NIS2 and DORA Compliance in 2026: Lessons from Stryker and Poland's Nuclear Center
Introduction: High-Stakes Cyberattacks Signal Urgent Regulatory Gaps
In March 2026, the Iran-linked Handala hacktivist group compromised an administrator account at medical technology giant Stryker, created a new account holding the Global Administrator role (a Microsoft Entra ID directory role that carries full rights over Microsoft Intune), and used it to issue remote wipes to approximately 80,000 Intune-managed devices. The attack disrupted Stryker's internal Microsoft corporate environment, forcing electronic ordering systems offline and requiring manual order processing. Meanwhile, Poland's National Centre for Nuclear Research (NCBJ) thwarted a cyberattack; early evidence pointed to Iranian hackers, though officials warned it could be a false flag operation. Occurring against a backdrop of increasing state-sponsored threats, these incidents highlight the kinds of weakness the EU's NIS2 Directive and DORA (Digital Operational Resilience Act) are designed to address. The NIS2 transposition deadline for member states passed on 17 October 2024 and DORA has applied since 17 January 2025, so organizations must close compliance gaps now. For essential entities, NIS2 requires member states to provide for administrative fines with a maximum of at least EUR 10 million or 2% of total worldwide annual turnover, whichever is higher (EUR 7 million or 1.4% for important entities).
Compliance Failures Exposed: Access Control, Incident Response, and Supply Chain Risks
The Stryker attack underscores a fundamental failure in access control and privilege management, a core requirement under both NIS2 and DORA. Handala's ability to compromise an admin account and escalate privileges to create a Global Administrator account allowed them to remotely wipe devices through a legitimate management feature, without deploying any malware, which points to inadequate identity and access management (IAM) controls: no phishing-resistant MFA on the compromised account, standing rather than just-in-time privileged access, and no alerting on the creation of a new Global Administrator. NIS2 (Article 21) requires "appropriate and proportionate technical, operational and organisational measures" to manage security risks, and explicitly lists access control policies and multi-factor authentication among them. DORA mandates an ICT risk management framework that must include stringent access controls; note that DORA binds financial entities and their ICT third-party providers, so for a medical technology manufacturer such as Stryker the directly applicable obligations come from NIS2 (health sector), while DORA's requirements are relevant to financial entities facing the same attack pattern. The attack also revealed gaps in incident response: while Stryker engaged Microsoft DART and Palo Alto Unit 42 for recovery, the disruption to supply-chain and transactional systems suggests insufficient resilience testing. DORA requires financial entities to run a digital operational resilience testing programme with basic testing at least annually (Article 24), and entities designated by their competent authority must additionally undergo threat-led penetration testing (TLPT) at least every three years (Article 26) to demonstrate continuity under realistic attack.
Poland's NCBJ incident, though successfully defended, highlights the heightened risks to critical infrastructure operators classified as "essential entities" under NIS2. The nuclear research center, which operates Poland's only nuclear research reactor, is treated here as part of the energy sector, where NIS2 imposes its stricter essential-entity obligations. The thwarted attack followed a separate incident on Poland's power grid two months earlier attributed to Russian actors, emphasizing persistent state-sponsored threats. NIS2 requires essential entities to implement risk management measures, incident reporting (an early warning within 24 hours, an incident notification within 72 hours, and a final report within one month), and supply chain security. The NCBJ's defense likely involved advanced monitoring and response capabilities, but organizations must verify their alignment with NIS2's sector-specific mandates. Additionally, CISA's alert on CVE-2025-47813 in Wing FTP Server, which requires federal civilian executive branch agencies to patch within two weeks under Binding Operational Directive (BOD) 22-01 and the Known Exploited Vulnerabilities (KEV) catalogue, shows how an unpatched lower-severity flaw can chain with a critical one such as CVE-2025-47812 (a remote code execution bug in the same product) to enable severe attacks. NIS2 and DORA both emphasize proactive vulnerability management, with DORA requiring financial entities to manage third-party ICT risks, including software vendors.
Step-by-Step Mitigation Strategies for NIS2 and DORA Compliance
To address these gaps, organizations should implement a phased approach aligned with regulatory deadlines. First, conduct a comprehensive risk assessment to classify your entity under NIS2 as "essential" or "important" based on sectors like energy, transport, health, or digital infrastructure. For DORA, identify if you qualify as a financial entity (e.g., bank, insurer, payment institution). Use this assessment to map existing controls against NIS2's risk management measures and DORA's ICT risk management framework.
1. Implement Zero-Trust Architecture and Strengthen Access Controls
The Stryker attack shows that traditional perimeter-based security is insufficient. Adopt a zero-trust model where every access request is verified, regardless of origin. Key actions include:
- Enforce multi-factor authentication (MFA) for all administrative accounts, preferring phishing-resistant methods (FIDO2 security keys or passkeys) for roles that can manage devices or directory roles in Microsoft Intune and Microsoft Entra ID.
- Apply the principle of least privilege (PoLP) to limit user access to only necessary resources, keep standing Global Administrator assignments to a small, reviewed set of accounts, and use just-in-time elevation for the rest, reducing the attack surface for privilege escalation.
- Regularly audit and review access logs to detect anomalous behavior, using tools like AIGovHub's cybersecurity compliance monitoring platform to automate alerts for suspicious admin activities.
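The audit-log review in the last item can be automated against the two signals the Stryker narrative describes: a new privileged role grant, followed by a burst of remote wipes from the newly privileged account. The following is an added example written for this article, not code from Stryker, Microsoft, or any vendor named on the page. The input records are constructed; the role-grant records follow the shape of Microsoft Entra ID directoryAudit entries (`activityDisplayName`, `category`, `initiatedBy`, `targetResources[].modifiedProperties[]` with JSON-encoded `newValue`), while the wipe records use an assumed `activityDisplayName` of `wipe ManagedDevice` and the same actor structure for illustration.

```python
"""Detect privileged-role grants and device-wipe bursts in audit events.

Added example for this article (not the page's or any vendor's code).
Event shape is modelled on Entra ID directoryAudit records; the wipe
events and all sample data are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import json

PRIVILEGED_ROLES = {"Global Administrator", "Intune Administrator",
                    "Privileged Role Administrator"}
WIPE_THRESHOLD = 5                 # wipes per actor inside one window
WIPE_WINDOW = timedelta(minutes=10)


def _actor(upn):
    return {"user": {"userPrincipalName": upn}}


def _wipe(upn, minute):
    # Assumed activityDisplayName for an Intune remote wipe (constructed).
    return {"activityDisplayName": "wipe ManagedDevice",
            "category": "DeviceManagement",
            "activityDateTime": f"2026-03-01T09:{minute:02d}:00Z",
            "initiatedBy": _actor(upn)}


# Constructed sample: a compromised admin grants Global Administrator to a
# new account, which then wipes six devices in five minutes; a helpdesk user
# performs one routine wipe and must not be flagged.
SAMPLE_EVENTS = [
    {"activityDisplayName": "Add member to role",
     "category": "RoleManagement",
     "activityDateTime": "2026-03-01T08:55:00Z",
     "initiatedBy": _actor("admin.compromised@example.com"),
     "targetResources": [{
         "userPrincipalName": "svc-backup@example.com",
         "modifiedProperties": [
             # Entra encodes newValue as a JSON string literal.
             {"displayName": "Role.DisplayName",
              "newValue": "\"Global Administrator\""}]}]},
    _wipe("helpdesk@example.com", 2),
] + [_wipe("svc-backup@example.com", m) for m in range(0, 6)]


def parse_time(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def role_grants(events):
    """Return (actor, target_upn, role) for every privileged-role assignment."""
    hits = []
    for ev in events:
        if ev.get("category") != "RoleManagement":
            continue
        if ev.get("activityDisplayName") != "Add member to role":
            continue
        actor = ev["initiatedBy"]["user"]["userPrincipalName"]
        for target in ev.get("targetResources", []):
            for prop in target.get("modifiedProperties", []):
                if prop.get("displayName") != "Role.DisplayName":
                    continue
                role = json.loads(prop["newValue"])
                if role in PRIVILEGED_ROLES:
                    hits.append((actor, target["userPrincipalName"], role))
    return hits


def wipe_bursts(events, threshold=WIPE_THRESHOLD, window=WIPE_WINDOW):
    """Map actor -> largest number of wipes that actor issued inside any window."""
    per_actor = defaultdict(list)
    for ev in events:
        if ev.get("activityDisplayName") != "wipe ManagedDevice":
            continue
        upn = ev["initiatedBy"]["user"]["userPrincipalName"]
        per_actor[upn].append(parse_time(ev["activityDateTime"]))
    flagged = {}
    for upn, times in per_actor.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[upn] = max(flagged.get(upn, 0), count)
    return flagged


def triage(events):
    """Combine both signals; a burst from a freshly elevated account is CRITICAL."""
    grants = role_grants(events)
    elevated = {target for _, target, _ in grants}
    alerts = [f"HIGH: {actor} granted {role} to {target}"
              for actor, target, role in grants]
    for upn, count in wipe_bursts(events).items():
        level = "CRITICAL" if upn in elevated else "HIGH"
        alerts.append(f"{level}: {upn} issued {count} device wipes within {WIPE_WINDOW}")
    return alerts


if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```

The role-grant rule fires once, on any grant, because a new Global Administrator is rare enough to justify a human look every time; the wipe rule is thresholded so a helpdesk analyst retiring a handful of laptops does not page anyone. In production the same two functions would run over Entra audit logs and Intune audit events exported to a SIEM, and the thresholds would be tuned to the tenant's normal wipe volume.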
2. Enhance Incident Response and Resilience Testing
Both NIS2 and DORA mandate robust incident response capabilities. Learn from Poland's NCBJ defense by:
- Developing and testing an incident response plan (IRP) that includes procedures for the 24-hour early warning, the 72-hour incident notification, and the final report within one month, as NIS2 requires for significant incidents.
- Conducting regular tabletop exercises and, where DORA designates your entity for it, threat-led penetration testing (TLPT) at least every three years, simulating attacks like those on Stryker or critical infrastructure.
- Integrating threat intelligence feeds to identify indicators of compromise (IoCs) from groups like Handala or state-sponsored actors.
3. Strengthen Supply Chain and Third-Party Risk Management
The Stryker attack disrupted supply-chain systems, while CVE-2025-47813 highlights vendor risks. Steps include:
- Assessing third-party vendors for compliance with NIS2 and DORA, requiring evidence of security controls like SOC 2 reports or ISO/IEC 27001:2022 certification.
- Implementing software patch management processes that remediate vulnerabilities like CVE-2025-47813 within defined timeframes, for example by adopting the due dates in CISA's KEV catalogue as an internal SLA for all systems even where BOD 22-01 does not legally apply.
- Using contractual clauses to enforce security standards and audit rights, as DORA requires financial entities to manage ICT third-party risk.
4. Integrate with Existing Frameworks like SOC 2 and NIST CSF 2.0
Aligning with established frameworks can streamline compliance. For example:
- SOC 2 attestations, based on the AICPA Trust Services Criteria, cover security, availability, and confidentiality—directly supporting NIS2 and DORA controls. Note that SOC 2 is not a certification but an attestation report issued by a CPA firm.
- The NIST Cybersecurity Framework (CSF) 2.0, published in February 2024, provides a voluntary framework with six core functions (Govern, Identify, Protect, Detect, Respond, Recover) that map to NIS2 requirements. Its Govern function emphasizes risk management, akin to DORA's ICT risk framework.
- ISO/IEC 27001:2022 certification demonstrates an Information Security Management System (ISMS) with 93 controls, offering a certifiable standard that can satisfy regulatory expectations.
Key Takeaways for 2026 Readiness
- Urgent Action Required: NIS2 deadlines have passed, and DORA is already applicable. Organizations must verify their classification and implement measures to avoid penalties.
- Focus on Access Control: The Stryker attack shows privilege escalation risks. Implement zero-trust and least privilege to mitigate.
- Invest in Incident Response: Both regulations mandate timely reporting and testing. Develop plans and conduct exercises regularly.
- Manage Third-Party Risks: Supply chain vulnerabilities are critical. Assess vendors and enforce security standards.
- Leverage Existing Frameworks: Integrate SOC 2, NIST CSF 2.0, or ISO 27001 to build a robust compliance foundation.
Some links in this article are affiliate links. See our disclosure policy.
Conclusion: Proactive Compliance as a Defense Strategy
The Stryker and Poland nuclear center incidents are not isolated events but part of a growing trend of sophisticated cyberattacks targeting critical infrastructure and large enterprises. As regulatory enforcement intensifies, compliance with NIS2 and DORA is no longer optional but a strategic imperative. By learning from these attacks, organizations can turn regulatory requirements into competitive advantages, enhancing resilience against future threats. Tools like AIGovHub's cybersecurity compliance monitoring platform can help automate risk assessments and track control implementation, while vendors like CrowdStrike and SentinelOne offer advanced endpoint protection solutions—contact sales for pricing. For more insights on integrating AI governance with cybersecurity, explore our guide on EU AI Act compliance or our analysis of Microsoft Copilot security flaws. Remember, this content is for informational purposes only and does not constitute legal advice. Organizations should verify current timelines and consult experts to ensure full compliance.