NIS2 – A digital evolution in which only the resilient survive

The implementation of the DORA Regulation and the NIS2 Directive marks a fundamental shift in the European approach to IT security, moving the burden of responsibility from reactive measures to strategic, documented management of operational resilience. In the current regulatory environment, effective implementation of these standards has become not only a strict legal requirement but, above all, a key criterion for assessing an organization’s business maturity and credibility on an international scale.

In May 2026, the European IT regulatory landscape became a real structure determining the operating model of thousands of businesses. The full implementation of the DORA (Digital Operational Resilience Act) regulation and the NIS2 directive marked a turning point in risk management. For the financial sector, critical infrastructure operators and their suppliers, digital resilience is no longer the domain of IT departments alone. It has become a foundation of market confidence and a prerequisite for business continuity.

The end of ‘compliance on paper’

For years, compliance in the area of cyber security was seen as a formal process – filling in questionnaires and periodic audits that rarely affected the day-to-day architecture of systems. The year 2026 brought a brutal verification in this matter. Regulators such as BaFin and national supervisory authorities have moved away from declarative control to operational verification.

The pressure is now on CIOs and security officers because DORA and NIS-2 impose an obligation to demonstrate an actual ability to repel an attack, rather than merely to have procedures in place. Market statistics indicate that organisations that were too late in mapping their critical processes today face not only legal risks but, more importantly, operational vulnerabilities, which in the age of advanced ransomware threats are becoming a critical weak point.

The financial and operational ‘to be or not to be’

In light of the new regulations, the costs of non-compliance go far beyond administrative fines, which in the case of NIS-2 can be as high as EUR 10 million or 2% of total annual turnover. The real threat to boards of directors is the possibility of supervisory authorities imposing temporary bans on executive functions or restrictions on business activities.

From a business perspective, financial and insurance institutions are de facto technology companies with a licence to trade capital. In this ecosystem, every hour of downtime of critical systems generates losses running into millions of euros. DORA therefore forces a change in thinking: digital resilience is not an expense, but an insurance policy for operational continuity. The implementation of an advanced ICT risk management framework makes it possible to identify bottlenecks that have hitherto been ignored in spreadsheets and which, in a crisis situation, could paralyse an organisation.

Personal accountability: Management on the front line

One of the most groundbreaking aspects of NIS-2 and DORA is the definitive end of the era of delegating responsibility for security solely to the ‘operational level’. Article 20 of NIS-2 and the relevant provisions of DORA make it clear that management bodies are responsible for approving risk management measures and overseeing their implementation.

In practice, this means that board members can be held personally liable for gross negligence in the area of cyber security. This legal change has forced a massive professionalisation of management. We are seeing a trend where knowledge of the basic concepts of digital resilience has become a competence required on a par with the ability to analyse financial statements. Organisations that have been successful in adapting to the new requirements are those where the CISO has a direct reporting line to the board and cyber security is a standing agenda item in strategy meetings.

Supply chain management: The knock-on effect

Third-party risk management has proven to be the biggest challenge for medium and large companies. NIS-2 introduces a kind of ‘domino effect’. Key and important players are required to verify security standards with all their suppliers. This makes a smaller software house or cloud provider that does not meet security standards a toxic link in the supply chain.

For many companies, compliance has become a powerful sales tool. In 2026, DORA compliance certification or demonstration of a high level of maturity according to NIS-2 are more important arguments than price in B2B procurement processes and tenders. Companies that have not invested in the auditability of their systems are being systematically squeezed out of lucrative contracts in the critical infrastructure, finance and energy sectors. From a market perspective, there is a natural selection: security has become a prerequisite (entry barrier) for cooperation with major market players.

Modernisation of technology debt through regulation

Paradoxically, stringent regulatory requirements have become the ideal argument for many CIOs in the battle for budgets to modernise legacy systems. Legacy systems, often lacking vendor support, are now the biggest barrier to achieving digital resilience. DORA, by requiring regular resilience testing (including advanced testing of

Rather than stacking security layer upon security layer on a fragile foundation, market leaders have opted for a deep redesign of the technology landscape, which in the long term lowers IT TCO.

Resilience as the new currency of trust

In 2026, the trust of customers and business partners is a paramount value. A security incident at one financial firm can shake the stability of the entire sector, which is why regulators are placing so much emphasis on collaboration and reporting.

Market insights show a correlation between an organisation’s cyber security transparency and its market valuation. Investors are increasingly including a ‘digital resilience indicator’ in ESG-type assessments. Compliance has thus ceased to be seen as a burden and has started to be regarded as evidence of operational maturity.
