<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Topic: Compliance &amp; security - Data Center University</title>
	<atom:link href="https://datacenteruniversity.be/topic/compliance-and-security/feed/" rel="self" type="application/rss+xml" />
	<link>https://datacenteruniversity.be/topic/compliance-and-security/</link>
	<description>Maximising Data Center Potential</description>
	<lastBuildDate>Thu, 05 Mar 2026 12:04:42 +0000</lastBuildDate>
	<language>en-GB</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=7.0</generator>

<image>
	<url>https://datacenteruniversity.be/wp-content/uploads/2023/03/cropped-Bildschirm­foto-2023-03-21-um-17.16.53-32x32.jpg</url>
	<title>Topic: Compliance &amp; security - Data Center University</title>
	<link>https://datacenteruniversity.be/topic/compliance-and-security/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>DORA and its impact on the data center industry</title>
		<link>https://datacenteruniversity.be/dora-and-its-impact-on-the-data-center-industry/</link>
		
		<dc:creator><![CDATA[Charlotte Fuertes]]></dc:creator>
		<pubDate>Thu, 12 Feb 2026 13:49:15 +0000</pubDate>
				<category><![CDATA[Compliance & security]]></category>
		<category><![CDATA[Article]]></category>
		<guid isPermaLink="false">https://datacenteruniversity.be/?p=3948</guid>

					<description><![CDATA[<p><strong>12/02/2026</strong></p><p>DORA reshapes Europe’s financial and data center sectors. Discover how compliance, resilience, and transparency define the future of digital trust.</p>]]></description>
										<content:encoded><![CDATA[<p><strong>12/02/2026</strong></p>
<p class="wp-block-paragraph"><strong>In January 2025, the Digital Operational Resilience Act (DORA) entered into application across the European Union. This landmark regulation is designed to strengthen the digital resilience of the financial sector. Now, a year on, what does DORA mean in practice for financial institutions and critical third-party providers, including data centers?</strong></p>



<h2 class="wp-block-heading"><strong>What is DORA really?</strong></h2>



<p class="wp-block-paragraph">Europe’s financial stability depends on digital trust. To safeguard that trust, the European Commission introduced the Digital Operational Resilience Act (DORA): a regulation designed to protect financial institutions from digital disruption. DORA has been in force since January 2025, marking a new chapter in how Europe safeguards the stability of its financial system.</p>



<p class="wp-block-paragraph">At its core, DORA ensures that banks, insurers and other financial institutions can withstand digital shocks. From ransomware attacks to power outages, DORA turns resilience from a best practice into a legal obligation.</p>



<p class="wp-block-paragraph">But DORA is not just about banks and insurers. It also applies to the partners they rely on, including data centers. These facilities, usually operating quietly in the background, now take a central role in Europe’s plan for digital resilience.</p>



<h2 class="wp-block-heading"><strong>Why DORA matters</strong></h2>



<p class="wp-block-paragraph">The European Commission introduced DORA to tackle growing risks in the financial system.</p>



<p class="wp-block-paragraph">Cyberattacks, digital sabotage, and complex supply chains can quickly undermine stability. Vulnerabilities in a single provider can ripple through an entire ecosystem. At the same time, the lack of transparency and fragmented reporting make it difficult to respond effectively when incidents occur.</p>



<p class="wp-block-paragraph">DORA complements other European initiatives such as NIS2, which focuses on critical infrastructure, and the Cyber Resilience Act (CRA), aimed at connected devices. Together, these regulations raise the bar for cybersecurity and operational resilience across Europe.</p>



<h2 class="wp-block-heading"><strong>What DORA means for financial institutions</strong></h2>



<p class="wp-block-paragraph">For banks, insurers, and other financial players, DORA sets clear expectations. They must strengthen ICT risk management across their entire chain of partners. This includes everyone from cloud service providers to data centers. Cyber incidents now have to be reported swiftly to national authorities. Regular resilience testing is mandatory, through penetration tests, scenario exercises, and audits. Contracts must also include predefined exit plans, ensuring continuity if a supplier relationship ends.</p>



