DORA and NIS2 for US Companies: The 2026 Guide
DORA and NIS2 are the EU's flagship cyber-resilience laws, and 2026 is the year both grew teeth: the first NIS2 penalties were issued in Q1, DORA entered its first real supervisory enforcement cycle, and the second annual Register of Information submissions closed in March. If you serve EU financial entities or covered supply chains, obligations reach you — usually through customer contracts before any regulator calls.
- DORA has applied since Jan 17, 2025; 2026 Register of Information submissions ran through March 31.
- NIS2 issued its first administrative penalties in Q1 2026, with obligations culminating through October 2026.
- US vendors feel both laws through customer contracts, registers, and questionnaires.
- ISO 27001 covers most technical measures — the gaps are 24/72-hour incident clocks and Article 30 contract terms.
Which law applies to you?
| DORA | NIS2 | |
|---|---|---|
| What it is | ICT resilience rules for the EU financial sector | Cybersecurity baseline for critical/important entities across 18 sectors |
| In force | Applicable since Jan 17, 2025 | Transposition due Oct 17, 2024; compliance culminating through Oct 2026 |
| Who's covered | ~22,000 EU financial entities plus their ICT third-party providers | Essential and important entities in energy, transport, health, digital infrastructure, and more |
| US company hook | You sell ICT services to EU financial entities — you're in their Register and contract remediation scope | You operate EU entities in covered sectors, or supply covered entities |
| 2026 enforcement | Register deficiencies and incident-reporting failures are priority targets | First administrative penalties issued Q1 2026; management-body personal liability |
| Penalties | Critical ICT providers: periodic payments up to 1% of average daily worldwide turnover | Up to €10M or 2% of global turnover; managers can be barred |
DORA: what your EU financial customers need from you
- Register of Information data. Every EU financial entity files a complete register of ICT arrangements annually (2026 windows ran through late March; ESA consolidation by March 31). Supervisors flagged completeness, subcontractor-chain traceability, and currency as deficiencies — your customers will chase you for LEIs, service taxonomy, and subcontractor chains. Package it once; answer everyone.
- DORA-compliant contract terms. Article 30 mandates service descriptions, data locations, access and audit rights, incident cooperation, exit assistance, and subcontracting notification. Pre-2025 MSAs are coming back for remediation.
- Incident cooperation. Customers face tight reporting clocks for major ICT incidents; contracts will pass through rapid notification duties — often 24 hours or less.
- Resilience testing support. Threat-led penetration testing can require critical providers' participation.
If you are designated a critical ICT third-party provider, EU supervisors oversee you directly — with inspection powers and penalty payments up to 1% of average daily worldwide turnover.
NIS2: the supply-chain squeeze
NIS2 requires covered entities to manage supply-chain security — so even US-only vendors receive NIS2-derived questionnaires and clauses. Core measures: risk analysis and policies, incident handling with 24-hour early warning / 72-hour notification / one-month final report, business continuity, supply-chain security, vulnerability handling, cyber hygiene and training, cryptography, access control, and MFA. Management bodies must approve and oversee these measures personally — the source of the individual-liability pressure now driving urgency, with compliance audits beginning mid-2026 in several member states.
One program, both laws (and your US frameworks)
- Map once: a single control library mapped to DORA, NIS2, ISO 27001, and NIST CSF 2.0 removes most duplicate work.
- Fix incident response first: the 24/72-hour clocks are the requirement most US programs fail — build classification and notification to the strictest applicable clock.
- Know your chain: a live vendor register with tiering feeds customers' RoI needs and your NIS2 duties simultaneously.
- Contract playbook: pre-approved DORA Article 30 and NIS2 security-clause language keeps sales cycles out of legal limbo.
Compyl maps DORA and NIS2 into the same control library as ISO 27001, SOC 2, and NIST CSF — test once, satisfy many. Vendor Risk Management maintains the subcontractor-chain data Registers demand, contract management tracks Article 30 obligations, and continuous monitoring evidences resilience measures. Financial services teams: see the industry page.
Frequently asked questions
Does DORA apply to US companies directly?
What is the DORA Register of Information?
Has anyone actually been fined under NIS2?
We have ISO 27001 — are we DORA/NIS2 compliant?
Which comes first for a US SaaS company?
Answer EU customers with confidence
Compyl unifies governance, risk, compliance and audit on one source of truth — built by CISOs, with a human approving every consequential decision.
About this guide. By Compyl Research. This is general information, not legal advice — consult counsel for your specific obligations. Compyl is an AI-powered, agentic GRC platform built by CISOs.