Why 2026 Is a Turning Point
Cybersecurity regulation in Europe has entered a new era. With DORA fully enforced since January 2025 and NIS2 now transposed into Cypriot law, businesses across the island face concrete obligations that carry significant penalties for non-compliance.
The numbers tell a stark story: 53% of Cypriot businesses reported suffering a cyberattack or breach in 2025, up from 47% the year before. Companies faced an attack on average every eight days, with financial losses averaging €12,000 per incident. Phishing alone accounted for 44% of attacks on businesses.
This is no longer a theoretical risk. For organisations in finance, hospitality, professional services, and technology, the regulatory and threat landscape has shifted from preparation to enforcement. This guide explains what each regulation requires, how they differ, and the concrete steps your business needs to take.
Understanding NIS2: The EU’s Expanded Cybersecurity Framework
The Network and Information Systems Directive 2 (NIS2) is the European Union’s updated cybersecurity framework, replacing the original 2016 NIS Directive. It significantly broadens the scope of organisations that must meet cybersecurity standards and introduces tougher enforcement mechanisms.
What Changed from NIS1 to NIS2
- Scope expanded from 7 to 18 sectors, now covering energy, healthcare, transport, water supply, digital infrastructure, managed IT services, and more
- Entities classified as “essential” or “important,” with different penalty thresholds for each
- Personal liability for senior executives who fail to ensure compliance
- Mandatory incident reporting within 24 hours of detection (Cyprus requires just 6 hours for early warnings)
- Supply chain security obligations, requiring organisations to audit and monitor their third-party vendors
NIS2 in Cyprus: Current Status
Cyprus transposed the NIS2 Directive into national law through Law 60(I)/2025, the Network and Information Systems Security (Amendment) Law, effective from April 2025. The Digital Security Authority (DSA) serves as the national competent authority responsible for oversight and enforcement.
Key Cyprus detail: Cypriot entities must submit early warnings within 6 hours of detecting an incident, well ahead of the NIS2 baseline of 24 hours. This is one of the strictest reporting timelines in the EU.
Who Is Affected
NIS2 applies based on both sector and size. Generally, medium and large enterprises in covered sectors fall within the scope, meaning organisations that meet both a staffing threshold (50 or more employees) and a financial threshold (annual turnover or balance sheet exceeding €10 million). Certain entity types, such as DNS providers and trust service providers, are in scope regardless of size. Covered sectors include:
- Critical infrastructure: Energy, transport, and water supply
- Healthcare: Hospitals, laboratories, pharmaceutical companies
- Financial services: Banks, insurance, and investment firms (also subject to DORA)
- Digital infrastructure: Cloud providers, data centres, managed service providers
- Digital services: DNS providers, domain registrars, online marketplaces
- Other sectors: Food production, chemicals, manufacturing
Understanding DORA: Digital Operational Resilience for Finance
The Digital Operational Resilience Act (DORA) is an EU regulation that has been fully applicable since 17 January 2025. Unlike NIS2, which is a directive requiring national transposition, DORA applies directly and uniformly across all EU member states.
What DORA Requires
DORA goes beyond traditional cybersecurity. It mandates that financial entities can demonstrate operational resilience: the ability to withstand, respond to, and recover from ICT-related disruptions. Core requirements include:
- A comprehensive ICT risk management framework covering identification, protection, detection, response, and recovery
- Incident classification and reporting for major ICT-related incidents without undue delay
- Regular digital operational resilience testing, including threat-led penetration testing for significant entities
- Third-party risk management with contractual provisions for ICT service providers
- Information sharing arrangements to exchange cyber threat intelligence
Who Is Affected
DORA applies to virtually all regulated financial entities, regardless of size. Even a two-person fintech falls within scope. Covered entities include banks, credit institutions, investment firms, insurance and reinsurance companies, payment institutions, electronic money institutions, crypto-asset service providers, and critical ICT third-party service providers that serve the financial sector.
2026 Developments
While DORA has been enforceable since January 2025, regulators treated the initial period as transitional. In 2026, the landscape is shifting:
- The European Supervisory Authorities designated critical ICT third-party providers in November 2025
- The second annual Register of Information submission is due in March 2026
- The European Commission’s Article 58 review (due January 2026) is assessing whether to expand DORA’s scope to include statutory auditors
- Supervisory enforcement is moving from gap identification to active compliance checks
NIS2 vs DORA: Side-by-Side Comparison
While both frameworks aim to strengthen cybersecurity, they differ significantly in scope, enforcement mechanisms, and applicability. The table below summarises the key differences.
