
Keeping up with the latest compliance and regulatory directives is vital to ensure your organization does not run afoul of measures designed to keep your organization, your customers, and your trading partners safer from cybersecurity threats. This article outlines where two key directives, NIS2 and DORA, stand today and why it is important to be in compliance. As with any compliance measure, non-compliance can result in financial as well as reputational harm. In some cases, as with the NIS2 directive, these penalties can be as high as 10 million euros.
For European Union (EU) members and those doing business with EU entities, two major directives to stay on top of are NIS2 (Network and Information Systems Directive) and DORA (Digital Operational Resilience Act). Both are designed to bolster the cybersecurity and operational resilience of essential and important industry sectors.
As progress towards meeting these regulations varies, staying up to date on requirements and actively working towards meeting them can better unify data security efforts.
"Whether you’re an essential or important organization in the EU or in partnership with an EU-based organization, putting robust technology to protect sensitive data in place can help you meet your increased obligations," said Eduard Sesaras, Lead Solutions Engineer, GoAnywhere MFT. "MFT, or Managed File Transfer, can help essential organizations exchange business-critical information securely, with less risk of human error."
NIS2 Basics
The first NIS directive, initiated in 2016, aimed to improve the cybersecurity of essential services in the EU. It set baseline security requirements for critical industry sectors and laid out several key objectives:
- Enhanced security requirements in the EU, especially for critical industry sectors
- Expanded scope of sectors deemed essential and important, and therefore subject to NIS2 requirements
- More stringent requirements around security and risk management, including better incident reporting and the securing of network and information systems
- A supply chain security focus, to help ensure third-party service providers are meeting cybersecurity standards
- Empowering national authorities to levy penalties for non-compliance
NIS2, which came into being Jan. 15, 2023, seeks to expand upon these efforts. It broadens the list of sectors considered critical to the economy and essential for keeping countries financially stable, healthy and able to communicate. Organizations performing these vital functions must comply with the requirements detailed by NIS2.
These sectors include:
- Transportation
- Banking
- Energy
- Healthcare
- Digital infrastructure
- Postal services
- Space
- Public administration
- Public electronic communications providers
- Information and communication service management
In addition, NIS2 adds clarification to the entities covered as either essential or important, with more stringent oversight applied to “essential” sectors.
NIS2 also requires organizations to report any significant cybersecurity incidents within 24 hours. Regulations were adopted that detail what a significant incident entails, citing criteria like thresholds for financial loss and disruptions to operations.
Non-EU NIS2 Compliance
Organizations based outside the EU may also need to comply with NIS2. If your organization maintains a significant presence or operations within the EU, or if you provide digital services to, or are a supplier or partner of, essential or important entities that are EU-based, you may have contractual compliance requirements. These obligations can vary depending on the specific nature of your interactions.
NIS2 Current Status and Why it Matters
The updated directive has been applicable in the EU since Oct. 2024. As of this writing, only a handful of the 27 member states were in compliance with NIS2, but many more are expected to complete transposition early in 2025. You can monitor the status of each EU member on this NIS2 Tracker. (As of March 6, 2025, only four EU member states, Belgium, Croatia, Italy, and Lithuania, have fully transposed the Network and Information Security Directive (NIS2) into national law.)
The strengthened NIS2 also carries higher penalties for non-compliance, levying up to 10 million euros or 2% of annual turnover, whichever is higher. This can vary across EU member states, as implementing the directive into national law is the responsibility of each country.
Sanctions are also imposed if organizations do not report a significant cybersecurity incident within the 24-hour window. Public reprimands or warnings for non-compliance, as well as operational restrictions, are also on the table for non-compliant organizations.
Understanding DORA
DORA is the other EU regulation that is a focus in 2025. DORA debuted in January 2023 and became fully applicable on Jan. 17, 2025. This regulation aims to strengthen the IT security of a variety of financial entities to ensure that this industry sector is resilient to severe operational disruptions. It also aims to centralize the governance of the security of networks and information systems.
All financial organizations in, or operating in, the EU are subject to DORA requirements. These include banks, payment institutions, insurers, credit rating agencies and investment companies. In addition, third-party ICT (Information and Communications Technology) vendors or providers who support these organizations must also comply.
