CyberXplore - Xplore the Unseen

NIS2 & DORA Readiness

Get audit-ready for the EU's NIS2 Directive and DORA with senior-led gap analysis, ICT risk controls, and threat-led testing.

Readiness snapshot - example.com (sample, illustrative)

NIS2 / DORA · Governance controls: 0 ready · 2 partial · 3 gaps

  GOV-01  Governance & risk management       PARTIAL
  IAM-02  Identity & access management       PARTIAL
  MON-03  Logging & monitoring               GAP
  IR-04   Incident response                  GAP
  TPR-05  Third-party / supply-chain risk    GAP

Legend: Covered · Partial · Gap · Unassessed
What is NIS2 & DORA?

NIS2 & DORA readiness is the structured process of aligning your organisation with the EU NIS2 Directive (Directive (EU) 2022/2555) and the Digital Operational Resilience Act (Regulation (EU) 2022/2554) - covering ICT risk management, mandatory incident reporting, supply-chain and third-party oversight, and operational resilience testing including threat-led penetration testing (TLPT). CyberXplore acts as your independent advisory partner: our senior, OSCP/CRTP/CREST-certified consultants run hands-on gap assessments, build the evidence and governance you need, and deliver TLPT mapped to the TIBER-EU framework. We are a specialist offensive-security and compliance consultancy, not a national competent authority - we get you genuinely ready for supervisory scrutiny rather than selling a paper checklist.

EU NIS2 Directive (2022/2555) · DORA (Regulation 2022/2554) · TIBER-EU · ISO 27001 · NIST CSF · MITRE ATT&CK

Why CyberXplore

  • Senior-only testers (OSCP, CRTP, CREST)
  • ISO 27001 & ISO 9001 certified
  • Free retest + attestation letter
  • Tailored scope and quote in 24 hours

Why it matters

NIS2 dramatically widens scope to thousands of 'essential' and 'important' entities across energy, transport, health, digital infrastructure, finance, and managed service providers - with senior management held personally accountable and fines up to EUR 10 million or 2% of global turnover.

DORA imposes binding ICT risk, incident-reporting, and resilience-testing obligations on financial entities and their critical ICT third-party providers, with strict reporting deadlines measured in hours, not days.

Both regimes demand evidence of operational resilience under real attack conditions - DORA's advanced TLPT and NIS2's testing expectations cannot be satisfied by automated scans or self-attestation alone.

Supply-chain and third-party ICT risk is now a first-class legal obligation: regulators expect documented oversight, contractual controls, and concentration-risk analysis across your vendor estate.

Aligned with industry standards: EU NIS2 Directive (2022/2555) · DORA (Regulation 2022/2554) · TIBER-EU · ISO 27001 · NIST CSF · MITRE ATT&CK

Our methodology

  1. Applicability & Scoping

     We determine whether you fall under NIS2 (essential vs. important entity) and/or DORA (financial entity or critical ICT third party), map in-scope systems, services, and supplier dependencies, and agree the regulatory objectives for the engagement.

  2. Gap Assessment

     Our senior consultants assess your current ICT risk-management framework, governance, incident processes, and resilience testing against NIS2 Articles 20-23 and DORA's five pillars, producing a prioritised gap register with clear ownership.

  3. Remediation Roadmap & Control Design

     We translate gaps into a pragmatic, risk-ranked remediation roadmap - defining policies, risk treatment, third-party contract clauses, incident-classification and reporting workflows, and the evidence each control must generate.

  4. Threat-Led Penetration Testing (TLPT)

     For DORA's advanced testing requirement we run intelligence-led red team exercises aligned to TIBER-EU and MITRE ATT&CK, emulating realistic threat actors against your critical functions to validate detection, response, and resilience.

  5. Incident-Reporting & Resilience Validation

     We pressure-test your incident-reporting capability against DORA and NIS2 timelines (early warning, intermediate, and final reports) and validate business-continuity and recovery arrangements through tabletop and technical exercises.

  6. Audit-Readiness & Evidence Pack

     We assemble a supervisory-ready evidence pack, brief your management body on its accountability obligations, and provide a re-assessment to confirm remediated gaps are closed before any regulator or auditor engagement.

What we test

  • NIS2 / DORA applicability determination and entity classification
  • ICT risk-management framework, governance, and management-body accountability
  • Incident detection, classification, and mandatory reporting workflows and timelines
  • Supply-chain and ICT third-party risk oversight, contracts, and concentration risk
  • Digital operational resilience testing strategy and programme design
  • Threat-led penetration testing (TLPT) scoping aligned to TIBER-EU
  • Business continuity, ICT response, and recovery (backup, RTO/RPO) arrangements
  • Information-sharing, threat-intelligence, and vulnerability-handling processes
  • Asset, configuration, and identity & access management controls
  • Policy, evidence, and documentation review against NIS2 and DORA articles

What you get

  • Applicability and scoping memo confirming NIS2 and/or DORA obligations
  • Detailed gap-assessment report mapped to NIS2 Articles 20-23 and DORA's five pillars
  • Prioritised remediation roadmap with owners, effort estimates, and target dates
  • Incident-reporting playbook aligned to regulatory notification timelines
  • Third-party / supply-chain risk register and contract-clause guidance
  • Threat-led penetration testing (TLPT) report with attack narrative and resilience findings (when in scope)
  • Supervisory-ready evidence pack and a management-body accountability briefing

Sample deliverable

What you'll see in your report

Every engagement ends with a clear, prioritised report: severity-rated findings with CVSS scores, affected assets, and remediation status - plus a free retest. The figures below are illustrative.

Findings by severity (17 total): Critical 0 · High 4 · Medium 7 · Low 6

  CX-1902 · High · CVSS 7.5 - MFA not enforced for administrative access
    NIS2 Art. 21(2)(j) · Admin & VPN accounts · Open

  CX-1908 · High · CVSS 7.1 - No centralized logging & incident detection
    NIS2 Art. 21(2)(b) · Production environment · Open

Illustrative security control gap assessment sample - anonymized to example.com.

Want the full anonymized sample report? We'll include it with your quote.


Ready to scope your engagement?

Tell us what you need tested - get a tailored scope and quote within 24 hours.

Proof, not promises

Teams that tested with us


Shared under NDA · details anonymized

"Senior testers, fast turnaround, and a free retest that actually proved our fixes worked. They made our SOC 2 audit painless."

- VP of Engineering, Series B FinTech · Payments platform (SOC 2 passed first attempt)

Certifications held by our testers

  • OSCP
  • CRTP
  • CREST
  • CEH
  • eWPTX
  • ISO 27001
  • ISO 9001

Frequently asked questions

NIS2 applies to medium and large entities in 18 sectors deemed 'essential' or 'important' - including energy, transport, health, digital infrastructure, and managed service providers. DORA applies to financial entities (banks, insurers, investment firms, crypto-asset providers and more) and their critical ICT third-party providers. We start every engagement with an applicability assessment so you know exactly which obligations bind you, since some organisations fall under both.

Walk into your next audit with evidence, not promises.

Tell us your framework and timeline - we'll scope your readiness plan in 24 hours, from gap analysis to auditor-ready evidence.

  • Free retest on every fix
  • Scoped quote within 24 hours
  • Senior-only testers
  • ISO 27001
  • ISO 9001
  • OSCP
  • CRTP
  • CREST