NIS2 & DORA readiness is the structured process of aligning your organisation with the EU NIS2 Directive (Directive (EU) 2022/2555) and the Digital Operational Resilience Act (Regulation (EU) 2022/2554) - covering ICT risk management, mandatory incident reporting, supply-chain and third-party oversight, and operational resilience testing including threat-led penetration testing (TLPT). CyberXplore acts as your independent advisory partner: our senior, OSCP/CRTP/CREST-certified consultants run hands-on gap assessments, build the evidence and governance you need, and deliver TLPT mapped to the TIBER-EU framework. We are a specialist offensive-security and compliance consultancy, not a national competent authority - we get you genuinely ready for supervisory scrutiny rather than selling a paper checklist.
EU NIS2 Directive (2022/2555) · DORA (Regulation 2022/2554) · TIBER-EU · ISO 27001 · NIST CSF · MITRE ATT&CK
Why CyberXplore
Senior-only testers (OSCP, CRTP, CREST)
ISO 27001 & ISO 9001 certified
Free retest + attestation letter
Tailored scope and quote in 24 hours
Why it matters
NIS2 dramatically widens scope to thousands of 'essential' and 'important' entities across energy, transport, health, digital infrastructure, finance, and managed service providers - with senior management held personally accountable and fines up to EUR 10 million or 2% of global turnover.
DORA imposes binding ICT risk, incident-reporting, and resilience-testing obligations on financial entities and their critical ICT third-party providers, with strict reporting deadlines measured in hours, not days.
Both regimes demand evidence of operational resilience under real attack conditions - DORA's advanced TLPT and NIS2's testing expectations cannot be satisfied by automated scans or self-attestation alone.
Supply-chain and third-party ICT risk is now a first-class legal obligation: regulators expect documented oversight, contractual controls, and concentration-risk analysis across your vendor estate.
Aligned with industry standards: EU NIS2 Directive (2022/2555) · DORA (Regulation 2022/2554) · TIBER-EU · ISO 27001 · NIST CSF · MITRE ATT&CK
Our methodology
01
Applicability & Scoping
We determine whether you fall under NIS2 (essential vs. important entity) and/or DORA (financial entity or critical ICT third party), map in-scope systems, services, and supplier dependencies, and agree the regulatory objectives for the engagement.
02
Gap Assessment
Our senior consultants assess your current ICT risk-management framework, governance, incident processes, and resilience testing against NIS2 Articles 20-23 and DORA's five pillars, producing a prioritised gap register with clear ownership.
03
Remediation Roadmap & Control Design
We translate gaps into a pragmatic, risk-ranked remediation roadmap - defining policies, risk treatment, third-party contract clauses, incident-classification and reporting workflows, and the evidence each control must generate.
04
Threat-Led Penetration Testing (TLPT)
For DORA's advanced testing requirement we run intelligence-led red team exercises aligned to TIBER-EU and MITRE ATT&CK, emulating realistic threat actors against your critical functions to validate detection, response, and resilience.
05
Incident-Reporting & Resilience Validation
We pressure-test your incident-reporting capability against DORA and NIS2 timelines (early warning, intermediate, and final reports) and validate business-continuity and recovery arrangements through tabletop and technical exercises.
06
Audit-Readiness & Evidence Pack
We assemble a supervisory-ready evidence pack, brief your management body on its accountability obligations, and provide a re-assessment to confirm remediated gaps are closed before any regulator or auditor engagement.
What we test
NIS2 / DORA applicability determination and entity classification
ICT risk-management framework, governance, and management-body accountability
Incident detection, classification, and mandatory reporting workflows and timelines
Supply-chain and ICT third-party risk oversight, contracts, and concentration risk
Digital operational resilience testing strategy and programme design
Threat-led penetration testing (TLPT) scoping aligned to TIBER-EU
Business continuity, ICT response, and recovery (backup, RTO/RPO) arrangements
Information-sharing, threat-intelligence, and vulnerability-handling processes
Asset, configuration, and identity & access management controls
Policy, evidence, and documentation review against NIS2 and DORA articles
What you get
Applicability and scoping memo confirming NIS2 and/or DORA obligations
Detailed gap-assessment report mapped to NIS2 Articles 20-23 and DORA's five pillars
Prioritised remediation roadmap with owners, effort estimates, and target dates
Incident-reporting playbook aligned to regulatory notification timelines
Third-party / supply-chain risk register and contract-clause guidance
Threat-led penetration testing (TLPT) report with attack narrative and resilience findings (when in scope)
Supervisory-ready evidence pack and a management-body accountability briefing
Sample deliverable
What you'll see in your report
Every engagement ends with a clear, prioritised report: severity-rated findings with CVSS scores, affected assets, and remediation status - plus a free retest. The figures below are illustrative.
Findings by severity (17 total)
Critical: 0
High: 4
Medium: 7
Low: 6
High · CVSS 7.5 · CX-1902
MFA not enforced for administrative access
NIS2 Art. 21(2)(j) · Admin & VPN accounts · Open

High · CVSS 7.1 · CX-1908
No centralised logging & incident detection
NIS2 Art. 21(2)(b) · Production environment · Open

Medium · CVSS 5.6 · CX-1914
Incident response plan untested
DORA Art. 11 · IR programme · Open

Illustrative security control gap assessment sample - anonymised to example.com.
Want the full anonymized sample report? We'll include it with your quote.
“Senior testers, fast turnaround, and a free retest that actually proved our fixes worked. They made our SOC 2 audit painless.”
VP of Engineering, Series B FinTech · Payments platform
Outcome: SOC 2 passed first attempt
Certifications held by our testers
OSCP
CRTP
CREST
CEH
eWPTX
ISO 27001
ISO 9001
Frequently asked questions
NIS2 applies to medium and large entities in 18 sectors deemed 'essential' or 'important' - including energy, transport, health, digital infrastructure, and managed service providers. DORA applies to financial entities (banks, insurers, investment firms, crypto-asset providers and more) and their critical ICT third-party providers. We start every engagement with an applicability assessment so you know exactly which obligations bind you, since some organisations fall under both.