<h2 class="wp-block-heading"><strong>Data centers as critical third parties</strong></h2>



<p class="wp-block-paragraph">Although DORA was not written specifically for data centers, it affects them directly. As critical ICT service providers to the financial industry, data centers carry responsibility for operational continuity. If a data center experiences an outage or security breach, the consequences for financial institutions can be immediate.</p>



<p class="wp-block-paragraph">This means data centers must demonstrate compliance with strict security and operational standards. They need to provide detailed documentation for audits, ensure that subcontractors follow the same resilience requirements, and align physical and digital security to reduce human error. In today’s regulatory environment, data centers are not “just” facility providers. They are strategic partners in financial resilience.</p>



<h2 class="wp-block-heading"><strong>Resilience as a competitive strength</strong></h2>



<p class="wp-block-paragraph">True resilience goes beyond having a checklist. It is about preparation, communication, and adaptability. Regular simulations and failover drills help organisations test their response under real conditions. Cross-functional training ensures that technical experts, communication teams, and senior leaders work together when crises arise. Clear and consistent communication during such moments builds trust, both internally and externally. In practice, resilience is now a competitive differentiator for data centers.</p>



<p class="wp-block-paragraph">For data centers, resilience has become a differentiator. Clients value partners that can demonstrate maturity in both preparedness and response. Those who invest in their cybersecurity strategies will not only comply with DORA but also strengthen their reputation as reliable partners.</p>



<h2 class="wp-block-heading"><strong>The human factor and the role of AI</strong></h2>



<p class="wp-block-paragraph">Technology plays a vital role in resilience, but people make the difference. The way teams act under pressure, how leaders communicate, and how lessons are integrated after exercises determine success. At the same time, artificial intelligence is changing the landscape. Attackers are using AI to automate and scale threats. Defenders, on the other hand, can use it to predict failures, detect anomalies, and support faster recovery.</p>



<p class="wp-block-paragraph">Still, experts agree that AI should remain a supporting tool. Decision-making and accountability must stay in human hands. The balance between technology and human judgement is what builds lasting trust.</p>



<h2 class="wp-block-heading"><strong>Challenges and opportunities</strong></h2>



<p class="wp-block-paragraph">Complying with DORA will require both technical and organisational investment. Enhanced monitoring systems, redundancy, sustainability initiatives, and cyber-secure processes will become standard. Governance must also evolve, with closer client collaboration, stronger supplier oversight, and contractual clauses that ensure continuity.</p>



<p class="wp-block-paragraph">Yet these efforts bring opportunities. Data centers that embrace resilience and transparency can position themselves as trusted partners. By helping clients meet their own DORA obligations, they add value beyond infrastructure. At the same time, their growing role in sustainability, for instance through heat reuse or grid stabilisation, underlines their contribution to society.</p>



<h2 class="wp-block-heading"><strong>Looking ahead</strong></h2>



<p class="wp-block-paragraph">While DORA focuses on financial services, its principles are likely to spread across other sectors, much like NIS2 did. This broader adoption will bring greater transparency and accountability throughout ICT ecosystems. It will also reinforce Europe’s digital sovereignty by strengthening trust and control over critical infrastructure. As both frameworks evolve, their overlap is becoming increasingly clear, suggesting that one day a single, unified standard for digital resilience may apply across all sectors.</p>



<h2 class="wp-block-heading"><strong>Conclusion</strong></h2>



<p class="wp-block-paragraph">DORA marks a turning point in the relationship between financial institutions and their data center partners. What started as a rulebook for banks has become a strategic catalyst for the entire data center industry. Those who place resilience, security, and transparency at the heart of their operations will not only comply with European law but also shape the foundations of Europe’s digital economy.</p>



<p class="wp-block-paragraph">In the age of DORA, resilience is not optional, it is the cornerstone of trust.</p>



]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Episode 5 &#124; Data sovereignty, legislation and regulations</title>
		<link>https://datacenteruniversity.be/podcast/episode-5-data-sovereignty-legislation-and-regulations/</link>
		
