Who is responsible for complying with DORA and NIS2?

Who is responsible for complying with DORA and NIS2

Personal responsibility for complying with DORA and NIS2

The entry into force of DORA (Digital Operational Resilience Act) and NIS 2 (Directive on Security of Network and Information Systems 2) regulations poses new challenges for the financial and other key economic sectors. However, many organizations are wondering who will be responsible for complying with these regulations and what the consequences are. This article aims to address these concerns.

DORA Regulation

DORA (Digital Operational Resilience Act) is an EU regulation aimed at strengthening the financial sector’s operational resilience in the context of dependence on information and communication technologies (ICT). DORA aims to strengthen the cyber security and operational resilience of all entities operating in the EU financial sector. This means that not only banks and financial institutions will have to comply with the new regulations, but also all providers of services critical to their business, such as cloud service providers and software vendors.

Responsibility for DORA compliance rests with the boards of these organizations. In practice, this means that boards must make decisions on security policies, provide adequate resources to implement those policies, and oversee compliance. The DORA regulation was published on December 14, 2022. It entered into force on January 16, 2023, and will begin to be applied on January 17, 2025.

Who is responsible for complying with NIS2 and DORA

NIS2 Directive

NIS2 (Directive of the European Parliament and the Council (EU) 2022/2555) was published on December 14, 2022. and its implementation deadline 2 is October 17, 2024. Like DORA, NIS2 aims to increase the digital resilience of key economic sectors but focuses on a broader spectrum of sectors, not just financial. With NIS 2, the responsibility also falls on the organization’s boards of directors, which must approve security policies, monitor compliance, and take steps to manage risks.

Who is responsible for complying with DORA

Consequences of violating NIS2 regulations

Violations of the NIS 2 directive carry a variety of consequences depending on the type of entity. Tougher sanctions are provided for key players that play a vital role in the digital security system. These include. The ability to perform remote inspections and surveillance, conduct audits, request information on risk management measures and cyber security policies. If violations are found, authorities can issue warnings, impose binding orders or administrative fines. For key players, the maximum administrative penalty is €10,000,000 or 2% of the company’s total annual worldwide turnover. In special circumstances, there is also the possibility of temporary suspension of certification or authorization, as well as a ban on management functions for those responsible. Individuals managing or representing a company can also be held liable for failure to comply with the directive, which applies to both key and important players. For valid entities, the penalties are slightly lower, at €7,000,000 or 1.4% of total annual turnover.

Consequences of not complying with DORA regulations

Failure to comply with DORA can lead to serious consequences for the company, including administrative sanctions by national regulators. Based on Art. 50 para. 4 of the DORA regulation, possible sanctions include requiring the cessation of certain practices or conduct deemed to be in violation of these regulations, taking measures to ensure continued compliance with legal requirements (including financial sanctions), making data transfer records available, and issuing public notices indicating the identity of the violator and the nature of the violation. The scale of these sanctions could significantly affect the company’s operations, including the potential termination of its operations. The nature of these sanctions is proportionate, effective and deterrent, and their application depends on the degree of violation and intent (whether the violation was intentional or not). Ultimately, in the event of a violation by an organization, liability may fall not only on the organization as a whole, but also on the members of the governing body and others who are liable for such violations under national law.


In summary, compliance with DORA and NIS 2 is the responsibility of the organization’s boards. They are the ones who must approve security policies, monitor compliance and manage risks. No matter how large your organization is, this is a task that cannot be neglected, given the potential consequences of a breach. Therefore, boards should play a key role in ensuring that their organizations are ready for the new regulations.

In both cases, liability is personal, meaning that individual board members may face consequences for failing to meet their obligations under these regulations. This should prompt boards to take proactive steps to understand, implement and comply with the new regulations.

The responsibility for complying with DORA and NIS2 is therefore great, but knowledge and proper preparation can help meet these requirements and minimize risks.

