Image credit: Created for TheCIO.uk by ChatGPT
One resilience model, three regimes
Most boards now face the same question in three different accents.
Are we ready for NIS2, for DORA and for the new UK Cyber Security and Resilience Bill, or are we quietly hoping nobody joins the dots across them?
The risk team sees overlapping regulations. The lawyers see different legal instruments and jurisdictions. The technology and security teams see the same incident queues, the same suppliers and the same systems that have to carry all of it.
If you treat NIS2, DORA and the UK bill as three separate projects, you end up with three piles of paperwork and one exhausted organisation. Treated properly, they are three views of the same thing: how critical services stay available, trustworthy and recoverable under stress.
This feature is written so that when a chair or regulator asks how you are aligning across the regimes, you can do more than point at a slide with logos. You can describe one operating model that everyone else will end up copying.
The same story told three ways
All three regimes grew out of the same anxiety. Digital systems now are infrastructure. Outages and compromises roll quickly into social, political and economic damage.
NIS2 is the European attempt to tighten the original NIS Directive. It widens the net to more sectors and more entities, increases the expectations on risk management and incident reporting, and makes senior management personally responsible for overseeing cyber security. It is aimed at the organisations that keep economies functioning: energy, transport, health, digital infrastructure providers, managed services and other essential operators.
DORA is the financial sector taking a hard look in the mirror. After years of fragmented rules that treated technology as a side topic under “outsourcing” or “operational risk”, DORA pulls everything into one digital operational resilience regime for banks, insurers, payment providers, investment firms and the infrastructure that connects them. It goes beyond the regulated entities themselves and pulls critical ICT providers into the supervisory spotlight.
The UK Cyber Security and Resilience Bill is the domestic answer. It updates the UK’s implementation of NIS, expands scope to include data centres and managed service providers, and gives regulators sharper powers on enforcement and incident reporting. It is also being introduced at a time when the UK government is signalling a tougher stance on ransomware and on the resilience of essential services.
Different instruments, slightly different philosophies, but the same underlying story. Regulators want critical services to prepare for disruption, limit the blast radius when things go wrong and recover in a predictable way, with senior leaders accountable for the outcome.
Who is actually in scope
The most important early step is deceptively simple. You need a clear answer to the question “who exactly are we, in regulatory terms?”
For NIS2, the story is about essential and important entities. Essential entities include obvious critical sectors: energy grids, gas operators, rail, aviation, ports, hospitals, major digital infrastructure, providers of drinking water and certain public administrations. Important entities extend into areas such as postal and courier services, waste management, manufacturing of key products, and a wide range of digital and managed services.
Size thresholds and detailed criteria vary by member state, but if you are mid sized or larger in one of those sectors, or you provide digital infrastructure or services that other critical entities depend on in the EU, NIS2 is no longer an abstract Brussels conversation. It is your day job.
For DORA, scope is defined by financial regulation. Credit institutions, investment firms, insurance and reinsurance undertakings, payment and e money institutions, certain crypto asset service providers, central securities depositories, trading venues and related infrastructure all sit under the regime. On top of that, any technology or cloud providers that are designated as “critical ICT third party providers” to the financial sector will find themselves directly supervised at European level.
The UK Cyber Security and Resilience Bill keeps the original NIS view on “essential services” but modernises it. Energy, transport, health, water and core digital infrastructure remain in focus. However, the bill explicitly pulls data centres, large managed service providers and other operators whose failure would create systemic disruption into the net. Suppliers who once felt safely in the background now realise they are part of the critical infrastructure conversation.
If you operate group structures across the UK and EU, or if you provide technology to critical sectors, you can very easily sit in all three worlds at once. A UK headquartered financial group with EU branches will face DORA duties for its European financial entities, NIS2 duties for certain digital services and infrastructure, and UK bill duties for its domestic operations and suppliers. A cloud or data centre provider with regional presence in both markets may find itself in scope under NIS2, DORA and the UK bill simultaneously.
You cannot sensibly manage that by spinning up three separate programmes.
The obligations that rhyme
Once you stop reading the regimes as legal text and start reading them as operating expectations, a pattern appears.
First, all three place cyber and technology resilience at board and senior management level. NIS2 talks explicitly about the “management body” approving and overseeing cyber risk measures and undergoing regular training. DORA makes the management body responsible for defining the ICT risk framework and integrating it into business strategy. The UK bill reinforces regulator expectations that boards treat cyber resilience as a principal risk, with real financial penalties where they do not.
Second, all three are built on the idea of structured risk management. They are not a static checklist of controls. They expect you to understand the services that matter most, the assets and processes that support them, the threats they face and the measures you have chosen to manage that risk. They also expect those measures to be “appropriate and proportionate” given your role and impact.
Third, they all care more about incidents and continuity than they do about neat documentation. Classification, reporting, containment, communication and recovery are central themes. Regulators are prepared for the fact that you will have imperfect information in the first hours of a major incident. What they will not accept is silence, delay or a lack of structure.
