The EU’s Cybersecurity Balancing Act: Why DORA Is a Regulation but NIS2 Remains a Directive
Europe (its countries, organizations and citizens) faces a constant barrage of cyberattacks that threaten citizens, businesses, and critical infrastructure[i]. In response, the EU has added new cybersecurity arms to its already cluttered legislative arsenal – the NIS2 Directive, the Cyber Resilience Act and the DORA Regulation – to bolster defenses.
However, these texts take different legislative forms. Take NIS2 and DORA – one a directive, the other a regulation – a difference that raises questions about consistency. Cyber threats ignore national borders, and uneven application of the laws across EU countries can create weak links[ii]. Ensuring a uniform and robust cybersecurity framework is essential for protecting the European economy. Why, then, did the EU make DORA a regulation and NIS2 a directive? And should NIS2 have followed DORA’s path for the sake of unity and enforcement? In this article, I will explore these questions with an opinionated lens on the need for stronger legislative consistency in EU cybersecurity.
EU Regulations vs. Directives: A short primer
To understand the EU’s choice, let us dive into the EU legislative jungle and grasp the difference between a regulation and a directive. In EU law, a regulation is a binding legislative act that applies directly and uniformly in all member states[iii]. Once adopted, it becomes law across the EU without requiring any national legislation. In contrast, a directive sets out certain goals or standards that EU countries must achieve, but each member state decides how to implement those goals through its own laws[iii]. In other words, a directive needs to be “transposed” into national legislation by each member state, allowing some flexibility (and potential divergence) in how the rules take effect. This fundamental difference means regulations tend to create one harmonized rulebook for Europe, whereas directives can result in a patchwork of national rules – all aiming for the same objectives, but not necessarily identical in practice.
DORA: A Uniform EU-wide Regulation for Financial Cyber Resilience
The Digital Operational Resilience Act (DORA) was deliberately crafted as an EU regulation, signalling the EU’s intent to impose uniform requirements for cybersecurity in the financial sector. DORA’s purpose is to strengthen the IT security and operational resilience of banks, insurers, investment firms, and other financial entities across Europe[iv]. By making DORA a regulation, the EU aimed to ensure that these rules “must be applied in [their] entirety across the EU”[iii] without variation. This uniformity is crucial for the financial sector, which is highly interconnected and operates across borders. A cyber incident at one bank can ripple through the EU’s integrated financial markets, so regulators wanted a single, high standard of resilience everywhere. Indeed, DORA explicitly “lays down uniform requirements” to achieve a high common level of digital operational resilience for financial entities[iv]. In practice, this means a bank in Germany and a bank in Italy face the exact same cybersecurity obligations under DORA, overseen by a coordinated supervisory framework involving both national regulators and EU authorities like the European Banking Authority[v].
Why a regulation? The EU likely chose a regulation for DORA to eliminate regulatory fragmentation in financial cybersecurity. Before DORA, financial firms followed the guidelines of their respective member states and EU recommendations for ICT risk, leading to many inconsistencies. Such divergence was seen as a “critical gap” in EU financial regulation[iv]. Financial institutions and their technology providers operate in multiple EU countries, and dealing with different cybersecurity rules in each jurisdiction was inefficient and potentially unsafe. As analysts noted, harmonization is especially important for financial entities that were previously hampered by “duplicative – or inconsistent – regulatory requirements” across borders[ii]. By promoting a common set of rules and standards, DORA removes these obstacles[ii],[vi]. The regulation format ensures that a “single set of rules” governs digital resilience in finance EU-wide, with no need for 27 separate national laws. The result is a cohesive approach: DORA “brings harmonisation” across 20+ types of financial entities and their ICT service providers[iv], creating legal certainty and a level playing field. In short, the EU wanted to “raise the bar” for cyber resilience in finance uniformly[vii], something best achieved through a directly applicable regulation.
NIS2: A Directive Building on National Implementation
The NIS2 Directive, formally Directive (EU) 2022/2555, takes a different route. NIS2 is the EU’s flagship cybersecurity law for a broad range of sectors – from energy, transport, and health care to digital infrastructure and public administration. It “establishes a unified legal framework to uphold cybersecurity in 18 critical sectors across the EU”[viii], updating and expanding the original NIS Directive of 2016. Despite its ambition to set common standards, NIS2 is just a directive, meaning it relies on EU member states to implement its provisions through national laws. The directive mandates each country to do things like adopt a national cybersecurity strategy, designate authorities, and enforce requirements on companies[viii]. For example, under NIS2 each member state must define its own strategy for supply chain security and incident response, and identify the operators of essential services within its jurisdiction[viii]. This approach gives nations some leeway to tailor the rules to their domestic context (such as aligning with existing regulators or national infrastructure needs). It continues the model of NIS1, which trusted national governments to build up cybersecurity capabilities and oversight in line with a common EU baseline.
