Compliance Q&A

On 26 May 2026 the NIS2 Cooperation Group adopted common incident-reporting templates, with the European Commission committing to make them mandatory through an implementing act. Organisations that have built internal NIS2 reporting tooling around their current member-state portal are asking what changes — and when.

Mid-sized organisations across Europe are reading NIS2 paperwork and asking whether the 'essential' vs 'important' label changes anything operational, or just changes the headline. The short answer: it changes how you are supervised, how quickly, and how much you pay when something goes wrong.

If you sell software, infrastructure, or any digital service to EU banks, insurers, or investment firms, DORA's contract obligations have started flowing downhill from your customers — even though you are not a financial entity yourself. Here is what is actually being asked, and what you are obliged to provide.

The most common question we hear from mid-market organisations across Europe. Here's how to determine whether your company falls within the scope of the NIS2 Directive — and what that means in practice.