European cyber compliance: NIS2, DORA, AI Act

The European regulatory landscape in 2026

The European Union has deployed an unprecedented regulatory framework for cybersecurity. Three major regulations converge in 2026, creating overlapping obligations for most organizations operating in or selling into the EU.

This convergence represents a fundamental shift in how the EU regulates digital risk. Where previous frameworks were advisory or sector-specific, NIS2, DORA, and the AI Act establish binding obligations with substantial penalties, mandatory management accountability, and harmonized reporting requirements across member states. For organizations that previously treated cybersecurity as an IT matter, these regulations elevate it explicitly to a board-level governance obligation.

The three pillars of European cyber compliance

NIS2 (Network and Information Systems Directive 2)

  • Deadline: national transposition required before October 2026
  • Scope: 18 sectors, essential and important entities
  • Penalties: up to EUR 10M or 2% of global annual turnover

DORA (Digital Operational Resilience Act)

  • In force: since January 2025
  • Scope: financial sector exclusively
  • Key requirement: mandatory Register of Information (RoI) for ICT third-party providers

EU AI Act

  • Full application: August 2026
  • Scope: all high-risk AI systems
  • Penalties: up to EUR 35M or 7% of global annual turnover

GDPR: the foundational layer

GDPR continues to underpin data protection requirements across all three frameworks. Any security incident involving personal data triggers parallel GDPR breach notification obligations. Organizations implementing NIS2 or DORA compliance programs must account for GDPR requirements, as incident response procedures and security controls must satisfy both regulatory sets simultaneously.

The interaction between GDPR and NIS2 is particularly important: a network and information systems incident that also involves personal data triggers both NIS2 reporting timelines (24-hour early warning) and GDPR reporting timelines (72-hour notification to the supervisory authority). These are separate obligations reported to different authorities.

NIS2 in depth

NIS2 significantly expands the scope of the original NIS Directive, adding sectors and lowering size thresholds. The directive establishes a two-tier entity classification:

Essential entities face direct supervision and can be subject to on-site inspections. Important entities face lighter supervision, primarily reactive (in response to incidents or complaints).

The key policy innovation in NIS2 is personal liability for senior management. Directors who fail to ensure NIS2 compliance can be held personally responsible, including through bans from management positions. This provision is designed to ensure that cybersecurity receives board-level attention rather than being delegated entirely to technical teams.

DORA in depth

DORA addresses a specific gap in financial services regulation: operational resilience to ICT disruptions, including cyberattacks. It applies to banks, insurance companies, investment firms, payment processors, and the ICT service providers that serve them.

The Register of Information (RoI) requirement is DORA’s most distinctive element: financial entities must maintain a detailed inventory of all ICT third-party service providers, including contractual terms, criticality assessments, and concentration risk analysis. This register must be submitted to supervisory authorities on request.

DORA also mandates digital operational resilience testing, including Threat-Led Penetration Testing (TLPT) for significant entities — a red team exercise conducted by qualified testers against live production systems.

EU AI Act in depth

The AI Act classifies AI systems by risk level. Prohibited systems (social scoring, real-time biometric surveillance) are banned outright. High-risk systems face stringent requirements for transparency, human oversight, accuracy testing, and technical documentation.

Many security applications may qualify as high-risk under the AI Act: AI-based fraud detection, threat assessment systems, access control, and vulnerability analysis tools could all fall under scrutiny depending on their application context. Organizations deploying AI in these areas should conduct a formal classification assessment.

Convergences and synergies

These three regulations share common requirements: risk management, incident reporting, technical documentation, management accountability, and supply chain security. A unified compliance approach — building a shared risk management framework, shared incident response procedures, and shared vendor assessment process — allows organizations to satisfy all three frameworks simultaneously rather than running three parallel compliance programs.

The practical implementation advantage is significant. Organizations that build incident response procedures for NIS2 can adapt them for GDPR and DORA with targeted modifications rather than building three separate procedures. Risk assessment frameworks for NIS2 can be extended to cover DORA ICT risk and AI Act risk assessments. Vendor security assessments can satisfy NIS2 supply chain requirements, DORA third-party requirements, and AI Act supply chain requirements in a single process.