Why did the EU keep NIS2 as a directive? A key reason is the scope and nature of NIS2. It deals with critical infrastructure and services often tied to national security (and cyber defence) and public safety – areas where member states insist on a degree of autonomy and control. By using a directive, the EU sets the objectives (a “high common level of cybersecurity” across the Union)[ix] but lets each member state decide how to achieve them. This respects national differences; for instance, the administrative setup for supervising cybersecurity can vary (some member states use telecom regulators, others national security agencies). NIS2’s text explicitly allows what the EU calls “minimum harmonisation”, meaning countries can adopt stricter measures than the directive as they see fit[ix]. That flexibility was a political trump card to get all members on board. Additionally, NIS2 builds on the framework of cooperation among national authorities (through the NIS Cooperation Group and CSIRTs network[x]) rather than creating a single European cybersecurity regulator. Enforcement is left “entirely to national authorities” under NIS2[v], in contrast to DORA’s blend of national and EU-level supervision. Some would also argue that NIS2 covers a portion of the economy far larger than the one covered by DORA.
Long story short, the EU likely judged that a directive could better accommodate the diverse cyber risk landscapes and regulatory structures in different countries, while still pushing them towards higher common standards[viii].
Shortcomings of NIS2’s Directive Approach
While the directive format of NIS2 allows flexibility, it comes with significant drawbacks and risks:
· Delayed and uneven implementation: As a directive, NIS2 does not automatically apply to companies – each member state must transpose it into national law[i]. This process can be slow and inconsistent. In fact, the deadline for transposition (17 October 2024) passed with several countries missing the deadline or only partially implementing the rules[i]. Some EU states (e.g. Bulgaria, Estonia, Portugal) made no progress in adopting NIS2 laws by the deadline, while others were rushing bills through their parliaments[i]. This staggered rollout leaves gaps in coverage – a cyber incident in a country that’s late to implement NIS2 might not be handled with the new standards, undermining the “high common level” the directive seeks. At Abilene Advisors, we face these shortcomings on a daily basis, having to harmonize the deployment of the NIS2 compliance framework in the various subsidiaries of our customers. If a member state hasn’t transposed the directive, the NIS2 requirements simply aren’t enforceable on companies there[xi], creating a temporary cybersecurity blind spot in that jurisdiction.
· Inconsistent rules and fragmentation: Even once all countries pass NIS2 laws, the risk of diverging adoptions of the directive remains. Directives by nature allow differences in wording and enforcement. NIS2 tried to tighten the uniformity compared to its predecessor (for example, by standardizing incident reporting timelines and criteria)[xii]. Yet, national variations can still emerge in how authorities interpret “significant” incidents, how they conduct audits, or the exact penalties imposed for violations (beyond the maximum caps set by NIS2). The original NIS1 directive suffered from “ambiguous and inconsistent” implementation across member states[xii]; NIS2 reduces some ambiguity, but the possibility of a compliance patchwork persists. The directive explicitly permits member states to go above the EU baseline[ix], so a company operating in, say, France and Poland might end up navigating two slightly different sets of cybersecurity obligations. From the company’s standpoint, such fragmentation is a burden, and it produces an EU-wide security level that varies by country, with some nations potentially less strict than others.
· Weaker central enforcement: With NIS2, each national authority is the sole enforcer within its territory[v]. There is no single European body ensuring that every member state’s cybersecurity oversight is equally rigorous. This can lead to uneven enforcement intensity – some regulators might be very proactive (or even zealous) with audits and fines, while others might be more lenient or simply under-staffed and under-resourced. Attackers could exploit this by targeting the path of least resistance (i.e. companies in countries with laxer or lagging enforcement). An EU regulation could have empowered a more unified enforcement mechanism (similar to how financial supervisors coordinate under DORA, or how data protection authorities cooperate under the GDPR). Under the current directive, cooperation mechanisms exist (the NIS Cooperation Group, peer reviews, ENISA support), but these rely on consensus and best effort rather than legal mandate. In short, NIS2’s framework risks a “two-speed” cybersecurity Europe, where the effectiveness of the law depends on each nation’s diligence.
