2024-2026: the European Union has deployed three major regulations for resilience — DORA (financial sector), NIS2 (expanded essential sectors), CRA (digital products). Each addresses risks within its scope, but together they indirectly frame resilience against geopolitical shocks: Hormuz blockade, state-sponsored cyberattacks, energy shortages, massive supply chain disruptions.
This article precisely maps which requirements apply to your business during a geopolitical crisis, and how ResiPlan covers each of them.
Europe now frames resilience in all its forms
The 3-regulation convergence
| Regulation | Scope | Effective date |
|---|---|---|
| DORA (EU 2022/2554) | Financial entities + critical ICT providers | 17 January 2025 |
| NIS2 (EU 2022/2555) | 18 essential + important sectors | 17 October 2024 (transposition) |
| CRA (EU 2024/2847) | Products with digital elements | 11 December 2027 |
All 3 share a common DNA:
- Risk mapping including geopolitical
- Third-party supplier management (including energy, ICT, cloud)
- Incident reporting with strict deadlines
- Regular resilience tests
- Heavy sanctions for non-compliance
DORA: how it really covers the energy crisis
Articles directly impacted by a Hormuz crisis
Art. 5-9 — ICT risk management
Financial entities must identify, assess and address all ICT risks. This includes:
- Underlying infrastructure risks: electricity, network, cooling, generator fuel
- Supply chain risks: a cloud provider facing a sharply rising electricity bill puts your continuity at risk
- Geopolitical risks: Art. 6(1) explicitly mentions "scenarios impacting operational resilience"
Art. 11 — Continuity + recovery plan
Formal obligation: every firm must maintain a BCP + DRP tested annually covering:
- "Moderately severe but plausible" scenarios (Hormuz blockade qualifies)
- Crisis communication with customers, authorities, counterparties
- Reduced ICT operation in degraded mode
Art. 17 — Major incident reporting
Strict deadlines: acknowledgement within 4h, initial report within 72h, final report within 30 days.
A major incident includes:
- Prolonged unavailability of a critical or important function (CIF), even when caused by an energy outage
- Material impact on customers or revenue
- Cascade to other financial entities
Art. 26-27 — TLPT (Threat-Led Pen Testing)
Significant entities (all major banks, insurers, CCPs, CSDs) must run a threat-intelligence-led intrusion test at least every 3 years, and it must cover all CIFs. In a geopolitical crisis, these tests may be prioritised for audit by ACPR/AMF.
Art. 28-30 — ICT third-party risk
Each critical ICT provider must:
- Be tracked in the Register of Information (Art. 31)
- Be subject to concentration analysis (if several CIFs depend on the same provider, raise an alert)
- Have a documented exit strategy (Art. 28(7)(j))
- Allow audits (on-site, remote)
- Notify you of its own major incidents
Hormuz implication: a data center in Ireland powered by a gas plant that runs on LNG transiting Hormuz is a double dependency to flag.
Art. 31 — Register of Information (ROI)
A formal register that must be maintained and shared with the ESAs (EBA, ESMA, EIOPA) on request, in the standardized ITS (Implementing Technical Standards) format. Contents:
- List of CIFs
- List of ICT contracts per CIF
- Subcontracting chain (Art. 29)
- Geographic distribution of providers
- Exit strategies
In a geopolitical crisis, authorities will immediately request the ROI to assess sector exposure.
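As an added example (not ResiPlan's code or any regulator's format), the Art. 28 concentration check and the Art. 31 register contents above can be modelled as a small script over a constructed Register of Information: it flags any provider or subcontractor (Art. 29 chain) shared by several CIFs, summarises the geographic distribution, and lists contracts without a documented exit strategy (Art. 28(7)(j)). The ROI structure, provider names and regions are assumptions.

```python
# Concentration and exit-strategy checks over a constructed sample Register of Information.
# The data model (CIF -> contracts -> provider, region, subcontracting chain) is an assumption.
from collections import defaultdict

def contract(provider, region, subs, exit_strategy=True):
    return {"provider": provider, "region": region, "subcontractors": subs, "exit_strategy": exit_strategy}

ROI = {  # constructed sample: three CIFs, two hosting providers
    "payments": [contract("CloudCo", "IE", ["GasPlant-IE", "LNG-via-Hormuz"])],
    "trading": [contract("CloudCo", "IE", ["GasPlant-IE", "LNG-via-Hormuz"], exit_strategy=False)],
    "custody": [contract("ColoFR", "FR", ["Grid-FR"])],
}

def dependency_map(roi):
    """Map every dependency (direct provider or any subcontractor in its chain) to the CIFs relying on it."""
    deps = defaultdict(set)
    for cif, contracts in roi.items():
        for c in contracts:
            deps[c["provider"]].add(cif)
            for sub in c["subcontractors"]:  # indirect dependencies count too (Art. 29)
                deps[sub].add(cif)
    return deps

def concentration_alerts(roi, threshold=2):
    """Dependencies shared by at least `threshold` CIFs: one outage would hit several CIFs at once."""
    return sorted((dep, sorted(cifs)) for dep, cifs in dependency_map(roi).items()
                  if len(cifs) >= threshold)

def region_exposure(roi):
    """CIFs per hosting region, to spot geographic clustering of providers."""
    regions = defaultdict(set)
    for cif, contracts in roi.items():
        for c in contracts:
            regions[c["region"]].add(cif)
    return {region: sorted(cifs) for region, cifs in regions.items()}

def missing_exit_strategies(roi):
    """(CIF, provider) pairs whose contract has no documented exit strategy."""
    return [(cif, c["provider"]) for cif, contracts in roi.items()
            for c in contracts if not c["exit_strategy"]]

if __name__ == "__main__":
    for dep, cifs in concentration_alerts(ROI):
        print(f"ALERT concentration: {dep} is shared by {cifs}")
    print("regions:", region_exposure(ROI))
    print("no exit strategy:", missing_exit_strategies(ROI))
```

Running it on the sample shows that the Irish gas plant and the LNG route are flagged even though neither appears as a direct contract, which is exactly the indirect dependency the Hormuz scenario is about.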
DORA Sanctions
Article 50 DORA: up to 1% of daily global revenue per day of non-compliance, with coercive corrective measures, possible business prohibitions.
NIS2: geopolitical resilience for 18 sectors
Affected sectors
Essential sectors (reinforced obligations):
- Energy (electricity, gas, oil, hydrogen)
- Transport (air, rail, road, maritime)
- Banking / financial markets (complementing DORA)
- Healthcare
- Drinking water / wastewater
- Digital infrastructure (DNS, IXP, cloud, data centers)
- Public administrations
- Space
Important sectors (standard obligations):
- Postal / courier services
- Waste management
- Chemicals (including petrochemicals!)
- Food
- Manufacturing (medical devices, computers, vehicles, machinery)
- Digital (services providers, marketplaces, search engines)
- Research
The 10 NIS2 measures (Art. 21)
Each entity must implement at minimum 10 measures:
- Risk analysis + system security policies
- Incident handling
- Business continuity (BCP, recovery, crisis management) ← Hormuz
- Supply chain security (direct + indirect) ← Hormuz
- Security in acquisition / development / maintenance
- Effectiveness assessment policies
- Cyber hygiene + training
- Cryptography
- HR security, access controls
- MFA / secure comms / vulnerabilities
Art. 23 — Incident reporting
Like DORA: early warning 24h, notification 72h, final report 1 month.
A significant NIS2 incident includes any prolonged unavailability of an essential service, even caused by energy shortage or geopolitical cascade.
NIS2 Sanctions
Article 34: up to €10M or 2% of global revenue (whichever is higher) for essential entities, and €7M or 1.4% of global revenue for important entities. Executives may be held personally liable (Art. 20).
CRA: product resilience against state cyberattacks
When a Hormuz crisis erupts, cyberattacks surge: state APTs (Iran, Russia) and opportunistic ransomware. The CRA (effective 11 December 2027) requires:
- SBOM (Software Bill of Materials): to react fast when a critical CVE is published
- CVD portal (security.txt, RFC 9116): receiving vulnerability reports
- 5- or 15-year security update support, depending on product criticality
- Market surveillance: 15 business days to respond to authorities
A product with digital elements (PDE) that is insufficiently patched during a cyber crisis becomes an entry point for attacks on the entire sector.
👉 ResiPlan's CRA suite covers 6 modules: PDE Registry, SBOM, CVD, Security Updates, Annex I, Market Surveillance.
Summary matrix: obligations × Hormuz scenario
| Obligation | DORA | NIS2 | CRA |
|---|---|---|---|
| Identify CIF | ✅ Art. 3(22) | Implicit (essential services) | ❌ |
| Map energy suppliers | ✅ Art. 28 | ✅ Art. 21(d) | ❌ |
| Tested BCP + DRP | ✅ Art. 11 + 25 | ✅ Art. 21(c) | ❌ |
| TLPT / pen test | ✅ Art. 26 | Partial | ❌ |
| Register of Information | ✅ Art. 31 | ❌ | ❌ |
| Incident reporting | ✅ 4h/72h/30d | ✅ 24h/72h/1m | ✅ 24h/72h/14d |
| SBOM / digital product | ❌ | Implicit | ✅ |
| Authority coordination | ACPR/AMF | ANSSI/CSIRT | DGCCRF / FPS Economy |
| Max sanctions | 1% revenue/day | 2% revenue or €10M | 2.5% revenue or €15M |
How ResiPlan covers the 3 regulations in one platform
ResiPlan is the only European platform that natively covers the 3 regulations:
DORA
- DORA CIF — Art. 3(22) registry + AI justification + Art. 31 ROI
- Dependencies Pro — Art. 28-30 (ICT third-parties + concentration + subcontracting)
- TLPT module — Art. 26-27 (engagement + findings)
- Incident response integrated with 4h/72h/30d reporting
NIS2
- Compliance — 10 Art. 21 measures mapped
- Mass Notification — 7-channel crisis comms
- Crisis Gaming — Art. 21(c) BCP tabletops
- Regulatory Watch — automatic monitoring
CRA
- Complete CRA suite — 6 native modules
- SBOM (CycloneDX / SPDX) + CVE cross-ref
- CVD portal + RFC 9116 security.txt
- Annex I self-assessment
- Market Surveillance 15-day response
Cross-cutting
- France hosting (OVH) — sovereign
- AI module can be deactivated for sensitive sectors (defense, intelligence)
- 36 risk methodologies integrated
- Immutable audit trail with 7-year retention
FAQ
Is a Hormuz-linked energy shortage covered by DORA?
Yes, indirectly but clearly. If the shortage impacts a CIF (e.g., your data centers hosting critical systems), this constitutes a major incident to report within 72h per Art. 17. Your exit strategies (Art. 28(7)(j)) must include this scenario.
Does NIS2 require explicit Hormuz crisis preparation?
NIS2 doesn't use the word "Hormuz", but Art. 21(c) requires continuity and Art. 21(d) requires supply chain security. ANSSI published a 2024 guide recommending that geopolitical scenarios be explicitly integrated into continuity plans.
Is my 20-employee company concerned by NIS2?
It depends on the sector, not only on size. Essential-sector obligations apply in principle from 50 employees (microenterprises excluded), but with exceptions: in energy, healthcare or critical infrastructure sectors, the thresholds are much lower.
Can DORA fines really reach 1% of daily global revenue?
Yes. Article 50 DORA provides this maximum sanction for serious and persistent violations. In practice, ACPR will apply it progressively (formal notice → daily penalties → final sanction). But a negligent systemic entity could reach €50-200M in cumulative penalties.
Are executives personally liable?
Yes, under NIS2 Art. 20 and DORA Art. 5 (governance). The executives who effectively run the entity may be personally sanctioned: fines, temporary prohibition from holding office, publication of their names in authority decisions.
Must Hormuz continuity be specifically tested?
Not necessarily by that name. But a continuity test must cover plausible geopolitical scenarios. DORA Art. 25 mentions "scenarios covering a severe disruption". An auditor in 2025-2026 will ask: "Have you tested service availability against a major disruption of the energy sector?"
How does ResiPlan simplify compliance?
- Native cross-mapping: a control documented once satisfies DORA + NIS2 + ISO 22301 + COSO simultaneously
- Pre-drafted templates: BCP, DRP, incident response, registers
- ResiPlan AI for criticality justifications, incident reports, RETEX
- Crisis Gaming tests validated by auditors
- Automated reporting to ACPR/AMF/ANSSI