		<dc:creator><![CDATA[Charlotte Fuertes]]></dc:creator>
		<pubDate>Mon, 12 Jan 2026 07:45:30 +0000</pubDate>
				<category><![CDATA[Popular]]></category>
		<category><![CDATA[Compliance & security]]></category>
		<category><![CDATA[Podcast]]></category>
		<guid isPermaLink="false">https://datacenteruniversity.be/?post_type=podcast&#038;p=4036</guid>

					<description><![CDATA[<p><strong>12/01/2026</strong></p><p>NIS2, DORA, and the US CLOUD Act are changing who controls your data. If you want to understand the forces reshaping Europe’s digital autonomy, listen now.</p>]]></description>
										<content:encoded><![CDATA[<p><strong>12/01/2026</strong></p>
<p class="wp-block-paragraph"><strong>Europe’s digital leaders are rethinking data sovereignty</strong></p>



<p class="wp-block-paragraph">European organisations face a new strategic reality. With NIS2, DORA and the US CLOUD Act reshaping the rules of accountability and access, data sovereignty is no longer a compliance term. It has become a defining factor for resilience and competitive strength.</p>



<p class="wp-block-paragraph">In this episode of <em>Data Center Dialogues</em>, Lieven Heuninck (CEO and managing partner, Apogado) and Lowie Schaubroeck (managing director, Lebon.IT) explain why storing data in Europe does not guarantee sovereignty, how hidden dependencies inside cloud platforms create real exposure, and why board members now carry personal responsibility for cyber resilience decisions.</p>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">
<p class="has-medium-font-size wp-block-paragraph"><strong>&#8220;True sovereignty requires full-stack awareness and architectural flexibility, not blind trust in hyperscalers.&#8221;</strong></p>
</blockquote>



<p class="wp-block-paragraph">If you want to understand the forces reshaping Europe’s digital autonomy, this is a conversation worth your time.</p>



<p class="wp-block-paragraph">Listen to the full dialogue now.</p>



]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Data sovereignty as a strategic pillar in pharma and biotech in Europe</title>
		<link>https://datacenteruniversity.be/sector-trends/data-sovereignty-as-a-strategic-pillar-in-pharma-and-biotech-in-europe/</link>
		
		<dc:creator><![CDATA[Wim Bommerez]]></dc:creator>
		<pubDate>Thu, 21 Aug 2025 11:22:49 +0000</pubDate>
				<category><![CDATA[Compliance & security]]></category>
		<category><![CDATA[Whitepaper]]></category>
		<guid isPermaLink="false">https://datacenteruniversity.be/?p=3540</guid>

					<description><![CDATA[<p><strong>21/08/2025</strong></p><p>This whitepaper explores why data sovereignty is vital for Europe’s pharma and biotech sectors, with insights from CIONET x LCL roundtable and Prof. Stein Aerts.</p>]]></description>
										<content:encoded><![CDATA[<p><strong>21/08/2025</strong></p>
<p class="wp-block-paragraph"><strong>From genome sequencing to clinical trials, secure access to high-quality data is critical for pharma and biotech. As artificial intelligence reshapes every stage of the life cycle, robust data governance has become indispensable. </strong></p>



<p class="wp-block-paragraph">With Europe reinforcing its data and AI regulations, and global powers like the US, China and Russia asserting stronger digital influence, the concept of data sovereignty has come to the forefront. It raises fundamental questions: Who controls the data? Where is it stored, and under whose jurisdiction? And how do we balance scientific openness with privacy, ethics and compliance?</p>



<p class="wp-block-paragraph">These themes were explored during a recent CIONET x LCL roundtable, where leaders from GSK, Johnson &amp; Johnson and UCB joined the discussion. The session was led by Prof. Stein Aerts, Scientific Director at VIB.AI. His organisation pioneers a new generation of biological research through the integration of machine learning and computational biology.</p>



<p class="wp-block-paragraph">This whitepaper distils the key insights from the roundtable. </p>



