ability to detect incidents early
  •  Mandatory reporting within defined timelines
  •  Evidence of what was blocked, detected, and mitigated

3. Availability and Resilience

  •  Protection against outages and denial-of-service attacks
  •  Design choices that reduce single points of failure
  •  Infrastructure that scales with growth and complexity

4. Governance and Accountability

  •  Clear ownership of cyber risk
  •  Documentation suitable for audits and regulatory review
  •  Executive-level visibility into cyber posture

The Consequences of Non-Compliance

The consequences of non-compliance extend beyond fines. Organisations that experience incidents without being able to demonstrate adequate controls may face regulatory audits, enforced remediation, and reputational damage.

There is also a leadership dimension. When cyber incidents occur, responsibility no longer stops with technical teams. Executive management is expected to account for decisions, preparedness, and oversight. In this context, reliance on baseline security or reactive models becomes increasingly difficult to justify.

Addressing the Requirements Without Adding Complexity

Meeting the expectations of NIS2 and DORA does not require radical transformation. In many cases, it involves strengthening prevention and visibility in areas that are already critical to daily operations.

Email security is a clear example. As the most common entry point for cyber incidents, email requires controls that can stop modern, targeted attacks before they reach users. This reduces both operational risk and compliance exposure.

Domain management is another often underestimated area. Over time, organisations accumulate old and adjacent domains that remain active and exploitable. Continuous monitoring and centralised oversight help reduce impersonation risk and improve accountability.

DNS resilience plays a similarly important role. DNS failures can instantly disrupt digital services, making availability and continuity key regulatory concerns. Designing DNS infrastructure for resilience and scale supports both operational stability and compliance expectations.

Compliance Is About Control, Not Checklists

A central theme of NIS2 and DORA is the emphasis on evidence and control. Organisations are expected to show:

  •  What risks were identified
  •  What incidents were prevented
  •  How availability and resilience are ensured
  •  Who is accountable

Approaches that integrate smoothly into existing environments and reduce operational burden help organisations move from reactive security to proactive governance. This shift not only supports compliance, but also strengthens overall resilience.

Next Steps: A Practical Starting Point

For many organisations, the most valuable first step is gaining a clear, evidence-based view of current exposure across email, domains, and DNS, without committing to large-scale change.

A focused assessment or proof-of-concept can help answer questions such as:

  •  Which threats are currently being missed?
  •  Where are the biggest compliance gaps?
  •  What evidence could be presented in an audit or incident review?

These insights enable informed decisions at both technical and executive levels and help move compliance discussions from theory to practice.

How We Can Support You

Navigating NIS2 and DORA is not just a technical exercise; it requires translating regulatory expectations into practical controls, clear accountability, and defensible decisions at leadership level.

We work with organisations in regulated and critical sectors to assess exposure across email, domain, and DNS infrastructure, and to map these risks directly to the expectations set out in NIS2 and DORA. This helps teams and executives understand where current controls are sufficient, where gaps exist, and how compliance can be strengthened without unnecessary complexity.

If you would like to discuss how these directives apply to your organisation, or explore pragmatic ways to improve prevention, resilience, and evidence of control, we would be happy to help.

Cybersecurity is now a governance issue. Having the right partner can make the difference between reactive compliance and sustained operational resilience.

Want to know more?

Contact us if you would like to discuss how these directives apply to your organisation, or explore pragmatic ways to improve prevention, resilience, and evidence of control.