Fourth, they converge on the supply chain. You are expected to understand who you depend on, under what terms, with what monitoring and with what fall back options. This is where DORA’s focus on critical ICT providers, NIS2’s emphasis on supply chain risk and the UK bill’s inclusion of data centres and MSPs all meet. Regulators are no longer willing to accept “our supplier let us down” as an explanation without seeing how you governed that relationship.
Fifth, they expect continuous testing and learning. That includes technical testing, such as penetration tests and resilience exercises, but also scenario and crisis simulations that involve the board, executives and key suppliers. Paper readiness is not enough.
The themes rhyme strongly. If you design once against those themes, you can evidence compliance across all three regimes with far less duplication.
The tyranny of the 24 and 72 hour clocks
The most tangible pressure that NIS2, DORA and the UK bill impose on operations is the acceleration of incident reporting.
NIS2 sets a three step model for significant incidents. There is an early warning within 24 hours, a more detailed notification within 72 hours, and a final report within a month when investigations have matured. That cycle is designed to get regulators into the picture early, even if details are still emerging.
DORA does something similar for major ICT related incidents in financial services. It sets out common criteria for classification, pushes firms towards harmonised assessment of severity and expects timely initial reports followed by structured updates. The precise mechanics are being crystallised through supervisory guidance and technical standards, but the expectation is already clear. You will not be waiting a week before informing your supervisor that core payment services have been disrupted.
The UK Cyber Security and Resilience Bill lands in the same place. It moves UK incident reporting from “as soon as reasonably practicable” to a model that mirrors 24 hour initial reporting and 72 hour follow up for significant incidents, alongside existing data protection duties to the Information Commissioner’s Office.
This is where a single operating model really matters. You cannot afford one incident team trying to decide whether to report under NIS2, a second team thinking about DORA, a third debating whether the UK bill applies and a fourth worrying about data protection timelines. By the time they align, your 24 hours are gone.
The practical answer is to adopt one classification scheme, one set of triggers and one reporting engine. That engine should be designed to meet the tightest common clocks. When severity thresholds are crossed, the default becomes early engagement with relevant regulators, with tailored updates as facts sharpen, rather than a nervous wait for more certainty.
The regulators know that your first 24 hour report will be imperfect. They want to see that you have understood the impact, started sensible containment and are being honest about what you know, what you do not know and what you are doing next.
Governance and personal accountability
One of the most significant shifts in this new landscape is cultural. ICT and cyber resilience are no longer topics that boards can delegate entirely to a single executive and then forget.
NIS2 is blunt about this. The management body must approve and oversee cyber risk management measures. Senior figures are expected to receive training, to keep their knowledge current and to be able to demonstrate this when challenged. In serious cases, personal sanctions such as temporary bans from management functions are on the table.
DORA takes a slightly different tone, but the effect is the same. Management bodies in financial entities must define and approve the ICT risk management framework, allocate resources, set risk tolerance and integrate digital operational resilience into the broader risk and business strategy. Supervisors will not be impressed if the board treats DORA as a niche technology compliance issue.
The UK bill, combined with the existing NCSC Cyber Assessment Framework and the trend in enforcement, reinforces this direction. When something goes wrong in a hospital, a utility or a major transport operator because of a cyber incident, attention quickly moves from the specialist teams to the executives and non executives who signed off the risk posture.
For technology and security leaders, this shift creates both pressure and opportunity. On the one hand, expectations of clarity and competence at board level are rising. On the other, you have a strong lever to secure time on the agenda, to influence risk appetite discussions and to attach budgets to tangible regulatory and resilience outcomes.
The most effective organisations will be those where the board can explain, in their own language, how NIS2, DORA and the UK bill apply, what the main exposure points are and what is being done about them. That only happens if you build a structured education programme for senior leadership, supported by regular reporting that tracks meaningful indicators rather than vanity metrics.
The supply chain is where it gets painful
Ask anyone who has lived through a sizeable cyber incident and they will tell you. It is not the well segmented core system or the high profile public website that trips you up. It is the third party remote access tool, the forgotten integration, the shared service that sits just out of sight.
NIS2 forces entities to think about supply chain security across the lifecycle of their products and services. That runs from procurement through contracting, onboarding, monitoring, assurance and, if necessary, exit. It recognises that systemic risk often accumulates in the dependencies that everyone assumes “just work.”
DORA devotes a whole pillar to ICT third party risk. It sets clear expectations on how financial entities identify critical providers, what must go into contracts, how rights of access and audit should work, how incident cooperation will function and how concentration risk will be assessed. It also creates an oversight framework for those critical providers at European level.
The UK Cyber Security and Resilience Bill closes a gap that many practitioners have worried about for a decade. By bringing data centres, managed services and similar operators squarely into the regulatory perimeter, it acknowledges that resilience depends as much on those firms as it does on the traditional “operators of essential services.”
If you are a CIO or CISO, this presents a challenge. You are being asked to take accountability for a landscape you do not fully control. Contracts, procurement habits, legacy sourcing decisions and business unit relationships all shape your third party risk.
The only sustainable answer is to treat your extended supply chain as part of your architecture, not an externality. That means a single tiering model for suppliers that reflects regulatory concepts like “essential entity”, “important entity”, “critical ICT provider” and “critical infrastructure supplier.” It means standard terms for high tier contracts that incorporate the most demanding of the regulatory expectations, and a joint assurance approach that looks at evidence, not just questionnaires.