<div class="wp-block-buttons is-layout-flex wp-block-buttons-is-layout-flex">
<div class="wp-block-button"><a class="wp-block-button__link has-background wp-element-button" href="https://datacenteruniversity.be/wp-content/uploads/2025/08/whitepaper-data-sovereignty-pharma-biotech-europe.pdf" style="border-style:none;border-width:0px;border-radius:15px;background-color:#1a658c">Take a seat at the roundtable</a></div>
</div>]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>NIS2 Directive: Enhancing cyber security, also in the data center sector</title>
		<link>https://datacenteruniversity.be/nis2-directive-enhancing-cyber-security-also-in-the-data-center-sector/</link>
					<comments>https://datacenteruniversity.be/nis2-directive-enhancing-cyber-security-also-in-the-data-center-sector/#respond</comments>
		
		<dc:creator><![CDATA[Wim Bommerez]]></dc:creator>
		<pubDate>Mon, 23 Sep 2024 09:06:53 +0000</pubDate>
				<category><![CDATA[Compliance & security]]></category>
		<category><![CDATA[Article]]></category>
		<guid isPermaLink="false">https://datacenteruniversity.be/?p=2573</guid>

					<description><![CDATA[<p><strong>23/09/2024</strong></p><p>The Network and Information Security Directive (NIS2) is a significant legislative update by the European Union aimed at boosting cyber security and protecting critical infrastructure. In a recent article, we introduced NIS2 and discussed its structure and some of its measures. Now, we delve a little deeper into what NIS2 will mean for data centers, [&#8230;]</p>]]></description>
										<content:encoded><![CDATA[<p><strong>23/09/2024</strong></p>
<p class="wp-block-paragraph"><strong>The Network and Information Security Directive (NIS2) is a significant legislative update by the European Union aimed at boosting cyber security and protecting critical infrastructure. <a href="https://datacenteruniversity.be/nis2-directive-the-path-to-improved-cyber-security/">In a recent article</a>, we introduced NIS2 and discussed its structure and some of its measures. Now, we delve a little deeper into what NIS2 will mean for data centers, with the help of Arnaud Martin, Expert Cyber security Regulation &amp; Standardisation at Agoria. Agoria is a Belgian employers' organisation that has more than 2000 technology companies from the manufacturing industry and the digital and telecom sectors among its members.</strong></p>



<h3 class="wp-block-heading">What are the main changes introduced by the NIS2 legislation compared to the original NIS Directive?</h3>



<p class="wp-block-paragraph"><strong>Arnaud Martin:</strong> &#8220;The NIS2 Directive broadens the scope of its predecessor. It aims to achieve a high level of cyber security across the EU by standardising measures and responsibilities. If we keep that goal in mind, six main changes stand out:</p>



<ol class="wp-block-list">
<li>The <strong>scope extension</strong> includes a whole array of sectors that weren’t included in the NIS directive. <strong>Size criteria</strong> were also added.</li>



<li><strong>Self-registration is an obligation. </strong>Originally, the authorities had to designate you as being in NIS, a process that not every country followed equally well. Now companies of a certain size are automatically included, shifting the responsibility of registration to the companies themselves. Delays are eliminated and more comprehensive coverage is ensured.</li>



<li><strong>Standardised cyber security measures</strong> are now mandatory across member states, reducing fragmentation. If every country has its own guidelines, that doesn’t work. Countries can still add to the standard measures, but at least there is a clear base for everyone.</li>



<li><strong>Top management responsibilities</strong> are emphasised, holding them accountable for breaches. Cyber security is now a responsibility at the highest level, not just of the IT department.</li>



<li><strong>Extended reporting obligations</strong> require early notifications and regular updates on incidents. You must alert the authorities and any affected parties.</li>



<li><strong>National cyber security response teams</strong> have gained more authority to support and coordinate efforts.”</li>
</ol>



<h3 class="wp-block-heading">Which sectors are now covered by the NIS2 Directive that were not included in the original NIS Directive?</h3>



