DORA NIS2 AI Act Compliance: The Triple Regulatory Challenge


The regulatory triple threat: DORA, NIS2 and AI Act compliance, and what it means for your business

There is a precise moment when regulatory complexity stops being a problem for the legal department and becomes a first-level operational risk. For European small and medium businesses, that moment is now. The convergence of three major EU regulations, DORA, NIS2 and the AI Act, has created an unprecedented compliance landscape that no organisation can afford to ignore. Understanding the DORA, NIS2 and AI Act compliance requirements is no longer optional: it is a matter of business survival.

These three frameworks were designed as complementary layers, and they landed on businesses almost simultaneously. Each carries its own deadlines, its own definitions, and its own enforcement teeth. Together, they form a regulatory geometry that demands a coordinated response, especially from companies that assumed cybersecurity compliance was someone else's problem.

Why three regulations at once? The EU’s layered approach to digital resilience

The European Union has taken a deliberate, layered approach to securing its digital economy. Each regulation addresses a different dimension of the same underlying concern: the growing dependence of businesses and critical infrastructure on digital systems.

NIS2 (Network and Information Security Directive 2, Directive (EU) 2022/2555) broadens the scope of cybersecurity obligations across essential and important sectors. It entered into force on 16 January 2023, and member states were required to transpose it into national law by 17 October 2024. In Italy, the legislative decree implementing NIS2 (D.Lgs. 138/2024) introduced specific obligations for a much wider range of companies than the original NIS Directive ever covered.

DORA (Digital Operational Resilience Act, Regulation (EU) 2022/2554) focuses specifically on the financial sector. It has been fully applicable since 17 January 2025 and imposes strict requirements on banks, insurance companies, investment firms and, critically, their ICT third-party service providers. The DORA obligations extend far beyond traditional financial institutions, pulling technology vendors and managed service providers into its regulatory orbit.

The AI Act, meanwhile, is the world's first comprehensive regulation of artificial intelligence. Its provisions are being phased in between 2024 and 2027: the prohibitions on unacceptable-risk AI practices have applied since 2 February 2025, obligations for general-purpose AI models since 2 August 2025, and most high-risk obligations apply from 2 August 2026. For businesses deploying AI tools, from customer service chatbots to automated risk scoring, the compliance clock is ticking.

What makes this triple challenge unique is not the individual weight of each regulation, but their cumulative effect. A mid-sized financial services firm using AI-powered fraud detection, for example, must simultaneously satisfy NIS2 cybersecurity baselines, DORA operational resilience requirements, and AI Act transparency and risk management obligations. The overlap is real, and the penalties for non-compliance are severe.

NIS2 and Italian SMBs: broader scope, deeper obligations

The conversation about NIS2 readiness for SMEs has shifted dramatically over the past year. Under the original NIS Directive, most small and medium businesses could safely assume they were out of scope. NIS2 changes that calculus entirely.

The directive now covers organisations across 18 sectors, including energy, transport, healthcare, digital infrastructure, public administration, food production, and manufacturing. In these sectors, medium-sized and larger companies (at least 50 employees, or annual turnover or balance sheet above €10 million) are in scope by default, and certain entities (for example providers of public electronic communications networks, trust service providers, DNS providers and TLD registries) are in scope regardless of size. In Italy alone, estimates suggest that tens of thousands of additional organisations now face direct NIS2 obligations.

The requirements are substantive. Article 21 requires organisations to implement risk-based cybersecurity measures covering at least ten domains: risk analysis and information system security policies; incident handling; business continuity, backup, disaster recovery and crisis management; supply chain security; security in the acquisition, development and maintenance of systems, including vulnerability handling and disclosure; procedures to assess the effectiveness of the measures; basic cyber hygiene and security training; policies on cryptography and encryption; human resources security, access control and asset management; and multi-factor or continuous authentication with secured communications. Management bodies must approve and oversee these measures and can be held personally liable for non-compliance.

Incident reporting obligations are particularly demanding. Organisations must submit an early warning within 24 hours of becoming aware of a significant incident, followed by an incident notification within 72 hours and a final report within one month. The Italian national cybersecurity agency (Agenzia per la Cybersicurezza Nazionale, ACN) oversees enforcement, with administrative fines of up to €10 million or 2% of global annual turnover, whichever is higher, for essential entities, and up to €7 million or 1.4% for important entities.

For businesses that have not yet begun their compliance journey, the window for action is narrowing. A structured approach to cybersecurity — one that addresses governance, technical controls, and incident response capabilities simultaneously — is essential.

DORA: when financial resilience meets ICT supply chain reality

DORA introduces a concept that the financial sector has long needed but never fully operationalised: digital operational resilience. The regulation requires financial entities to identify, protect against, detect, respond to, and recover from ICT-related disruptions and threats.

What catches many businesses off guard is DORA's supply chain reach. If your company provides ICT services to financial institutions, whether cloud hosting, software development, data analytics or managed security, you are now part of the regulated ecosystem. ICT third-party providers designated as critical can be directly overseen by the European Supervisory Authorities (EBA, EIOPA and ESMA), extending supervision beyond the financial entities themselves to the providers they depend on.

