NIS2 and DORA Compliance: What They Require for Third-Party Risk Management

JULY 3, 2026

Two regulatory frameworks now govern how European organizations manage third-party ICT risk, and both are actively enforced. NIS2, the Network and Information Security Directive 2, became applicable across EU member states in October 2024 and imposes supply chain security obligations on essential and important entities across 18 sectors. DORA, the Digital Operational Resilience Act, has applied to financial entities since January 2025 and imposes a more prescriptive and detailed set of ICT third-party risk requirements, including a mandatory Register of Information that regulators are already auditing.

The compliance story in 2026 is no longer about understanding what these frameworks require. It is about demonstrating that you have implemented what they require, continuously, with evidence. The second annual DORA Register of Information submission cycle closed in March 2026. Supervisors across Germany, the Netherlands, and France have signaled that persistent register deficiencies are an enforcement priority. NIS2’s October 2026 deadline for member state compliance is approaching, with national transposition laws now in force across the majority of EU jurisdictions.

For compliance and security teams, the operational challenge is the same regardless of which framework applies: third-party risk cannot be managed with periodic questionnaires, point-in-time audits, and static contract clauses. Both NIS2 and DORA, read carefully, require continuous visibility into the security posture of vendors and the exposure they create. This blog maps the specific requirements of each framework, identifies where compliance gaps most commonly appear, and explains what a program that satisfies both looks like in practice.

Oct 2024 NIS2 transposition deadline; requirements now applicable across EU member statesJan 2025 DORA application date for all in-scope financial entities19 Critical ICT Third-Party Providers (CTPPs) designated by ESAs in November 2025Oct 2026 NIS2 national enforcement deadline; active supervisory cycle now underway
Comparison of NIS2 and DORA third-party risk management requirements
Both regulations require continuous visibility into third-party ICT risks.

What NIS2 Requires for Third-Party Risk Management

NIS2 addresses supply chain and third-party risk primarily through Article 21, which requires essential and important entities to implement appropriate and proportionate technical and organizational measures to manage cybersecurity risks. Article 21(2)(d) explicitly includes supply chain security among the mandatory measures, covering security in the relationships between the entity and its direct suppliers and service providers.

This is broader than it may initially appear. NIS2 does not limit supply chain obligations to direct technology vendors. It covers any supplier or service provider whose compromise could affect the entity’s ability to maintain the security of its network and information systems. Physical security vendors, facilities management providers, and non-technology supply chain partners are all potentially in scope if their failure would have a material cybersecurity consequence.

NIS2 Article 21 TPRM Obligations: Specific Requirements

ObligationWhat It RequiresCompliance Evidence Expected
Supply chain risk assessmentEntities must assess and manage cybersecurity risks arising from their supplier and service provider relationships, including the security practices of each providerDocumented vendor risk assessments, tiering methodology, periodic review records
Supplier security practices evaluationEntities must consider the overall quality of the security products and practices of their suppliers, including secure development practicesVendor questionnaires, certification verification (ISO 27001, SOC 2), contractual security requirements
Shadow IT and digital asset inventoryA complete inventory of information systems including SaaS and cloud services is required; shadow IT must be detected and documentedAsset inventory records, discovery tool outputs, shadow IT identification process
Incident reporting to authoritiesSignificant incidents must be reported within 24 hours (early warning) and 72 hours (full notification); incidents originating in the supply chain are coveredIncident classification process, reporting templates, authority notification records
Management body accountabilityManagement bodies are personally responsible for approving and overseeing cybersecurity measures and must undergo training; liability for non-compliance is personalBoard approval records, cybersecurity training documentation, governance meeting minutes
Business continuity and crisis managementEntities must have measures addressing business continuity in the event of a significant cybersecurity incident, including supply chain disruptionBusiness continuity plans, vendor substitution procedures, critical supplier dependency maps
NIS2 Proportionality: What It Does and Does Not Mean NIS2 requires measures that are ‘appropriate and proportionate’ to the risk and the size of the entity. Smaller organizations in scope may have lighter documentation requirements. However, proportionality does not exempt any in-scope entity from the substance of the supply chain security obligation. It affects how the obligation is implemented, not whether it exists. In practice, proportionality arguments that result in no formal vendor risk assessment process, no incident reporting capability for supply chain events, and no documentation of supplier security practices are unlikely to withstand supervisory scrutiny. The 38% of Irish businesses that survey data showed would not be compliant by October 2024 did not generally cite proportionality as a defense.

What DORA Requires for Third-Party Risk Management

DORA’s third-party risk management framework is more detailed and prescriptive than NIS2’s supply chain security provisions. It occupies Chapter V of the regulation (Articles 28 through 44) and establishes a complete governance structure for managing ICT third-party dependencies from initial due diligence through contract execution, ongoing monitoring, and exit planning.

