CC-04 · Regulatory cybersecurity

NIS2 DORA

We coordinate the regulatory and procedural side of NIS2 and DORA; the technical part is covered by Summum Sistemas’ own SOC.

ClusterCons. + Sistemas
Applicabilitycritical sectors
Trans. deadlineend of 2026

NIS2 extends the scope of the original NIS directive to medium-sized companies and sectors previously exempt: postal services, waste management, manufacture of critical products, and digital service providers. DORA does the equivalent for the financial sector.

What both directives require goes well beyond installing antivirus software: an incident management policy, regulatory notification within deadlines, contracts with critical ICT suppliers containing specific clauses, an operational continuity plan, and training.

We handle the legal and procedural side; the in-house SOC at Summum Sistemas covers the technical layer (EDR, SIEM, incident response). One implementation, two coordinated disciplines.

EssentialEnergy
EssentialTransport
EssentialBanking
EssentialHealthcare
EssentialWater
EssentialDigital
ImportantPostal services
ImportantWaste management
ImportantChemicals
ImportantFood
ImportantManufacturing
ImportantInvestigation

The NIS2 DORA process.

The process · four stages
01

Applicability

We determine whether your company falls under NIS2 or DORA. The directive significantly expanded the scope.

02

Diagnosis

Requirements mapped against what you already have. Most organisations unknowingly meet 30–40% already.

03

Implementation

Incident management, ICT supplier contracts, continuity plan, training.

04

Notification

Procedures: 24h first alert, 72h initial report, 1 month final report.

What is included

What NIS2 DORA includes.

The operational detail: what we deliver as part of the engagement and what we keep active afterwards.

  • Applicability assessment

    NIS2/DORA tables by sector and size, with documented justification.

  • Incident management plan

    Detection, classification, containment, recovery. Aligned with your ISO 27001.

  • Notification procedures

    Templates for regulatory deadlines and client communication.

  • ICT supplier contracts

    Specific clauses required by the regulation in current and new contracts.

  • Operational continuity plan

    Aligned with ISO 22301. Annual drill.

  • Senior management training

    Explicit board responsibility under NIS2.

Regulatory framework

The regulatory framework.

NIS2 covers essential services. DORA covers the financial sector. Same skeleton.

EU NIS2 Applicable to this service
EU DORA Applicable to this service
INCIBE CCN-CERT Applicable to this service
ES trans. Applicable to this service

Frequently asked questions about NIS2 DORA.

How do I know if NIS2 applies to me?

Medium-sized companies (>50 employees or >€10M) in extended sectors. Initial assessment within 48 hours.

What about DORA?

DORA applies to financial entities and their critical ICT providers.

Does NIS2 overlap with ISO 27001?

~60%. If you already hold ISO 27001, NIS2 represents an additional 40%, not 100%.