2026 Compliance Framework Comparison: NIS2 vs DORA vs PCI DSS 4.0
A side-by-side comparison of scope, deadlines, and authentication and incident-reporting requirements across three major frameworks reaching enforcement milestones in 2026.
Scope
PCI DSS 4.0 applies to any organization that stores, processes, or transmits payment card data. DORA applies to financial entities and their critical ICT providers operating in the EU. NIS2 applies broadly to essential and important entities across energy, transport, health, digital infrastructure, and other critical sectors within the EU.
Key deadlines
- PCI DSS 4.0: future-dated requirements became fully enforceable March 31, 2025.
- DORA: became a binding legal requirement for in-scope financial entities January 17, 2025, with 2026 marking the start of active supervisory enforcement.
- NIS2: first compliance audits due June 30, 2026, full national compliance deadlines following in October 2026.
Incident reporting
- DORA: initial report within 4 hours of a major incident being classified.
- NIS2: initial notification within 24 hours of becoming aware of a significant incident.
- PCI DSS 4.0: no fixed hour-based deadline, but requires a documented incident response plan with defined roles and timelines.
Authentication
All three frameworks now treat phishing-resistant multi-factor authentication as the practical baseline for privileged and sensitive access, with SMS-based and app-based one-time codes no longer considered sufficient on their own for high-risk processing.
Where to start
For most organizations, the practical first step is a gap assessment against whichever framework's deadline is nearest, followed by a prioritized remediation plan rather than attempting simultaneous full compliance across all three.