| Feature | NIS2 | DORA |
| --- | --- | --- |
| Regulatory Type | Directive (transposed into national law) | Regulation (directly applicable EU-wide) |
| Scope | 18 sectors including energy, transport, healthcare, digital infrastructure | Financial sector only: banks, insurers, fintechs, payment providers |
| Size Threshold | Medium/large: 50+ employees AND €10M+ turnover | All entities, regardless of size |
| Enforcement | National competent authorities | European Supervisory Authorities (ESAs) |
| Penalties | Up to €10M or 2% global turnover (essential entities) | Up to 2% of annual worldwide turnover; 1% daily for critical ICT providers |
| Incident Reporting | 24-hour early warning (6 hours in Cyprus) | Major ICT incidents reported without undue delay |
| Status (2026) | Transposed in Cyprus (Law 60(I)/2025); enforcement active | Fully active since January 2025; 2026 supervisory review underway |
| Relationship | General cybersecurity baseline | Lex specialis; takes precedence for financial entities |
Important: DORA is a lex specialis to NIS2. Financial entities that comply fully with DORA are considered to have satisfied their equivalent NIS2 obligations. However, if your organisation operates across sectors (e.g., a technology firm serving both financial and healthcare clients), you may need to comply with both frameworks independently.
How DORA and NIS2 Work Together
One of the most common questions businesses ask is whether compliance with one framework covers the other. The short answer: it depends on direction.
DORA Compliance Covers NIS2, But Not the Reverse
Article 1(2) of DORA establishes it as a lex specialis (special law) to the NIS2 Directive. This means that where the two frameworks overlap (ICT risk management, incident reporting, and resilience requirements), DORA takes precedence for financial entities. A bank, insurer, or fintech that fully complies with DORA is considered to have satisfied the equivalent NIS2 obligations automatically.
However, the reverse is not true. NIS2 sets a broader cybersecurity baseline but does not match the depth of DORA’s requirements. A financial entity that only meets NIS2 standards would fall short on DORA’s mandatory threat-led penetration testing, detailed ICT third-party provider registers, and specific operational resilience testing obligations.
The Hierarchy in Practice
- If you are a financial entity: DORA is your primary obligation. Full DORA compliance satisfies overlapping NIS2 requirements.
- If you operate in a non-financial sector (healthcare, energy, transport, etc.), NIS2 is your governing framework. DORA does not apply to you.
- If you operate across sectors (e.g., a technology firm serving both financial and healthcare clients): you may need to comply with both frameworks independently for different parts of your business.
What Both Frameworks Share
Despite their differences, NIS2 and DORA share a common foundation. Both require formalised risk management, timely incident reporting to authorities, supply chain and third-party oversight, executive accountability with personal liability, and business continuity planning. Organisations that build a strong compliance programme for one framework will find significant overlap that accelerates readiness for the other.
Why This Matters Now: The 2026 Enforcement Reality
The preparation phase is over. Both regulations are active, and 2026 marks the shift from awareness to accountability.
Regulatory Pressure Is Increasing
- National competent authorities are identifying regulated entities and conducting audits
- The European Commission sent reasoned opinions to 19 member states (including Cyprus, before its transposition) for delayed NIS2 implementation
- DORA supervisory reviews are actively assessing financial entities’ resilience frameworks
- Penalties are now enforceable, with several EU countries beginning systematic audits
The Cyber Threat Landscape Is Escalating
Cyprus-specific data paints a concerning picture. According to national cybersecurity surveys, ransomware attacks on Cypriot businesses rose significantly in 2025–2026. Nearly one in four businesses has not created or updated its cybersecurity policies, and 74% of businesses are unaware of available cybersecurity training. In the most recent incident data, phishing remains the dominant attack vector, accounting for the majority of successful breaches reported by affected organisations.
The combination of increasing regulatory enforcement and escalating threats means that non-compliance is both a legal risk and an operational one.
Six Steps to Compliance
Navigating DORA and NIS2 compliance requires structured execution, not guesswork. CDMA Services Ltd (cdma.com.cy) is an ISO 27001-certified managed security and IT services provider with over 20 years of operational experience in Cyprus’s regulated sectors. As a Sophos Platinum Partner and Sophos MSP Partner of the Year FY24, CDMA delivers each of these six steps as part of a comprehensive compliance engagement — from initial assessment through to ongoing managed security.
1. Conduct a Comprehensive Gap Analysis
Before you can comply, you need to understand where you stand. A gap analysis should assess your current cybersecurity posture against the specific requirements of NIS2, DORA, or both, depending on your sector.
This means evaluating existing policies, incident response capabilities, technical controls, and governance structures. Most organisations overestimate their readiness; a structured assessment reveals the real picture.