The defining feature of DORA’s TPRM approach is the Register of Information: a mandatory, structured record of every contractual arrangement with an ICT third-party provider that must be maintained, updated, and submitted annually to national competent authorities. The register is not a document. It is a database with prescribed fields, and regulators are using it to identify concentration risk, subcontractor opacity, and missing contractual provisions at scale.

DORA Chapter V TPRM Obligations: Specific Requirements

ObligationArticleWhat It Requires
ICT third-party risk policyArt. 28(2)Financial entities must adopt and maintain a formal strategy for ICT third-party risk, reviewed at least annually, covering the full lifecycle of provider relationships
Pre-contractual due diligenceArt. 28(4)Before entering any ICT arrangement, entities must assess the provider’s security practices, financial stability, business continuity capability, and subcontracting arrangements
Register of Information (ROI)Art. 28(3)A complete, structured register of all ICT contractual arrangements, submitted annually to national competent authorities; must include subcontractor chains supporting critical functions
Contractual minimum provisionsArt. 30Contracts with ICT providers must include audit rights, incident cooperation obligations, data location and portability rights, subcontractor disclosure requirements, and exit plan provisions
Critical function provider designationArt. 28(5)Entities must identify which ICT providers support critical or important functions and apply enhanced oversight to those relationships
Concentration risk managementArt. 29Entities must assess and manage concentration risk arising from dependence on a single provider or a small number of providers for critical functions; multi-vendor strategies must be documented
Exit planningArt. 28(8)Entities must document exit strategies for ICT providers supporting critical functions, including transition timelines, alternative provider identification, and data portability procedures
Ongoing monitoringArt. 28(6)Entities must continuously monitor the performance and security posture of ICT providers supporting critical functions; periodic reviews are required at minimum annually
Incident reporting from providersArt. 30(2)(j)Contracts must require ICT providers to report incidents to the financial entity promptly, with defined timelines for notification of major incidents affecting the financial entity
Vendor monitoring program ensuring DORA compliance and ongoing oversight.
Vendor monitoring program supporting DORA and NIS2 compliance for third-party risk management.

The Register of Information: Where Most Organizations Are Failing

The DORA Register of Information has been the single most operationally challenging compliance requirement for in-scope financial entities. The 2025 pilot submission round exposed a consistent pattern: organizations that believed they had comprehensive vendor relationships documented discovered they lacked a centralized view of ICT contracts, with arrangements scattered across procurement teams, business units, and subsidiary operations.

The 2026 enforcement shift has made the register a priority audit target. Supervisors are looking for completeness (all ICT arrangements documented, not just the major ones), accuracy (subcontractor chains traceable for critical functions), and currency (updated to reflect contract changes within defined timeframes). A register that cannot answer the question ‘which of our ICT providers support critical functions, and who are their subcontractors’ is, as regulators have stated explicitly, a documented compliance failure.

The CTPP List: What It Means for Your Vendor Program In November 2025, the European Supervisory Authorities designated 19 Critical ICT Third-Party Providers (CTPPs) subject to direct ESA oversight. The list includes Amazon Web Services, Google Cloud, Microsoft, Oracle, SAP, and Deutsche Telekom among others. Financial entities that depend on any designated CTPP must demonstrate in their Register of Information that they have assessed and mitigated the concentration risk arising from those dependencies. This is not a one-time assessment. It is an ongoing obligation that must be reflected in both the register and in the entity’s concentration risk management documentation. For organizations using multiple cloud providers from the CTPP list, the concentration risk assessment must address the scenario in which two or more designated CTPPs experience simultaneous incidents, and the entity’s ability to maintain critical functions in that scenario.

NIS2 and DORA Side by Side: Where They Overlap and Where They Diverge

For organizations subject to both frameworks, the practical compliance question is which requirement controls where they overlap and what additional obligations each framework adds independently. The general rule is that DORA functions as lex specialis for the financial sector: where DORA and NIS2 address the same topic, DORA’s requirement is the binding one for in-scope financial entities.

