Cyber Resilience Act vs NIS2 vs DORA: Which Regulation Applies to My Insured?

A practical comparison of the three major EU cybersecurity regulations — CRA, NIS2, and DORA — explaining scope, timelines, requirements, and what cyber insurance underwriters need to ask clients in 2026.

European cybersecurity regulation has entered a new era. In 2026, three overlapping directives now govern how organizations handle digital risk: the Cyber Resilience Act (CRA), the NIS2 Directive, and the Digital Operational Resilience Act (DORA). For cyber insurance underwriters, the question is no longer whether your insured is regulated — it’s which combination of regulations applies, what they require, and how that changes the risk profile you’re pricing.

Getting this wrong has real consequences. An insured that is subject to NIS2 but treats it like GDPR compliance will face penalties. A medical device manufacturer that ignores the CRA will be unable to sell in the EU. A financial institution that neglects DORA’s ICT third-party risk requirements will face supervisory action. For underwriters, understanding the regulatory overlap is not optional — it is core to accurate risk assessment.

This guide breaks down each regulation, maps their overlap, provides a decision framework for determining applicability, and explains what underwriters should ask every client.

The Three Regulations at a Glance

NIS2 Directive (EU 2022/2555)

What it is: The Network and Information Security Directive 2 is an EU-wide cybersecurity framework that replaced the original NIS Directive. It establishes comprehensive cybersecurity risk management, incident reporting, and governance requirements for essential and important entities.

Scope: Organizations in 18 sectors classified as “essential” or “important” entities based on size criteria (250+ employees or €50M turnover for essential; 50+ employees or €10M turnover for important). Sectors include energy, transport, banking, healthcare, digital infrastructure, public administration, and more.

Timeline: Entered into force October 17, 2024. EU Member States had until October 17, 2024 to transpose into national law. Enforcement is ramping through 2025-2026 with many Member States now actively enforcing.

Key requirements:

  • Cybersecurity risk management measures (Article 21)
  • Incident reporting within 24/72/168 hours (Article 23)
  • Management body accountability and personal liability (Article 20)
  • Supply chain security (Article 21(2)(d))
  • Business continuity and crisis management

Penalties: Up to €10M or 2% of global turnover for essential entities; €7M or 1.4% for important entities. Personal liability for management.

Digital Operational Resilience Act (DORA — EU 2022/2554)

What it is: DORA is a sector-specific regulation focused on the financial services industry. It establishes a comprehensive framework for ICT risk management, incident reporting, digital operational resilience testing, and ICT third-party risk management for financial entities.

Scope: Over 20 types of financial entities including banks, insurance companies, investment firms, payment institutions, crypto-asset service providers, and critical ICT third-party service providers to the financial sector.

Timeline: Applied from January 17, 2025. Fully enforceable now.

Key requirements:

  • ICT risk management framework (Chapter II)
  • ICT-related incident management and reporting (Chapter III)
  • Digital operational resilience testing including threat-led penetration testing (Chapter IV)
  • ICT third-party risk management with register of information (Chapter V)
  • Information-sharing arrangements (Chapter VI)

Penalties: Determined by national competent authorities but can include significant fines, restrictions on business activities, and withdrawal of authorization.

Cyber Resilience Act (CRA — EU 2024/2847)

What it is: The Cyber Resilience Act is a product regulation that establishes cybersecurity requirements for products with digital elements (hardware and software) before they can be sold in the EU market. Think of it as “CE marking for cybersecurity.”

Scope: Manufacturers, importers, and distributors of products with digital elements — essentially any connected hardware or software product sold in the EU. This includes IoT devices, operating systems, routers, security software, and industrial control systems.

Timeline: Entered into force December 2024. Most obligations apply from September 2027, with some provisions phased in through 2029.

Key requirements:

  • Security by design and by default
  • Vulnerability handling and disclosure processes
  • Security updates for the expected product lifetime (minimum 5 years)
  • Software bill of materials (SBOM)
  • Incident reporting for actively exploited vulnerabilities
  • Conformity assessment and CE marking

Penalties: Up to €15M or 2.5% of global turnover.

