NIS2 and DORA: what your EU customers will require of you

You probably aren’t regulated by either. Your EU customers are — and both regimes make their vendors’ security and resilience their legal problem, which makes it your commercial one.

What they are

NIS2 is the EU’s cybersecurity directive for “essential” and “important” entities — energy, health, digital infrastructure, and more — implemented through national law. It puts personal accountability on management, mandates risk-management measures, requires fast incident reporting (an early warning within 24 hours of becoming aware of a significant incident), and — the part that reaches you — obliges covered entities to manage supply-chain security, including their service providers.

DORA — the Digital Operational Resilience Act, applicable since 17 January 2025 — does the same job for financial entities specifically, with more precision: prescriptive requirements for the contracts banks, insurers, and investment firms sign with their ICT third-party service providers, and heightened obligations where a service supports critical or important functions.

Who actually needs them

Directly: companies operating in-scope services within the EU. One caveat worth checking before you assume you are out of scope: NIS2 also reaches certain providers established outside the EU (cloud computing, managed services, data centres and similar digital services) that offer those services inside it, so confirm your service type against the directive rather than your postal address. Indirectly — the common case for Canadian SaaS — any vendor selling to covered EU customers. NIS2 arrives as security questionnaires and incident-notification clauses; DORA arrives as a contract addendum: audit and access rights, incident duties, exit and termination assistance, subcontracting transparency, and inclusion in the customer’s register of information.

What it takes

For a vendor, readiness for both is mostly being able to demonstrate a real program: documented risk management, incident response with committed notification timelines you can actually meet, vulnerability handling, and business continuity. The new muscle for most startups is the incident-notification SLA — promising notice within 24 hours requires detection and escalation that works on a Saturday, because your customer’s own clock to its regulator starts when it becomes aware of the incident, and for an incident in your service you are how it becomes aware.

DORA adds the resilience layer: recovery objectives you've actually tested, a subcontractor chain you can disclose, and a credible exit story — how a customer gets their data and continuity if you fail or they leave. Most of the effort is evidence and contractual honesty, not new controls.

How they map to what you may already have

Both regimes’ measures map closely onto ISO 27001 — EU customers routinely accept ISO certification as the backbone of a vendor’s answer — and substantially onto SOC 2. One program covers both; the delta is contractual (notification clauses, DORA addenda) and evidentiary (tested recovery objectives, a disclosed subcontractor chain) rather than technical.

The Canadian angle

The same logic is arriving at home: Canada’s proposed critical-infrastructure cyber legislation mirrors NIS2’s approach, and OSFI’s B-10 (third-party risk) and B-13 (technology and cyber risk) guidelines impose DORA-like third-party-risk expectations on Canadian financial institutions. A program built for your EU customers answers OSFI-driven questionnaires from Canadian banks almost verbatim — one more case of building once and mapping outward.

How I help

I make sure NIS2- and DORA-driven requirements land in your existing program instead of spawning parallel projects, review the addenda against what you can actually deliver, and sit on the customer calls when their security team wants specifics. Enterprise deal support when a specific deal is in flight; compliance readiness to make the answers durable.

An NIS2 questionnaire or DORA addendum on your desk?

The next step is a 30-minute conversation — no pitch, no obligation. An honest read on where you stand and what actually matters next.