Compyl

DORA and NIS2 for US Companies: The 2026 Guide

July 08, 2026
Regulation · DORA & NIS2

DORA and NIS2 for US Companies: The 2026 Guide

By Compyl ResearchUpdated July 20265 min read

DORA and NIS2 are the EU's flagship cyber-resilience laws, and 2026 is the year both grew teeth: the first NIS2 penalties were issued in Q1, DORA entered its first real supervisory enforcement cycle, and the second annual Register of Information submissions closed in March. If you serve EU financial entities or covered supply chains, obligations reach you — usually through customer contracts before any regulator calls.

Key takeaways
  • DORA has applied since Jan 17, 2025; 2026 Register of Information submissions ran through March 31.
  • NIS2 issued its first administrative penalties in Q1 2026, with obligations culminating through October 2026.
  • US vendors feel both laws through customer contracts, registers, and questionnaires.
  • ISO 27001 covers most technical measures — the gaps are 24/72-hour incident clocks and Article 30 contract terms.

Which law applies to you?

DORA NIS2
What it is ICT resilience rules for the EU financial sector Cybersecurity baseline for critical/important entities across 18 sectors
In force Applicable since Jan 17, 2025 Transposition due Oct 17, 2024; compliance culminating through Oct 2026
Who's covered ~22,000 EU financial entities plus their ICT third-party providers Essential and important entities in energy, transport, health, digital infrastructure, and more
US company hook You sell ICT services to EU financial entities — you're in their Register and contract remediation scope You operate EU entities in covered sectors, or supply covered entities
2026 enforcement Register deficiencies and incident-reporting failures are priority targets First administrative penalties issued Q1 2026; management-body personal liability
Penalties Critical ICT providers: periodic payments up to 1% of average daily worldwide turnover Up to €10M or 2% of global turnover; managers can be barred

DORA: what your EU financial customers need from you

  1. Register of Information data. Every EU financial entity files a complete register of ICT arrangements annually (2026 windows ran through late March; ESA consolidation by March 31). Supervisors flagged completeness, subcontractor-chain traceability, and currency as deficiencies — your customers will chase you for LEIs, service taxonomy, and subcontractor chains. Package it once; answer everyone.
  2. DORA-compliant contract terms. Article 30 mandates service descriptions, data locations, access and audit rights, incident cooperation, exit assistance, and subcontracting notification. Pre-2025 MSAs are coming back for remediation.
  3. Incident cooperation. Customers face tight reporting clocks for major ICT incidents; contracts will pass through rapid notification duties — often 24 hours or less.
  4. Resilience testing support. Threat-led penetration testing can require critical providers' participation.

If you are designated a critical ICT third-party provider, EU supervisors oversee you directly — with inspection powers and penalty payments up to 1% of average daily worldwide turnover.

NIS2: the supply-chain squeeze

NIS2 requires covered entities to manage supply-chain security — so even US-only vendors receive NIS2-derived questionnaires and clauses. Core measures: risk analysis and policies, incident handling with 24-hour early warning / 72-hour notification / one-month final report, business continuity, supply-chain security, vulnerability handling, cyber hygiene and training, cryptography, access control, and MFA. Management bodies must approve and oversee these measures personally — the source of the individual-liability pressure now driving urgency, with compliance audits beginning mid-2026 in several member states.

One program, both laws (and your US frameworks)

  • Map once: a single control library mapped to DORA, NIS2, ISO 27001, and NIST CSF 2.0 removes most duplicate work.
  • Fix incident response first: the 24/72-hour clocks are the requirement most US programs fail — build classification and notification to the strictest applicable clock.
  • Know your chain: a live vendor register with tiering feeds customers' RoI needs and your NIS2 duties simultaneously.
  • Contract playbook: pre-approved DORA Article 30 and NIS2 security-clause language keeps sales cycles out of legal limbo.

Compyl maps DORA and NIS2 into the same control library as ISO 27001, SOC 2, and NIST CSF — test once, satisfy many. Vendor Risk Management maintains the subcontractor-chain data Registers demand, contract management tracks Article 30 obligations, and continuous monitoring evidences resilience measures. Financial services teams: see the industry page.

Frequently asked questions

Does DORA apply to US companies directly?
Directly only if you're designated a critical ICT third-party provider — then EU supervisors oversee you, with penalty payments up to 1% of average daily worldwide turnover. Most US providers feel DORA through customer contracts and Register of Information data demands.
What is the DORA Register of Information?
A mandatory register every EU financial entity keeps of all ICT third-party arrangements, filed annually with national authorities and consolidated to the ESAs by March 31. Your customers need your entity identifiers, service classifications, and subcontractor chains.
Has anyone actually been fined under NIS2?
Yes — the first administrative penalties were issued in Q1 2026. Fines reach €10M or 2% of global turnover for essential entities, and managers face personal liability including bans from management functions.
We have ISO 27001 — are we DORA/NIS2 compliant?
Not automatically, but you're most of the way. Common gaps: the 24/72-hour incident clocks, DORA Article 30 contract provisions, resilience testing, and subcontractor transparency.
Which comes first for a US SaaS company?
DORA contract and register readiness if you serve financial entities (demand is active now); NIS2 questionnaire readiness for other covered supply chains. Both start with one control library mapped to both laws.

Answer EU customers with confidence

Compyl unifies governance, risk, compliance and audit on one source of truth — built by CISOs, with a human approving every consequential decision.

Request a demo →

About this guide. By Compyl Research. This is general information, not legal advice — consult counsel for your specific obligations. Compyl is an AI-powered, agentic GRC platform built by CISOs.

Monitoring thousands of environments daily
By clicking “Accept”, you agree to the use of cookies on your device in accordance with our Privacy and Cookie policies