Key DORA obligations include:

  • ICT risk management frameworks with documented policies and procedures
  • ICT-related incident classification and reporting using standardised criteria
  • Digital operational resilience testing, including threat-led penetration testing (TLPT) for significant entities
  • ICT third-party risk management, including mandatory contractual provisions and exit strategies
  • Information sharing arrangements for cyber threat intelligence

The testing requirements alone represent a significant operational and financial commitment. Financial entities identified by their competent authority must conduct threat-led penetration testing at least every three years, using frameworks aligned with the TIBER-EU methodology. All in-scope entities must run a proportionate resilience testing programme, including vulnerability assessments and scenario-based tests, with systems supporting critical or important functions tested at least once a year.

For technology providers serving the financial sector, this means that your clients will increasingly demand evidence of your own security posture. Having a robust IT infrastructure with documented resilience capabilities is no longer a competitive advantage — it is a market access requirement.

The AI Act factor: a new compliance dimension

While NIS2 and DORA focus on cybersecurity and operational resilience, the AI Act adds an entirely new regulatory dimension. Any organisation deploying or developing AI systems within the EU must now consider where those systems fall on the Act’s risk classification scale.

The regulation distinguishes four risk levels: unacceptable (banned), high, limited, and minimal. High-risk AI systems, which include those used in employment decisions, credit scoring, law enforcement, and critical infrastructure management, face the heaviest requirements: conformity assessments, technical documentation, human oversight mechanisms, and ongoing monitoring obligations.

Even for systems classified as limited risk, transparency obligations apply. If your business uses AI chatbots or automated content generation, users must be told they are interacting with an AI system or looking at AI-generated content; if it uses emotion recognition, the people exposed to it must be informed.

The enforcement regime is among the most aggressive in EU regulatory history. Fines for deploying prohibited AI practices can reach €35 million or 7% of global annual turnover, whichever is higher (for SMEs, whichever is lower). For other infringements, the ceiling is €15 million or 3% of turnover.

Where the three regulations intersect

The real complexity emerges at the intersection of these frameworks. Consider a practical scenario: an Italian mid-sized company in the healthcare supply chain uses AI-powered predictive analytics for inventory management and relies on cloud-based IT infrastructure.

This single company could simultaneously face:

  • NIS2 obligations as a participant in the healthcare supply chain (for example as a manufacturer of medical devices or pharmaceutical products), requiring comprehensive cybersecurity measures and incident reporting
  • DORA implications if it supplies ICT services to a financial entity, such as an insurer, which must then manage it as an ICT third-party provider with DORA-compliant contractual terms and exit strategies
  • AI Act requirements for its predictive analytics system, potentially classified as high-risk depending on its application

Each regulation has its own governance structure, its own reporting timelines, and its own supervisory authority. Without a coordinated compliance strategy, businesses risk duplicating efforts, creating conflicting policies, or — worse — falling through the gaps between regulatory requirements.

Building a unified compliance strategy for corporate cybersecurity regulation

The good news is that these three regulations share common foundations. Risk-based thinking, governance accountability, incident management, documentation, and supply chain awareness run through all of them. A smart compliance strategy builds on these shared principles rather than treating each regulation as a separate silo.

Start with a gap analysis

Map your current cybersecurity and governance posture against the requirements of all three frameworks simultaneously. Identify where existing controls satisfy multiple obligations and where gaps exist. This single exercise can save months of redundant work.

Consolidate governance

Rather than creating separate committees or reporting lines for each regulation, establish a unified digital risk governance structure. NIS2’s management accountability requirements, DORA’s ICT risk management framework, and the AI Act’s human oversight obligations can all feed into a single governance model.

Invest in foundational capabilities

Certain investments pay dividends across all three frameworks. Robust incident detection and response capabilities satisfy NIS2 reporting requirements, DORA's incident management obligations, and the AI Act's post-market monitoring and serious-incident reporting obligations for high-risk systems. Similarly, a mature approach to cybersecurity risk management addresses core requirements across the board.

Address supply chain risk holistically

All three regulations emphasise supply chain and third-party risk. Rather than conducting separate vendor assessments for each framework, develop a comprehensive third-party risk management programme that covers cybersecurity, operational resilience, and AI-related risks in a single process.

Document everything

Documentation is the common currency of compliance. Policies, procedures, risk assessments, test results, and incident reports must be maintained, kept current, and made available to supervisory authorities upon request. Invest in systems that make documentation a natural byproduct of operations rather than an afterthought.

The cost of inaction

The penalty regimes across these three regulations are not designed to be gentle. NIS2 fines can reach €10 million or 2% of global annual turnover for essential entities. DORA empowers supervisory authorities to impose periodic penalty payments and require specific remediation actions. The AI Act's fines of up to €35 million or 7% of turnover set a new high-water mark for EU regulatory enforcement.

But the financial penalties are only part of the picture. Non-compliance can result in management liability, reputational damage, loss of business partnerships, and — in the case of DORA — direct supervisory intervention that can disrupt your operations. According to a 2024 survey by the European Union Agency for Cybersecurity (ENISA), over 40% of EU organisations reported that regulatory compliance was their primary driver for increasing cybersecurity investment.

For European SMBs, the message is clear: cybersecurity compliance in Italy is not a cost centre, it is a strategic imperative. The organisations that move early, build integrated compliance frameworks, and treat regulatory requirements as an opportunity to strengthen their operational foundations will emerge stronger. Those that delay will find themselves scrambling to meet deadlines with incomplete solutions and escalating costs.

The regulatory collision of DORA, NIS2, and the AI Act is not a temporary disruption. It is the new baseline for doing business in Europe. The sooner your organisation recognises this reality and begins building the capabilities to meet it, the better positioned you will be — not just for compliance, but for genuine digital resilience.
