NIS2, DORA, and PCI DSS 4.0: What Changed in 2026 and What It Means for You
Three of the most significant regulatory frameworks in cybersecurity, PCI DSS 4.0, DORA, and NIS2, all reached major milestones in the 2025 to 2026 window. If your organization touches payment data, operates in EU financial services, or falls under NIS2's expanded scope of essential and important entities, here's what's changed.
PCI DSS 4.0
Many of PCI DSS 4.0's "future-dated" requirements, items that were optional during a transition period, became fully enforceable as of March 31, 2025. This includes tighter expectations around logging, encryption, and, notably, phishing-resistant multi-factor authentication for anyone with access to the cardholder data environment. SMS codes and app-based one-time passwords no longer satisfy that bar on their own.
DORA (Digital Operational Resilience Act)
DORA made operational resilience a binding legal requirement for financial entities operating in the EU starting January 17, 2025, and 2026 marks the beginning of genuine supervisory enforcement. Its incident reporting timeline is notably strict: an initial report is due within 4 hours of a major incident being classified, compared to 24 hours under NIS2. Regulators have signaled they will act on incident-reporting failures and gaps in the Register of Information, not just theoretical control gaps.
NIS2 Directive
NIS2 significantly expands the scope of organizations considered "essential" or "important" entities across the EU. In-scope entities face a first compliance audit deadline of June 30, 2026, with national transposition laws now in force across most member states ahead of an October 2026 full compliance deadline. Like DORA, NIS2 treats incident reporting as a hard requirement, with a 24-hour initial notification window.
The common thread
Across all three frameworks, phishing-resistant MFA has emerged as the baseline expectation for authentication, and fast, structured incident reporting is now a legal obligation rather than a best practice. For most organizations, the practical starting point isn't reading the full text of each regulation, it's a gap assessment: what do we already do, what's missing, and which framework's deadline is closest.
