Tobias Massow
NIS2, DORA and the EU AI Act 2026 are taking effect simultaneously for the first time. A single security incident involving an AI system in the financial sector can trigger three distinct reporting obligations at once. CIOs now face a critical choice: launch three separate compliance projects – or adopt an integrated approach. Their decision will determine whether this wave of regulation becomes an opportunity or a cost trap.
Over the past three years, the EU has rolled out a regulatory package that fundamentally reshapes IT governance across European enterprises. Three complex laws – each significant in its own right – will for the first time operate concurrently in 2026: the NIS2 transposition law (enforcement starting October 2026), the Digital Operational Resilience Act (DORA) for the financial sector (in force since January 2025), and the EU AI Act’s high-risk obligations (effective August 2026).
The challenge isn’t each law individually – it’s their overlap. A financial services provider deploying an AI system for credit scoring falls under NIS2 (as an operator of essential services), DORA (as a financial entity), and the EU AI Act (as an operator of a high-risk AI system). A security incident involving that system could therefore trigger three separate reporting duties – with differing deadlines, forms, and supervisory authorities.
According to an ADVISORI analysis, many companies misjudge the extent of overlap among these three regulations. They treat each as a standalone project and build three isolated compliance silos. This triples effort – and creates contradictions: NIS2 requires reporting within 24 hours; DORA mandates reporting of severe ICT incidents within just 4 hours. Maintaining two distinct reporting processes risks delaying both.
“NIS2 is law – not optional. Cybersecurity must be anchored as a core responsibility of executive management.” – Bitkom President Ralf Wintergerst (2025)
Germany’s NIS2 transposition law entered into force in December 2025. Enforcement begins in October 2026. The number of affected companies jumps from roughly 4,500 under the original NIS Directive to an estimated 29,500. Coverage extends to 18 sectors – and applies to companies with at least 50 employees or €10 million in annual turnover.
Core obligations include risk management measures aligned with Section 30 of the BSI Act (BSI – Federal Office for Information Security), an incident reporting system requiring initial notification within 24 hours, regular audits and evidence submissions, and supply chain security. For CIOs, one provision stands out: Executive management must supervise implementation – and faces personal liability in cases of gross negligence. NIS2 makes cybersecurity a leadership responsibility, not merely an IT concern.
Heise Online reported that German companies are largely ignoring their NIS2 obligations. Many don’t even know whether they fall under the law. While the BSI has published a self-assessment tool to determine applicability, corporate self-evaluations diverge significantly from legal reality. Supply chain requirements are especially underestimated: Even companies not directly subject to NIS2 may be drawn in indirectly – as suppliers to NIS2-covered entities. That chain extends all the way to the supplier’s IT service provider.
For CIOs, budgeting is central: According to Bitkom, affected companies estimate initial NIS2 implementation costs between €100,000 and €500,000 – depending on size and maturity. Firms already certified to ISO 27001 require less effort. Those starting from scratch should prepare for the upper end. Ongoing costs for audits, monitoring, and personnel add further pressure.
The Digital Operational Resilience Act has applied across the European financial sector since 17 January 2025 – including banks, insurers, payment institutions, securities firms, and their critical ICT third-party providers. DORA focuses squarely on digital operational stability and mandates comprehensive ICT risk management.
Its obligations are concrete: Companies must identify, assess, and treat ICT risks; report severe ICT incidents to their supervisory authority within 4 hours; conduct regular resilience testing – including Threat-Led Penetration Tests (TLPT); and monitor and verify the resilience of critical ICT third-party providers.
For financial institutions also covered by NIS2, this means: dual reporting obligations for incidents, potentially conflicting risk management expectations, and two separate supervisory bodies demanding evidence. Although BaFin has signaled its intent to align oversight with NIS2, practical harmonization remains incomplete.
Compounding this is the requirement to manage ICT third-party risk. DORA obliges financial firms to identify, assess, and oversee their critical ICT service providers. Cloud providers, SaaS vendors, and managed service providers must be contractually bound to meet defined security standards. European supervisory authorities (ESAs) may directly supervise particularly critical third parties. For CIOs, this transforms vendor management from best practice into a formal compliance obligation.
Sources: BSI, BaFin, EU Official Journal
The EU AI Act adopts a risk-based approach with four tiers: prohibited practices (in force since February 2025), high-risk systems (starting August 2026), limited-risk systems (transparency obligations), and minimal-risk systems (no obligations). For CIOs, the high-risk category is decisive: AI systems used in recruitment, credit scoring, critical infrastructure, or law enforcement face strict documentation, testing, and oversight requirements.
The challenge for CIOs? Many companies still don’t know which of their AI systems qualify as high-risk. An AI-powered HR screening tool that pre-sorts job applications is high-risk. An internal IT helpdesk chatbot likely is not. The boundary isn’t always clear – and misclassification carries heavy consequences: fines up to €35 million or 7% of global annual turnover.
In practice, this means CIOs must compile a complete inventory of all AI systems, classify each, and – for high-risk systems – build extensive technical documentation. This includes risk management systems, data governance rules, technical documentation, record-keeping obligations, transparency requirements, human oversight mechanisms, and robustness and cybersecurity safeguards. The EU AI Act also requires conformity assessments before placing high-risk systems on the market. General-purpose AI models like GPT or Claude face additional transparency obligations – regardless of the risk level of their specific application.
The AI literacy requirement has been in force since February 2025: Companies must ensure staff operating AI systems possess adequate knowledge. Training programs should already be underway. In practice, most DACH-region companies still lack them.
For organizations already subject to NIS2 and DORA, the EU AI Act adds a third compliance layer. A bank’s AI-powered fraud detection system touches all three regulations: DORA (ICT risk management), NIS2 (security of essential services), and the EU AI Act (high-risk AI). That demands either an integrated governance framework – or three separate teams generating substantial redundancy.
Experts estimate integrated compliance management saves significant implementation effort versus siloed projects. The key lies in a shared foundation: ISO 27001 covers core requirements of all three regulations – risk management, incident response, documentation, and continuous improvement.
Step 1: Unified risk analysis. Rather than conducting three separate analyses for NIS2, DORA, and the AI Act, CIOs should develop one integrated assessment covering all three perspectives. An AI system is evaluated simultaneously for IT security risks (NIS2), operational resilience (DORA), and AI-specific risks (AI Act).
Step 2: Consolidated reporting. A single incident response team trained and authorized to handle all three reporting obligations. The shortest deadline (DORA’s 4-hour window) becomes the standard. Meeting that automatically satisfies NIS2’s 24-hour requirement.
Step 3: Shared documentation. A centralized compliance register covering all AI systems, IT systems, and ICT third-party providers. Each system is catalogued once and assessed against all three regulations – eliminating duplication and ensuring no gaps remain.
Step 4: Consolidated board reporting. The board doesn’t need three separate compliance reports. A unified report showing maturity across all three regulations delivers strategic oversight – and cuts reporting burden for the IT organization.
Deadlines are non-negotiable. CIOs choosing the integrated path should complete a compliance mapping exercise by April 2026: Which requirements from NIS2, DORA, and the AI Act overlap? Where are the gaps? Which existing controls can serve multiple purposes?
By June 2026, the AI inventory must be finalized. Every AI system must be classified: high-risk or not? DORA-relevant or not? NIS2-critical or not? Without this inventory, no compliance strategy can succeed.
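The inventory and classification step above, together with Steps 1 to 3 of the integrated approach, can be expressed as a single compliance register that evaluates each system once against all three regulations, derives the binding reporting deadline from the shortest applicable one, and flags regimes a system has not yet been assessed against. The following is an added illustration, not code from the article or from any regulator: the reporting deadlines (4 and 24 hours), the NIS2 size thresholds, and the high-risk AI use cases are taken from the article, while the attribute names, the modelling of sector coverage as a flag, and the sample inventory are this example's own assumptions.

```python
from dataclasses import dataclass, field

# High-risk AI use cases named in the article for the EU AI Act.
HIGH_RISK_USE_CASES = {
    "recruitment", "credit_scoring", "critical_infrastructure", "law_enforcement",
}

# Initial incident notification deadlines in hours, as stated in the article.
# The article states no incident deadline for the AI Act, so it is absent here.
REPORTING_DEADLINE_HOURS = {"NIS2": 24, "DORA": 4}

# NIS2 size thresholds quoted in the article (at least 50 employees or
# EUR 10 million annual turnover); sector coverage is modelled as a flag.
NIS2_MIN_EMPLOYEES = 50
NIS2_MIN_TURNOVER_EUR = 10_000_000


@dataclass
class System:
    """One row of the register; attribute names are this example's own."""
    name: str
    is_ai: bool
    use_case: str               # e.g. "credit_scoring", "helpdesk"
    financial_entity: bool      # operator is a DORA financial entity
    nis2_sector: bool           # operator is in one of the NIS2 sectors
    employees: int
    turnover_eur: int
    supplier_to_nis2_entity: bool = False           # indirect NIS2 exposure
    assessed_for: set = field(default_factory=set)  # regimes already assessed


def applicable_regimes(s: System) -> set:
    """Step 1: evaluate one system against all three regulations at once."""
    regimes = set()
    if s.nis2_sector and (s.employees >= NIS2_MIN_EMPLOYEES
                          or s.turnover_eur >= NIS2_MIN_TURNOVER_EUR):
        regimes.add("NIS2")
    if s.financial_entity:
        regimes.add("DORA")
    if s.is_ai and s.use_case in HIGH_RISK_USE_CASES:
        regimes.add("AI_ACT")
    return regimes


def binding_deadline_hours(regimes: set):
    """Step 2: the shortest applicable reporting deadline becomes the standard."""
    deadlines = [REPORTING_DEADLINE_HOURS[r] for r in regimes
                 if r in REPORTING_DEADLINE_HOURS]
    return min(deadlines) if deadlines else None


def assessment_gaps(s: System) -> set:
    """Step 3: regimes that apply but against which the system is not yet assessed."""
    return applicable_regimes(s) - s.assessed_for


def register_report(systems) -> dict:
    """Consolidated view, one entry per system, for the board report (Step 4)."""
    report = {}
    for s in systems:
        regimes = applicable_regimes(s)
        report[s.name] = {
            "regimes": regimes,
            "deadline_hours": binding_deadline_hours(regimes),
            "gaps": assessment_gaps(s),
            # Not directly in scope, but pulled in via a NIS2-covered customer.
            "nis2_supply_chain": s.supplier_to_nis2_entity and "NIS2" not in regimes,
        }
    return report


# Constructed sample inventory (fictitious systems and figures).
SAMPLE_INVENTORY = [
    System("credit-scoring-model", True, "credit_scoring", True, True, 3000, 900_000_000,
           assessed_for={"NIS2", "DORA"}),
    System("it-helpdesk-chatbot", True, "helpdesk", True, True, 3000, 900_000_000,
           assessed_for={"NIS2", "DORA"}),
    System("hr-screening-tool", True, "recruitment", False, False, 200, 40_000_000,
           supplier_to_nis2_entity=True),
]

if __name__ == "__main__":
    for name, row in register_report(SAMPLE_INVENTORY).items():
        print(name, sorted(row["regimes"]), row["deadline_hours"],
              sorted(row["gaps"]), row["nis2_supply_chain"])
```

The credit-scoring model lands in all three regimes with a 4-hour deadline and an open AI Act gap; the helpdesk chatbot stays out of the high-risk tier but still inherits the bank's NIS2 and DORA duties; the HR screening tool at a non-NIS2 company is high-risk under the AI Act only, with no incident deadline from this register, but is marked as indirectly exposed to NIS2 through its customer.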
By August 2026, high-risk AI systems must comply with the EU AI Act. By October 2026, NIS2 implementation must be demonstrably complete. Missing these deadlines risks not only fines – but personal liability for executive management. This regulatory collision is no theoretical exercise. It’s the real-world stress test for digital governance across European enterprises.
Financial services providers deploying high-risk AI systems are most heavily impacted – including banks, insurers, and payment institutions using AI for credit scoring, fraud detection, or risk modeling. They fall under DORA (financial sector), NIS2 (essential services), and the EU AI Act (high-risk AI).
NIS2 requires initial reporting of serious incidents to the BSI within 24 hours. DORA mandates reporting of severe ICT incidents to the relevant financial supervisory authority within 4 hours. Companies subject to both should adopt the 4-hour standard as their baseline.
NIS2: Up to €10 million or 2% of global annual turnover.
DORA: Sanctions set by national financial supervisors.
EU AI Act: Up to €35 million or 7% of global annual turnover for violations of high-risk obligations.
Yes. ISO 27001 covers core requirements across all three regulations: risk management, incident response, documentation, and continuous improvement. Organizations with existing ISO 27001 certification enjoy a substantial head start.
NIS2 and DORA impose personal liability on executive management in cases of gross negligence. The CIO is liable if they demonstrably oversaw inadequate measures. A well-documented compliance strategy and regular board reporting provide the strongest protection.
Header Image Source: Christian Wasserfallen / Pexels