<p class="wp-block-paragraph"><strong>Arnaud Martin:</strong> &#8220;NIS2 includes a broad array of new sectors but also subsectors that weren’t included yet. For example, digital infrastructure was already in the original NIS, but now it also covers data centers. Content delivery networks, electronic communications, trust service providers, and ICT service management were also added to that category. The public administration sector is now included, which is crucial as breaches affect large groups of people. Hospitals are now specified, alongside the general healthcare sector. On top of that, Annex II lists other -slightly less- critical sectors that are still considered important like postal and courier services, waste management, chemicals, food manufacturing, and research.&#8221;</p>



<h3 class="wp-block-heading">Why was this NIS directive update necessary?</h3>



<p class="wp-block-paragraph"><strong>Arnaud Martin:</strong> &#8220;The update was necessary to address evolving requirements and existing problems with the original NIS directive. The six main changes discussed above, are the areas that needed improvement and clarity. There were inconsistencies in scope and varying cyber security measures across countries. The new self-registration mechanism ensures comprehensive coverage, and the extended scope addresses sectors previously overlooked. These changes aim to create a more consistent and robust cyber security framework across the EU.&#8221;</p>



<h3 class="wp-block-heading">Do companies still underestimate the importance of cyber security?</h3>



<p class="wp-block-paragraph"><strong>Arnaud Martin:</strong> &#8220;It really depends on the sector. In industries like banking, energy, and telecom, cyber security is ingrained in their operations. However, many companies, even in the digital sector, still do not fully grasp its importance. NIS2 helps level the playing field, as the same regulations apply all over Europe. It will set a new standard, much like what happened to quality management by introducing certifications like ISO9001, which are now well known and commonly used and required.&#8221;</p>



<figure class="wp-block-image size-large"><img fetchpriority="high" decoding="async" width="1024" height="683" src="https://datacenteruniversity.be/wp-content/uploads/2024/09/ArnaudMartin_EmyElleboog_25-1920x1080-1-1024x683.jpg" alt="" class="wp-image-2574" srcset="https://datacenteruniversity.be/wp-content/uploads/2024/09/ArnaudMartin_EmyElleboog_25-1920x1080-1-1024x683.jpg 1024w, https://datacenteruniversity.be/wp-content/uploads/2024/09/ArnaudMartin_EmyElleboog_25-1920x1080-1-300x200.jpg 300w, https://datacenteruniversity.be/wp-content/uploads/2024/09/ArnaudMartin_EmyElleboog_25-1920x1080-1-768x512.jpg 768w, https://datacenteruniversity.be/wp-content/uploads/2024/09/ArnaudMartin_EmyElleboog_25-1920x1080-1-1536x1024.jpg 1536w, https://datacenteruniversity.be/wp-content/uploads/2024/09/ArnaudMartin_EmyElleboog_25-1920x1080-1-624x416.jpg 624w, https://datacenteruniversity.be/wp-content/uploads/2024/09/ArnaudMartin_EmyElleboog_25-1920x1080-1.jpg 1620w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">Arnaud Martin</figcaption></figure>



<h2 class="wp-block-heading"><strong>Impact on Data Centers</strong></h2>



<h3 class="wp-block-heading">How will the new NIS2 requirements affect the operational procedures of data centers?</h3>



<p class="wp-block-paragraph"><strong>Arnaud Martin:</strong> &#8220;Data centers usually have security, including cybersecurity, very high in their priorities. However, NIS2 might still impact various operational aspects of data centers as it mandates cyber security integration into all critical business processes. This includes identifying those critical business processes and data, and ensuring these are adequately protected, guaranteeing continuity. More specifically: defining and updating policies, maintaining stringent access controls and up-to-date asset handling, and regularly reviewing procedures. It’s a comprehensive organisational challenge that requires continuous updates and clear definitions of roles and responsibilities. Some data centers will already have this covered: a company that is ISO27001 certified is expected to already be compliant with NIS2, since it even goes a little beyond NIS2’s requirements. But even these data centers shouldn’t leave anything to chance. The EU is currently working on an Implementing Act, which will detail specific measures, and data centers need to review and adapt their procedures accordingly. A draft of this implementing act is currently being finalised, detailing the different measures across 27 pages.”</p>



