A CISO’s Compliance Playbook: Navigating the Complexity of NIS2, DORA, and CRA
By Chris Hutchins · April 13, 2026
Cyber risk regulations like the EU’s Network and Information Security Directive 2 (NIS2), Digital Operational Resilience Act (DORA), and Cyber Resilience Act (CRA) are a high water mark in strengthening cyber resilience, enforcing accountability, and implementing continuous risk management as a benchmark.
CISOs and boards now play more critical and visible roles than ever. Today’s best business leaders see these regulations as an opportunity to go beyond simple compliance, viewing them as foundational tools for achieving higher levels of cybersecurity.
The EU was right to address the continuous attacks on critical infrastructure and financial services players and, with CRA—a landmark piece that sets mandatory cybersecurity requirements for hardware and software products with "digital elements" sold in the EU—to improve the security of these products throughout their entire lifecycle.
This blog provides guidance, practical advice, and recommendations from our cyber risk advisors to use throughout your journey towards regulatory compliance.
We explore the requirements and capabilities needed to comply with NIS2, DORA, and CRA, providing proven strategies, resources, and solutions to leverage compliance as a strategic advantage.
Accelerate NIS2 compliance with Trellix
The NIS2 Directive aims to improve the security and resilience of network and information systems across the EU, extending the scope of the legislation to more entities and sectors and facilitating information sharing between countries and companies. NIS2 affects about 100,000 entities, up from about 1,000 in the first NIS.
NIS2 has increased compulsory enforcement requirements. A national cyber authority can inspect and audit an organization after a security incident or when non-compliance is suspected. If an organization is non-compliant, penalties can include binding instructions to change practices or policies, or orders to adhere to compliance requirements.
NIS2 also has strict cyber breach reporting rules. The regulation states that a breach notification is made “without undue delay.” The notice must be issued within 24 hours of becoming aware of a significant incident (“early warning”), and an initial assessment must be provided within 72 hours. The directive also gives supervisory authorities the authority to impose monetary fines.
NIS2 also specifically targets new governance and accountability obligations for management, with management now held liable if the entity fails to comply.
NIS2 doesn’t mandate specific security controls but requires a continuous risk management approach to consistently improve cybersecurity maturity, incident management, and information sharing across critical infrastructure companies and member states. For more specific controls, NIS2 requirements can be mapped to a framework such as ISO 27001.
Trellix helps you meet NIS2 requirements faster:
- Trellix Helix unifies visibility of threats across your environment, with deeper detection of threats that point tools alone may miss.
- The Trellix Security Portfolio, empowered with GenAI and threat intelligence, delivers the advanced security controls required to improve cyber maturity across endpoints, servers, networks, data, cloud, and mobile devices.
- Trellix Wise GenAI capabilities relieve alert fatigue and surface stealthy threats.
- Trellix Guardians Services can assess your current security program against international and European standards, providing readiness assessments and threat intelligence for continuous risk analysis.
Three ways Trellix enhances DORA compliance
The DORA EU regulation is designed to increase cybersecurity and resilience across financial institutions and third-party service providers. Like the NIS2 Directive, it is not a framework for specific security controls. Instead, it mandates a continuous risk management approach to consistently improve cybersecurity maturity, incident management, and information sharing across financial institutions and their technology supply chain.
Its primary goal is to ensure that financial entities can withstand, respond to, and recover from all types of ICT-related disruptions, such as cyberattacks and system failures, and prevent these from threatening the stability of the entire financial system.
The five key areas are:
- ICT Risk Management: DORA requires financial entities to implement a robust and comprehensive ICT risk management framework that covers all aspects of ICT risk, from identification and protection to detection, response, and recovery.
- Incident Reporting: The regulation standardizes the process for managing and reporting ICT-related incidents. Financial entities must establish processes to monitor, detect, and report major incidents to the relevant competent authorities in a timely manner.
- Digital Operational Resilience Testing: DORA mandates regular testing of ICT systems and protocols to assess their resilience and identify vulnerabilities, including vulnerability scans and penetration tests.
- ICT Third-party Risk Management: Financial entities are required to conduct due diligence, monitor performance, and ensure their contracts with these third-party providers contain specific provisions to ensure compliance with DORA.
- Information Sharing: DORA encourages financial entities to share information and intelligence on cyber threats and vulnerabilities.
DORA applies to a broad range of financial entities operating in the EU, including banks, insurance companies, investment firms, and crypto-asset service providers. It also holds their critical third-party technology service providers accountable, even if those providers are located outside the EU.
Non-compliance can result in significant fines. ICT vendors will no longer be just technology suppliers to a financial institution. Rather, they will become partners—subject to meeting the same operational resiliency tests and requirements, such as penetration testing, disaster recovery, and security controls.
Trellix can help financial services customers meet the requirements of DORA in three ways:
- Speed up incident detection and investigations
- Provide advanced controls to prevent business disruption caused by ransomware or other emerging threats
- Offer services to assess and build a continuous information security management system (ISMS)
Optimize Cyber Resilience Act (CRA) compliance with Trellix Services
The CRA EU regulation generally applies to any product whose intended use includes a direct or indirect connection to a network or another device.
The act introduces several key obligations for manufacturers, including Trellix:
- Secure by Design: Products must be developed with cybersecurity in mind from the very beginning.
- Cybersecurity Requirements: Manufacturers must meet the essential cybersecurity requirements throughout a product's lifecycle.
- Secure Usage: Products must ensure an appropriate cybersecurity level, address vulnerabilities, and provide documentation on the products and user instructions for secure usage.
- Reporting: Actively exploited vulnerabilities and severe incidents must be reported via a single platform, with timelines for early warning, initial, and final reports similar to NIS2.
- Remediation: Manufacturers shall, in a timely manner, identify, document, and remediate vulnerabilities and report incidents to the relevant authorities (ENISA and national CSIRTs).
- Support: The support period is a minimum of five years or the expected usage duration of the product.
- Secure by Default: Products must be shipped with secure default settings, and users should have the ability to easily revert to these settings.
- Transparency: Manufacturers are required to provide clear and intelligible documentation to users about the product's security features and how to use them securely. A software bill of materials (SBOM) is also required.
Additionally, to demonstrate compliance with CRA, manufacturers must perform a conformity assessment. For most products, this is a self-assessment. However, for "important" and "critical" products, a third-party assessment by an authorized body is required.
Trellix Guardians Advisory Services can help your organization meet CRA requirements by:
- Training and creating a secure software development lifecycle (SSDLC) process, including processes for creating and maintaining SBOMs
- Formulating testing plans, including vulnerability assessments and other necessary tests
- Conducting comprehensive penetration testing and source code reviews, seamlessly integrated into the continuous integration and deployment (CI/CD) pipeline
- Performing a structured risk assessment and maturity evaluation that benchmarks against CRA requirements, identifying compliance gaps and delivering a prioritized roadmap, helping to ensure market-ready, lifecycle-secure products
- Establishing permanent internal product security incident response team (PSIRT) processes to manage and address vulnerabilities through vulnerability disclosure policies
In addition, CRA article 14 obliges customers to report "actively exploited vulnerabilities" to national authorities. Trellix Insights allows customers to analyze the CVEs associated with campaigns observed in their environments, supporting the detailed analysis needed for such reports.
In regard to internal controls to implement CRA, Trellix will comply with all applicable CRA requirements for our products with digital elements. We are implementing the necessary internal processes to provide an SBOM in accordance with CRA technical documentation requirements, and will comply with all applicable vulnerability management and reporting requirements within the timelines and in the manner required under CRA.
Learn more about Trellix Guardians Advisory Services.