Ebook DORA and NIS2

Here’s a comprehensive ebook on the DORA and NIS 2 regulations. From the ebook you will be able to learn such things as:

  • Which organizations are covered by DORA and NIS2?
  • Who is responsible for implementing DORA and NIS2 in organizations?
  • What are the consequences of not complying with DORA and NIS2? Who bears them?
  • What is the “size-cap rule” in NIS2? How to find out if an organization is subject to it?

At Secfense, we focus on making it easy and efficient for our customers to move away from passwords and replace them with strong phishing-resistant with strong based on passwordless FIDO. Hence, we cannot leave this report unanswered on the key issues of strong authentication. Hence, the ebook will provide answers to questions such as:

  • Do DORA and NIS2 require strong authentication in an organization’s applications?
  • Are all applications covered by DORA and NIS2 regulations?
  • Does DORA limit strong authentication to only methods that use asymmetric cryptography?
  • Is every IT provider an “ICT third-party provider” according to DORA, and do they have to use strong authentication?

To download our ebook, we encourage you to sign up for our newsletter, in which we will announce its publication, as well as to follow our publications on Linkedin, Facebook and Twitter.

Antoni takes care of all the marketing content that comes from Secfense. Read More


We are faced with new challenges every day. We must always be one step ahead of the attackers and know what they are going to do before they do it. We are convinced that the User Access Security Broker will bring security to a new level, both for those working at the office and from home. For us, working with Secfense is an opportunity to exchange experience with developers who put great value on out-of-the-box thinking.

Krzysztof Słotwiński

Business Continuity and Computer Security Officer

BNP Paribas Bank Poland

As part of the pre-implementation analysis, we verified that users utilize a wide range of client platforms: desktop computers, laptops, tablets, smartphones, and traditional mobile phones. Each of these devices differs in technological advancement, features, and level of security. Because of this, and also due to the recommendation of the Polish Financial Supervision Authority (UKNF), we decided to introduce additional protection in the form of multi-factor authentication mechanisms based on FIDO. As a result, users of our applications can log in safely, avoiding common cyber threats such as phishing, account takeover, and theft of their own and their clients’ data.

Marcin Bobruk



We are excited to partner with Secfense to enhance our user access security for our web apps. By integrating their User Access Security Broker, we ensure seamless and secure protection for our applications and systems, delivering superior security and convenience to our customers.

Charm Abeywardana

IT & Infrastructure

Visium Networks

Before investing in Secfense, we had the opportunity to talk to its existing clients. Their reactions were unanimous: wow, it’s so easy to use. We were particularly impressed by the fact that implementing their solution does not require the involvement of IT developers. It gives Secfense a huge advantage over the competition, and at the same time opens the door to potential customers who so far were afraid of changes related to the implementation of multi-factor authentication solutions.

Mateusz Bodio

Managing Director


Even when the network and infrastructure are secured enough, social engineering and passwords can be used to gain control of the system by attackers. Multifactor authentication is the current trend. Secfense addresses this and allows you to build zero trust security and upgrade your current systems to passwordless applications within minutes, solving this problem right away,” said Eduard Kučera, Partner at Presto Ventures and cybersecurity expert – former Director in hugely successful Czech multinational cyber security firm Avast.

Eduard Kučera


Presto Ventures

One of the biggest challenges the world is facing today is securing our identity online. That’s why we were so keen to have Secfense in our portfolio. They make it possible to introduce strong authentication in an automated way. Until now, organizations had to selectively protect applications because the deployment of new technology was very hard, or even impossible. With Secfense, the implementation of multi-factor authentication is no longer a problem, and all organizations can use the highest standards of authentication security.

Stanislav Ivanov

Founding Partner

Tera Ventures

Two-factor authentication is known to be one of the best ways to protect against phishing; however, its implementation has always been difficult. Secfense helped us solve that problem. With their security broker, we were able to introduce various 2FA methods on our web applications at once.

Dariusz Pitala

Head of IT