https://sovereignshift.eu/tags/dora/ Recent content in DORA on Sovereign Shift Hugo en Wed, 22 Apr 2026 00:00:00 +0000 https://sovereignshift.eu/blog/nis2-dora-digital-sovereignty/ Wed, 22 Apr 2026 00:00:00 +0000 https://sovereignshift.eu/blog/nis2-dora-digital-sovereignty/ <p>Two pieces of EU legislation, NIS2 and DORA, are fundamentally changing how European organisations must think about their technology suppliers. Neither regulation bans US cloud providers. But both make it legally necessary to understand, document, and manage the risks that come with depending on them.</p> <p>Most organisations are not ready. Here is what the regulations actually require, and what compliance looks like in practice.</p> <h2 id="nis2-supply-chain-risk-is-now-mandatory">NIS2: Supply Chain Risk Is Now Mandatory</h2> <p>The <strong>Network and Information Security Directive 2</strong> (NIS2), which EU member states were required to transpose into national law by October 2024, significantly expands the scope of cybersecurity obligations across Europe.</p> https://sovereignshift.eu/blog/dora-concentration-risk-exit-strategy/ Wed, 25 Mar 2026 00:00:00 +0000 https://sovereignshift.eu/blog/dora-concentration-risk-exit-strategy/ <p>The Digital Operational Resilience Act (Regulation 2022/2554), which applies from 17 January 2025, introduces a concept that no previous EU regulation stated so explicitly: financial entities must identify, assess, and manage the risk of depending too heavily on a single ICT provider. And they must have documented exit plans for their critical providers.</p> <p>This is not optional. DORA applies to credit institutions, investment firms, insurance undertakings, payment institutions, crypto-asset service providers, and virtually every other regulated financial entity in the EU. The European Supervisory Authorities (EBA, ESMA, EIOPA) are developing Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) to specify the details.</p>