From NIS2 to DORA and the AI Act: Managing Converging Cyber Risks

European companies and institutions are navigating a rapidly expanding, increasingly interconnected and continuously evolving regulatory landscape at the intersection of cybersecurity, AI and privacy. Frameworks such as NIS2, the CRA, the AI Act, CER and DORA introduce overlapping and, at times, intersecting obligations that affect legal, compliance and technical functions alike. At the same time, the regulatory environment continues to evolve, including proposals such as the Digital Omnibus Act and the revision of the Cybersecurity Act, which may further reshape existing requirements and supervisory expectations. This session brings together legal and IT perspectives to explore how companies and institutions can put these requirements into practice, including lessons learned from the early implementation of DORA requirements for critical ICT third-party providers. Drawing on practical experience, the panel will examine how companies can structure governance, incident reporting and risk management in a way that is both compliant and operationally effective across regimes. Attendees will gain practical insights into building a coherent, scalable compliance strategy across cyber and AI frameworks.

What you will learn:

• How NIS2, CRA, AI Act, CER and DORA interact in practice, including regulatory overlaps and supervisory boundaries.
• How DORA establishes a distinct supervisory regime for critical ICT providers.
• How to implement integrated incident reporting, risk management and governance across cyber and AI regimes while meeting evolving audit and supervisory expectations.