· Compliance complexity for businesses: From an industry perspective, the directive approach means multinational companies must keep track of up to 27 versions of NIS2 implementation. A large cloud provider or manufacturing company operating across Europe could face slightly different reporting templates, deadlines, or security requirements country by country. This complexity not only raises compliance costs, it also complicates incident response, compared to a single uniform rulebook. The irony is that NIS2 aimed at “establish[ing] a unified framework”[viii], yet the method of a directive inherently introduces a lack of uniformity in practical implementation. The risk is that some businesses might not invest equally in all jurisdictions’ compliance, especially if they perceive certain national laws as less demanding – which in turn defeats the very purpose of having an EU-wide standard!
Why NIS2 Should Have Been a Regulation
Given those shortcomings, there is a strong argument that NIS2 should have been enacted as a regulation, not a directive. A regulation would have directly imposed the same cybersecurity obligations on all covered entities across every member state, with no transposition needed. This could have yielded several benefits:
· Immediate and harmonized enforcement: With a regulation, the October 2024 date would have been an enforcement deadline rather than just a transposition deadline. Companies EU-wide would have been subject to NIS2 requirements at the same time, avoiding the current limbo where some states have rules in force and others don’t. The high common level of security would truly apply EU-wide from day one. Uniform law would eliminate legal uncertainty – businesses wouldn’t wonder which national law to follow but rather comply with one EU regulation. This mirrors the success of the GDPR, which on its effective date (2018) replaced a patchwork of national data laws (under the old 1995 Data Protection Directive) with one set of rules for all. GDPR’s regulatory approach drastically improved consistency in data protection; similarly, an NIS2 regulation could ensure no member state falls behind in cybersecurity standards. Yes, there is room for improvement in the application of the GDPR[xiii] (just a small fraction of complaints leads to actual punitive outcomes), but trends show growing momentum to address the gaps; the GDPR exists, it is a regulation, and it is one Europe can be proud of, as it has inspired many countries across the globe.
· Consistent requirements and definitions: As a regulation, NIS2 could lock in identical definitions of risk management measures, incident severity, reporting timelines, etc., leaving no room for disparate national interpretations. Every company and regulator would speak the same language of compliance. This would address the issue NIS1 had with inconsistent incident reporting criteria[xii] – under a regulation, there would be one EU-wide interpretation. Uniform requirements also simplify compliance for firms operating cross-border, as they wouldn’t have to customize their cybersecurity programs for each country. Just as DORA “introduces clear rules” in a single stroke across the Union[iv], a NIS2 regulation would set clear, common rules for all critical sectors, achieving true pan-European harmonization of cybersecurity practices.
· Stronger oversight and accountability: An EU regulation could be coupled with a more centralized oversight mechanism to ensure it’s followed. For instance, it might have established a stronger role for the EU Agency for Cybersecurity (ENISA) or a new EU-level supervisory body to coordinate checks on compliance, similar to how the European Supervisory Authorities help enforce DORA[v]. Even without a new agency, the Commission could more rigorously monitor and take infringement action if a country failed to apply the regulation, whereas with a directive the initial delay in transposition is somewhat expected. Essentially, making NIS2 a regulation would signal that cybersecurity is so critical to the EU’s security and economy that it warrants a single, directly enforceable law (again, akin to GDPR’s philosophy for personal data). It would reduce reliance on the varying capacities of 27 national authorities and instead set a baseline that must be met everywhere. The outcome would likely be a more uniform level of cybersecurity readiness across the EU, with less disparity between member states.
· Eliminating the weakest-link problem: Cyberdefence is only as strong as the weakest link in the network. A regulation could better ensure no member state (and by extension, no critical operator) remains a weak link, because the requirements are universal and immediate. Under the directive approach, a country that’s slow or lenient (at this date only 9 member states have effectively transposed the directive) effectively becomes a haven for cyber threats to exploit, thereby endangering others. A regulation, by leveling up everyone together, would dramatically reduce this weakest-link risk. All critical sectors – whether energy grids in Eastern Europe or hospitals in Western Europe – would be held to the same high standards and timelines. This is crucial when threats (like ransomware or state-sponsored hacking) can propagate across borders in seconds. Europe’s digital infrastructure would be safer if baseline defences were uniformly strong rather than uneven.
Critics might argue that a regulation could be too rigid or intrusive for national systems. However, the severity and cross-border nature of cyber threats arguably justify an EU-wide rule. In the current context of geopolitical tensions, when we know that a significant portion of the cyberattacks are state sponsored and unarguably aimed at undermining our economies and the very foundations of our democracies, making NIS2 a regulation would have been the only reasonable posture.
