For two years, NIS2 and DORA felt like distant problems. Big regulations, long transposition timelines, lots of consulting noise, but few real consequences. That phase ended.

Across our client base in automotive, fintech, healthcare and manufacturing, the shift over the past six months has been unmistakable. As of 2026, the grace period is over. The informal tolerance period that characterised DORA supervision in 2025 is finished. National regulators across the EU are now in active enforcement mode, conducting supervisory reviews and issuing the first periodic penalty payments. The practical question is no longer whether to comply but whether you can prove compliance on demand.

Who actually needs to comply with NIS2 and DORA in 2026?

NIS2 covers 18 critical sectors, including energy, transport, healthcare, manufacturing, food production, waste management, digital infrastructure, public administration and chemicals. The directive uses a size-cap rule: medium-sized and large entities operating in these sectors fall within scope automatically, regardless of whether they consider themselves “critical.”

This is the part that surprises companies most often. In our work across regulated industries, we’ve watched regional manufacturers, food producers, mid-sized healthcare providers and logistics companies discover they’re classified as “essential” or “important” entities under their national NIS2 laws, often without having received any explicit notification. The European Commission’s January 2026 simplification proposals affect roughly 28,700 companies across the EU.

DORA’s scope is more targeted but reaches further down the supply chain. It applies to financial entities and their ICT third-party service providers. For companies that provide software and operational services to financial entities, demonstrating DORA-aligned controls has become a contractual condition, not an optional credential.

The “I’m not in scope” assumption is the most expensive compliance mistake of 2026.

What are the actual penalties for non-compliance?

NIS2 allows fines of up to €10 million or 2% of total global annual turnover, whichever is higher. Member states can also introduce management accountability measures, meaning executives and board members can be held personally liable.

DORA carries similar weight: fines up to 2% of global turnover or €10 million for financial entities, individual fines up to €1 million for responsible persons, and up to €5 million for designated Critical ICT Third-Party Providers. National implementations vary; Italy, for example, has set ceilings of up to €20 million or 10% of turnover.

The financial penalty is rarely the most damaging consequence. Public disclosure of enforcement actions, temporary suspension of senior managers and reputational damage with regulated counterparties typically matter more.

Why are mid-sized companies struggling more than expected?

Understanding the regulations has rarely been the problem. The gap regulators are now exposing is the distance between knowing what’s required and being able to prove it on demand.

From the gap assessments we’ve run for clients over the past year, the same patterns keep emerging:

  • Controls that exist on paper but lack documented evidence. A policy that hasn’t been reviewed since 2023 doesn’t satisfy NIS2’s continuous improvement requirement. A security measure implemented but never tested doesn’t constitute operational readiness.
  • Backup systems that don’t meet the new bar. If backups are mutable, network-connected, or accessible from production environments, they may already be non-compliant in practice. Recovery Time Objectives will be audited, not just declared.
  • Incident response plans that have never been run. Plans without tested execution are documents, not capabilities.
  • Supply chain risk that hasn’t been mapped. For DORA, the Register of Information has emerged as the single most challenging requirement, with Deloitte research showing 46% of financial entities citing it as their hardest obligation.

Regulators are looking less for technical perfection and more for demonstrable governance maturity.

What does compliance actually look like operationally?

The companies dealing with these regulations well aren’t the ones with the largest security budgets. They’re the ones that did the unglamorous work: mapping controls to specific articles of the regulation, assigning clear ownership, collecting evidence systematically and building incident response procedures that have actually been tested.

It happens to be how we’ve structured our own operations for years, long before NIS2 and DORA became enforceable. A few things we treat as non-negotiable across every client environment we operate:

  • Immutable backup storage with documented restore testing
  • 24-hour early warning capability for significant incidents
  • Multi-factor authentication as a baseline technical measure
  • Documented supply chain risk assessments, including cloud and SaaS providers
  • Board-level cyber governance with documented executive training
  • Continuous evidence collection, not annual audit panics

None of this is technically novel. What’s new is that “we have this somewhere” no longer counts. Documented evidence, tested procedures and clear ownership are the regulatory currency now.

The first step

For most mid-sized companies, the highest-value next step isn’t a new compliance tool. It’s an honest gap assessment: which controls exist, which are documented, which have been tested, and where ownership is unclear.

This is where Ascendro can help. We’ve spent 15+ years building and operating infrastructure for clients in exactly the industries NIS2 and DORA now regulate most heavily – automotive, fintech, healthcare and manufacturing. Our ISO 27001, ISO 9001, and TISAX certifications are the documented result of operating this way for years before the regulations made it mandatory.

If you’re trying to figure out whether your current infrastructure can actually support compliance demands, or you need a partner whose own operations already meet the bar your clients now require, we’re here to talk.
