NOXVERI Service
NIS2 and DORA impose specific, enforceable obligations on boards and management. NOXVERI helps translate regulatory requirements into practical, prioritised actions — and builds the documentation that demonstrates due diligence when it matters.
Regulatory context
NIS2 and DORA are not IT compliance exercises. Both place governance obligations — and in many cases personal liability — directly on boards and senior management. Understanding what each regulation actually requires, and where your organisation stands against it, is the starting point for everything else.
NIS2 applies to essential and important entities across a broad range of sectors — energy, transport, banking, health, digital infrastructure, public administration and more. Key obligations include: cybersecurity risk management measures (Article 21), mandatory incident reporting to competent authorities within tight timeframes (Article 23), supply chain security, and board-level oversight with personal liability for management body members (Article 20).
Member states are transposing NIS2 into national law. The obligation to comply is already in force — what differs is the pace and scope of national enforcement. Waiting for local enforcement guidance is not a compliance strategy.
DORA applies to financial entities — banks, insurance companies, investment firms, payment institutions, crypto-asset service providers and their critical ICT third-party service providers. It requires: a comprehensive ICT risk management framework, classification and reporting of major ICT-related incidents, Threat-Led Penetration Testing (TLPT) for significant entities, and structured management of ICT third-party risk including register maintenance and contractual requirements.
DORA applies from January 2025. Financial supervisors across the EU are actively reviewing compliance status. The expectation is documented, demonstrable operational resilience — not a set of policies that haven't been tested.
The shared challenge: Both regulations are specific about what organisations must do, but deliberately non-prescriptive about how to do it. This gives organisations flexibility — and responsibility. The audit determines not just whether requirements are met, but whether the controls in place actually work.
Audit approach
NOXVERI structures the audit in phases, each building on the last. The output isn't a compliance checklist — it's a clear picture of where the organisation stands, what the real risks are, and what to do about them in which order.
Assessment of the current security posture against NIS2 and/or DORA requirements. Interviews with key stakeholders, review of existing documentation, policies, procedures and technical controls. The output is a clear gap inventory — what is in place, what is absent and what exists on paper but not in practice.
Not all gaps are equal. Phase 2 maps identified gaps to risk — regulatory exposure, operational impact and likelihood of materialisation. This produces a prioritised view: what needs to be addressed first, what can follow and what is genuinely low priority. Prioritisation is risk-based, not alphabetical.
A practical action plan with specific owners, timelines and resource requirements. Every action is tied to a gap and a risk. The roadmap is designed to be implemented — not filed. Board-ready materials summarise the current state, the plan and the residual risk position in a format suited to governance review.
For organisations that need more than a plan — NOXVERI can remain engaged through implementation. This includes oversight of action delivery, escalation of blockers, verification that completed actions actually close the identified gaps, and ongoing risk register maintenance. The gap analysis becomes the foundation of a continuous compliance management process.
What the organisation receives: a structured assessment report, risk register with prioritised gap mapping, an implementation roadmap with ownership, and board-ready materials presenting the current state and the path forward. All deliverables are designed to be usable — by the team implementing them and by the board overseeing the process.
Board liability
NIS2 Article 20 is explicit: management bodies of essential and important entities are required to approve cybersecurity risk management measures, oversee their implementation, and can be held personally liable for infringements. This is a departure from previous frameworks where liability typically rested with the organisation as a legal entity.
Who it's for
The audit is designed for organisations with a concrete regulatory obligation, a pressing governance question, or both. The common thread is the need for an honest, independent assessment — not a consultant confirming what the client wants to hear.
Organisations identified as essential or important under national NIS2 transposition that need to understand their current compliance position, the gap to full compliance and a credible path to get there. The audit is particularly relevant where the board needs to demonstrate oversight to the competent authority or in the event of an incident review.
Banks, insurance firms, investment managers, payment institutions and other financial entities subject to DORA. The audit covers the ICT risk management framework, incident reporting readiness, third-party risk management practices and, where applicable, TLPT readiness. It is aligned with EBA, EIOPA and ESMA supervisory expectations.
For organisations pursuing ISO 27001, the NIS2/DORA audit covers significant overlapping ground and can be structured to serve both purposes. The risk register and documented controls become part of the ISMS, avoiding duplicate work while meeting both regulatory and certification requirements.
Contact
Send a brief description of your situation — which regulation applies, what you already have in place and what's driving the urgency. NOXVERI will come back with an honest assessment of how the audit can help. No commitment, no templated proposal.