NIS2, ISO 27001 and DORA Compliance Manual (version 2026)
Align NIS2, DORA and ISO 27001:2022 with a practical roadmap—scope, roles, third-party risk, evidence, KPIs and human risk—turning compliance into resilience.

Whether you're a CISO, CIO, HR manager, or member of senior management, the 2026 horizon redefines the rules of the game in cybersecurity. Far from being a simple formality, regulatory compliance becomes a central component of the strategic approach that requires a comprehensive and proactive vision. This NIS2, DORA, and ISO 27001:2022 compliance guide is your practical reference for navigating the convergence of these regulations and transforming obligation into a competitive advantage.
The new regulatory context in Europe
The level of demand has risen. It is no longer enough to react; it is now mandatory to build and demonstrate robust operational resilience. The NIS2 Directive, the DORA regulation and the ISO 27001:2022 standard define this new standard, overseen by entities such as ENISA and the EBA:
- NIS2 Directive: Dramatically expands its scope to new "essential" and "important" sectors, strengthening security obligations, incident reporting and the direct responsibility of the management body.
- DORA Regulation: Establishes a binding digital operational resilience framework for the entire financial sector, harmonizing ICT risk management, stress testing and control over critical suppliers.
- ISO 27001:2022: The 2022 update of the standard places new emphasis on threat intelligence, cloud security and, crucially, human-centric controls, making it a fundamental reference in this area.
The role of the human factor in compliance
Beyond technology, the common denominator of these regulations is the human factor. Compliance with NIS2 and DORA by 2026 depends directly on the cyber defense culture, the training of your teams, and the involvement of management. It is no longer enough to have policies; it is necessary to demonstrate that they function through people's behavior.
To achieve this, it is essential to understand how to manage human cyber-risk holistically, making each employee an active layer of defense. This involves moving beyond traditional awareness and adopting advanced simulation and training strategies that build measurable and real resilience.
The scope of compliance in 2026: Who needs to act and why
The first question in any conversation about compliance is always the same: "Does this affect me?" In 2026, the answer is, with high probability, "yes". The regulatory perimeter has expanded significantly, bringing in thousands of companies that until now operated with less regulatory pressure. Forget the old classifications; the aim of the European digital strategy, detailed in official EU sources such as this one, is to raise the level of cybersecurity across the Single Market.
Which sectors are required under NIS2, DORA and the new ISO
Identifying whether NIS2 or DORA applies to you, or whether you need ISO 27001:2022 certification, is the first step, as each regulation has a different focus. As described in this guide, the key is to understand your role in the European digital ecosystem and how ISO 27001:2022 can help you.
Here's an overview to get your organization situated:
- NIS2 Directive: This is the one with the widest scope. It abandons the old distinction between operators of essential services and providers of digital services to create two new categories: "essential" and "important" entities.
  - Essential Sectors: Energy, transport, banking, financial market infrastructure, health, drinking and waste water, digital infrastructure, public administration and the space sector.
  - Important Sectors (new additions): Postal services, waste management, chemical industry, food industry (production and distribution), manufacture of key products (healthcare, IT, electronics, machinery, vehicles) and digital suppliers (social networks, marketplaces).
- DORA Regulation: Its application is vertical and focuses exclusively on the financial sector and its technological supply chain.
  - It applies to: Banks, insurers and reinsurers, investment firms, fund managers, crypto-asset service providers, rating agencies, and, crucially, the critical ICT providers that serve these entities.
- ISO 27001:2022 standard: Unlike NIS2 and DORA, it is not a law, but a voluntary certification standard. However, ISO 27001:2022 has become the de facto standard for demonstrating due diligence and meeting the requirements of NIS2 and DORA. It is applicable to any organization that wants to follow the guidance of ISO 27001:2022 to manage its security robustly.
To find out exactly how these regulations interact and which one prevails in your case, here's a direct comparison between NIS2 and DORA.
Human risks as a common vector of vulnerability
It doesn't matter if your company manages a power grid under NIS2 or processes transactions under DORA. The most exploited attack vector with the highest damage potential is still your human team. You may have the best technology, but a single click on a phishing link or a weak password can dismantle all your defenses.
A poor security culture is a critical vulnerability that no firewall can fix. Lack of awareness, resistance to following protocols or the absence of specific training expose employees as the main point of risk. This is not a technical issue, it is a business challenge that can lead to a serious breach of NIS2 or DORA. Therefore, the only sustainable strategy is to integrate human risk management into the core of your security program to transform that vulnerability into a defensive capability.
Critical roles to ensure compliance
Compliance in 2026 is no longer the sole responsibility of the IT department. As detailed in this guide, compliance is now a team sport, with roles and responsibilities defined by frameworks such as ISO 27001:2022. Both NIS2 and DORA are explicit about this: the lack of management involvement is not an excuse, it is negligence.
Role of the CISO and cybersecurity team
The CISO acts as the central coordinator, but now with a strengthened mandate and increased visibility. The role shifts from technical gatekeeper to risk strategist who must translate NIS2 and DORA requirements into measurable and effective controls.
Your direct responsibilities are:
- Design, deploy and operate the cybersecurity threat control program, ensuring that it encompasses all vital assets and processes.
- Lead incident response, ensuring that notification to authorities is made within the deadlines and formats required by law.
- Collect and maintain evidence of compliance, preparing the organization for internal and external audits. You must be able to demonstrate, not just claim, that the measures work.
- To organize this effort, it is vital to know in detail the schedule and the specific obligations that NIS2 imposes directly on you.
Necessary involvement of HR and Senior Management
This is where the most profound change lies. Under NIS2, the management body is ultimately responsible for cybersecurity, including approving policies and overseeing their implementation. This responsibility cannot be delegated and may lead to direct sanctions.
- Senior Management (CEO and Board): Their mission, according to the ISO 27001:2022 standard, is governance. They must understand the risks, approve the strategy, allocate the necessary resources and demand clear and continuous reporting on the state of security. Cybersecurity becomes a fixed point on the board's agenda.
- Human Resources (HR): Becomes an indispensable collaborator for the CISO. HR is the architect of the security culture. Their work is essential to:
  - Integrate cybersecurity into the entire employee lifecycle: from screening and onboarding to continuous training and the exit process.
  - Develop and implement effective awareness programs that modify behaviors.
  - Shape this collaboration using a global standard to define and measure human competencies, as detailed in frameworks such as the official ISO 27001:2022 standard.
New requirements for suppliers and third parties
Your security perimeter no longer ends at your own walls. NIS2 and DORA place an unprecedented focus on supply chain security. This means that you are only as secure as your weakest supplier.
The new requirement imposed by both NIS2 and DORA is active and continuous due diligence, which involves:
- Assess the security posture of your critical suppliers before signing any contract.
- Include binding cybersecurity clauses in all trade agreements.
- Monitor the security performance of your third parties proactively, requiring evidence and audits if necessary.
- Increase accountability and ensure that your strategic partners meet the same standards that are required of you.
Practical roadmap to comply with NIS2, ISO 27001:2022 and DORA
Facing the implementation of NIS2, DORA and ISO 27001:2022 can seem like a challenge of enormous complexity. But it doesn't have to be. The key is to take a program approach: a continuous compliance roadmap for NIS2, DORA, and ISO 27001:2022, as detailed in this guide. This guide proposes a journey that begins with an honest diagnosis, following the principles of ISO 27001:2022, and evolves towards a culture of resilience.
Maturity Assessment and Initial Gaps: How to Diagnose the Starting Point
You can't plot a route without knowing where you are. The first step is a no-frills gap analysis to understand the distance between your current state and regulatory requirements. This diagnosis is the foundation of your entire regulatory adequacy plan.
Use this checklist as a starting point:
- Scope Definition: First things first. Which regulations apply directly to you (NIS2, DORA, or both)? What business processes, data, and systems are critical to the continuity of your operations? The answer to this defines your perimeter of action.
- Inventory of Current Controls: Take an honest inventory of the security measures you already have: technical (firewalls, EDR, MFA), organizational (policies, roles), and human (existing training programs).
- Cross-Reference with Regulatory Requirements: Now, compare your inventory to the specific obligations of each framework. For example, Annex I of the directive, available in the full legal text of NIS2, details the "minimum risk management measures" that you must cover. This is where the gaps become visible.
- Supply Chain Assessment: Analyze the contracts and security posture of your technology vendors and key partners. Your risk doesn't end with your own network.
Prioritization of technical, organizational and human actions: Roadmap in phases
With the gap map in hand, it's time to act. But not everything has the same urgency. Prioritize based on risk and impact. A phased roadmap allows you to achieve high-impact initial results while working on long-term goals.
Phase 1: Short Term (First 6 Months) – Foundation and Control
The goal here is to establish governance and meet the fundamental requirements.
- Organizational: Formally designate the roles and responsibilities for the governance of NIS2 and DORA, creating a crisis committee and a clear channel of reporting to management.
- Technical: Implement fundamental controls such as universal Multi-Factor Authentication (MFA), robust backup policies (3-2-1), and basic network segmentation.
- Human: Launch a baseline awareness program for all staff, communicating new responsibilities and key threats such as phishing.
Phase 2: Medium Term (6-18 months) – Strengthening and Measurement
Now it is a matter of consolidating the initial base and starting to measure real effectiveness.
- Organizational: Conduct thorough security due diligence of critical suppliers and renegotiate contracts to include cybersecurity clauses.
- Technical: Deploy advanced visibility tools such as SIEM/SOAR and perform the first formal vulnerability scans.
- Human: Evolve from awareness to competence. This means measuring behavior through hands-on exercises. To do this, it is key to implement a robust attack simulation strategy and continuous training.
Phase 3: Long Term (18+ months) – Resilience and Continuous Improvement
The ultimate goal: for security to be inherently integrated into the company's culture and processes.
- Organizational: Integrate security into the software development lifecycle (DevSecOps) and procurement processes.
- Technical: Perform advanced resilience tests, such as red team exercises or full penetration tests.
- Human: Automate the measurement of security culture maturity. Formalizing this process is easier if you use this guide and know how to map your team's capabilities against ISO 27001:2022 human controls.
Evidence and reporting: how to demonstrate real compliance?
In the world of regulation, what cannot be proven, does not exist. Your ability to generate and present evidence is just as important as the controls themselves.
- Living Documentation: Policies and procedures must be up-to-date, approved, and most importantly, communicated. They are work tools, not archival documents.
- Internal Audit: Establish a schedule of internal audits to identify deviations before a third party does.
- Impact Metrics (KPIs): Define KPIs to measure the effectiveness of your NIS2, DORA, and ISO 27001:2022 controls (e.g., average detection time, click-through rate in phishing simulations, etc.). This is what transforms reporting from a to-do list to a strategic conversation with management.
Where does the human factor fit into these regulations?
Imagine you've invested hundreds of thousands of dollars in the most advanced security technology. You comply with all of DORA's technical controls, but your CFO authorizes a fraudulent transfer after receiving a spear phishing email impersonating the CEO. This scenario is not a technological failure; it is a failure of the "human firewall". Both NIS2 and DORA explicitly require organizations to manage this human cyber risk, and ISO 27001:2022 provides you with the perfect framework to do so.
The challenge of managing digital human risk
As stated in this guide, managing the human factor is no longer about sending out an annual awareness course and assuming that it will be enough. The new regulatory paradigm requires proactive and continuous management. The goal is for your employees to stop being a risk vector and become your most effective threat sensor.
This challenge involves an evolution on three levels:
- Awareness: Your team knows what a threat looks like (e.g. phishing, social engineering).
- Competence: They are able to identify it in a real situation and know how to act.
- Culture: They feel safe and motivated to proactively report any anomaly, turning security into a shared value.
Achieving this goal requires a structured program that combines awareness, simulation, and measurement. To understand how to build this management system, you can check out our ultimate guide to managing Human Cyber Risk.
Specific controls in ISO 27001:2022 (Annex A)
You don't need to start from scratch. Annex A of ISO 27001:2022 is the ideal structure to build your people-centric security program. Although it is a voluntary standard, its controls are the best way to demonstrate due diligence to NIS2 and DORA regulators.
Some key human controls include:
- A.5.1 - Policies for information security: They must be clear, accessible and communicated. They are of no use if no one knows about them.
- A.6.3 - Training, education and awareness: It requires a continuous programme adapted to the different roles and risks of the staff.
- A.6.8 - Incident Management Procedures: Ensures that employees know to whom and how to report a security incident.
- A.8.2 - Access privileges: Implementing the principle of "least privilege" depends on both the technology and the HR processes that support it.
The true value of ISO 27001:2022 is not in implementing these controls in isolation, but in integrating them into a system consistent with the objectives of NIS2 and DORA. Knowing how to map these controls to your organization's specific roles and risks is what determines the effectiveness of the program.
Measurement and improvement: key metrics to demonstrate impact
In security, what is not measured, cannot be managed or improved. To demonstrate real compliance and ROI to senior management, you need data, not anecdotes. Reference bodies such as the UK's NCSC insist on this evidence-based approach.
Key KPIs for your dashboard:
- Click-through rate in phishing simulations: The basic metric. It should show a decreasing trend and be segmented by department or role.
- Threat Reporting Rate: This is the golden metric. It measures proactive engagement and a healthy culture. An increase here is a victory.
- Average reporting time: How long does it take for an employee to raise their hand after detecting something suspicious? Speed is key.
- Cultural maturity score: Measured through periodic surveys of perception and knowledge.
- Training Coverage and Completion: A critical compliance KPI to demonstrate organizational diligence.
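The KPIs above are only useful if they are computed consistently from campaign data rather than estimated by hand. The following is an added example, not code from the guide or from any vendor tool: it takes constructed phishing-simulation records (one per recipient, with send, click and report timestamps) and produces the click-through rate, the threat reporting rate and the median time-to-report, segmented by department, then compares two campaigns to show whether the trend is moving the right way. The data, field names and function names are all assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample data (not from any real campaign): one record per recipient
# of a phishing simulation. Timestamps are ISO 8601; None means the event did
# not happen for that recipient.
CAMPAIGN_Q0 = [  # earlier quarter, used only as the baseline for the trend
    {"user": "f1", "dept": "finance", "sent": "2025-12-01T09:00:00", "clicked": "2025-12-01T09:05:00", "reported": None},
    {"user": "f2", "dept": "finance", "sent": "2025-12-01T09:00:00", "clicked": "2025-12-01T09:07:00", "reported": None},
    {"user": "f3", "dept": "finance", "sent": "2025-12-01T09:00:00", "clicked": None, "reported": None},
    {"user": "o1", "dept": "ops", "sent": "2025-12-01T09:00:00", "clicked": None, "reported": "2025-12-01T09:30:00"},
]
CAMPAIGN_Q1 = [
    {"user": "f1", "dept": "finance", "sent": "2026-03-02T09:00:00", "clicked": "2026-03-02T09:04:00", "reported": None},
    {"user": "f2", "dept": "finance", "sent": "2026-03-02T09:00:00", "clicked": None, "reported": "2026-03-02T09:10:00"},
    {"user": "f3", "dept": "finance", "sent": "2026-03-02T09:00:00", "clicked": None, "reported": None},
    {"user": "f4", "dept": "finance", "sent": "2026-03-02T09:00:00", "clicked": "2026-03-02T09:03:00", "reported": "2026-03-02T09:20:00"},
    {"user": "o1", "dept": "ops", "sent": "2026-03-02T09:00:00", "clicked": None, "reported": "2026-03-02T09:02:00"},
    {"user": "o2", "dept": "ops", "sent": "2026-03-02T09:00:00", "clicked": None, "reported": None},
]


def _minutes(start, end):
    """Elapsed minutes between two ISO 8601 timestamps."""
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 60


def _segment_kpis(rows):
    """KPIs for one group of recipients (a department, or the whole campaign)."""
    n = len(rows)
    clicks = sum(1 for r in rows if r["clicked"])
    reports = sum(1 for r in rows if r["reported"])
    delays = [_minutes(r["sent"], r["reported"]) for r in rows if r["reported"]]
    return {
        "recipients": n,
        "click_rate": round(clicks / n, 3),
        "report_rate": round(reports / n, 3),
        # Median rather than mean: one very slow reporter should not hide a fast majority.
        "median_report_minutes": round(median(delays), 1) if delays else None,
        # Recipients who clicked and still reported: they fell for the lure but
        # raised their hand anyway, which is exactly the behaviour to reinforce.
        "clicked_then_reported": sum(1 for r in rows if r["clicked"] and r["reported"]),
    }


def campaign_kpis(events):
    """Return KPIs for the whole campaign and segmented by department."""
    by_dept = defaultdict(list)
    for e in events:
        by_dept[e["dept"]].append(e)
    return {
        "overall": _segment_kpis(events),
        "by_dept": {dept: _segment_kpis(rows) for dept, rows in sorted(by_dept.items())},
    }


def compare_campaigns(previous, current):
    """Direction of travel between two campaigns: the click rate should fall
    and the reporting rate should rise for the program to count as improving."""
    p, c = previous["overall"], current["overall"]
    out = {
        "click_rate_delta": round(c["click_rate"] - p["click_rate"], 3),
        "report_rate_delta": round(c["report_rate"] - p["report_rate"], 3),
    }
    out["improving"] = out["click_rate_delta"] <= 0 and out["report_rate_delta"] >= 0
    return out


if __name__ == "__main__":
    import json
    q1 = campaign_kpis(CAMPAIGN_Q1)
    print(json.dumps(q1, indent=2))
    print(json.dumps(compare_campaigns(campaign_kpis(CAMPAIGN_Q0), q1), indent=2))
```

Segmenting by department is what turns the raw click rate into something management can act on: in the sample data the finance team clicks far more than operations, which points to where role-specific training belongs. The `clicked_then_reported` count is worth tracking separately, because a program that punishes clicks tends to suppress reports, and the reporting rate is the metric the guide calls the golden one.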
Conclusion: Moving from compliance to competitive advantage
Throughout this comprehensive guide, we've walked through the new European regulatory map, and one thing is clear: the approach of treating compliance as a simple checklist has become obsolete. Addressing the mandates of NIS2, DORA and ISO 27001:2022 solely as an obligation is a strategic mistake. The real opportunity lies in using this regulatory push to build a stronger, safer and more resilient organisation from its core: people.
Beyond the check: compliance as a strategic differential
The companies that will lead in 2026 will be those that turn compliance into a competitive advantage. A well-executed NIS2 strategy not only avoids fines, but builds trust with customers and partners. Demonstrating robust digital operational resilience, as required by DORA, becomes a sales pitch and a key asset for brand reputation.
The real objective is to integrate security into daily operations and corporate culture, creating a dynamic of continuous improvement where governance, processes and people reinforce each other. This is the vision that inspires security leaders, as often discussed in strategic forums for CISOs like CSO Online.
Recommended first steps for 2026
This compliance guide for NIS2, DORA, and ISO 27001:2022 has shown you the way. Now, the key is to start the process with well-defined actions. If you have to start today, focus on these three points:
- Diagnosis and Scope: You can't act blindly. The first thing is to understand your starting point. Perform a gap analysis and, if you still have doubts, use this comparison to clarify which regulation, NIS2 or DORA, has the most impact on you.
- Leadership and Governance: The impulse must originate from senior management. Present a clear plan to senior management, using this guide to support securing the necessary resources for ISO 27001:2022 compliance. Knowing the timeline and the obligations that NIS2 imposes on the CISO and the security team is your best tool for this conversation.
- Immediate focus on Human Risk: Technology is crucial, but culture is decisive. Make human factor management the central axis of your strategy from day one. It is the investment with the highest return on real resilience.
The path to digital resilience and compliance is mapped out. The question is no longer what to do, but when to start. If you're ready to transform human risk management from a regulatory requirement to your greatest strategic advantage, it's time to act.