<h3 class="wp-block-heading">What specific measures must data centers take to comply with the NIS2 regulations?</h3>



<p class="wp-block-paragraph"><strong>Arnaud Martin:</strong> &#8220;Leadership responsibilities are clearly defined. Senior management must approve cyber security measures and undergo training to understand and manage risks. Data centers must also provide regular cyber security training to all staff, ensuring awareness and competence. Worst-case scenarios must be covered, with a disaster recovery plan, proper back-up and crisis management&#8221;</p>



<h3 class="wp-block-heading">How can data centers adapt their risk management processes to meet the NIS2 guidelines?</h3>



<p class="wp-block-paragraph"><strong>Arnaud Martin:</strong> &#8220;Data centers should refine their risk management processes by conducting thorough analyses and evaluating existing procedures. The Implementing Act provides a detailed approach of 10 steps, and compliance with certifications like ISO 27001 can aid in meeting these requirements. Regular updates and audits are essential to ensure ongoing compliance and effectiveness.&#8221;</p>



<h3 class="wp-block-heading">What are the implications of the new supply chain security requirements for data centers?</h3>



<p class="wp-block-paragraph"><strong>Arnaud Martin:</strong> &#8220;NIS2 places significant emphasis on supply chain security, which might become the most impactful change. The draft Implementing Act includes four selection criteria and nine elements to specify in contracts. Data centers must evaluate and monitor their suppliers regularly, ensuring they meet strict cyber security standards. Contracts should specify security measures, including background checks and audit reports. This thorough approach can have a waterfall effect to third and even fourth-party suppliers, necessitating a comprehensive and continuous evaluation process.&#8221;</p>



<h3 class="wp-block-heading">What are the new incident reporting requirements under NIS2 and how can data centers prepare for them?</h3>



<p class="wp-block-paragraph"><strong>Arnaud Martin:</strong> &#8220;NIS2 mandates early notifications to the relevant authorities within 24 hours of detecting an incident, followed by an initial assessment within 72 hours and a detailed report after a month. In view of their criticality, data centers should invest in advanced incident detection and response tools and consider establishing a Security Operations Center (SOC) to handle incidents effectively, if it isn’t in place yet. Preparedness involves having structured procedures and trained personnel ready to respond 24/7 to incidents promptly.”</p>



<h3 class="wp-block-heading">Are there specific technologies or actions you recommend for data centers to be prepared for the NIS2 requirements?</h3>



<p class="wp-block-paragraph"><strong>Arnaud Martin:</strong> &#8220;Data centers should invest in robust incident detection and response tools, such as Extended Detection and Response (XDR) and Network Detection and Response (NDR). When it comes to managing their SOC, data centers might also consider partially outsourcing incident response for an extra set of eyes. Not fully though, as building your own expertise can be beneficial as well. Regular evaluations and updates of cyber security measures are crucial to stay compliant with NIS2 requirements.&#8221;</p>



<h2 class="wp-block-heading">Conclusion</h2>



<p class="wp-block-paragraph">NIS2 represents a significant step towards strengthening cyber security across the European Union. For data centers, this directive brings both challenges and opportunities. By adhering to NIS2 requirements and fostering a proactive security culture, data centers can enhance their resilience against cyber threats and contribute to a more secure digital ecosystem.</p>



<p class="wp-block-paragraph">Please note that this article is not a substitute for in-depth training on this topic. For further guidance, data centers can consult cyber security experts or refer to the official documentation provided by the European Commission.</p>



]]></content:encoded>
					
					<wfw:commentRss>https://datacenteruniversity.be/nis2-directive-enhancing-cyber-security-also-in-the-data-center-sector/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>NIS2 Directive: the path to improved cyber security</title>
		<link>https://datacenteruniversity.be/nis2-directive-the-path-to-improved-cyber-security/</link>
					<comments>https://datacenteruniversity.be/nis2-directive-the-path-to-improved-cyber-security/#respond</comments>
		
