Business Continuity Regulatory Convergence in 2026: DORA, CISA, ISO 22301, and the New Resilience Compliance Stack

DORA covers financial services. CISA covers critical infrastructure. ISO 22301 covers everyone with >100 employees. NIS2 covers digital operations across the EU. In 2026, most organizations are subject to multiple overlapping resilience mandates. What was once managed by business continuity planners as separate compliance projects is now converged into a single operational resilience framework.

The Four-Layer Resilience Stack

Layer 1: DORA (Digital Operational Resilience Act)
DORA became effective January 17, 2025. Enforcement is ramping up throughout 2026. DORA covers all financial entities (banks, insurers, investment firms, payment processors) and applies to EU and third-country entities operating in EU markets.

DORA mandates:

  • ICT Risk Management: Identify all ICT systems, third-party dependencies, and potential failure points. Implement controls for confidentiality, integrity, availability.
  • Penetration Testing: Conduct advanced penetration tests at least annually. Document findings, remediation, and validation.
  • Incident Reporting: Report significant ICT incidents to regulatory authorities within defined timeframes. Maintain incident register.
  • Third-Party Oversight: Audit ICT service providers (cloud, outsourced systems). Contractually require compliance. Monitor continuously.
  • Scenario Testing: Conduct impact tolerance and scenario testing (e.g., single point of failure, supply chain disruption).

For financial entities, DORA compliance is mandatory and enforcement is accelerating. Regulators are issuing examination notices and imposing remediation deadlines.

Layer 2: CISA and Critical Infrastructure Requirements
The Cybersecurity and Infrastructure Security Agency has issued CIRCIA (Critical Infrastructure Resilience and Recovery Act) guidance that applies to organizations designated as “critical infrastructure” (energy, water, transportation, communications, financial services, healthcare).

CISA requirements include:

  • Asset Management: Know what systems are critical. Maintain current inventory.
  • Business Continuity and Disaster Recovery: Plan for failures. Test recovery procedures. Maintain redundancy.
  • Supply Chain Risk Management: Identify critical suppliers. Audit their controls. Monitor continuously.
  • Incident Response: Detect and respond to failures quickly. Maintain communication with CISA and sector partners.

Overlap with DORA: If you’re a financial entity in EU markets AND a critical infrastructure provider (e.g., payment processor, insurance carrier operating critical infrastructure), you’re subject to both DORA AND CISA.

Layer 3: ISO 22301 (Business Continuity Management)
ISO 22301 applies to organizations with >100 employees globally (no geographic restriction). In 2026, the standard amendment incorporates climate scenarios explicitly:

  • Climate Resilience: Identify climate-related risks (flood, wildfire, heat, supply chain disruption). Model recovery in climate scenarios.
  • Impact Analysis: Map business functions to recovery time objectives (RTO) and recovery point objectives (RPO). Include climate scenarios.
  • Testing and Drills: Conduct impact tolerance tests and scenario drills (not just system failover tests; include climate scenarios, supplier failures, geopolitical disruption).
  • Governance: Assign board-level accountability for business continuity. Link to enterprise risk management.

ISO 22301 is increasingly required by auditors and investors as a baseline for operational resilience governance.

Layer 4: NIS2 Directive (EU Network and Information Systems Directive)
NIS2 expanded the scope of EU cybersecurity requirements beyond critical infrastructure to include:

  • Essential services: Digital infrastructure, waste management, postal services, public administration
  • Important entities: Manufacturers of ICT products and services, cloud providers, hosting providers, digital service providers (e.g., online marketplaces)

NIS2 mandates:

  • Risk Management: Implement appropriate technical, operational, and organizational measures to manage cybersecurity risk.
  • Incident Notification: Report cybersecurity incidents to competent authorities.
  • Supply Chain Security: Manage ICT supply chain risk.
  • Third-Party Audit: Auditors and certification bodies must be notified of significant security measures.

Overlap with DORA: If you’re a financial entity operating in EU markets, you’re subject to both DORA (more stringent) and NIS2 (broader scope). DORA requirements typically exceed NIS2, so DORA compliance usually covers NIS2 obligations.

The Convergence Pressure: Three Integration Challenges

Challenge 1: Audit Consolidation
Auditors expect to see one resilience narrative, not four separate programs. Organizations that maintain separate DORA, CISA, ISO 22301, and NIS2 programs create audit friction:

  • Multiple risk registers (different frameworks, different risk quantification methods)
  • Different governance structures (separate committees for ICT risk, business continuity, third-party risk)
  • Duplicate testing and documentation (four different penetration test scopes, four different incident registers)

Challenge 2: Geographic and Sectoral Overlap
An organization’s scope across frameworks isn’t always clear:

  • Is our subsidiary in the EU? Then DORA AND NIS2 apply.
  • Are we designated critical infrastructure AND a financial entity? Then CISA AND DORA apply.
  • Do we have >100 employees globally AND operate in a regulated sector? Then ISO 22301, DORA, and NIS2 likely all apply.

Challenge 3: Testing and Scenario Alignment
Each framework has different testing requirements. But testing is expensive and disruptive. Organizations are consolidating:

  • One annual impact tolerance test that covers DORA scenario testing AND ISO 22301 impact analysis
  • One penetration test program that covers DORA requirements AND NIS2 risk management
  • One incident response drill that covers DORA incident reporting, CISA incident notification, and ISO 22301 response capability

Integrated Resilience Framework: How to Structure It

1. Single Risk Register
Map all resilience-related risks (ICT failures, supply chain disruption, climate events, geopolitical shocks) to a single register. Cross-reference which frameworks each risk maps to:

  • System failure → DORA ICT risk, CISA asset management, ISO 22301 impact analysis
  • Supplier failure → DORA third-party oversight, CISA supply chain, ISO 22301 dependency mapping
  • Climate event → ISO 22301 climate scenario, CISA resilience requirement, DORA scenario testing

2. Consolidated Governance
Create a single resilience governance structure:

  • Board Resilience Committee: Oversight of operational resilience (DORA + CISA + ISO 22301 + NIS2) reported as single agenda item
  • Chief Resilience Officer: Single executive responsible for coordinating all resilience programs (ICT risk, business continuity, third-party risk, incident response)
  • Resilience Program Management Office: Coordinates DORA workstreams, CISA compliance, ISO 22301 maintenance, and NIS2 audits

3. Integrated Testing
Design one annual testing cycle that covers all frameworks:

  • Q1: Impact Tolerance Test — assess RTO/RPO for critical functions under failure scenarios (covers DORA, ISO 22301, CISA)
  • Q2: Penetration Testing — advanced penetration test of critical systems (covers DORA, NIS2)
  • Q3: Incident Response Drill — full-scale incident response exercise (covers DORA incident reporting, CISA notification, ISO 22301 response)
  • Q4: Third-Party Risk Review — audit critical suppliers’ resilience controls (covers DORA, NIS2, CISA)

4. Consolidated Documentation
One documentation set serves all frameworks:

  • Resilience Policy and Governance Framework (DORA, ISO 22301)
  • Risk Register and Assessment (DORA, CISA, ISO 22301, NIS2)
  • Business Continuity Plan (DORA, CISA, ISO 22301)
  • Incident Response Plan (DORA, CISA, NIS2)
  • Third-Party Risk Management Framework (DORA, NIS2)
  • Test Results and Remediation Tracking (all frameworks)
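The single risk register, the cross-referencing of risks to frameworks, and the quarterly testing cycle above amount to a traceability matrix, and the practical question an auditor asks of it is whether every framework in scope is evidenced by at least one register row and one scheduled test. The script below is an added example, not code from the original article or from any of the regulators it names. It encodes the article's own scoping rules (as simplified there), its three sample register rows and its four-quarter test cycle, and then computes coverage gaps per in-scope framework. The OrgProfile fields, the helper names and the sample organisation are constructed for illustration.

```python
# Added example (not from the original article): a traceability check for a
# converged resilience program. It encodes the article's simplified scoping
# rules, its sample single risk register and its annual testing cycle, then
# reports which in-scope frameworks lack a risk entry or a scheduled test.
# Dataclass field names, helper names and the sample organisation profiles
# are constructed for illustration.
from dataclasses import dataclass

FRAMEWORKS = {"DORA", "CISA", "ISO 22301", "NIS2"}


@dataclass(frozen=True)
class OrgProfile:
    """Facts that drive scope: geography, sector, size, CI designation."""
    eu_operations: bool            # operates in EU markets / EU subsidiary
    financial_entity: bool         # bank, insurer, investment firm, PSP
    critical_infrastructure: bool  # designated critical infrastructure
    employees: int                 # global headcount
    nis2_sector: bool              # NIS2 essential or important entity


def applicable_frameworks(org: OrgProfile) -> set[str]:
    """Apply the article's scoping rules (simplified, as stated there)."""
    scope = set()
    if org.financial_entity and org.eu_operations:
        scope.add("DORA")          # DORA: financial entities in EU markets
    if org.critical_infrastructure:
        scope.add("CISA")          # CISA: designated critical infrastructure
    if org.employees > 100:
        scope.add("ISO 22301")     # ISO 22301: >100 employees, any geography
    if org.eu_operations and (org.nis2_sector or org.financial_entity):
        scope.add("NIS2")          # NIS2: EU essential/important entities
    return scope


# Single risk register: each risk cross-referenced to the frameworks it maps
# to (the three sample rows from the article).
RISK_REGISTER = {
    "System failure":   {"DORA", "CISA", "ISO 22301"},
    "Supplier failure": {"DORA", "CISA", "ISO 22301"},
    "Climate event":    {"ISO 22301", "CISA", "DORA"},
}

# Integrated annual testing cycle and the frameworks each test evidences.
TEST_CYCLE = {
    "Q1 Impact Tolerance Test":   {"DORA", "ISO 22301", "CISA"},
    "Q2 Penetration Testing":     {"DORA", "NIS2"},
    "Q3 Incident Response Drill": {"DORA", "CISA", "ISO 22301"},
    "Q4 Third-Party Risk Review": {"DORA", "NIS2", "CISA"},
}


def coverage_gaps(scope: set[str], mapping: dict[str, set[str]]) -> set[str]:
    """In-scope frameworks that no entry in `mapping` cross-references."""
    covered = set().union(*mapping.values()) if mapping else set()
    return scope - covered


def untraced_entries(scope: set[str], mapping: dict[str, set[str]]) -> list[str]:
    """Entries that evidence no in-scope framework (candidates to descope)."""
    return sorted(name for name, fws in mapping.items() if not (fws & scope))


def evidence_by_framework(scope, *mappings):
    """Audit view: for each in-scope framework, the register rows and tests
    that cite it, in the order they appear in the source mappings."""
    index = {fw: [] for fw in sorted(scope)}
    for mapping in mappings:
        for name, fws in mapping.items():
            for fw in fws & scope:
                index[fw].append(name)
    return index


if __name__ == "__main__":
    # Constructed profile: EU payment processor that is also designated CI.
    org = OrgProfile(eu_operations=True, financial_entity=True,
                     critical_infrastructure=True, employees=2500,
                     nis2_sector=False)
    scope = applicable_frameworks(org)
    print("in scope:", sorted(scope))
    print("risk register gaps:", coverage_gaps(scope, RISK_REGISTER))
    print("test cycle gaps:", coverage_gaps(scope, TEST_CYCLE))
    for fw, items in evidence_by_framework(scope, RISK_REGISTER, TEST_CYCLE).items():
        print(f"  {fw}: {items}")
```

Run against the constructed EU payment processor, the test cycle covers all four frameworks, but the register reports NIS2 as a gap: none of the three sample risk rows cross-references it, so a converged register for that organisation would need rows (for example for incident notification or supply chain security obligations) that do. For an organisation whose scope is CISA alone, `untraced_entries` flags the Q2 penetration test as evidencing no in-scope framework, which is the kind of descoping decision the consolidated testing program is meant to make explicit.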

Cross-Sector Context

Business continuity teams are applying the same integration logic that ESG teams have mastered for years. For broader context on cross-sector regulatory convergence, see The 2026 Regulatory Convergence: ESG, Climate, AI, and Operational Standards.

Healthcare facilities face similar convergence pressures. Read Healthcare Regulatory Convergence: CMS, Joint Commission, NFPA, FGI, and ESG.

What Organizations Must Do in 2026

1. Map Your Regulatory Scope
Determine which frameworks apply based on geography, sector, size, and critical infrastructure designation. Use Regulatory Compliance for Business Continuity as your starting point.

2. Consolidate Your Governance
Move from siloed resilience programs to consolidated oversight. Assign a Chief Resilience Officer or equivalent. Link resilience to enterprise risk management.

3. Integrate Your Risk Assessment
Build one resilience risk register that maps to all applicable frameworks. Use this for governance, testing, and audit preparation.

4. Plan Your Testing Program
Design one annual testing cycle that covers all frameworks. This reduces cost, disruption, and audit friction.

5. Prepare for DORA Enforcement
If you’re a financial entity in EU markets, DORA enforcement is ramping up in 2026. Use EU DORA Compliance as your detailed implementation guide.

Conclusion

In 2026, business continuity is no longer a separate function managed by BC planners. It’s a core operational resilience capability that intersects with ICT risk, supply chain management, climate resilience, and critical infrastructure continuity. Organizations that consolidate DORA, CISA, ISO 22301, and NIS2 into a single resilience framework will reduce cost, improve governance, and emerge as resilience leaders. Those that maintain silos will fragment.