It also means bringing critical suppliers into your testing and exercising programme. There is little point running an impressive internal crisis simulation if the cloud provider that underpins your key service is not involved in the scenario.
From three rulebooks to one operating model
So how do you translate all of this into something that can actually be run?
One useful way is to think about six interconnected layers of an operating model.
At the top sits strategy and risk appetite. Here, you are clear that digital operational resilience is a strategic topic, not a narrow technology issue. You define what level of disruption is tolerable, for how long, in which services, and you recognise that NIS2, DORA and the UK bill sharpen the boundaries of that tolerance.
Below that is your control framework. You select a primary framework that fits your organisation, such as the NCSC Cyber Assessment Framework, ISO 27001, NIST CSF or a blended approach, and you map regulatory articles and expectations onto that structure. The control exists once. The tags indicating that it supports NIS2, DORA or the UK bill sit on top.
The third layer is architecture and engineering. This is where you design networks, identity, access, applications, data flows, logging, monitoring, backup and recovery in a way that reflects your risk appetite and control framework. It is easier to evidence compliance when your architecture is deliberately built to support containment, detection and recovery.
The fourth is operations and incident management. Here you define how you detect abnormal activity, how you classify incidents, how you assemble and run response teams, how you communicate internally and externally and how you coordinate regulators across regimes. The 24 hour and 72 hour clocks live here.
The fifth is third party and ecosystem management. This is where your supplier tiering model, contract standards, assurance processes and joint exercises sit. It is also where you look at shared sector services, such as payments infrastructure, utilities, health platforms or transport control systems, and understand how your resilience depends on them.
The final layer is testing, assurance and continuous improvement. Regular scenario exercises, technical tests, audits and reviews all feed into one learning loop. Evidence of these activities and the decisions they inform becomes the material you use with regulators and boards.
The alignment question then becomes much simpler. Each of the three regimes has slightly different expectations at each layer. Your job is to design each layer once, at a level that satisfies the strictest relevant requirement, and then explain that design in the language of each regime where necessary.
An alignment roadmap for the next year
If you are looking for a practical way to move, think in quarters rather than trying to boil the ocean.
In the early phase, the focus is on mapping and framing. Confirm which entities, services and locations are in scope for NIS2, DORA and the UK bill. Identify the regulators and supervisory bodies you will deal with. Build a unified view of critical services and supporting assets, even if each regime uses different terminology. Brief the board and executive team so they understand the overall picture in plain language.
The next phase is about design. Choose your primary control framework and run a structured mapping of regulatory requirements into it. Identify obvious gaps and quick wins. Design a single incident classification and reporting model that can carry all three regimes. Design or refine your supplier tiering and contract standards.
The third phase is about embedding. Update policies, playbooks and standard operating procedures so that teams see one consistent set of expectations. Tune monitoring, logging and case management tools so they naturally collect the evidence you will need when reporting incidents or demonstrating control effectiveness. Start to adjust architectural patterns where clear weaknesses appear.
The final phase is about proving and refining. Run integrated exercises that combine cyber scenarios, operational disruption and regulatory reporting. Involve senior management and critical suppliers. Capture lessons honestly, feed them back into design and show progress over time. Use internal audit and external review selectively to challenge your own view.
Throughout, keep the communications simple. The board does not need to read every article of every regulation. They do need to see that you understand where you stand today, where you need to be and how you intend to get there.
What good looks like when it works
Look ahead twelve months and imagine what a well aligned organisation could confidently say.
It can describe, without hesitation, which parts of its business fall under NIS2, which under DORA, which under the UK bill and where the overlaps are. The board and executive team can explain, in their own words, what they are personally on the hook for and how they discharge that responsibility.
There is one risk and control framework rather than three. Controls are designed with resilience in mind and carry clear references to the regulatory expectations they support. Incident response teams can move from detection to meaningful, regulator facing communication inside the 24 hour window without panic.
Supplier conversations have matured. Critical providers understand that they are part of the regulatory picture, not just vendors, and contracts and joint processes reflect that reality. Exercises and real incidents alike produce structured learning that flows back into design, not just glossy debrief slides.
Perhaps most importantly, the regulatory lens has become a way to have better conversations about investment, trade offs and risk appetite, rather than a threat used only when budgets are under pressure.
That is the kind of organisation others will benchmark against.
Final thought
NIS2, DORA and the UK Cyber Security and Resilience Bill are not separate storms that happen to be passing at the same time. They are three vantage points on the same weather system.
Treat them as competing demands and you will drown in mapping spreadsheets and arguments over wording. Treat them as a combined mandate to build one clear, testable and evidence rich resilience model and they become a useful forcing function.
The choice sits with technology and security leaders.
What is your take on the alignment journey? Are these regimes helping you win better decisions on architecture, investment and operating model, or are they adding noise to an already crowded risk landscape?
Let us share the good, the bad and the messy middle so that others can reference real practice, not just read the regulations and hope for the best.
