DORA & NIS2: What Every SaaS Company Selling in Europe Needs to Know

If you sell SaaS to European enterprises — especially in financial services or critical infrastructure — two regulations are about to change your security requirements: DORA and NIS2.

Both are now in effect. Your European prospects are already asking about them.

DORA (Digital Operational Resilience Act)

Who it applies to: Financial entities (banks, insurers, investment firms) and their ICT third-party providers — which includes SaaS vendors. Effective: January 17, 2025 What it requires from SaaS vendors:

1. ICT Risk Management (Article 5-16)

• Regular testing of your ICT systems
• Vulnerability management and scanning
• Documented incident response procedures

2. Incident Reporting (Article 17-23)

• Classify ICT incidents by severity
• Report major incidents within tight timelines
• Root cause analysis and remediation tracking

3. Digital Operational Resilience Testing (Article 24-27)

• Regular vulnerability assessments
• Scenario-based testing
• For critical providers: threat-led penetration testing (TLPT)

4. Third-Party Risk Management (Article 28-44)

• Contractual requirements for ICT providers
• Concentration risk assessment
• Exit strategies and data portability

What this means for you: If a bank uses your SaaS product, they need evidence that you:

• Regularly scan for vulnerabilities
• Maintain security headers and TLS
• Have incident response procedures
• Can produce compliance-mapped reports

NIS2 (Network and Information Security Directive 2)

Who it applies to: "Essential" and "Important" entities across 18 sectors including energy, transport, health, digital infrastructure, and digital providers. Effective: October 17, 2024 (EU member states implementing into national law) What it requires:

1. Risk Management Measures (Article 21)

• Risk assessment procedures
• Incident handling
• Business continuity
• Supply chain security
• Security in network and information systems acquisition
• Vulnerability handling and disclosure
• Cryptography and encryption policies

2. Reporting Obligations (Article 23)

• Early warning within 24 hours
• Incident notification within 72 hours
• Final report within one month

3. Supply Chain Focus

NIS2 explicitly requires entities to assess and manage security risks in their supply chain. This means your customers will assess YOUR security posture as part of their compliance.

How DORA and NIS2 Compare

Aspect	DORA	NIS2
Scope	Financial sector	18 critical sectors
Focus	ICT operational resilience	Cybersecurity broadly
Testing	Mandatory resilience testing	Risk-based security measures
Penalties	Up to 1% global turnover	Up to €10M or 2% turnover
Third-party	Detailed provider requirements	Supply chain security focus

The Practical Impact on SaaS Sales

Enterprise buyers in regulated sectors will now ask:

"Do you have regular vulnerability assessments?" → Automated scanning with TrustGate

"Can you provide compliance-mapped reports?" → PDF reports with DORA/NIS2 mappings

"What's your security posture?" → Security score, headers, TLS configuration

"How do you handle incidents?" → Documented procedures, response timelines

What to Do Right Now

Scan your application — know your current security posture

Fix critical findings — security headers and TLS are quick wins

Generate compliance reports — TrustGate maps findings to DORA and NIS2

Document your procedures — incident response, change management, access control

Review your contracts — ensure they address DORA/NIS2 requirements

European enterprise sales aren't getting simpler. But the companies that embrace these requirements early will have a competitive advantage over those that scramble later.