
NIS2 and DORA: how CyberVadis supports regulatory compliance

Understand how the CyberVadis assessment maps to NIS2 and DORA requirements, what these regulations mean for your company, and how your scorecard can support your compliance efforts.

Written by Ana Nikolaeva

Cybersecurity regulations are expanding rapidly across Europe. Two of the most significant, NIS2 and DORA, now directly affect a broad range of companies and their supply chains. If your organisation is subject to either regulation, the CyberVadis assessment can support your compliance efforts in a meaningful way.

What are NIS2 and DORA?

NIS2 (Network and Information Security Directive 2)

NIS2 is a European Union directive that requires organisations in critical and important sectors, including energy, transport, healthcare, financial services, digital infrastructure, and others, to implement robust cybersecurity risk management measures. Crucially, NIS2 also extends obligations to the supply chains of these organisations, meaning vendors and suppliers may be indirectly subject to its requirements through their clients.

DORA (Digital Operational Resilience Act)

DORA is a European Union regulation specifically targeting the financial sector and its ICT service providers. It requires financial institutions and the technology companies that support them to demonstrate operational resilience against cybersecurity threats, including through structured risk assessments, incident reporting, and third-party risk management.

How the CyberVadis assessment maps to these regulations

The CyberVadis methodology is built to align with multiple major regulatory frameworks simultaneously, including NIS2, DORA, ISO 27001, NIST, and GDPR. This means that by completing the CyberVadis assessment, your company is evaluated against the security controls and risk management practices that these regulations require, without needing to undergo a separate assessment for each framework.

Your scorecard and improvement plan reflect your performance against both frameworks, giving you a clear picture of where your security posture meets regulatory expectations and where gaps remain.

How your scorecard supports compliance

Your CyberVadis scorecard can be used in several ways to support your NIS2 and DORA compliance efforts:

  • As evidence of third-party risk management for clients subject to NIS2 or DORA supply chain requirements

  • As a structured baseline assessment to identify gaps relative to regulatory requirements

  • As a reference document in internal compliance reviews or regulatory audits

  • As a communication tool to demonstrate to clients, auditors, and regulators that your cybersecurity posture has been independently validated

An important distinction

Completing the CyberVadis assessment supports your compliance journey but does not in itself certify or guarantee NIS2 or DORA compliance. Regulatory compliance involves obligations beyond cybersecurity assessment, including governance, incident reporting, contractual requirements, and more. The CyberVadis assessment addresses the cybersecurity risk management component of these obligations.

If you have specific questions about how your CyberVadis results relate to your regulatory obligations, we recommend consulting your legal or compliance team alongside your scorecard and improvement plan.

Questions

If you have questions about how the CyberVadis methodology maps to NIS2, DORA, or any other regulatory framework, contact your account manager or reach out to us at support@cybervadis.com.