TPRM AreaNIS2 RequirementDORA RequirementWhich Controls for Financial Entities
Vendor inventoryDigital asset and supplier inventory required; shadow IT must be documentedRegister of Information: structured database with prescribed fields, annual submission to regulatorsDORA: more prescriptive, annual submission obligation
Due diligenceAssess supplier security practices; consider quality of security products and development practicesFormal pre-contractual due diligence covering security, financial stability, continuity, and subcontractor chainsDORA: more detailed scope and documentation standard
Contractual requirementsAppropriate security clauses in supplier contracts implied by risk management obligationsExplicit minimum provisions required under Article 30: audit rights, incident cooperation, subcontractor disclosure, exit planningDORA: explicit mandatory contract clauses
Ongoing monitoringPeriodic review of supplier security measures implied by continuous risk management obligationExplicit ongoing monitoring requirement under Article 28(6); at minimum annual formal reviewDORA: explicit obligation with minimum frequency
Incident reporting from vendorsVendors should cooperate with incident response implied by supply chain security obligationsContracts must require prompt vendor notification of incidents affecting the financial entity, with defined timelinesDORA: explicit contractual obligation
Concentration riskNot explicitly addressed; implied by supply chain resilience requirementExplicit concentration risk assessment and management requirement under Article 29DORA: unique obligation with no NIS2 equivalent
Exit planningBusiness continuity measures must address supply chain disruptionDocumented exit strategies for critical function providers required under Article 28(8)DORA: more specific; written exit plans required
Reporting to authoritiesSignificant incidents within 24h early warning, 72h notificationMajor ICT incidents within 4h initial notification, 24h intermediate, 72h final, 1 month follow-upDORA: stricter timeline; satisfying DORA automatically satisfies NIS2
DESIGNER NOTE: Compliance Overlap Diagram A horizontal table-style graphic showing the eight TPRM areas from the comparison table above as rows. For each row, two colored bars side by side: a blue bar for NIS2 requirements and a red bar for DORA requirements. Where DORA is more prescriptive, the red bar extends further right. The ‘Concentration Risk’ row has only a red DORA bar, no blue NIS2 bar, to show it has no NIS2 equivalent. Caption: ‘For financial entities, meeting DORA satisfies NIS2 on every shared obligation. Concentration risk and the Register of Information are DORA-only.’ Brand navy background.

How to Conduct a Compliance Gap Analysis: A Practical Framework

A compliance gap analysis for NIS2 and DORA TPRM obligations begins with determining which framework applies to which parts of the organization, then mapping current program capabilities against each specific requirement. The output is a prioritized list of gaps, organized by the severity of the supervisory risk they create.

Step 1: Determine Your Regulatory Scope

  • Confirm whether your organization is subject to NIS2 only, DORA only, or both, based on sector, entity size, and national transposition status
  • For groups with entities across multiple sectors, map each legal entity to its applicable framework separately; a non-financial subsidiary in the energy sector faces NIS2, not DORA
  • Identify whether you are an essential entity or important entity under NIS2 (determines penalty exposure and supervisory intensity)
  • Identify whether any of your ICT providers have been designated as CTPPs under DORA (creates specific concentration risk documentation obligations)

Step 2: Inventory Your Third-Party ICT Relationships

  • Collect all existing ICT contracts from procurement, legal, IT, and business unit owners; do not assume the central IT register is complete
  • Map each contract to the functions it supports and classify those functions as critical, important, or non-critical using documented criteria
  • For contracts supporting critical functions, identify subcontractor chains to at least the second tier; DORA’s Register of Information requires this for critical function providers
  • Identify gaps: any ICT service in use that does not have a formal contract is a shadow IT or procurement gap that creates both a compliance and a security risk

Step 3: Assess Each Requirement Against Current Capability

RequirementGap IndicatorTypical Finding
Vendor risk assessment processNo documented methodology for classifying vendors by risk; assessments exist but are not linked to criticality tiersAd hoc assessments for major vendors; no process for newly onboarded or lower-tier vendors
Register of Information completenessRegister covers main IT contracts but misses SaaS subscriptions, cloud services, and contracts held by subsidiaries60-80% completeness is common in first-year submissions; subcontractor data frequently absent
Contractual minimum provisionsExisting contracts lack audit rights, incident notification timelines, or subcontractor disclosure clausesLegacy contracts signed before DORA are the most common gap; renegotiation timelines can exceed 12 months
Ongoing monitoring cadenceVendor reviews happen at contract renewal only; no between-cycle monitoring for security posture changesMost organizations monitor financial stability and SLA performance but not cybersecurity exposure continuously
Concentration risk documentationNo formal analysis of dependence on individual providers for critical functions; CTPP list not mapped to internal vendor recordsCommon in organizations with cloud-heavy infrastructure; three CTPPs often support 80% of critical functions
Exit planningExit clauses exist in contracts but no tested exit procedures or alternative provider identificationPlans exist on paper but have not been rehearsed; data portability provisions untested
Incident reporting capabilityIncident classification process does not distinguish supply chain origin; 4-hour DORA timeline not built into response proceduresMost incident response plans are designed for internally originated incidents; vendor-initiated incidents follow a different and slower path
Where Are Your Largest NIS2 and DORA TPRM Compliance Gaps? Brandefense maps your vendor exposure against both frameworks and surfaces the gaps most likely to attract supervisory attention. Book a Demo

