
Alexandre Bloch
Co-founder & CTO, Engineering

Cybersecurity Compliance for Tech Companies in the EU: NIS2, DORA and Beyond
NIS2, DORA, the Cyber Resilience Act, and GDPR security obligations are creating the most complex cybersecurity compliance environment in history. Here is how tech companies can navigate it.
The overlapping cyber frameworks
NIS2
18 critical sectors, 160K+ entities, €10M max fines, 24h incident reporting, executive liability.
DORA
Financial entities + critical ICT providers, ICT risk management, resilience testing, third-party oversight.
Cyber Resilience Act
Products with digital elements, CE marking, vulnerability handling, security updates throughout lifecycle.
GDPR (Art. 32)
Appropriate technical and organizational measures, encryption, pseudonymization, regular testing.
A unified approach with Cleo
The challenge is not just compliance with one framework. It is managing the overlaps and intersections between NIS2, DORA, CRA, and GDPR simultaneously. Cleo maps all applicable cybersecurity frameworks to your specific company context and identifies where obligations overlap, conflict, or compound across regulations.
Frequently asked questions
What cybersecurity regulations apply to tech companies in the EU?
Tech companies in the EU face multiple overlapping cybersecurity regulations: NIS2 (for essential and important entities across 18 sectors), DORA (for financial services and their ICT providers), the Cyber Resilience Act (for products with digital elements), GDPR (data security obligations), and the AI Act (cybersecurity requirements for high-risk AI). The specific combination depends on your sector, size, and product type.