NIS2 and DORA Compliance for SaaS: A Complete Guide for European Businesses

The NIS2 (Network and Information Security Directive 2) and DORA (Digital Operational Resilience Act) regulations are fundamentally reshaping digital tool governance across European businesses. For CIOs, CISOs, and DPOs, managing SaaS and AI is no longer just a matter of efficiency — it's a legal obligation. This guide covers the requirements, timelines, and compliance strategies you need to know.

NIS2: What the Directive Changes for Businesses

What Is NIS2?

The NIS2 directive (EU 2022/2555), which came into effect in October 2024, significantly broadens the scope of mandatory cybersecurity across Europe. It replaces the 2016 NIS1 directive and now applies to a much larger number of organizations.

Who Is Affected?

NIS2 applies to "essential entities" and "important entities" across 18 sectors, including:

Size threshold: Any company with more than 50 employees OR revenue exceeding €10M in these sectors is affected, regardless of size if it is considered critical.

Key Obligations for SaaS Management

NIS2 imposes obligations directly related to SaaS and AI tool governance:

1. Supply chain risk management: Companies must identify, assess, and manage risks associated with their digital suppliers and service providers. This includes SaaS vendors and AI tools used by employees.

2. Digital asset mapping: A complete inventory of information systems, including SaaS applications, is mandatory. Shadow IT and Shadow AI must be detected and documented.

3. Incident notification: Significant security incidents must be reported to the competent authority (ANSSI in France) within 24 hours (early warning), with a full report within 72 hours.

4. Executive accountability: Senior management is personally responsible for overseeing cybersecurity measures. Executives must undergo cybersecurity training.

NIS2 Penalties

DORA: Digital Operational Resilience

What Is DORA?

The DORA regulation (EU 2022/2554), applicable since January 2025, is specific to the financial sector. It aims to ensure that financial entities can withstand, respond to, and recover from disruptions related to information and communication technologies (ICT).

Who Is Affected?

DORA applies to the entire European financial sector:

• Banks and credit institutions
• Insurance and reinsurance companies
• Asset management firms
• Investment firms
• Market infrastructures (exchanges, clearing houses)
• Payment service providers
• Fintech and crypto-asset companies
• Their critical ICT service providers (cloud, SaaS, infrastructure)

The 5 Pillars of DORA

Pillar 1: ICT Risk Management

Financial entities must establish a comprehensive ICT risk management framework, including:

• Identification and classification of all ICT assets (including SaaS)
• Continuous risk assessment
• Protection, detection, response, and recovery measures
• Business continuity plans

Pillar 2: Incident Management and Reporting

• Classification of ICT incidents using harmonized criteria
• Notification to authorities within 4 hours (major incidents)
• Mandatory interim and final reports

Pillar 3: Operational Resilience Testing

• Advanced penetration testing (TLPT — Threat-Led Penetration Testing) every 3 years for significant entities
• Regular continuity and recovery testing

Pillar 4: Third-Party Risk Management

This is the most impactful pillar for SaaS management:

• ICT provider registry: Complete inventory of all service providers, classified by criticality
• Risk assessment: Each SaaS and AI vendor must be evaluated (security, resilience, dependencies)
• Contractual clauses: SaaS contracts must include specific clauses (audit rights, incident notification, data portability, exit plans)
• Concentration: Entities must monitor the concentration of their dependencies on critical third-party providers

Pillar 5: Information Sharing

Voluntary exchange of cyber threat and vulnerability information between financial entities.

The Intersection of NIS2 × DORA × SaaS Management

The Problem: Shadow IT and Shadow AI Make Compliance Impossible

If your organization doesn't know which SaaS and AI tools are in use, it cannot:

• Maintain the ICT provider registry (DORA Pillar 4)
• Assess supply chain risks (NIS2)
• Classify AI systems (EU AI Act)
• Ensure personal data isn't processed outside the proper framework (GDPR)
• Report an incident if it doesn't know which tool has been compromised

According to Avanoo data, companies discover on average 8.65 times more tools than they thought they were using. Every unregistered tool is a gap in compliance.

