
CISO

DORA, NIS2 and the ICT third-party duties in one view — every new RTS, every ESA Q&A, every national transposition classified and routed to your security team on the day it is published. So the 4-hour reporting clock never runs against outdated rules.


Your reality

You own the digital operational resilience of a financial institution: the ICT third-party register, the sub-outsourcing chain to level N, major-incident reporting within four hours, threat-led penetration testing, and the NIS2 boundary for the group subsidiaries that fall outside DORA. The rulebook entered into force in 2025 — but it keeps moving: new RTS, ITS, ESA Q&As, national CSIRT requirements. If your team misses a change to the reporting template, in a real incident it reports against outdated rules.

01 Your week as a financial-services CISO

Monday, 8:00. SOC review. Overnight an ICT third-party provider had a service outage — and the first question is not “what broke” but “is this a major incident under DORA, and if so, is the 4-hour clock already running?” Classification decides the reporting duty; the rules for it sit in an RTS that was last sharpened in 2025.

Tuesday through Thursday. DORA inspection prep and TLPT scoping in parallel. Supervisors no longer test whether an ICT third-party register exists, but whether it is complete — including the sub-outsourcing chain and consistency with incident reports. At the same time, group legal asks which subsidiaries actually fall under NIS2 rather than DORA.

Friday, 15:00. Cyber report to the board. Under DORA and NIS2, cybersecurity is a board-level topic with personal accountability — and the honest question is: did the team see every relevant supervisory change this week, or are we reporting on whatever happened to land in the inbox?

02 What changes for your role in 2026

First: DORA inspections leave setup mode. More than a year after the date of application (17 Jan 2025), the ESAs and NCAs test completeness, not existence — the sub-outsourcing chain in the Art. 28 register, consistency with incident reports, the board-briefing trail [1].

Second: the reporting mechanics are now hard-wired. Classification of major incidents sits in RTS (EU) 2024/1772, the deadlines and content in RTS (EU) 2025/301 (Art. 5: 4 hours from classification / 24 from awareness, 72-hour intermediate report, one-month final), the templates in ITS (EU) 2025/302 [2][3]. Any later change to these templates changes your incident playbook.

Third: NIS2 is in force nationally. Germany (NIS2UmsuCG / new BSIG, since 6 Dec 2025) and Austria (NISG 2026, since 24 Dec 2025) have transposed [4]. For financial entities, DORA as lex specialis displaces the NIS2 ICT duties — but group subsidiaries that are not DORA financial entities (captive IT providers, energy or telecoms arms) can fall directly under NIS2. You must draw that boundary per legal entity.

03 What your board actually wants to see from you

DORA makes the management body expressly responsible for the ICT risk-management framework; NIS2 Art. 20 requires the management body to approve the cyber measures, oversee their implementation and be liable for them — plus mandatory training. The German BSIG sharpens a non-fully-delegable personal responsibility [4].

That shifts the expectation on the CISO: not “we have tools deployed”, but a demonstrable, auditable governance thread — when a requirement was detected, who was informed, what was decided. A manual detection layer that relies on inbox sorting does not reliably produce that evidence.

What changes

Six tasks Horizon Scanner takes off your desk

Concrete mechanics against the five friction points of your week. Each item is live in the tool — not on a roadmap.

  • 01

    Track the entire DORA instrument stack in parallel

    DORA (Reg. (EU) 2022/2554) plus the downstream RTS/ITS, the ESA Q&As and national supervisory expectations all run through the same capture. Every new or changed requirement — classification, reporting, register, TLPT, third parties — is detected and assigned to the right security function instead of disappearing into the compliance inbox.

  • 02

    Keep the 4-hour reporting clock current

    Horizon Scanner does not file incidents for you — but it keeps the rules you file against current: every change to the classification RTS (2024/1772) and the reporting RTS/ITS (2025/301, 2025/302) is captured and routed to your incident team, so the playbook never rests on an outdated threshold or template.

  • 03

    Watch the ICT third-party register and register of information

    The Art. 28 third-party register and the register-of-information ITS (EU) 2024/2956 have their own evolving requirements. Changes to formats, fields and submission deadlines are detected and routed to third-party risk and procurement — the most common inspection gap in 2026.

  • 04

    Tag the DORA-NIS2 boundary per legal entity

    Findings are tagged “DORA”, “NIS2” or “both”. A topic already covered by DORA’s lex-specialis status does not generate a parallel NIS2 finding — but the non-ICT NIS2 duties (Art. 20 management-body responsibility, supply-chain security) and the NIS2-liable non-financial subsidiaries reach the right owner correctly.

  • 05

    Route to IT-Sec, third-party risk and legal

    Technical risk-management measures to the security team, third-party clauses to procurement/legal, management-body and training items to the governance function, reportable-incident topics to the incident team. Defaults are in place from day one; every rule is editable.

  • 06

    Auditable governance trail — “when did you know?”

    Every action — capture, classification, routing, acknowledgement, escalation — is logged immutably with timestamp and actor, retained for 5 years, and exportable as CSV/JSON. The inspection question “when did you become aware of this requirement?” thereby has an objective answer instead of an “around then”.

The numbers your board sees

Translated from compliance language into board language.

  • < 4 hours

    Median time from supervisory publication to a confirmed entry at the responsible security function — designed to match the DORA reporting logic.

  • ≥ 90 %

    Day-one default routing accuracy — the share of findings reaching the right security/risk/legal function without manual correction.

  • 5 years

    Immutable audit-trail retention for every capture, classification and routing action — covers the DORA and NIS2 documentation expectation.

  • 0 FTE

    Additional headcount per new rulebook in your scope. The detection layer scales through technology, not headcount.

Questions you will ask

  • Do you file our incident reports for us?

    No. Horizon Scanner is a regulatory-intelligence and routing tool, not a notification gateway. We keep the rules you file against current (classification 2024/1772, reporting 2025/301, templates 2025/302) and document auditably when you became aware of a change. The filing itself stays with your incident team.

  • Do we fall under DORA or NIS2?

    For a DORA financial entity, DORA as lex specialis (Art. 4 NIS2 / Art. 1(2) DORA) displaces the NIS2 ICT duties — you report through the DORA channel to your financial supervisor, not via NIS2 to the CSIRT. Group subsidiaries that are not DORA financial entities can fall directly under NIS2. We tag every finding accordingly.

  • How exactly do you help with the 4-hour deadline?

    We do not run the clock — you do. We ensure your classification and reporting procedure reflects the current RTS/ITS, so a changed threshold or new template is detected and routed to your team before the next incident — not when the supervisor flags an outdated filing.

  • Does this integrate with our SIEM/GRC?

    Yes — one webhook per routing rule (from Professional), full API access from Enterprise for Archer, ServiceNow GRC or a bespoke register. We deliver regulatory-change events, not security telemetry — the two streams complement rather than duplicate each other.

Let's walk through the reality of your week.

Twenty minutes. Concrete use cases from your group.

Book a conversation