Cyber-attacks are on the rise. According to the UK Department for Science, Innovation and Technology (DSIT)’s Cyber Security Breaches Survey 2025, 67% of medium-sized businesses and nearly three-quarters (74%) of large businesses suffered some form of cyber breach or attack in 2024. Emerging technologies like quantum computing and AI are making the situation even more complex.
For organizations of all sizes, across all sectors, operating without a clear cybersecurity strategy and plan is no longer viable. Having no measures in place not only exposes a business to serious risk, but in many jurisdictions it also constitutes a regulatory breach.
Complying with EU rules such as the Network and Information Security Directive (NIS2) and the Digital Operational Resilience Act (DORA) has never been more important. While they provide vital guardrails, they can feel confusing and demand major process changes within tight timeframes.
Only when organizations understand how regulations and protocols actively strengthen their cybersecurity protections will they feel empowered to invest in them.
This is not only critical for cybersecurity, but also for business competitiveness.
NIS2 in Focus
NIS2 is the EU's updated cybersecurity directive, intended to raise the overall cybersecurity and resilience of essential services and key industries across Europe.
Under NIS2, in-scope medium and large organizations must implement security measures such as risk management and incident response, report significant incidents to the authorities and ensure that their suppliers and partners also work to good cybersecurity standards.
The directive's purpose is to protect essential services such as healthcare, energy and transport. Yet in Ireland, one of Europe's most digitally advanced economies, 38% of businesses admitted they are unprepared to comply with NIS2. This is likely mirrored across the EU, especially among SMEs and non-financial entities that now face stricter accountability and reporting obligations.
NIS2 introduces stricter sanctions for non-compliance than its predecessor. Depending on the type of organization, fines can reach up to €10m ($11.6m) or 2% of global annual turnover, whichever is higher. This applies to 'essential' entities, for example medium and large organizations operating in sectors such as energy, utilities, transport and health.
For 'important' entities, for example medium and large businesses operating in sectors such as digital and ICT services, waste management, or postal and courier services, fines can reach up to €7m ($8.1m) or 1.4% of global annual turnover, whichever is higher.
These more stringent measures are designed to ensure cybersecurity is treated as a board level issue.
DORA for Financial Services
The purpose of DORA is to prepare financial institutions for digital disruptions such as cyber-attacks, ensuring that they can withstand and recover as swiftly and effectively as possible.
It applies to almost all financial entities operating in the EU, as well as to critical ICT third-party service providers, and the onus is on them to manage ICT risk, test their resilience regularly and report incidents comprehensively and quickly.
As with the sectors covered by NIS2, financial institutions that fail to adhere to DORA face significant and proportionate penalties; the consequences of non-compliance include significant corrective measures and restrictions on operations.
In extreme cases, persistent non-compliance could lead to the loss of authorization to operate certain regulated financial services.
Where to Begin with Compliance
Awareness is one thing; understanding the practicalities of implementation is another. Organizations must identify how these regulations apply to their operations, adopt robust risk management frameworks, and develop controls policies and processes supported by a governance model that provides senior management oversight.
The shift of cybersecurity responsibility from a business's IT team to board level can feel daunting, but the first step is to educate those who are accountable on which rules their organization must follow. For example, a business based outside the EU may still be affected, because in-scope customers must flow security requirements down through their supply chains.
Be prepared to report incidents within the required timeframes. Sharing details of an attack also helps the wider industry learn from the experience. NIS2 requires an early warning within 24 hours of becoming aware of a significant incident, followed by a fuller incident notification within 72 hours and a final report within a month. Under DORA, a major ICT-related incident must be reported within four hours of being classified as major, and no later than 24 hours after the entity becomes aware of it.
A good starting point is to have processes in place to report an incident within the required timeframe and to assign reporting responsibilities to named individuals or teams within the business.
Because both NIS2 and DORA require adequate vendor and supply chain risk management, procurement and supplier management teams must also understand how to spot and mitigate risk.
Why Training is the Strongest Defense
However, processes and frameworks only go so far. Leadership and staff must be adequately trained to understand cybersecurity risks and protocols, so that proactive measures are implemented and the business stays compliant with regulation. Training should include scenario testing and be continuous, engaging and role-specific.
ISACA's research found that 61% of European cybersecurity professionals say their organization's cybersecurity team is understaffed, and over half (52%) believe their organization's cybersecurity budget is underfunded. Businesses that do not tackle these problems are setting themselves up to fail, and to face penalties as a result.
Training also builds a culture of resilience, where every employee understands their role and feels empowered to act.
Regulation is Protection, Not Punishment
Regulations like DORA and NIS2 are significant milestones for the EU, positioning the region as a global leader in prioritizing cybersecurity and putting it at the top of the agenda for critical infrastructure and the organizations that operate in the market.
Being confronted with a new policy to comply with within a set timeframe can feel overwhelming for business leaders, but taking the time to become educated and investing in upskilling is crucial to avoiding unnecessary stress and cost.
This is a business imperative, not just to avoid fines and remedial measures, but to build trust with partners, customers and regulators and to protect the business’ reputation. Compliance is also a market enabler, especially for financial services organizations where non-compliance could block access to critical EU markets.
The businesses that thrive in the future will be those that view regulation not as a hurdle but as a catalyst for building an educated, well-trained workforce and a cyber-aware culture that protects employees, customers and the wider economy.