Compliance with DORA means that these organizations must have established processes to manage their risks and to detect and report any related incidents. They must also share threat intelligence with others in the financial community and perform regular resilience testing.
DORA’s Key Aspects (Effective January 17, 2025)
The financial industry, in the EU as well as elsewhere worldwide, is a key target of cyberthreats, so enhancing the protection of this sensitive data requires adding layers of protection where possible. DORA's focus on third-party information and communications technologies and service providers can help thwart continued threats to financial data.
Key DORA Initiatives
- Scope Expansion: DORA applies to a wide range of financial entities, including banks, insurance companies, investment firms, payment and trading platforms, and their third-party ICT service providers.
- Operational Resilience Requirements: DORA requires applicable financial institutions to implement robust and comprehensive strategies to guard against, respond to and recover from disruptions from ICT-related incidents. This can involve regular testing as well as instituting reporting mechanisms.
- Third-Party Risk Management: DORA places strict requirements on how to manage risks when working with third-party ICT providers. Financial organizations are held liable for their vendors' operational resilience, entailing regular auditing and vulnerability assessments.
- Mandated Incident Reporting: Major ICT incidents must be reported promptly for better transparency and more coordinated responses.
MFT Plays Vital Role in Meeting EU Data Security Requirements
Compliance with NIS2 directives and DORA can be streamlined with a comprehensive, robust managed file transfer (MFT) solution. MFT can ease some of the manual burden and risk of human error that can come with processes needed to securely exchange sensitive data.
"With an MFT solution, organizations in the EU and those working with them can be assured that financial and other sensitive files are secure in motion and at rest. In addition, essential and important organizations can more easily comply with NIS2 requirements and with DORA when a centralized solution for file transfers is in place," added Sesaras. "Features such as encryption protocols, as well as proactive security to ensure bad actors are stopped before they can even enter the MFT environment, can be added to each step in the file transfer process. Plus, the chances of human error drop substantially when these security measures are automatically implemented."
Robust MFT efficiently addresses these major compliance requirements:
- Incident Reporting: Auditing and reporting adds visibility to help organizations conduct prompt incident response investigations and reporting. This is a key tenet of both NIS2 and DORA.
- Risk Management Measures: Data is protected in motion and at rest through strong encryption protocols, helping meet requirements around how data is stored, transmitted and protected.
- Secure Data Storage and Retention: GoAnywhere secures files both in motion and at rest. It protects data in motion with encryption in transit via TLS, SSH and FTPS, and protects data at rest via AES (Advanced Encryption Standard).
- Supply Chain Security: Organizations can limit or define who can send, receive or access files with granular control over who can access data. Both NIS2 and DORA require third-party security vigilance around data.
- System Security: GoAnywhere is secure by design and acts as a secure gateway for file transfers, limiting direct access to internal systems and data. It offers various configuration options to fine-tune security settings, such as automatic IP blocking, proactive security, password policies, access controls, and encryption algorithms.
- Data Governance in the Event of a Crisis: GoAnywhere can be configured for high availability with load balancing and clustering, as well as set up for disaster recovery sites to ensure critical information remains secure in a crisis.
- Protection of Personal Data (per the GDPR): The strong encryption protocols built into GoAnywhere help ensure personal data is protected per GDPR and other data privacy regulations.
- Data Access and Integrity Controls: Strong authentication requirements in GoAnywhere help satisfy this requirement. With GoAnywhere MFT, multi-factor authentication is supported. In addition, you can tailor the level of access and authentication granted for each user in your organization. A dashboard-style interface allows for quick customization of user access.
- Audits and Accountability: The detailed audit and reporting functionality helps satisfy this requirement as well.
GoAnywhere MFT’s Proactive Security Benefit
Also helping to address risk management is proactive security from Threat Brain, a one-of-a-kind threat intelligence feature in GoAnywhere. This built-in feature aggregates indicators from Fortra's portfolio of cybersecurity solutions to continuously identify and block IPs with a bad reputation or malicious intent before those threats enter the MFT environment.
GoAnywhere MFT Helps Meet NIS2 and DORA Requirements
Learn how a secure, automated file transfer solution can help meet the requirements for NIS2, DORA, and other compliance standards to protect your most sensitive files in motion and at rest.