		<dc:creator><![CDATA[Wim Bommerez]]></dc:creator>
		<pubDate>Thu, 01 Aug 2024 07:55:37 +0000</pubDate>
				<category><![CDATA[Compliance & security]]></category>
		<category><![CDATA[Article]]></category>
		<guid isPermaLink="false">https://datacenteruniversity.be/?p=2540</guid>

					<description><![CDATA[<p><strong>01/08/2024</strong></p><p>The amount of data generated and stored is growing exponentially. Digital transformation, societal interconnectedness, AI, and our vast online activities contribute to this data flood. Data centers play a critical role in enabling this growth. As the volume of sensitive data increases, data centers must ensure continuous service availability and robust protection measures. Recognising the [&#8230;]</p>]]></description>
										<content:encoded><![CDATA[<p><strong>01/08/2024</strong></p>
<p class="wp-block-paragraph">The amount of data generated and stored is growing exponentially. Digital transformation, societal interconnectedness, AI, and our vast online activities contribute to this data flood. Data centers play a critical role in enabling this growth. As the volume of sensitive data increases, data centers must ensure continuous service availability and robust protection measures.</p>



<p class="wp-block-paragraph">Recognising the importance of data management and governance, the European Union has introduced the EU Network and Information Security Directive (NIS2), an update of the existing NIS directive. NIS2 aims to achieve a high common level of cyber security across the EU. This article focuses on the general scope of NIS2 and its implications for data centers.</p>



<h2 class="wp-block-heading"><strong>Understanding (the structure of) NIS2</strong></h2>



<p class="wp-block-paragraph">NIS2 broadens its scope to include more sectors beyond traditional critical infrastructure. This now explicitly covers data centers, but also healthcare, financial services, and the public administration sector, reflecting the growing interdependence of digital services.</p>



<p class="wp-block-paragraph">NIS2 requires companies to comply with several security measures, often demonstrated by certifications like Cyber Essentials or ISO 27001, which have the advantage of being presumed compliant with NIS2. These measures centre on 3 main articles of NIS2:</p>



<ul class="wp-block-list">
<li>Article 20: Governance</li>



<li>Article 21: Cyber security risk-management measures</li>



<li>Article 22: Reporting obligations</li>
</ul>



<p class="wp-block-paragraph">Governance is a significant aspect of NIS2, emphasising the responsibility of all company members. Management bodies are now more accountable for security breaches, and training is crucial for understanding cyber security&#8217;s gravity. Every employee must recognise that a cyber security issue at their level can impact the entire organisation. But which risk-management measures must be taken to be NIS2 compliant?</p>



<h2 class="wp-block-heading"><strong>10 cyber security risk-management measures</strong></h2>



<p class="wp-block-paragraph">The general assumption is that security breaches can happen to anyone at any time. The purpose of the cyber security risk-management measures is to protect network and information systems, and the physical environment of these systems, from incidents. This can mean an array of things, but to make it more digestible, NIS2 sets out 10 thematic areas, which form the minimum measures.</p>



<div class="wp-block-columns is-layout-flex wp-container-core-columns-is-layout-7387b849 wp-block-columns-is-layout-flex">
<div class="wp-block-column is-layout-flow wp-block-column-is-layout-flow">
<ol class="wp-block-list">
<li><strong>Risk assessments and security policies for information systems:</strong> companies must have clear cyber security policies, covering everything from asset inventories to disaster recovery procedures.</li>



<li><strong>Incident handling: </strong>this is defined as actions to prevent, detect, analyse, contain, and recover from incidents. Policies should include detection procedures, reporting phases (initial report, incident report, detailed report), and communication protocols. For example, incident reporting can include information like the affected assets, the date and time of the detection, the detection method, the immediate actions, and internal and external communications related to the incident.</li>



<li><strong>Business continuity plans:</strong> these ensure critical business functions continue during and after disruptions, with policies for updating backups and assigning recovery roles. A strong business continuity plan can limit the effect of a breach on your own business, but also your clients’.</li>