We have seen the EU successfully use regulations for cross-border challenges (GDPR for data, the Cybersecurity Act for certification, etc.), aligning all members behind one law. In the case of NIS2, the goals of the directive are certainly laudable – but making it a directive relies on each member “doing the right thing” promptly and robustly. A regulation would have removed that uncertainty by forcing one coherent approach, ensuring that high-risk sectors in every country are equally prepared.
Conclusion: Toward Uniform Cybersecurity Laws in Europe
Cybersecurity is a collective endeavour: an attack on one is an attack on all in today’s interconnected EU. That reality puts a premium on having uniform, strong defences across the Union. The EU recognized this with DORA, opting for a regulation to unify financial-sector cyber resilience and avoid weak links[ii],[iv]. In contrast, NIS2’s status as a directive, while improving on its predecessor, still leaves room for fragmentation and delay[i],[xii]. This article has argued that NIS2 should have followed DORA’s example – a single EU regulation could have cemented consistent cybersecurity protections in all critical sectors, rather than hoping 27 different transpositions come out equal.
Winston Churchill once said that “the sound of boots is the sound of war approaching”. When Europe is considering a hasty remilitarisation, addressing the security of the cyberspace, in 2025, is THE priority.
With 60’000+ laws and regulations, the EU is slowly but surely regulating itself into bureaucratic irrelevance. So, for crying out loud, in an EU desperately seeking a common identity and purpose, failing to impose compulsory regulations in favor of a strong EU cybersecurity posture is nothing but an inexcusable missed opportunity committed by a cyber-naive and spineless legislator.
While NIS2 is a big step forward for EU cyber strategy, its directive form may prove a limiting and very dangerous factor in the (not so) long run. The first lesson from DORA is that regulations can drive harmonization and rigorous enforcement where it matters most. Achieving true digital resilience across the EU likely requires embracing more stringent regulations (or at least very tightly scoped directives) to ensure no member state or sector falls behind.
In the end, legislative consistency is as important as technological sophistication in the cybersecurity fight and in the probable cyberwar to come. The EU’s goal of a high common level of cybersecurity[ix] cannot be fully realized if commonality falters in implementation. It may be time for policymakers to consider whether the directive approach is sufficient, or whether a more uniform regulatory approach is needed for the next evolution of NIS (or maybe much before). Europe’s citizens and businesses would be better protected by a cybersecurity framework that is iron-clad and uniform across all countries – because attackers will always find and exploit the weakest link, and it’s incumbent on the EU to eliminate those weak links through cohesive law and action.
It is probably time for a new start. As Spanish Prime Minister Pedro Sanchez recently said “Only Europe will know how to protect and take care of Europe”.
————————————————————————————————————————————————
[i] Skadden LLP – NIS2 Directive Implementation Update (uneven national transposition status): “Navigating the New Cybersecurity Landscape: Key Implications of the EU’s NIS 2 Directive”, Insights, Skadden, Arps, Slate, Meagher & Flom LLP
[ii] PIFS International – DORA insights (importance of cross-border harmonization in the financial sector): “The E.U.’s Digital Operational Resilience Act: Cloud Services & Financial Companies”, PIFS
[iii] European Union definitions of regulations vs directives: “Types of legislation”, European Union
[iv] Digital Operational Resilience Act – EU Regulation (EU) 2022/2554 (DORA) official summary: “Digital Operational Resilience Act (DORA)”, EIOPA; “Digital Operational Resilience Act (DORA) | Updates, Compliance, Training”
[v] activeMind.legal – NIS2 vs. DORA supervisory frameworks (national vs EU-level): “NIS2 vs. DORA: differences and common misconceptions”, activeMind.legal
[vi] DORA – Digital Operational Resilience Act – regulation memo, BNP Paribas
[vii] “Understanding the Digital Operational Resilience Act (DORA)”, Entrust
[viii] NIS2 – Directive (EU) 2022/2555 on a high common level of cybersecurity, EU official policy overview: “NIS2 Directive: new rules on cybersecurity of network and information systems”, Shaping Europe’s digital future
[ix] DIRECTIVE (EU) 2022/2555 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL, EUR-Lex (02022L2555-20221227, EN)
[x] NIS Cooperation Group (Network and Information Systems Cooperation Group)
[xi] “Understanding the registration and reporting requirements of the EU NIS2 Directive”, December 09, 2024
[xii] SailPoint – From NIS1 to NIS2 (inconsistencies under NIS1 and NIS2’s improvements): “The NIS2 Directive: From NIS to NIS2”
[xiii] NOYB – “Data Protection Day: Only 1.3% of cases before EU DPAs result in a fine”