NIS2 & DORA: SASE Compliance Guide
NIS2 and DORA mandate security measures that SASE directly supports: continuous monitoring, staged incident reporting (first notification within 4 to 24 hours, follow-ups at 72 hours and one month), supply chain security, and resilience testing. SASE provides the inspection, logging, and access control infrastructure that generates much of the evidence needed for compliance. Member states had to transpose NIS2 by 17 October 2024; DORA has applied to financial entities since 17 January 2025.
NIS2 (Network and Information Security Directive 2) and DORA (Digital Operational Resilience Act) are two EU regulations that impose specific cybersecurity requirements on organizations operating in critical infrastructure and financial services sectors. SASE architectures address a significant portion of these requirements because the core capabilities of SASE, including encrypted traffic inspection, zero trust access control, data loss prevention, continuous monitoring, and digital experience monitoring, map directly to the technical controls that NIS2 and DORA mandate. This guide provides specific mappings between regulatory requirements and SASE capabilities to help compliance teams document how their SASE deployment satisfies audit evidence requirements.
NIS2 overview and scope
NIS2 entered into force in January 2023, and member states were required to transpose it into national law by 17 October 2024, the date on which it repealed the original NIS Directive. In January 2026, the European Commission proposed targeted amendments to NIS2 to increase legal clarity and simplify compliance for organizations across member states. NIS2 significantly expands the scope of covered organizations to include 'essential entities' (energy, transport, banking, health, water, digital infrastructure, space, public administration) and 'important entities' (postal services, waste management, chemicals, food, manufacturing, digital providers, research). Organizations in these sectors that are medium-sized or larger (at least 50 employees, or annual turnover or balance sheet above 10 million euros) are subject to NIS2, with sector-specific exceptions that bring certain providers into scope regardless of size.
NIS2 mandates specific cybersecurity risk management measures under Article 21, including policies on risk analysis and information system security, incident handling, business continuity and crisis management, supply chain security, network and information systems acquisition and development security, policies and procedures to assess the effectiveness of cybersecurity risk management measures, basic cyber hygiene practices and cybersecurity training, policies on the use of cryptography and encryption, human resource security and access control policies, and the use of multi-factor or continuous authentication and secured communications. Note that the directive is written at the level of measures and policies, not products: it requires MFA "where appropriate", encryption policies rather than named ciphers, and does not mention IDS/IPS by name. In practice, however, auditors expect those policies to be backed by enforced controls (MFA on critical systems, encryption in transit and at rest, network threat detection, documented incident response, third-party security evaluations), and those controls map directly to SASE capabilities.
How SASE maps to NIS2 Article 21 requirements
The reason SASE is uniquely positioned for NIS2 compliance is that the directive's technical requirements read like a SASE feature list. Mandatory MFA maps to ZTNA, which enforces identity verification with multi-factor authentication before granting per-application access. Data encryption maps to SWG TLS inspection with re-encryption and ZTNA encrypted micro-tunnels. Network security with IDS/IPS maps to FWaaS, which provides inline intrusion detection and prevention across all traffic flowing through the SASE fabric. Incident response procedures map to the centralized logging, alerting, and incident workflow capabilities built into every SASE platform. Third-party vendor security evaluations map to CASB, which discovers, categorizes, and risk-scores every SaaS application and third-party service your organization uses. No other single architecture addresses this many NIS2 requirements simultaneously.
DORA overview and scope
DORA entered into application on January 17, 2025, and applies to virtually all regulated financial entities in the EU: banks, insurance companies, investment firms, payment institutions, crypto-asset service providers, and critically, their ICT third-party service providers including cloud providers and, by extension, SASE vendors themselves. DORA focuses specifically on digital operational resilience: the ability of financial entities to build, assure, and review their technological infrastructure to withstand ICT-related disruptions and threats.
DORA establishes requirements across five pillars: ICT risk management (Articles 5-16), ICT-related incident management (Articles 17-23), digital operational resilience testing (Articles 24-27), managing ICT third-party risk (Articles 28-44), and information sharing (Article 45). Financial entities must implement comprehensive ICT risk management frameworks, classify and report ICT-related incidents, conduct regular testing including threat-led penetration testing for entities identified by their competent authority, maintain registers of ICT third-party contractual arrangements, and may share threat intelligence with other financial entities.
NIS2 requirement to SASE control mapping
| NIS2 Requirement (Article 21) | SASE Capability | Evidence for Audit |
|---|---|---|
| Risk analysis and information system security | CASB shadow IT discovery, SWG traffic analysis, DEM performance monitoring | CASB risk reports showing all cloud services with risk scores; SWG logs showing threat landscape; DEM baselines documenting system performance |
| Incident handling | SWG/FWaaS/CASB alert generation, DLP incident workflow, SIEM log export | Incident response procedures integrated with SASE alerting; documented triage workflows for DLP, CASB, and threat detection events |
| Business continuity and crisis management | SASE PoP redundancy, SD-WAN multi-path failover, DEM availability monitoring | PoP failover architecture documentation; SD-WAN failover test results; DEM uptime reports showing service availability |
| Supply chain security | CASB third-party app risk scoring, ZTNA third-party contractor access control | CASB vendor risk assessments for SaaS providers; ZTNA policies restricting contractor access to specific applications with continuous posture verification |
| Policies and procedures to assess cybersecurity measures | DEM performance metrics, DLP effectiveness reports, CASB coverage reports | Quarterly SASE effectiveness reviews showing detection rates, false positive rates, coverage gaps, and remediation timelines |
| Cryptography and encryption | SWG TLS inspection with re-encryption, ZTNA encrypted micro-tunnels, IPsec/GRE SD-WAN tunnels | Encryption standards documentation showing TLS 1.2+ enforcement; ZTNA tunnel encryption specifications; SD-WAN tunnel encryption configuration |
| Access control policies | ZTNA per-application access with identity and posture verification, CASB SaaS access governance | ZTNA policy documentation showing per-app access rules; identity provider integration with MFA enforcement; device posture policy requirements |
| Multi-factor authentication and secured communications | ZTNA MFA requirement at IdP, step-up authentication on posture change, encrypted tunnels for all traffic | IdP MFA configuration; ZTNA step-up auth policies; network architecture showing all traffic encrypted in transit through SASE tunnels |
DORA requirement to SASE control mapping
| DORA Requirement | SASE Capability | Evidence for Audit |
|---|---|---|
| ICT risk identification and protection (Art. 8-9) | SWG threat prevention, FWaaS IPS, CASB SaaS risk assessment, DLP data classification | Threat prevention logs; IPS signature coverage reports; CASB SaaS risk register; DLP data inventory showing classified data types and locations |
| Detection of anomalous activities (Art. 10) | SWG malware detection, CASB UEBA, FWaaS IPS alerts, DEM anomaly detection | Alert and detection logs with response times; UEBA behavioral baselines and deviation alerts; DEM performance anomaly detection reports |
| ICT business continuity policy (Art. 11) | Multi-PoP redundancy, SD-WAN failover, ZTNA connector redundancy | PoP failover test results; SD-WAN failover test documentation; ZTNA connector redundancy configuration; recovery time measurements |
| ICT-related incident management (Art. 17-18) | Centralized SASE incident dashboard, DLP incident workflow, automated SIEM forwarding | Incident classification procedures mapped to DORA severity levels; incident response timelines; post-incident root cause analysis reports |
| ICT-related incident reporting (Art. 19) | SASE platform incident logs with timestamps, severity, and scope data for regulatory notification | Incident reporting templates populated from SASE log data; evidence of reporting within DORA timelines (initial notification within 4 hours of classifying the incident as major and no later than 24 hours after becoming aware of it, intermediate report within 72 hours of the initial notification, final report within 1 month of the intermediate report) |
| Digital operational resilience testing (Art. 24-25) | DEM synthetic testing, SASE configuration audit, SD-WAN failover testing | Synthetic test results showing service resilience; configuration drift reports; quarterly failover test documentation with measured recovery times |
| ICT third-party risk management (Art. 28-30) | CASB third-party SaaS risk register, ZTNA contractor access audit, SASE vendor's own compliance certifications | CASB third-party risk reports; contractor access review logs; SASE vendor SOC 2, ISO 27001, and C5 certifications |
| Threat-led penetration testing (Art. 26) | DEM and SWG provide pre/post test baselines; ZTNA architecture limits test scope to specific applications | Penetration test reports showing SASE control effectiveness; ZTNA architecture documentation demonstrating reduced attack surface |
Implementation guidance for NIS2
For organizations subject to NIS2, the SASE deployment sequence should prioritize the controls that address the highest-risk requirements first. Start with ZTNA and MFA (Article 21 access control and multi-factor authentication requirements) because unauthorized access is the most common attack vector and NIS2 explicitly mandates MFA. Deploy SWG with TLS inspection next (Article 21 cryptography and incident handling) to gain visibility into encrypted traffic and begin generating the threat detection evidence that auditors will request. Add CASB (Article 21 supply chain security and risk assessment) to inventory all cloud services and assess third-party risk. Finally, deploy DLP (Article 21 information system security) to classify and protect sensitive data.
NIS2 Article 23 requires organizations to report significant incidents to the competent authority or national CSIRT in stages: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report within one month. Your SASE platform must be configured to generate alerts with sufficient detail to populate these notifications: what happened, when it was detected, what systems were affected, what data was at risk, and what containment actions were taken. Pre-build incident report templates that pull data from SASE logs and map to the national CSIRT's reporting format, and record the time of awareness explicitly, since every deadline is counted from it.
Implementation guidance for DORA
Financial entities subject to DORA face additional requirements beyond NIS2, particularly around operational resilience testing and ICT third-party risk management. The SASE platform itself becomes a critical ICT third-party service provider that must be included in your Article 28 register of information and whose contract must meet the Article 30 requirements. Request your SASE vendor's SOC 2 Type II report, ISO 27001 certificate, and if available, the BSI C5 (Cloud Computing Compliance Criteria Catalogue) attestation, a German standard that is increasingly referenced by EU financial regulators when assessing cloud providers.
DORA's resilience testing requirements (Article 24-27) mean you must regularly test your SASE platform's failover capabilities. Conduct quarterly PoP failover tests by simulating primary PoP unavailability and measuring time to failover and service impact. Test SD-WAN path failover by disconnecting WAN links at pilot branches and verifying sub-second failover. Test ZTNA connector failover by taking down primary connectors and measuring user experience impact. Document every test with timestamps, measured results, and comparison against defined recovery time objectives.
For the ICT-related incident classification required by Article 18, map your SASE alert severities to DORA's incident classification criteria: number of clients affected, duration of the incident, geographic spread, data losses, criticality of services affected, and economic impact. A DLP incident involving bulk PII exfiltration from a customer-facing banking application would classify differently than a SWG alert about a blocked malware download on a single workstation. Pre-define these mappings so incident classification is automated, not ad-hoc during an active incident.
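The classification and reporting-clock logic described above, together with the NIS2 timelines under "Implementation guidance for NIS2" and the DORA timelines in the mapping table, can be pre-defined in code so that triage during an incident is mechanical. The following is an added example written for this guide; it is not code from the page or from any SASE vendor. It assumes a hypothetical JSON alert format with the fields read below, and its thresholds and decision rule are placeholders to be tuned against the DORA classification RTS and your own policy, not DORA's own numbers:

```python
"""Added example (not from the page or any SASE vendor): classify a SASE alert
against DORA/NIS2-style incident criteria and start the reporting clock.

Assumptions (hypothetical): alerts are JSON records with the fields read below,
and the thresholds in MAJOR_THRESHOLDS are placeholders to be tuned against the
DORA classification RTS and your own risk appetite.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample alerts (not real log data); timestamps are UTC.
SAMPLE_ALERTS = [
    '{"id":"dlp-1041","source":"dlp","ts":"2025-03-03T08:12:00Z","app":"online-banking",'
    '"clients_affected":125000,"data_loss":true,"countries":["DE","FR","NL"],'
    '"service_critical":true,"duration_min":180}',
    '{"id":"swg-2207","source":"swg","ts":"2025-03-03T09:40:00Z","app":"ws-042",'
    '"clients_affected":0,"data_loss":false,"countries":["DE"],'
    '"service_critical":false,"duration_min":2}',
]

# Placeholder thresholds: an assumption for this example, not DORA's own numbers.
MAJOR_THRESHOLDS = {"clients_affected": 100_000, "countries": 2, "duration_min": 24 * 60}

# Reporting windows from the guide: NIS2 Art. 23 (24 h / 72 h / 1 month) and
# DORA Art. 19 (4 h from classification / 72 h / 1 month). "1 month" is
# approximated here as 30 days.
ONE_MONTH = timedelta(days=30)


@dataclass(frozen=True)
class Classification:
    incident_id: str
    major: bool                 # DORA major ICT-related incident (assumed rule)
    reasons: tuple[str, ...]    # which criteria fired, for the audit trail
    deadlines: dict[str, str]   # ISO 8601 UTC timestamps, empty if not major


def evaluate_criteria(rec: dict) -> tuple[str, ...]:
    """Return the DORA Art. 18 classification criteria that this alert triggers."""
    hits = []
    if rec.get("clients_affected", 0) >= MAJOR_THRESHOLDS["clients_affected"]:
        hits.append("clients_affected")
    if rec.get("duration_min", 0) >= MAJOR_THRESHOLDS["duration_min"]:
        hits.append("duration")
    if len(rec.get("countries", [])) >= MAJOR_THRESHOLDS["countries"]:
        hits.append("geographic_spread")
    if rec.get("data_loss"):
        hits.append("data_losses")
    if rec.get("service_critical"):
        hits.append("critical_services")
    return tuple(hits)


def reporting_deadlines(detected: datetime) -> dict[str, str]:
    """Compute the notification deadlines, anchored on the detection time.

    DORA's initial notification is due 4 h after classification as major; this
    example classifies at detection time, so that is detected + 4 h (inside the
    24 h-from-awareness backstop). Later DORA deadlines chain from the previous one.
    """
    dora_initial = detected + timedelta(hours=4)
    dora_intermediate = dora_initial + timedelta(hours=72)
    return {
        "nis2_early_warning": (detected + timedelta(hours=24)).isoformat(),
        "nis2_notification": (detected + timedelta(hours=72)).isoformat(),
        "nis2_final_report": (detected + ONE_MONTH).isoformat(),
        "dora_initial": dora_initial.isoformat(),
        "dora_intermediate": dora_intermediate.isoformat(),
        "dora_final": (dora_intermediate + ONE_MONTH).isoformat(),
    }


def classify(rec: dict) -> Classification:
    """Assumed decision rule: major if data was lost from a critical service,
    or if at least two criteria fire. Replace with your own classification policy."""
    reasons = evaluate_criteria(rec)
    major = ("data_losses" in reasons and "critical_services" in reasons) or len(reasons) >= 2
    detected = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return Classification(
        incident_id=rec["id"],
        major=major,
        reasons=reasons,
        deadlines=reporting_deadlines(detected) if major else {},
    )


def triage(raw_alerts: list[str]) -> list[Classification]:
    """Parse and classify a batch of SASE alert lines."""
    return [classify(json.loads(line)) for line in raw_alerts]


if __name__ == "__main__":
    for c in triage(SAMPLE_ALERTS):
        print(c.incident_id, "MAJOR" if c.major else "minor", c.reasons)
        for name, due in c.deadlines.items():
            print(f"  {name:20s} due {due}")
```

Running it classifies the constructed bulk-PII DLP event on the banking application as major (four criteria fire) and prints its NIS2 and DORA deadlines, while the single-workstation SWG block stays minor with no reporting clock. The `reasons` tuple is what you keep as the audit trail: it records which criteria drove the decision, which is what a regulator will ask when the classification is questioned later.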
What SASE does not cover
Specific gaps where SASE needs complementary controls include: endpoint security (EDR/EPP for device-level threat detection), email security (secure email gateway or cloud email security for phishing and BEC protection), identity governance (IGA for access certification and privileged access management), vulnerability management (scanning and patching for servers, applications, and infrastructure), and security awareness training (human-layer controls that technical platforms cannot replace). Build your compliance evidence matrix with SASE as the network and cloud security layer, complemented by these additional control categories.
Data residency considerations
Both NIS2 and DORA operate within the EU's data protection framework, so GDPR's rules on international data transfers apply to the personal data in the traffic and logs your SASE platform processes. Verify that your SASE vendor offers PoPs within the EU, that traffic processing (decryption, inspection, logging) occurs within EU PoPs for EU-originating traffic, and that log data is stored in EU-based facilities. Some SASE vendors offer data residency guarantees as a configurable option; others route traffic through the nearest PoP regardless of jurisdiction. For financial entities under DORA this is not optional: Article 30 requires the contract with the provider to specify where data is processed and stored, and regulators will ask where your traffic is inspected and where your logs reside.
Sources & further reading
- EUR-Lex, "Directive (EU) 2022/2555 (NIS2)" — eur-lex.europa.eu/eli/dir/2022/2555
- EUR-Lex, "Regulation (EU) 2022/2554 (DORA)" — eur-lex.europa.eu/eli/reg/2022/2554
- ENISA, "NIS2 Directive Implementation Guidance" — enisa.europa.eu/topics/nis-directive
- NIST SP 800-207, "Zero Trust Architecture" — nist.gov/publications/zero-trust-architecture
- BSI, "Cloud Computing Compliance Criteria Catalogue (C5)" — bsi.bund.de/EN/Themen/Unternehmen-und-Organisationen/Standards-und-Zertifizierung/C5
- Gartner, "How SASE Supports EU Regulatory Compliance" — gartner.com/reviews/market/security-service-edge