Last Updated on 5 March 2026
Cyber security, NIS2, and DORA – few topics are currently as important to decision-makers. But there is more to these buzzwords than just another regulatory exercise. Those who see the new requirements as an opportunity will not only strengthen their compliance, but also the operational resilience of their entire organization.
NIS2 and DORA are more than just buzzwords
The cyber security environment is similar to that of artificial intelligence: while everyone is talking about ChatGPT in AI, NIS2 and DORA dominate the discussion here. Ultimately, both are current entry points into an overarching topic – the systematic increase in the security level of organizations.
The core objective of both regulations is the same: to harmonize and strengthen IT security. DORA is specifically aimed at financial companies and their third-party ICT service providers, while NIS2 addresses numerous critical sectors across all industries. Regardless of which regulation applies to your organization, the underlying areas of action are largely identical.
The real challenge: from directive to effectiveness
IT security is not a new topic. Many larger organizations already have an established Information Security Management System (ISMS), some with ISO certification. This is a good starting point – but that’s all it is.
Because the crucial questions with NIS2 and DORA are:
- Are your guidelines and procedures truly effective – or do they only exist on paper? ISO certification may be limited to certain areas of an organization. What happens in the non-certified areas?
- Are your security measures implemented efficiently and effectively in day-to-day operations? Or do they require a disproportionate amount of manual effort, leading to workarounds and gaps in everyday use?
- Can you prove their effectiveness to the BSI in an emergency? Are you confident that your evidence will stand up to scrutiny?
- Are you satisfied with the implementation of your IT security projects? Are measures really being completed and embedded – or do they get stuck in the planning phase?
This is precisely where the gap lies that many organizations underestimate.
Where the need for action for NIS2 and DORA really lies
The path to NIS2 or DORA compliance follows a proven pattern: impact analysis, assessment, gap analysis, action planning, implementation, and finally review. Most organizations have already taken the first steps—finding out whether they are affected and where they stand—or can manage them with existing resources. An NIS2 assessment is used to determine the organization's status quo; we have developed one that enables a structured and practical review of the current situation. The real challenge begins after that: with the concrete implementation of measures. And here we see three areas in practice that are neglected by almost all larger organizations:
- Business continuity management (BCM): Many organizations have BCM concepts, but these are often incomplete or not integrated with actual business processes. Effective BCM requires solid process management – and this is often where the problem lies.
- Disaster recovery (DR) plans: Creating DR plans that go beyond generic templates and actually work in an emergency requires a deep understanding of the IT landscape and business requirements.
- DR test planning and execution: A DR plan that has never been tested is essentially useless. The systematic planning, execution, and evaluation of DR tests must not disrupt operations and are a separate project management undertaking that requires professional management.
Our approach to NIS2 and DORA: Effective solutions instead of paper tigers
Measures in the security environment are complex. Every organization has a different starting point, different priorities, and must involve various stakeholders—from IT and specialist departments to auditors and end users.
We therefore take a pragmatic, step-by-step approach:
- Solution design together with the customer: We don’t develop solutions in an ivory tower, but work closely with your teams. In doing so, we take into account your specific starting point and priorities – because what is urgent for one organization may be of secondary importance to another.
- Step-by-step implementation in stages: The desired level of security is rarely achieved in one fell swoop. We plan measures so that they are rolled out in sensible stages and are effective at all times – not just after the entire program has been completed.
- Professional project management for complex security programs: Security measures require precise but dynamic planning and close coordination with all parties involved. That is precisely our strength.
- Governance and compliance systems that work: Whether it’s creating, reviewing, or completing guidelines and work instructions, we ensure that rules and regulations not only exist but are also put into practice on a daily basis.
The right time is now
DORA has a head start over NIS2: Auditors are already taking a closer look, and this is giving rise to specific implementation requirements. The same dynamic will apply to NIS2 as soon as compliance is put to the test in annual audits.
Those who act proactively now, instead of waiting for the pressure of audits, will gain valuable time – and avoid hasty emergency solutions under time pressure.
Do you know whether your organization is affected by NIS2 or DORA? Have you identified gaps, but implementation is stalling? Then let's talk. We bring project management experience and technical depth to the table to work with you to develop and implement effective security solutions – pragmatically, step by step, and sustainably.
