NIS2 and DORA: What SASE Teams Need to Know
A practical guide to how NIS2 and DORA compliance requirements map to SASE capabilities — and what gaps you still need to fill.
Two EU regulations are reshaping how organizations approach network security: NIS2 (the directive that member states had to transpose by 17 October 2024) and DORA (a regulation that applies directly from 17 January 2025). Organizations that already had SASE deployments in progress found that much of the technical control work was done: a properly configured SSE stack provides centralized logging, identity-based access, encryption enforcement, and DLP out of the box, which is exactly what organizations without SASE scrambled to demonstrate. If your organization operates in the EU or serves EU financial institutions, here is how NIS2 and DORA map to SASE capabilities, and where the gaps are that SASE cannot fill.
NIS2 in 60 seconds
NIS2 replaces the original NIS Directive and significantly expands its scope. It now covers essential entities (energy, transport, healthcare, banking, digital infrastructure) and important entities (manufacturing, food, chemicals, waste management, postal services, and more). The key requirements include risk management measures for network and information systems (Article 21), reporting of significant incidents (Article 23: an early warning within 24 hours of becoming aware, an incident notification within 72 hours, and a final report within one month), supply chain security, cryptography and access control obligations, and board-level accountability for cybersecurity: management bodies must approve and oversee the risk management measures and can be held liable for infringements (Article 20).
DORA in 60 seconds
DORA is specific to the financial sector: banks, insurance companies, investment firms, and the ICT service providers that support them. It mandates ICT risk management frameworks, digital operational resilience testing (including threat-led penetration testing), third-party ICT risk management, incident classification and reporting, and information sharing on cyber threats. DORA is more prescriptive than NIS2 about how resilience testing must be conducted and how third-party risk must be managed, and as a regulation it applies without national transposition.
How SASE maps to NIS2 and DORA requirements
The following table maps specific regulatory requirements to SASE capabilities. "Strong" means the capability covers the requirement as deployed, "Partial" means it needs supplementing with a process or another control, and "Weak" means SASE contributes evidence at most.
| Requirement | NIS2 Article | DORA Article | SASE Capability | Coverage Level |
|---|---|---|---|---|
| Network access control | Art. 21(2)(i) | Art. 9(4)(c) | ZTNA with identity-based per-app access and device posture checks | Strong |
| Encryption in transit | Art. 21(2)(h) | Art. 9(3)(a) | Client and branch tunnels to the PoP are encrypted; PoP policy enforces TLS 1.2+ and can block cleartext or legacy cipher suites. TLS inspection decrypts traffic at the PoP, so its scope and certificate handling must be documented as well | Strong |
| Incident detection | Art. 21(2)(b) | Art. 10 | SWG, CASB, FWaaS and ZTNA emit security event logs; SIEM integration for correlation and alerting | Strong |
| Incident reporting (24h early warning, 72h notification) | Art. 23 | Art. 19 | Centralized logging and SIEM integration supply the timeline and evidence. Process still needed. | Partial: SASE provides the data, but classification and the reporting workflow are a process, not a product |
| Supply chain security | Art. 21(2)(d) | Art. 28–30 | CASB provides visibility into third-party SaaS usage; risk scoring per app | Partial: CASB covers the SaaS supply chain, not hardware or on-prem software suppliers |
| Business continuity | Art. 21(2)(c) | Art. 11 | SASE PoP redundancy provides resilient connectivity; SD-WAN failover for branches | Partial: covers network resilience, not application-layer business continuity |
| Resilience testing | — | Art. 24–27 | DEM provides baseline performance metrics; not a substitute for TLPT or penetration testing | Weak: DORA requires threat-led penetration testing that SASE does not provide |
| Data protection / DLP | Art. 21(2)(h), (i) | Art. 9(3)(b) | Inline DLP for web, SaaS and GenAI; exact data matching and ML classification | Strong |
| Multi-factor authentication | Art. 21(2)(j) | Art. 9(4)(d) | ZTNA enforces MFA via IdP integration as a prerequisite for access | Strong |
| Third-party ICT risk | — | Art. 28–30 | CASB shadow IT discovery and SaaS risk scoring for cloud providers | Partial: covers SaaS third parties, not all ICT third parties (the SASE vendor itself is one) |
The gaps SASE does not fill
SASE is a significant piece of the compliance puzzle, but it is not the whole puzzle. Here are the requirements where SASE provides little or no coverage:
- Governance and board reporting — NIS2 requires board-level accountability. SASE provides the technical data, but the governance framework, risk register, and board reporting cadence are organizational responsibilities.
- Threat-led penetration testing (TLPT) — DORA Article 26 requires financial entities identified by their authorities to run threat-led testing at least every three years, in line with the TIBER-EU framework. This requires specialized red team services and accredited testers, not a SASE platform.
- Hardware supply chain — NIS2 Article 21(2)(d) covers supply chain broadly. CASB only addresses SaaS supply chain. Hardware and on-premises software supply chain risk management requires a separate process.
- Incident response playbooks — Both regulations require documented incident response procedures. SASE provides the detection and logging, but the playbooks, escalation paths, and communication plans must be developed separately.
- Employee training — NIS2 Article 21(2)(g) requires cybersecurity awareness training. SASE does not replace a training program.
Practical steps for SASE teams
- Map your SASE deployment to the table above and identify which requirements you already cover
- For 'Partial' coverage items, document what supplementary controls or processes are needed
- Ensure SASE logs are flowing to your SIEM with retention periods that meet regulatory requirements (NIS2 itself sets no minimum; take the figure from your national transposition and your sector supervisor, and verify that the oldest log you can actually retrieve is at least that old)
- Verify that your SASE vendor can provide EU data residency if your national NIS2 transposition or your supervisor requires it, and that this covers the PoPs that process and TLS-inspect your traffic, not only the management plane
- For DORA: treat your SASE vendor as an ICT third-party provider supporting a critical or important function. Record it in your register of information (Art. 28), make sure the contract carries the Art. 30 provisions (audit and access rights, SLAs, incident support, exit terms), and collect the vendor's own compliance documentation for your auditors. Whether the ESAs additionally designate the vendor as critical is outside your control and does not change your obligations
- Document ZTNA policies in a format that maps to your risk register — auditors want to see that access controls are risk-based, not just technically enforced
- Schedule a quarterly review of CASB-discovered third-party SaaS applications to maintain supply chain visibility
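The checks behind several of these steps, and the 24-hour early-warning row in the table above, can be scripted against a SIEM export. The following is an added example written for this page, not code from the article or from any SASE vendor. It runs three checks over constructed sample data: log evidence (required sources present, retention window actually available, events processed by PoPs outside the EU), incident early-warning deadlines, and a lint of ZTNA policies for MFA, device posture, a risk register link, and catch-all groups. The record layout, region labels, 365-day retention target, policy fields and audit date are all assumptions; substitute your SIEM's normalised schema and your national transposition's figures.

```python
"""Evidence checks for NIS2/DORA audit readiness over SASE exports (added example).

The record layout, region labels, retention target and audit date are assumptions;
swap in your SIEM's normalised schema and your national transposition's figures.
"""
from datetime import datetime, timedelta, timezone

# Assumed audit date for the checks below.
AS_OF = datetime(2025, 10, 1, 12, 0, tzinfo=timezone.utc)

# Constructed sample of normalised SASE log records as a SIEM might store them.
SAMPLE_LOGS = [
    {"source": "ztna", "ts": "2024-10-20T08:15:00Z", "pop_region": "eu-west",
     "user": "a.bauer", "app": "erp", "action": "allow"},
    {"source": "swg", "ts": "2025-01-05T11:02:00Z", "pop_region": "eu-central",
     "url_category": "malware", "action": "block"},
    {"source": "casb", "ts": "2025-03-12T09:30:00Z", "pop_region": "eu-west",
     "app": "unsanctioned-file-share", "action": "alert"},
    {"source": "dlp", "ts": "2025-06-01T14:45:00Z", "pop_region": "us-east",
     "rule": "iban-exact-match", "action": "block"},
]

# Constructed incident records; the NIS2 Art. 23 early warning is due 24h after awareness.
SAMPLE_INCIDENTS = [
    {"id": "INC-1", "detected": "2025-03-12T09:30:00Z", "early_warning_sent": "2025-03-13T07:00:00Z"},
    {"id": "INC-2", "detected": "2025-06-01T14:45:00Z", "early_warning_sent": None},
    {"id": "INC-3", "detected": "2025-06-01T14:45:00Z", "early_warning_sent": "2025-06-02T16:00:00Z"},
]

# Constructed ZTNA policies in an assumed policy-as-code layout; risk_id points at the risk register.
SAMPLE_POLICIES = [
    {"name": "finance-erp", "app": "erp", "groups": ["finance"], "mfa": True,
     "posture": ["disk-encrypted", "edr-running"], "risk_id": "R-017"},
    {"name": "legacy-ftp", "app": "ftp-gw", "groups": ["all-staff"], "mfa": False,
     "posture": [], "risk_id": None},
]

REQUIRED_SOURCES = {"ztna", "swg", "casb", "fwaas", "dlp"}  # log sources auditors expect to see
EU_REGIONS = {"eu-west", "eu-central", "eu-north", "eu-south"}  # assumed PoP region labels
BROAD_GROUPS = {"all-staff", "everyone", "domain users"}  # groups that make a policy non-risk-based


def _parse(ts):
    """Parse an ISO-8601 UTC timestamp with a trailing Z into an aware datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_log_evidence(records, now=AS_OF, min_retention_days=365,
                       allowed_regions=EU_REGIONS, required_sources=REQUIRED_SOURCES):
    """Report missing log sources, the retention window actually available, and
    events processed by PoPs outside the allowed (EU) regions."""
    if not records:
        return {"missing_sources": sorted(required_sources), "retention_days": 0,
                "retention_ok": False, "out_of_region": []}
    oldest = min(_parse(r["ts"]) for r in records)
    retention_days = (now - oldest).days
    return {
        "missing_sources": sorted(required_sources - {r["source"] for r in records}),
        "retention_days": retention_days,
        "retention_ok": retention_days >= min_retention_days,
        "out_of_region": [r for r in records if r["pop_region"] not in allowed_regions],
    }


def check_reporting_deadlines(incidents, now=AS_OF, deadline_hours=24):
    """Return IDs of incidents whose early warning went out late or is still overdue."""
    limit = timedelta(hours=deadline_hours)
    late = []
    for inc in incidents:
        sent = inc.get("early_warning_sent")
        elapsed = (_parse(sent) if sent else now) - _parse(inc["detected"])
        if elapsed > limit:
            late.append(inc["id"])
    return late


def lint_ztna_policies(policies):
    """Flag policies an auditor would not accept as risk-based access control:
    no MFA, no device posture condition, no risk register link, or a catch-all group."""
    findings = {}
    for p in policies:
        problems = []
        if not p.get("mfa"):
            problems.append("MFA not required (NIS2 Art. 21(2)(j), DORA Art. 9(4)(d))")
        if not p.get("posture"):
            problems.append("no device posture condition")
        if not p.get("risk_id"):
            problems.append("not linked to a risk register entry")
        if {g.lower() for g in p.get("groups", [])} & BROAD_GROUPS:
            problems.append("grants access to a catch-all group")
        if problems:
            findings[p["name"]] = problems
    return findings


if __name__ == "__main__":
    print("log evidence:", check_log_evidence(SAMPLE_LOGS))
    print("late or overdue early warnings:", check_reporting_deadlines(SAMPLE_INCIDENTS))
    print("ZTNA policy findings:", lint_ztna_policies(SAMPLE_POLICIES))
```

On the sample data the log check reports that no FWaaS events are present, that only 346 days of history are retrievable against a 365-day target, and that one DLP event was processed by a US PoP; two of the three incidents miss the 24-hour early warning (one unsent, one sent after 25 hours); and the legacy FTP policy fails all four lint rules. The point is that retention is measured from the oldest record you can still query, not from the configured setting, and that a policy is only evidence of risk-based access control if it carries the risk it mitigates.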
Bottom line
SASE gives you strong coverage for access control, encryption, incident detection, DLP, and SaaS supply chain visibility. It gives you partial coverage for incident reporting, business continuity, and third-party risk. It gives you no coverage for governance, penetration testing, training, and hardware supply chain. Know the gaps, fill them with complementary controls and processes, and use the SASE logs as the evidence backbone for audit readiness.
Sources
- European Parliament, "Directive (EU) 2022/2555 (NIS2)" — eur-lex.europa.eu
- European Parliament, "Regulation (EU) 2022/2554 (DORA)" — eur-lex.europa.eu
- ENISA, "NIS2 Directive — Overview and Guidance" — enisa.europa.eu
- European Commission, "Digital Operational Resilience Act (DORA) Factsheet" — finance.ec.europa.eu
- NIST, "Zero Trust Architecture" SP 800-207 (2020) — nist.gov