The Solution: A SaaS and AI Governance Platform

A structured four-step approach:

Step 1: Full Discovery

Map all SaaS and AI tools used across the organization, including Shadow IT and Shadow AI. Avanoo cross-references SSO, billing, proxy, and browser extension data to deliver a comprehensive inventory in under 15 minutes.

Step 2: Classification and Risk Assessment

Each tool is evaluated against NIS2 and DORA criteria:

• Business criticality
• Type of data processed
• Hosting location (EU / non-EU)
• Vendor security policy
• Dependency and concentration level

Avanoo's application management lets you centralize this classification.

Step 3: Governance and Policies

Define policies by tool category:

• Approved: Compliant, audited, contract in place
• Restricted: Limited use with conditions
• Prohibited: Non-compliant, mandatory alternative

Issue management lets you track non-compliance and follow remediation plans.

Step 4: Ongoing Monitoring

Compliance isn't a one-off project. New tools appear every week, regulations evolve, and risks shift. Continuous analytical monitoring of the digital supply chain is essential.

Compliance Timeline

NIS2/DORA Compliance Checklist for SaaS

Governance

• Senior management is trained on cyber risks
• A Chief Information Security Officer (CISO) is appointed
• An ICT risk management policy is documented and approved
• Cybersecurity budgets are allocated and tracked

Mapping

• The complete SaaS application inventory is up to date
• Shadow IT is detected and documented
• Shadow AI is mapped
• Each SaaS vendor is classified by criticality level

Vendors

• SaaS contracts include mandatory DORA clauses
• Vendor risk assessments are documented
• Dependency concentration is monitored
• Exit plans exist for critical vendors

Incidents

• An incident notification process is in place
• Notification deadlines are met (24h for NIS2, 4h for DORA)
• Incident reports are archived
• Crisis management exercises are conducted regularly

Testing

• Resilience tests are performed annually
• Penetration tests (TLPT) are scheduled (every 3 years)
• Business continuity plans are tested

FAQ

What's the difference between NIS2 and DORA?

NIS2 is a directive that applies to 18 industry sectors and covers cybersecurity broadly. DORA is a regulation specific to the financial sector, focused on digital operational resilience. If you operate in the financial sector, you must comply with both.

Is my company with fewer than 50 employees affected by NIS2?

In principle, no — unless you are a critical ICT provider for an entity subject to NIS2 or DORA. If you provide SaaS services to banks, hospitals, or energy operators, you may be indirectly affected.

How do I prove compliance?

Compliance is demonstrated through documentation: ICT provider registry, risk assessments, security policies, incident reports, and testing evidence. A SaaS governance platform like Avanoo simplifies the production of this documentation.

What's the relationship between NIS2/DORA and GDPR?

GDPR protects personal data, NIS2 protects networks and information systems, and DORA protects the operational resilience of the financial sector. These three regulations complement each other: a non-compliant SaaS tool can violate all three simultaneously.

What budget should I plan for compliance?

The budget varies significantly depending on the size of the organization and its maturity level. The main cost areas are: tooling (SaaS governance platform), consulting (legal and technical advisory), training (executives and employees), and testing (penetration, resilience). An effective starting point: map your SaaS and AI usage to identify the most urgent compliance gaps.

Conclusion

NIS2 and DORA are not abstract regulations — they impose concrete obligations around mapping, assessing, and governing the digital tools used by your organization. Shadow IT and Shadow AI make compliance impossible until they are detected and brought under control.

Companies that invest now in structured SaaS and AI governance gain a competitive advantage: they reduce their risks, demonstrate compliance, and accelerate their digital transformation securely.

Discover how Avanoo can map your SaaS and AI ecosystem in 15 minutes →