Blog · May 21, 2026

NIS2 + DORA: Identity Proofing for Critical Infrastructure

NIS2 hardens cybersecurity across essential sectors; DORA does the same for financial services. Both demand strong identity proofing, access control, and third-party risk management — here's how Didit fits.

By Didit

Two EU regulations are reshaping how essential and financial organizations defend themselves. NIS2 (the second Network and Information Security Directive) raises the cybersecurity baseline across critical and important sectors — energy, transport, health, digital infrastructure, and more. DORA (the Digital Operational Resilience Act) does the same specifically for the financial sector, with a sharp focus on Information and Communication Technology (ICT) risk and the third parties that financial entities depend on.

They come at the problem from different angles, but they converge on the same controls: know who has access, prove identities rigorously, and manage the risk your vendors introduce. Identity proofing sits at the center of all three. This post explains what NIS2 and DORA require, why identity is load-bearing, and how Didit — both as a verification engine and as an attested vendor — helps you meet them.

Key takeaways

  • NIS2 mandates risk-management measures, strong access control, and supply-chain security across essential and important sectors.
  • DORA governs ICT risk in financial services, including a register of ICT third-party providers and rigorous management of vendor risk.
  • Both regimes lean heavily on identity proofing and access control — you cannot secure a system without trustworthy answers to "who is this person?"
  • Didit supplies high-assurance identity proofing — document verification, NFC, liveness, biometric face match — for onboarding employees, contractors, and high-value customers.
  • As an ICT third party itself, Didit reduces your vendor-risk burden with concrete attestations: SOC 2 Type 1 (ATOM, as of 2026-04-09), ISO/IEC 27001:2022 (Bureau Veritas, cert nº ES144068, valid until 2027-06-03), and iBeta Level 1 PAD.
  • Webhook-driven audit trails (status.updated, data.updated) give you the evidence both regimes expect.

What the rules require

NIS2 widens the scope of the original directive to far more sectors and tightens the obligations. Among its core requirements: cybersecurity risk-management measures proportionate to the risk, incident handling and reporting, business-continuity planning, and — critically for identity — access control policies, the use of multi-factor or continuous authentication where appropriate, and supply-chain security that accounts for the security of direct suppliers and service providers. Management bodies are accountable, and supervisory authorities can act when controls fall short.

DORA focuses the lens on financial entities and their resilience to ICT disruption. It sets requirements across five pillars: ICT risk management, incident reporting, digital operational-resilience testing, information-sharing, and ICT third-party risk management. That last pillar is the one that touches every vendor: financial entities must maintain a register of information on all ICT third-party arrangements, assess the risk a provider introduces before and during the relationship, and ensure contractual and oversight provisions are in place. Strong identity and access controls underpin the risk-management and resilience-testing pillars.

The common thread: you cannot demonstrate operational resilience or network security if you can't reliably establish identity — of the people accessing systems, and of the vendors in your chain.

Why it matters

Critical infrastructure is exactly where attackers concentrate, because the blast radius is largest. NIS2 and DORA exist because regulators have watched incidents at a single supplier cascade into outages, breaches, and systemic risk. The penalties reflect that: significant fines, management accountability, and supervisory intervention.

For identity specifically, two failure modes recur. First, weak proofing — letting a fraudulent or impersonated identity through onboarding or account recovery, which becomes an access-control failure later. Second, unmanaged third-party risk — relying on a vendor (like an identity provider) whose own security posture you can't evidence. Both regimes force you to close those gaps, and to keep records that prove you did.

How Didit helps

Didit addresses both sides of the identity equation under NIS2 and DORA.

As your identity-proofing layer:

  • High-assurance verification for onboarding customers, employees, and contractors: document verification across 14,000+ document types ($0.15), NFC chip reading ($0.15), passive ($0.10) and active ($0.15) liveness, and Face Match 1:1 ($0.05).
  • Attack-resistant biometrics — Presentation Attack Detection tested to iBeta Level 1 (ISO/IEC 30107-3) with 0% attack success across 360 attempts — the kind of evidence access-control policies should rest on.
  • AML and sanctions screening ($0.20, 1,300+ lists) and ongoing monitoring ($0.07/user/year) where regulated relationships demand it.
  • Composable orchestration via the no-code Workflow Builder, so you apply controls proportionate to risk.

As an attested ICT third party — easing your DORA register and NIS2 supply-chain obligations:

  • SOC 2 Type 1 attestation by ATOM, covering Security, Availability, and Confidentiality, as of 2026-04-09 (full report restricted-use under NDA).
  • ISO/IEC 27001:2022 certification by Bureau Veritas, cert nº ES144068, valid until 2027-06-03 — distributable evidence of a certified information-security management system.
  • iBeta Level 1 PAD compliance letter — distributable, for biometric-control assurance.

These give the artifacts your procurement and risk teams need when they assess Didit as a provider in your ICT third-party register.

Deep dive: identity in the DORA third-party register

Under DORA, every ICT third-party arrangement goes into a register of information your supervisor can request. For each provider, you're expected to understand the function it supports, the criticality of that function, and the risk the provider introduces — backed by evidence.

When the provider is your identity-verification vendor, the evidence you want is exactly what Didit can supply: an independent SOC 2 attestation describing the design of its controls, an ISO/IEC 27001 certificate proving a managed information-security system, and a biometric iBeta result quantifying anti-spoofing performance. Pair those with Didit's webhook-driven audit trail — status.updated and data.updated events recording every verification's lifecycle — and you have both the vendor-level assurance for the register and the transaction-level records for resilience testing and incident investigation.

That combination turns a vendor that could be a risk line-item into one that shortens your due-diligence cycle.
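As an added illustration of the transaction-level records described above (this is example code, not Didit's own SDK or documented payload): a small receiver-side store that appends status.updated and data.updated webhook events to a hash-chained log, checks the chain for tampering, and reconstructs one verification session's lifecycle. The payload field names (session_id, status, field, ts), the status values, and the events themselves are constructed assumptions for the demo.

```python
import hashlib
import json

# Constructed sample webhook events. Field names and status strings are
# assumptions for this example, not Didit's documented schema.
SAMPLE_EVENTS = [
    {"event": "status.updated", "session_id": "sess-001", "status": "In Progress", "ts": "2026-05-21T09:00:00Z"},
    {"event": "data.updated", "session_id": "sess-001", "field": "document", "ts": "2026-05-21T09:01:10Z"},
    {"event": "status.updated", "session_id": "sess-001", "status": "Approved", "ts": "2026-05-21T09:02:30Z"},
    {"event": "status.updated", "session_id": "sess-002", "status": "Declined", "ts": "2026-05-21T09:05:00Z"},
]

GENESIS = "0" * 64


def canonical(event):
    """Deterministic byte encoding so the same event always hashes the same way."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def append_chained(log, event):
    """Append an event whose hash covers the previous entry, making edits or deletions detectable."""
    prev = log[-1]["entry_hash"] if log else GENESIS
    entry_hash = hashlib.sha256(prev.encode() + canonical(event)).hexdigest()
    log.append({"prev_hash": prev, "entry_hash": entry_hash, "event": event})
    return entry_hash


def verify_chain(log):
    """Recompute every link; return the index of the first broken entry, or -1 if intact."""
    prev = GENESIS
    for i, entry in enumerate(log):
        expected = hashlib.sha256(prev.encode() + canonical(entry["event"])).hexdigest()
        if entry["prev_hash"] != prev or entry["entry_hash"] != expected:
            return i
        prev = entry["entry_hash"]
    return -1


def lifecycle(log, session_id):
    """Ordered (timestamp, event type, detail) timeline for one session: the record an auditor asks for."""
    return [(e["event"]["ts"], e["event"]["event"], e["event"].get("status") or e["event"].get("field"))
            for e in log if e["event"]["session_id"] == session_id]


def build_log(events=SAMPLE_EVENTS):
    """Ingest events in timestamp order into a fresh chained log."""
    log = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        append_chained(log, ev)
    return log
```

In a real receiver you would authenticate each webhook before appending it and persist the log somewhere append-only; the chain only proves what was stored has not been altered since.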

Use cases

  • Banks, EMIs, and payment institutions scoping DORA ICT third-party risk for their identity stack.
  • Crypto-asset service providers under DORA's financial-sector scope.
  • Operators of essential services (energy, transport, health, digital infrastructure) under NIS2 hardening access control and supply-chain security.
  • Managed service providers that must evidence the security of the identity tools they deploy for clients.

Frequently asked questions

Do NIS2 and DORA apply to the same organizations?

Not exactly. NIS2 covers essential and important entities across many sectors; DORA covers financial entities and their ICT providers. Many financial organizations fall under both, and the controls overlap heavily.

Is identity verification actually required by these rules?

The rules require strong access control, risk management, and third-party oversight. Reliable identity proofing is foundational to all three — you can't enforce access control or vet a vendor's users without it.

What does Didit provide for DORA's ICT third-party register?

Didit can supply SOC 2 Type 1, ISO/IEC 27001:2022 (cert ES144068), and iBeta Level 1 PAD evidence, plus webhook-based audit trails — the artifacts your risk team needs to assess and document Didit as a provider.

Is Didit's SOC 2 a Type 1 or Type 2?

It is a Type 1 attestation (design of controls as of 2026-04-09). A Type 2 examination is planned. The full report is restricted-use and shared under NDA.

Can I get the ISO 27001 certificate to share internally?

Yes — the ISO/IEC 27001:2022 certificate (Bureau Veritas, cert nº ES144068) is distributable on request.

Ready to get started?

See Didit's attestations and security posture on the trust hub, explore the ID Verification product, and review transparent pricing on the pricing page. When you're ready, start free — 500 free KYC checks every month, with a core verification flow from $0.33.