<li><strong>Supply chain security: </strong>supply chain attacks are described as one of the factors that contribute to the increase in ransomware attacks. NIS2 emphasises the importance of security in supply chains, particularly for SMEs, which are often targets for attacks affecting their operations and their clients. They often have fewer security resources and less rigorous measures for risk and crisis management. Companies must put in place security measures that fit the vulnerabilities of each direct supplier and assess the overall security level of all suppliers.</li>
</ol>
</div>



<div class="wp-block-column is-layout-flow wp-block-column-is-layout-flow">
<figure class="wp-block-image size-large"><img decoding="async" width="410" height="1024" src="https://datacenteruniversity.be/wp-content/uploads/2024/08/Cyber-security-risk-management-measures-410x1024.png" alt="" class="wp-image-2543" srcset="https://datacenteruniversity.be/wp-content/uploads/2024/08/Cyber-security-risk-management-measures-410x1024.png 410w, https://datacenteruniversity.be/wp-content/uploads/2024/08/Cyber-security-risk-management-measures-120x300.png 120w, https://datacenteruniversity.be/wp-content/uploads/2024/08/Cyber-security-risk-management-measures-768x1920.png 768w, https://datacenteruniversity.be/wp-content/uploads/2024/08/Cyber-security-risk-management-measures-624x1560.png 624w, https://datacenteruniversity.be/wp-content/uploads/2024/08/Cyber-security-risk-management-measures.png 800w" sizes="(max-width: 410px) 100vw, 410px" /></figure>
</div>
</div>



<ol start="5" class="wp-block-list">
<li><strong>Effectiveness Evaluation:</strong> policies and procedures for evaluating the effectiveness of cyber security risk-management measures go hand in hand with continuous improvement and compliance monitoring. This is achieved through regular internal audits and evaluations by competent authorities who ensure effective cyber security risk management.</li>



<li><strong>Procurement and Vulnerability Handling:</strong> security around the procurement of systems and the development and operation of systems is essential. More specifically, this covers vulnerability handling and vulnerability disclosure, which place the emphasis on the reporting obligation. Coordination between entities is, again, of utmost importance when vulnerabilities are discovered.</li>



<li><strong>Cyber hygiene and cyber security training:</strong> it’s mandatory to train employees and management bodies on a regular basis, covering software updates, device configuration, and phishing. Data centers should also inform their clients of significant cyber threats and of possible measures that they can take to safeguard their devices and communications.</li>



<li><strong>Policies and procedures regarding the use of cryptography and encryption</strong> form the next thematic area. Cryptography should be used in a manner that aligns with the information classification and the results of the risk analysis, so that it provides the necessary environment for protecting data confidentiality, authenticity and integrity. The use of encryption technologies is also mandatory.</li>



<li><strong>Human Resources Security and Access Control</strong>: Procedures for employees with access to sensitive data, including background checks and access control methods like ID cards and biometric data.</li>



<li><strong>Authentication and Communication Security:</strong> Multi-factor authentication, secured communication systems, and continuous authentication solutions are crucial for managing user identities and protecting authentication information.</li>
</ol>



<p class="wp-block-paragraph">NIS2 represents a critical step forward in bolstering Europe&#8217;s cyber security landscape. For the data center sector, this directive brings both challenges and opportunities. By adhering to the requirements and fostering a proactive security culture, data centers can enhance their resilience against cyber threats and contribute to the overall security of the digital ecosystem.</p>



<p class="wp-block-paragraph">Data centers must take proactive steps to align with NIS2, ensuring they are well-prepared to handle the evolving cyber security landscape. For further guidance, data centers can consult with cyber security experts or <a href="https://www.europarl.europa.eu/RegData/etudes/BRIE/2021/689333/EPRS_BRI(2021)689333_EN.pdf">refer to the official documentation provided by the European Commission.</a></p>



]]></content:encoded>
					
					<wfw:commentRss>https://datacenteruniversity.be/nis2-directive-the-path-to-improved-cyber-security/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
	</channel>
</rss>
