Securing Europe’s Future: Building Resilience with DORA, NIS2, and CER Directive

On 28 April 2025, cascading voltage instabilities plunged mainland Portugal and peninsular Spain into darkness for more than 10 hours. Daily life came to a standstill, with metros grinding to a halt, airports shutting down, banks and ATMs out of service, and shops and businesses forced to close. Spain’s business lobby estimated losses of €1.6 billion (0.1% of GDP), with some forecasts reaching as high as €4.5 billion.

Disruption at this scale is expected to become more frequent. The European Environment Agency projects losses from heatwaves and floods alone could reach €1 trillion per annum by the end of the century. And climate risk is only one part of the picture. Critical entities across the bloc face a widening spectrum of threats—digital, physical, natural, and human—whose impacts increasingly overlap.

Emerging and hybrid threats expose the limitations of siloed risk management. In response to these compounding risks, European authorities have introduced a swathe of policies aimed at improving the systemic resilience of critical sectors. Key regulations on firms’ radars include the Network and Information Security Directive 2 (NIS2), the Digital Operational Resilience Act (DORA), and the Critical Entities Resilience (CER) Directive.

While these regimes share a common focus on resilience, each has its own scope, requirements, and emphasis. The rules are designed to complement one another rather than overlap. NIS2 provides a cybersecurity baseline across sectors, DORA establishes a sector-specific framework for financial services, and CER sets all-hazards obligations for critical entities. Taken together, they provide firms with the building blocks of a truly integrated resilience framework.