2. Implement a Risk Management Framework
Both NIS2 and DORA require formalised risk management. This includes continuous vulnerability management, regular risk assessments, and security controls aligned with recognised standards such as ISO 27001 or the NIST Cybersecurity Framework.
For DORA-regulated entities, the ICT risk management framework must cover the full lifecycle: identification, protection, detection, response, and recovery.
3. Strengthen Incident Detection and Response
Both regulations impose strict incident reporting timelines. NIS2 requires a 24-hour early warning (6 hours in Cyprus), while DORA mandates reporting of major ICT incidents without undue delay.
Meeting these timelines requires 24/7 monitoring, automated detection capabilities, clear escalation procedures, and staff who know exactly what to do when an incident occurs.
4. Secure Your Supply Chain
Supply chain security is one of the most significant changes introduced by NIS2. Organisations must evaluate the cybersecurity practices of their IT vendors, ensure contractual compliance provisions, and continuously monitor third-party access points.
Under DORA, financial entities must maintain detailed registers of their ICT third-party arrangements and ensure that contracts include provisions for audit rights, exit strategies, and incident notification.
5. Build Genuine Business Continuity and Resilience
This is where many organisations fall short. Compliance requires more than having a backup; it requires a tested, documented continuity plan that includes disaster recovery procedures, redundancy systems, and regular resilience testing.
DORA specifically requires threat-led penetration testing for significant financial entities, going beyond standard business continuity planning.
6. Establish Governance and Executive Accountability
Both NIS2 and DORA place responsibility squarely on senior management. Under NIS2, executives can face temporary bans from management functions for failing to ensure compliance. This means cybersecurity must be a standing board-level agenda item, with defined responsibilities, adequate budgets, and ongoing training programmes.
The Cost of Non-Compliance
Financial Penalties
- NIS2: Up to €10 million or 2% of global annual turnover for essential entities (whichever is higher)
- NIS2: Up to €7 million or 1.4% of global annual turnover for important entities
- DORA: Up to 2% of total annual worldwide turnover for financial entities; critical ICT third-party providers face periodic penalties of up to 1% of average daily worldwide turnover
Beyond Fines
Financial penalties are only part of the picture. Non-compliance can result in:
- Personal liability and temporary management bans for executives
- Mandatory public disclosure of compliance failures
- Reputational damage that erodes customer and partner trust
- Operational disruptions that compound the original incident
With Cypriot businesses facing an attack every eight days on average, the question is not whether a compliance gap will be tested, but when.
Why Many Cyprus Businesses Are Not Yet Ready
Despite growing awareness, significant gaps remain. Research indicates that nearly one in four Cypriot businesses has not created, updated, or revised its cybersecurity policies. 74% are unaware of available training resources. Many still rely on reactive IT support rather than proactive, compliance-aligned strategies.
Common shortcomings include:
- No formalised incident response plan
- Outdated infrastructure that cannot support continuous monitoring
- Lack of documented risk assessments
- No supply chain security programme
- Cybersecurity treated as an IT issue rather than a business priority
Each of these gaps represents both a regulatory exposure and a direct operational risk. Addressing them is not a compliance exercise – it is a business decision.
Compliance as a Strategic Advantage
DORA and NIS2 are often framed as regulatory burdens. In practice, they represent an opportunity for businesses that act decisively.
Organisations that invest in resilience now will reduce operational risk, build stronger relationships with customers and partners who increasingly demand demonstrable security practices, and position themselves favourably in a market where trust and governance credibility are genuine differentiators. Those who delay will face mounting regulatory pressure, increasing threat exposure, and the growing likelihood that a single incident causes disproportionate damage.
Assess Your Compliance Posture – Talk to CDMA
CDMA Services holds ISO 27001 certification, operates a 24×7×365 managed security capability, and brings over 20 years of experience supporting regulated organisations across Cyprus. As a Sophos Platinum Partner and Sophos MSP Partner of the Year FY24, CDMA combines certified security operations with practical compliance delivery — including dedicated vCISO and IT Compliance services designed for organisations navigating DORA and NIS2.
Whether you are a financial institution subject to DORA, an essential service provider under NIS2, or a business operating across both frameworks, CDMA can help you:
- Assess your current compliance posture against NIS2 and DORA requirements
- Design and implement a tailored compliance roadmap
- Deploy 24/7 monitoring, incident response, and business continuity solutions
- Provide ongoing vCISO leadership and strategic IT guidance
Book a compliance assessment. Contact CDMA to arrange an initial conversation with one of our compliance specialists. Most assessments are completed within two weeks and result in a clear gap report and prioritised action plan.