Side-by-Side Comparison

| Dimension | NIS2 | DORA | CRA |
|---|---|---|---|
| Scope | Operators in 18 critical sectors | Financial entities | Products with digital elements |
| Focus | Organizational cybersecurity | Financial sector ICT resilience | Product security |
| Entity type | Essential and important entities | 20+ types of financial entities | Manufacturers, importers, distributors |
| Primary obligation | Risk management measures | ICT risk framework | Security by design |
| Incident reporting | 24h early warning / 72h incident / 168h final | 4h initial / 72h intermediate / final | 24h for actively exploited vulns |
| Supply chain | Article 21(2)(d) supply chain security | Chapter V ICT third-party risk mgmt | SBOM and vulnerability management |
| Testing | Not specified (recommended) | TLPT mandatory for significant entities | Conformity assessment |
| Governance | Management body personal liability | Management body accountability | Manufacturer responsibility |
| Max penalty | €10M / 2% turnover | Sector-specific | €15M / 2.5% turnover |
| Enforcement | 2024-2026 (phased) | January 2025 | September 2027+ |
| Regulated by | National CSIRTs / competent authorities | Financial supervisors (ECB, national) | Market surveillance authorities |

The Overlap Problem

The critical insight for underwriters is that these regulations are not mutually exclusive. A single insured can be subject to multiple frameworks simultaneously:

Scenario 1: A large European bank

  • Subject to NIS2 as an essential entity (banking sector)
  • Subject to DORA as a financial entity
  • May be subject to CRA if they manufacture digital banking products (e.g., hardware tokens, trading platforms)
  • Insurance implication: Three compliance frameworks mean higher compliance costs, more regulatory scrutiny, and greater risk of enforcement action if any framework is neglected

Scenario 2: A medical device manufacturer

  • Subject to NIS2 as an essential entity (healthcare, if above size thresholds)
  • Subject to CRA as a manufacturer of products with digital elements
  • Not subject to DORA
  • Insurance implication: Product liability exposure under CRA adds a new dimension to cyber coverage — first-party losses from product recalls, plus third-party liability from vulnerable products

Scenario 3: A cloud services provider

  • Subject to NIS2 as an essential entity (digital infrastructure / ICT service management)
  • Not subject to DORA directly, but may be a critical ICT third-party provider under DORA Chapter V if serving financial entities
  • May be subject to CRA if providing packaged software products
  • Insurance implication: Potential dual enforcement from NIS2 and DORA (as a critical third party), creating complex liability scenarios

Decision Framework: Which Regulation Applies?

Use this decision tree to determine applicability for any insured:

Step 1: Does the entity operate in the financial sector?

  • Yes → DORA applies. Also check NIS2 (banks, financial market infrastructure are essential entities under NIS2)
  • No → Go to Step 2

Step 2: Does the entity operate in one of the 18 NIS2 sectors?

  • Yes → NIS2 applies if the entity meets the size threshold (50+ employees OR €10M+ turnover for important; 250+ employees OR €50M+ turnover for essential)
  • No → NIS2 may still apply if the entity is a qualified trust service provider or DNS TLD registry

Step 3: Does the entity manufacture, import, or distribute products with digital elements?

  • Yes → CRA applies. Check if the product is excluded (free/open-source software not developed commercially, products already covered by sector-specific regulations with equivalent requirements)
  • No → CRA does not apply

Step 4: Is the entity an ICT service provider to financial entities?

  • Yes → May be designated as a critical ICT third-party service provider under DORA Chapter V, even if not a financial entity itself
  • No → No additional DORA obligations

Insurance Implications by Regulation

NIS2 Insurance Implications

For underwriters assessing NIS2-subject entities, the key considerations are:

  1. Compliance gap analysis: Has the entity conducted a formal gap assessment against Article 21 requirements? Use our NIS2 compliance checklist to verify.

  2. Incident reporting readiness: Can the entity meet the 24-hour early warning deadline? Most organizations cannot today, which creates regulatory risk.

  3. Management liability: Article 20 creates personal liability for board members. This has implications for D&O insurance as well as cyber insurance.

  4. Supply chain exposure: Article 21(2)(d) requires supply chain security. Underwriters should ask about vendor risk management programs and contractual security requirements.

  5. Compliance cost: Our analysis shows NIS2 compliance costs range from €50K for small important entities to €2M+ for large essential entities.

DORA Insurance Implications

For financial sector insureds:

  1. ICT risk register: DORA requires maintaining a comprehensive register of all ICT dependencies. Underwriters should request this document.

  2. Third-party concentration risk: DORA Chapter V requires mapping all ICT third-party providers. This reveals concentration risk that could amplify losses.

