DORA & NIS-2 – New Challenges for ICT Service Providers

IT-Law and Data Security

Regulatory requirements for companies in the information and communications technology (ICT) sector continue to grow. With the Digital Operational Resilience Act (DORA) and the implementation of the NIS 2 Directive, extensive requirements for resilience, IT security, and risk management are coming into effect, with direct implications for many ICT service providers as well.

Small and medium-sized providers, in particular, face the challenge of adapting their processes, contracts, and security structures to the new European requirements. The requirements are high: they range from minimum contractual standards and comprehensive documentation obligations to compliance requirements for critical or important IT services. Whether a company falls within the scope of these regulations often depends on the specific areas of application for the solutions or services offered and must be assessed on a case-by-case basis.

Key Areas of Focus for ICT Service Providers

Service providers should assess early on what adjustments are necessary to avoid regulatory risks and strengthen their own digital resilience:

  • Affected Parties Analysis: Determining whether and to what extent the company falls under DORA or NIS-2.
  • Compliance strategy: Develop and implement a customized set of rules to comply with the new regulations.
  • Contract management: Review and adapt existing contracts to the new regulatory requirements.
  • Internal structures: Establish information registers, risk management processes, and emergency plans.
  • Awareness-raising: Training for management and employees on the practical implementation of the new requirements.

DORA and NIS-2 are leading to a significant increase in regulatory requirements in the IT environment. For service providers, this means that processes, contracts, and security measures must be adapted in a timely manner to avoid sanctions and liability risks. Sound legal support helps to efficiently integrate the new requirements into existing structures while ensuring operational stability.

Feel free to contact us:

Dr. André Schmidt | Partner 

Angelika Maria Szalek | Senior Associate

Niklas Vogt | Senior Associate

Dr. Philipp Knitter | Associate

02.04.2026

LUTZ | ABEL advised AlphaPet Ventures on the acquisition of Tierliebhaber

25.03.2026

IT-related legal challenges for defense companies with dual-use products

04.02.2026

E-Commerce 2026: Additional Requirements, New Cancellation Button – What Businesses Need to Know Now

02.02.2026

AI Due Diligence in M&A Transactions: When a Supposed Tech Asset Becomes a Regulatory Liability

27.01.2026

AI Transcription of Meetings: Data Protection, Section 201 of the German Criminal Code (StGB), and the Limits of Consent

eHealth | Digital Health | Medical Applications