The European Union has quietly assembled the most ambitious digital regulatory architecture in history. Three frameworks — NIS2, the EU AI Act, and DORA — are now simultaneously in force or entering enforcement, affecting over 180,000 organisations across every sector. And most of them aren’t ready.
This isn’t hyperbole. A CSSF Luxembourg survey of 389 financial entities found that exactly one considered itself fully DORA-ready. PwC Luxembourg reports only 4% of financial institutions are executing DORA requirements as business-as-usual. And as of June 2025, only 14 of 27 EU Member States had fully transposed NIS2 into national law — with infringement proceedings open against the remaining 13.
The question isn’t whether your organisation is affected. It is. The question is whether you’ll treat NIS2, the AI Act, and DORA as three separate compliance projects — or recognise them for what they are: a single, interconnected regulatory stack that demands a unified response.
1. The Three Pillars: What Each Regulation Actually Demands
NIS2 — Network and Information Security Directive
The broadest of the three. NIS2 applies to approximately 160,000 companies across 18 sectors, from energy and transport to healthcare and digital infrastructure. It mandates cybersecurity risk management, incident reporting within 24 hours, supply chain security, and board-level accountability. Maximum fines: EUR 10 million or 2% of global turnover.
DORA — Digital Operational Resilience Act
Sector-specific to finance, covering approximately 22,000 financial institutions plus their ICT service providers. DORA goes deeper than NIS2 on ICT risk management, requiring threat-led penetration testing (TLPT), detailed third-party risk oversight, and incident classification with strict reporting timelines. In November 2025, the European Supervisory Authorities designated 19 Critical ICT Third-Party Providers — including AWS, Google Cloud, Microsoft Azure, Oracle, and SAP — now subject to direct EU-level oversight.
EU AI Act — Artificial Intelligence Act
The world’s first comprehensive AI regulation. While the May 2026 Omnibus simplification deferred high-risk AI deadlines by 15 months (to December 2027), the fundamental obligations remain: risk classification, transparency requirements, human oversight mandates, and fundamental rights impact assessments. Maximum fines for prohibited practices: up to 7% of global annual turnover — the highest of all three.
2. The Convergence Problem: When One Incident Triggers NIS2, AI Act, and DORA Obligations at Once
Here is where most compliance strategies fail. Organisations treat NIS2, DORA, and the AI Act as separate workstreams — separate budgets, separate teams, separate technology stacks. But the regulations don’t operate in isolation.
Consider a realistic scenario: a compromised AI model in a financial institution’s credit scoring system. This single incident simultaneously triggers:
- Under the AI Act — a high-risk AI system failure requiring notification, documentation of the failure mode, and review of the conformity assessment.
- Under DORA — a major ICT incident requiring classification, reporting to competent authorities within prescribed timelines, and root cause analysis.
- Under NIS2 — a significant security incident requiring notification within 24 hours, with potential supply chain implications if the AI model was provided by a third party.
Three regulations. Three reporting timelines. Three materiality tests. Three regulatory bodies. One incident.
Research from the European Parliament’s ITRE Committee (Graux et al., October 2025) confirmed this overlap, finding that AI Act obligations “frequently overlap” with NIS2, DORA, and GDPR. Their recommendation: short-term joint guidance, medium-term legislative amendments, and long-term consolidation of the EU digital regulatory architecture.
The EU itself acknowledges the problem. The Digital Omnibus package launched in November 2025 targets EUR 5 billion in administrative savings by reducing regulatory duplication. But that’s a 2029 horizon. Organisations need solutions now.
3. The Cost of Getting It Wrong — and Getting It Right
The cost of fragmentation
Compliance costs across the EU financial sector alone are estimated at $181 billion annually, with individual institutions potentially spending up to $10,000 per employee. UniCredit has allocated an additional EUR 2.5 billion in incremental IT investments for 2025-2027, with DORA and regulatory compliance as key drivers. A Bruegel mapping exercise identified over 100 different digital regulations now applicable to EU companies.
Deloitte’s 2025 European DORA Survey found only 25% of financial entities report full compliance on the ICT Risk Management pillar. Over half encountered difficulties identifying supply chain dependencies beyond first-tier providers. McKinsey’s research showed that while 94% of financial institutions treat DORA as a board-level agenda item, only one-third express confidence in meeting all requirements.
The cost of non-compliance
The fines are significant — up to 7% of global turnover under the AI Act — but the operational risk is larger. Gartner predicts AI regulatory violations will result in a 30% increase in legal disputes for tech companies by 2028. Germany’s BaFin has already launched DORA-focused special audits, with transitional leniency no longer available from 2026.
The unified approach advantage
Gartner projects that effective governance technology can reduce regulatory expenses by 20%. The logic is straightforward: a requirement that appears under different names across multiple frameworks — incident reporting, risk assessment, third-party oversight, audit trail — can be implemented once and mapped to all three. Organisations deploying AI governance platforms are 3.4x more likely to achieve high effectiveness (Gartner, 2025 survey of 360 organisations).
The European RegTech market reached USD 5.87 billion in 2025 (30.7% of global share), with AI governance platforms alone projected to surpass USD 1 billion by 2030 at 45% CAGR.
4. The Unified Control Fabric: One Platform, Three Regulations
The answer to regulatory convergence isn’t more point solutions. It’s a platform that treats compliance as process orchestration — the same discipline that has transformed operations in every other domain.
A unified approach maps shared controls across all three frameworks:
- Risk Management — NIS2 requires cybersecurity risk assessments. DORA requires ICT risk management frameworks. The AI Act requires risk classification. One risk management process, properly designed, feeds all three.
- Incident Management — NIS2’s 24-hour notification, DORA’s tiered reporting, and the AI Act’s serious incident reporting can be orchestrated through a single incident workflow with regulation-specific routing and timelines.
- Third-Party Oversight — NIS2’s supply chain security, DORA’s ICT third-party risk management (including the new CTPP oversight regime), and the AI Act’s value chain obligations all converge on the same set of vendors and providers.
- Audit Trail and Documentation — Every regulation demands evidence of compliance. A BPM platform that captures who did what, when, and why — with full process versioning — provides the compliance-by-design foundation that satisfies all three.
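To make the "single incident workflow with regulation-specific routing and timelines" concrete, here is an added example in Python (written for this article, not code from Uniksystem or iFlowBPM). It takes one triaged incident record, decides which of the three frameworks it triggers, and expands it into a single dated list of reporting obligations. The NIS2 deadlines (24 hours early warning, 72 hours full notification) are the ones stated in this article; the DORA and AI Act offsets, the routing targets, and the supplier-review task are assumed placeholders for illustration and must be replaced with the values from the applicable legal text and technical standards before any real use.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List


@dataclass(frozen=True)
class Incident:
    """One intake record, filled in by the triage step of the shared workflow."""
    incident_id: str
    detected_at: datetime
    nis2_entity: bool                # organisation is in NIS2 scope (essential/important entity)
    dora_entity: bool                # organisation is a DORA financial entity
    high_risk_ai_involved: bool      # a high-risk AI system (AI Act) is part of the failure
    significant_impact: bool         # materiality outcome from triage (one shared test, assumed)
    third_party_component: bool      # the failed component was supplied by a vendor


@dataclass(frozen=True)
class Obligation:
    regulation: str
    step: str
    due_at: datetime
    route_to: str
    basis: str                       # "article": value from the article; "assumed": placeholder


# Reporting steps relative to detection time. NIS2 values come from the article
# (24h early warning, 72h full notification). DORA and AI Act values are ASSUMED
# placeholders; confirm them against the legal text and the applicable RTS.
TIMELINES = {
    "NIS2": [
        ("early warning", timedelta(hours=24), "CSIRT / competent authority", "article"),
        ("incident notification", timedelta(hours=72), "CSIRT / competent authority", "article"),
    ],
    "DORA": [
        ("initial notification", timedelta(hours=24), "financial supervisor", "assumed"),
        ("intermediate report", timedelta(hours=72), "financial supervisor", "assumed"),
        ("final report", timedelta(days=30), "financial supervisor", "assumed"),
    ],
    "AI Act": [
        ("serious incident report", timedelta(days=15), "market surveillance authority", "assumed"),
    ],
}


def applicable_regulations(inc: Incident) -> List[str]:
    """Regulation-specific routing: which frameworks does this one incident trigger?"""
    regs = []
    if inc.nis2_entity and inc.significant_impact:
        regs.append("NIS2")
    if inc.dora_entity and inc.significant_impact:      # the "major ICT incident" path
        regs.append("DORA")
    if inc.high_risk_ai_involved:
        regs.append("AI Act")
    return regs


def route(inc: Incident) -> List[Obligation]:
    """Expand one incident into every dated obligation, ordered by deadline."""
    regs = applicable_regulations(inc)
    obligations = []
    for reg in regs:
        for step, offset, route_to, basis in TIMELINES[reg]:
            obligations.append(Obligation(reg, step, inc.detected_at + offset, route_to, basis))
    if inc.third_party_component and "NIS2" in regs:
        # Supply-chain follow-up is an internal task; its 72h deadline here is assumed.
        obligations.append(Obligation("NIS2", "supplier impact review",
                                      inc.detected_at + timedelta(hours=72),
                                      "third-party risk owner", "assumed"))
    return sorted(obligations, key=lambda o: o.due_at)


def overdue(obligations: List[Obligation], now: datetime) -> List[Obligation]:
    """Obligations whose deadline has already passed at `now`, for escalation."""
    return [o for o in obligations if o.due_at <= now]


if __name__ == "__main__":
    # Constructed scenario from the article: a compromised AI model in a
    # financial institution's credit-scoring system.
    inc = Incident("INC-0001", datetime(2026, 1, 1, 8, 0, tzinfo=timezone.utc),
                   nis2_entity=True, dora_entity=True, high_risk_ai_involved=True,
                   significant_impact=True, third_party_component=True)
    for o in route(inc):
        print(f"{o.due_at:%Y-%m-%d %H:%M} {o.regulation:7} {o.step:24} -> {o.route_to} [{o.basis}]")
```

The point of the design is that the incident is recorded once and the materiality test is run once; the per-regulation differences live in the routing rules and the timeline table, which is also where an audit trail would record which rule fired and when each deadline was met.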
Uniksystem’s iFlowBPM delivers this unified control fabric: BPMN 2.0-compliant process orchestration with built-in incident management workflows, third-party risk assessment processes, automated regulatory reporting, and complete audit trails. Deployed on-premise or cloud, integrated with existing GRC, ERP, and HR systems — without replacing what already works.
5. What to Do This Quarter
The regulatory stack is here. The enforcement machinery is operational. The fines are real. But the biggest risk isn’t a penalty — it’s the competitive drag of running three parallel compliance programs when one integrated approach would cost less and deliver more.
For CIOs and CTOs: Audit your current compliance architecture. How many separate tools, teams, and processes are handling NIS2, DORA, and AI Act obligations? Map the overlaps. Quantify the duplication.
For CFOs: The RegTech investment isn’t optional — it’s the difference between $10,000 per employee in fragmented compliance costs and a 20% reduction through platform consolidation.
For the Board: These three regulations share a common demand — demonstrable, auditable, continuous governance. That’s not a technology purchase. It’s an operating model decision.
The organisations that treat the European compliance stack as a strategic capability — not a regulatory burden — will move faster, spend less, and compete from a position of strength.
The next decade belongs to them.
Bonus: Compliance Stack Quick Reference
NIS2 — Key Obligations
- Cybersecurity risk management and governance
- Incident reporting within 24 hours (early warning), 72 hours (full notification)
- Supply chain security assessment
- Board-level accountability and training
- Scope: ~160,000 entities across 18 sectors
- Fines: EUR 10M or 2% of global turnover
DORA — Key Obligations
- ICT risk management framework
- ICT incident classification and reporting
- Digital operational resilience testing (incl. TLPT)
- Third-party ICT risk management and CTPP oversight
- Scope: ~22,000 financial entities + ICT providers
- Fines: EUR 5-10M or 2% of global turnover
EU AI Act — Key Obligations
- AI system risk classification (prohibited, high-risk, limited, minimal)
- Conformity assessments for high-risk AI
- Transparency and human oversight requirements
- Fundamental Rights Impact Assessments (FRIA)
- Scope: all entities developing, deploying, or using AI in EU market
- Fines: up to 7% of global turnover (prohibited practices)
Sources: European Parliament ITRE Committee (Oct 2025), Gartner (Feb 2026), McKinsey, Deloitte Luxembourg DORA Survey (2025), PwC Luxembourg (Mar 2025), CSSF Luxembourg, Cloud Security Alliance (Sep 2025), BearingPoint IT-GRC Study (2025), EU Council (May 2026 Omnibus).
About the author: Jorge Gamito Pereira is CEO and Co-Founder of Uniksystem, a European enterprise platform company specialising in low-code BPM, AI-powered automation, and digital transformation for regulated industries. Uniksystem holds ISO/IEC 27001 certification across the entire JOYN Group.