  3. TLPT results: Threat-led penetration testing is mandatory for significant financial entities. Results provide direct evidence of security posture.

  4. Operational resilience testing: Regular scenario-based testing (including cyber incidents) provides better data for pricing than any questionnaire.

CRA Insurance Implications

For manufacturers and product companies:

  1. Product liability exposure: The CRA creates a new category of product liability for insecure digital products. This affects both cyber and general liability coverage.

  2. Recall and remediation costs: Vulnerability disclosure requirements and forced security updates create first-party cost exposure.

  3. Supply chain cascading risk: SBOM requirements mean that a vulnerability in a component library could trigger obligations across thousands of products simultaneously.

  4. Market access risk: Non-compliance means loss of CE marking, effectively prohibiting EU market access. For EU-dependent manufacturers, this is a business interruption risk.

What Underwriters Should Ask Every Client

Based on the regulatory landscape in 2026, here are the critical questions to ask:

For all clients:

  1. Which EU cybersecurity regulations apply to your organization? (NIS2 / DORA / CRA / multiple)
  2. Have you completed a formal regulatory applicability assessment?
  3. Who is responsible for regulatory compliance within your organization?
  4. Have you been subject to any regulatory inquiries or enforcement actions?

For NIS2-subject entities:

  1. Are you classified as an essential or important entity? (Check with our NIS2 Checker)
  2. Has your management body approved cybersecurity risk management measures per Article 20?
  3. What is your incident reporting capability — can you meet the 24-hour early warning deadline?
  4. How many ICT third-party providers do you have, and how do you manage supply chain risk?
  5. Have you conducted a compliance gap analysis against all Article 21 requirements?

For DORA-subject entities:

  1. Do you maintain a complete register of ICT dependencies as required by Chapter V?
  2. Have you completed threat-led penetration testing (TLPT)?
  3. What is your concentration risk profile for critical ICT third-party providers?
  4. How do you test operational resilience for cyber scenarios?

For CRA-subject entities:

  1. What is your process for security by design and by default?
  2. Do you maintain a software bill of materials (SBOM) for all products?
  3. What is your vulnerability handling and disclosure process?
  4. How long do you provide security updates for each product category?

The Convergence Trend

Looking ahead, these three regulations are converging toward a unified EU cybersecurity framework. The European Commission has signaled intent to reduce regulatory overlap, particularly for entities subject to both NIS2 and DORA. For now, underwriters must treat them as distinct but overlapping obligations and assess compliance against each applicable framework independently.

The organizations that manage this regulatory complexity well — with unified governance, integrated risk management, and efficient compliance processes — will present lower risk profiles. Those that treat each regulation in isolation will face higher compliance costs, greater regulatory risk, and more potential for gaps that lead to incidents.

Use our Cyber Risk Calculator to estimate the financial impact of regulatory non-compliance for your clients, and our free NIS2 compliance checklist to assess readiness.

FAQ

Does NIS2 replace GDPR? No. NIS2 and GDPR are separate regulations with different scopes. GDPR governs personal data protection. NIS2 governs cybersecurity of network and information systems. An organization can be subject to both simultaneously, and a security incident may trigger reporting obligations under both frameworks.

Does DORA replace NIS2 for financial entities? No. DORA and NIS2 are both in force. Financial entities that meet NIS2 size thresholds are subject to both. DORA provides sector-specific ICT resilience requirements, while NIS2 provides broader cybersecurity governance requirements. There are provisions to avoid double reporting for the same incident.

When does the CRA become enforceable? The CRA entered into force in December 2024, but most obligations apply from September 2027. Some provisions, including the requirement for manufacturers to report actively exploited vulnerabilities, apply earlier. Full enforcement with penalties begins once the transition period ends.

How do I determine if my client is subject to NIS2? Check three things: (1) sector — is the client in one of the 18 NIS2 sectors? (2) size — does the client meet the employee or turnover threshold? (3) function — is the client a trust service provider or DNS TLD registry? Use our NIS2 Entity Checker for an automated assessment.

What is the penalty for non-compliance with the Cyber Resilience Act? The CRA provides for penalties of up to €15 million or 2.5% of the manufacturer’s global annual turnover, whichever is higher. For importers and distributors, penalties are up to €10 million or 1.5% of global turnover. Market surveillance authorities can also withdraw products from the market.