Step 4: Prioritize by Supervisory Risk

  • Register of Information gaps are the highest priority for DORA-covered entities: regulators are actively auditing these and have flagged deficiencies as enforcement priorities in 2026
  • Incident reporting capability gaps are the second priority: a 4-hour DORA notification timeline requires pre-built processes and templates; it cannot be improvised
  • Contractual provision gaps in legacy agreements should be addressed in a structured renegotiation program; prioritize contracts covering critical functions
  • Ongoing monitoring gaps are harder to close with documentation alone; they require either a tooling solution or a resource-intensive manual program
  • Concentration risk documentation can typically be addressed within a compliance program; the analytical work is bounded and the output is documentable

How Continuous Vendor Monitoring Satisfies Both Frameworks Simultaneously

The most operationally efficient approach to NIS2 and DORA TPRM compliance is to build a continuous monitoring program that generates the evidence both frameworks require, rather than running separate compliance initiatives for each regulation.

The core insight is this: DORA’s Article 28(6) ongoing monitoring requirement and NIS2’s implied continuous risk management obligation both point to the same operational capability. An organization that continuously monitors the security posture of its ICT vendors, detects changes in their exposure, and documents that monitoring produces compliance evidence for both frameworks at once. An organization that relies on annual questionnaires satisfies neither.

Monitoring CapabilityNIS2 Obligation It SatisfiesDORA Obligation It Satisfies
External attack surface monitoring of vendor infrastructureSupply chain security assessment; ongoing risk management measures (Art. 21)Ongoing monitoring of ICT third-party performance and security (Art. 28(6))
Dark web monitoring for vendor credential exposureSupplier security practices evaluation; incident detection for supply chain eventsPre-contractual and ongoing due diligence; incident detection capability for vendor-originated events
Vendor vulnerability and CVE trackingSupply chain risk assessment; security in supplier relationships (Art. 21(2)(d))ICT risk management for third-party dependencies; critical function provider oversight
Incident notification from vendor monitoringSignificant incident reporting within 24h/72h; supply chain incident detectionMajor ICT incident reporting within 4h initial notification; vendor incident cooperation (Art. 30)
Concentration risk visibilityBusiness continuity measures; supply chain resilienceConcentration risk assessment and management (Art. 29); CTPP dependency documentation
Continuous asset discovery including shadow ITDigital asset inventory requirement; shadow IT detection under NIS2 SaaS governance obligationsRegister of Information completeness; ICT arrangement inventory (Art. 28(3))

How Brandefense Supports NIS2 and DORA TPRM Compliance

Brandefense CapabilityCompliance Function
External Attack Surface Management (EASM) for vendor domainsContinuously discovers and monitors the external security posture of your ICT vendors, providing the ongoing monitoring evidence required under DORA Art. 28(6) and NIS2 Art. 21
Dark web vendor credential monitoringDetects exposed credentials and data belonging to your ICT vendors on dark web markets and forums, surfacing supply chain compromise indicators before they become incidents
Vendor vulnerability and exploit intelligenceTracks CVEs and active exploitation affecting your vendors’ technology stacks, providing the security posture assessment evidence required for both pre-contractual due diligence and ongoing monitoring
Ransomware group targeting intelligenceMonitors threat actor activity targeting your vendors’ sectors and specific organizations, providing early warning of supply chain attack campaigns
Shadow IT and asset discoveryIdentifies ICT services in use by your organization that may not be captured in your Register of Information, reducing completeness gaps before supervisory review
Continuous 24/7 monitoring with real-time alertingProvides the monitoring cadence required by both frameworks and the detection speed needed to meet DORA’s 4-hour incident notification timeline for supply chain events
RELATED READING Third-Party Risk: How Your Supplier’s Vulnerability Becomes Your Breach:  https://brandefense.io/blog/third-party-risk-management-vendor-breach-cascade/ : The operational risk dimension that underpins NIS2 and DORA’s TPRM requirements Why Vendor Security Questionnaires Do Not Work: https://brandefense.io/blog/why-vendor-security-questionnaires-dont-work/  Why periodic assessments fail to satisfy continuous monitoring obligations under both frameworks The 5-Day Breakout:  https://brandefense.io/blog/breakout-time-vs-dwell-time/ : The threat timeline that gives context to incident reporting deadlines under NIS2 and DORA
Map Your TPRM Program Against NIS2 and DORA Requirements for Compliance.
Visual guide to mapping your third-party risk management program with NIS2 and DORA standards.

SHARE THIS

Get insight, Analysis &
News Straight to Your
Inbox

By submitting this form, you agree to our Privacy Policy

Latest News