Scalple

Meet NIS2 and DORA database security requirements

NIS2 and DORA impose concrete technical requirements on how EU organisations manage access to systems containing sensitive data. For engineering teams, this includes production databases.

Under NIS2 Article 20, the management body can be held liable for the entity's failure to implement the required cybersecurity risk management measures. Under DORA, financial entities' ICT risk management is subject to scrutiny by their competent supervisory authority. Shared database credentials, typically reached over long-lived SSH tunnels, are the most common compliance gap under both frameworks.

NIS2 entered into force in January 2023, and EU member states were required to transpose it into national law by 17 October 2024. Enforcement is now active across most member states, though national implementation timelines and details vary, so consult the transposing law that applies to you. Management bodies of essential and important entities can be held liable under Article 20 for infringements of the risk management obligations. DORA applies from 17 January 2025 to financial entities supervised under the EBA, ESMA and EIOPA frameworks.

NIS2 requirements for database access

NIS2 Directive (EU) 2022/2555 — applicable to essential and important entities in healthcare, finance, digital infrastructure, and related sectors.

NIS2 Art. 21(2)(i)

Access control policies

Requirement: Organisations must implement access control policies as part of their cybersecurity risk management measures. This includes authentication controls and the principle of least privilege.

Scalple: Scalple enforces field-level access control policies — each identity gets access to exactly the tables and columns required for their role, for the duration of a single session. No persistent access, no shared credentials.

NIS2 Art. 21(2)(j)

Multi-factor authentication

Requirement: Entities must use multi-factor authentication or continuous authentication solutions where appropriate. A production database holding personal or operational data is a clear case where it is appropriate.

Scalple: Every Scalple session requires identity authentication before any database access is granted, and each session is cryptographically tied to a verified individual identity, not a shared service account. MFA itself is enforced at the identity provider (Entra ID, Google Workspace, or your OIDC provider): Scalple relies on the IdP session, so configuring MFA there to match your NIS2 obligations is your responsibility at the IdP layer.

NIS2 Art. 21(2)(b)

Incident handling and audit logging

Requirement: Organisations must have incident handling capabilities including detection, analysis, containment, and recovery. Comprehensive audit logging is a prerequisite for incident analysis.

Scalple: Scalple's INSERT-only audit trail records every query, every access request, and every denied operation in an append-only log. In the event of an incident, security teams have immediate, complete, tamper-evident visibility into what was accessed and by whom, from a record that cannot be silently rewritten.
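The two controls above, column-scoped least privilege and an INSERT-only audit trail, can be expressed in plain PostgreSQL. The following is an added example written for this page, not Scalple's own schema or code: the table, column and role names are assumptions, and the hash chain is one general way to make an append-only table tamper-evident, not a description of how Scalple implements it.

```sql
-- Added example (not Scalple's schema): the two controls described above in plain
-- PostgreSQL. All table, column and role names below are assumptions.

-- 1. Column-scoped least privilege: the role reads only the columns its job needs.
CREATE TABLE customers (
    id         bigint PRIMARY KEY,
    email      text NOT NULL,
    iban       text NOT NULL,          -- sensitive: never granted to support staff
    created_at timestamptz NOT NULL DEFAULT now()
);
CREATE ROLE support_readonly NOLOGIN;
GRANT SELECT (id, email, created_at) ON customers TO support_readonly;
-- As support_readonly, SELECT email FROM customers works;
-- SELECT iban FROM customers fails with "permission denied for table customers".

-- 2. Append-only audit trail. The writer role gets INSERT and nothing else.
CREATE TABLE access_audit (
    seq        bigserial PRIMARY KEY,
    logged_at  timestamptz NOT NULL DEFAULT now(),
    actor      text NOT NULL,          -- the human identity, never a shared service account
    session_id uuid NOT NULL,
    statement  text NOT NULL,
    denied     boolean NOT NULL DEFAULT false,
    prev_hash  bytea,                  -- row_hash of the preceding row, NULL for the first
    row_hash   bytea NOT NULL
);
CREATE ROLE audit_writer NOLOGIN;
REVOKE ALL ON access_audit FROM PUBLIC;
GRANT INSERT ON access_audit TO audit_writer;
GRANT USAGE ON SEQUENCE access_audit_seq_seq TO audit_writer;

-- One hash function shared by the insert trigger and the verification query, so both
-- always compute the same value. sha256(bytea) is built in from PostgreSQL 11.
CREATE OR REPLACE FUNCTION audit_row_hash(
    prev bytea, logged_at timestamptz, actor text, session_id uuid,
    statement text, denied boolean
) RETURNS bytea LANGUAGE sql STABLE AS $$
    SELECT sha256(coalesce(prev, '\x'::bytea) || convert_to(
        extract(epoch FROM logged_at)::text || '|' || actor || '|' || session_id::text
        || '|' || statement || '|' || denied::text, 'UTF8'));
$$;

-- BEFORE INSERT: link each row to its predecessor. SECURITY DEFINER because audit_writer
-- has no SELECT on the table; the advisory lock stops concurrent inserts forking the chain.
CREATE OR REPLACE FUNCTION chain_audit_row() RETURNS trigger
LANGUAGE plpgsql SECURITY DEFINER AS $$
BEGIN
    PERFORM pg_advisory_xact_lock(hashtext('access_audit'));
    SELECT row_hash INTO NEW.prev_hash FROM access_audit ORDER BY seq DESC LIMIT 1;
    NEW.row_hash := audit_row_hash(NEW.prev_hash, NEW.logged_at, NEW.actor,
                                   NEW.session_id, NEW.statement, NEW.denied);
    RETURN NEW;
END $$;
CREATE TRIGGER access_audit_chain
    BEFORE INSERT ON access_audit FOR EACH ROW EXECUTE FUNCTION chain_audit_row();

-- Defence in depth: even a role that later acquires UPDATE/DELETE is refused.
CREATE OR REPLACE FUNCTION reject_audit_mutation() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    RAISE EXCEPTION 'access_audit is append-only (% rejected)', TG_OP;
END $$;
CREATE TRIGGER access_audit_immutable
    BEFORE UPDATE OR DELETE OR TRUNCATE ON access_audit
    FOR EACH STATEMENT EXECUTE FUNCTION reject_audit_mutation();

-- Constructed sample rows: one permitted query and one denied attempt on the iban column.
INSERT INTO access_audit (actor, session_id, statement, denied) VALUES
    ('alice@example.com', '11111111-2222-4333-8444-555555555555',
     'SELECT id, email FROM customers WHERE id = 42', false),
    ('alice@example.com', '11111111-2222-4333-8444-555555555555',
     'SELECT iban FROM customers WHERE id = 42', true);

-- Verification for incident triage: any row whose content no longer matches its hash, or
-- whose prev_hash does not match the preceding row, marks where the record was altered
-- or where rows were removed from the middle of the log.
SELECT seq, content_altered, chain_broken
FROM (
    SELECT a.seq,
           a.row_hash <> audit_row_hash(a.prev_hash, a.logged_at, a.actor,
                                        a.session_id, a.statement, a.denied) AS content_altered,
           a.prev_hash IS DISTINCT FROM lag(a.row_hash) OVER (ORDER BY a.seq) AS chain_broken
    FROM access_audit a
) chk
WHERE content_altered OR chain_broken;
```

Two things the chain cannot catch on its own: removal of the most recent rows (the tail of the log), and a superuser disabling the triggers. Both are covered by periodically exporting the latest seq and row_hash to storage the database cannot write back to (an external log or an object store with retention locks) and comparing against it on the next verification run.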

NIS2 Art. 23

Incident reporting obligations

Requirement: Significant incidents must be reported to the national CSIRT or competent authority: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report within one month.

Scalple: Scalple's audit trail provides the evidence base for these reports. The 24-hour early warning can be supported by an immediate audit log export covering the affected period, the identities involved and the data they touched.

DORA requirements for database access

Digital Operational Resilience Act (EU) 2022/2554, applicable from 17 January 2025 to banks, payment institutions, investment firms, insurance companies, crypto-asset service providers and other financial entities.

DORA Art. 6

ICT risk management framework

Requirement: Financial entities must establish a comprehensive ICT risk management framework including identification, protection, detection, response, and recovery capabilities.

Scalple: Scalple addresses the protection and detection layers for database access: engineers never hold standing database credentials, which removes credential theft and sharing as an attack path, and real-time access logging supports prompt detection of anomalous database activity.

DORA Art. 9

Protection and prevention

Requirement: Financial entities must continuously monitor and control the security of their ICT systems and implement measures to protect the confidentiality, integrity and availability of data, including policies that limit logical access to ICT assets and information to what is required for legitimate and approved functions, with access to sensitive systems controlled and logged.

Scalple: Field-level permissions enforce confidentiality at the data model level and limit logical access to what each role actually needs. INSERT-only audit logs protect the integrity of the access record. EU-only infrastructure with no US sub-processors keeps the access path and the audit record within EU jurisdiction.

DORA Art. 18

ICT-related incident classification

Requirement: Financial entities must classify ICT-related incidents and determine which are major incidents requiring regulatory notification. Classification requires understanding the scope of data accessed.

Scalple: Scalple's field-level audit trail enables precise incident scoping: you can determine exactly which customer records, which fields, and which operations were involved in any incident — directly informing the classification decision.

NIS2 and DORA database compliance — frequently asked questions

What does NIS2 require for database access control?

NIS2 Article 21(2) requires access control policies, multi-factor authentication where appropriate, and incident handling capabilities as part of cybersecurity risk management; you cannot analyse an incident without a reliable log of who accessed what. For production databases containing personal or operational data, this means: access must be tied to individual identities (not shared credentials), sessions must require authentication, and every database operation must be logged in an append-only, tamper-evident audit trail. A shared database password reached over an SSH tunnel fails all three: the credential is not tied to a person, the tunnel adds no MFA to the database login, and the database only ever sees the shared account.

How does DORA affect how fintech companies manage database access?

DORA Articles 6 and 9 require financial entities to protect ICT assets, including production databases, through access controls and logging. Article 18 requires classifying ICT-related incidents by criteria that include the data affected, which needs field-level visibility into what was accessed. DORA also requires major ICT-related incidents to be reported to the relevant competent authority within the timelines set by the regulation, so the audit trail has to be available quickly and precisely.

Does NIS2 impose personal liability on CISOs for database security failures?

Yes, for the management body. NIS2 Article 20 requires management bodies of essential and important entities to approve and oversee the implementation of cybersecurity risk management measures, and member states must ensure those bodies can be held liable for infringements. Whether a CISO or CTO is part of the management body depends on the company's governance structure and on the national transposing law, but a production database breach caused by inadequate access controls, such as shared credentials and no audit trail, is exactly the kind of failure that liability will focus on. Scalple removes the shared-credential attack surface entirely.

Can Scalple help with the NIS2 72-hour incident reporting deadline?

Yes. NIS2 Article 23 requires early warning within 24 hours and a full incident notification within 72 hours of becoming aware of a significant incident. Scalple's audit trail gives you immediate, precise visibility into which data was accessed and by whom — enabling accurate scoping of the incident within hours, not days. This directly supports your ability to meet the reporting deadlines with complete and accurate information.

Which EU industries are in scope for NIS2?

NIS2 Annex I lists the essential sectors (energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure, ICT service management, public administration, space) and Annex II the important sectors (postal and courier services, waste management, chemicals, food, manufacturing, digital providers, research). Whether a given company is in scope depends on its sector and size (generally medium and large enterprises, with sector-specific exceptions), not on how much personal data it processes, so check your sector classification and the national transposition. Many EU healthtech and fintech companies are in scope directly, and others are pulled in through the supply chain security obligations of their in-scope customers.

How does Scalple's zero credential exposure help with NIS2 Article 21?

NIS2 Article 21(2)(i) explicitly requires access control policies, and least privilege is the established way to implement them. Scalple's access model ensures that database credentials are never held by human engineers, which removes credential theft and credential sharing as attack vectors. Each session is scoped to the specific data required, expires automatically, and is fully logged: that is the principle of least privilege implemented at the database layer.

Close your NIS2 and DORA database access gap

If your production database access relies on shared credentials or SSH tunnels, your NIS2 Article 21 and DORA Article 9 technical measures are incomplete. Book a 30-minute walkthrough or deploy the self-hosted version today.

Supports NIS2 Art. 21 requirements
Supports DORA ICT risk management
EU-only infrastructure
NIS2 Art. 20 evidence trail