DORA vs NIS 2: Understanding the Differences
Financial entities operating in the EU can fall within the scope of both DORA and NIS 2. Understanding how the two regimes interact is essential for efficient compliance planning.
The key principle is that DORA is lex specialis (the more specific law) for the financial sector. Where DORA and NIS 2 overlap, DORA requirements apply to financial entities.
Key Takeaways
| Point | Summary |
|---|---|
| Lex specialis | DORA takes precedence over NIS 2 for financial entities |
| Sector focus | DORA is financial sector-specific; NIS 2 covers 18 critical sectors |
| Similar structure | Both address risk management, incident reporting, and supply chain security |
| Incident timelines | Both use similar reporting timeframes but to different authorities |
| Testing requirements | DORA has more prescriptive testing requirements, including mandatory TLPT |
Quick Answer: DORA and NIS 2 are both EU cybersecurity regulations, but DORA specifically targets the financial sector while NIS 2 covers 18 critical sectors. For financial entities, DORA is considered the more specific regulation (lex specialis), meaning DORA requirements apply where the two overlap. Both regulations share similar themes but DORA has more prescriptive requirements tailored to financial services.
Overview Comparison
| Aspect | DORA | NIS 2 |
|---|---|---|
| Full name | Digital Operational Resilience Act | Network and Information Security Directive 2 |
| Legal instrument | Regulation (directly applicable) | Directive (requires national transposition) |
| Sector scope | Financial services (20 entity types) | 18 critical sectors |
| Effective date | January 17, 2025 | October 17, 2024 (transposition deadline) |
| Primary focus | Digital operational resilience | Cybersecurity |
| Reporting authority | Financial supervisors | National cybersecurity authorities |
Scope and Applicability
DORA Scope
DORA applies to 20 categories of financial entities, including:
- Credit institutions
- Payment institutions
- Investment firms
- Insurance undertakings
- Crypto-asset service providers
- Central counterparties
- Trading venues
NIS 2 Scope
NIS 2 applies to entities in 18 sectors, listed in two annexes. Whether an individual entity is "essential" or "important" depends on its annex and its size: entities of Annex I types above the large-enterprise threshold are essential, while medium-sized Annex I entities and Annex II entities are important (with some exceptions, such as DNS providers and public administration, that are essential regardless of size).
| Annex I (sectors of high criticality) | Annex II (other critical sectors) |
|---|---|
| Energy | Postal and courier services |
| Transport | Waste management |
| Banking | Chemicals |
| Financial market infrastructure | Food |
| Health | Manufacturing |
| Drinking water | Digital providers |
| Wastewater | Research |
| Digital infrastructure | |
| ICT service management (B2B) | |
| Public administration | |
| Space | |
Overlap
The overlap occurs in:
- Banking (NIS 2 essential sector, DORA scope)
- Financial market infrastructure (NIS 2 essential sector, DORA scope)
- ICT service management (NIS 2 essential sector, potentially DORA CTPP scope)
The Lex Specialis Principle
How It Works
Article 4 of NIS 2 establishes that where a sector-specific EU legal act:
- Requires essential or important entities to adopt cybersecurity risk management measures, or
- Requires them to notify significant incidents, and
- Those requirements are at least equivalent in effect to the NIS 2 obligations
Then the corresponding NIS 2 provisions (the risk management and incident notification obligations, together with the supervision and enforcement provisions of Chapter VII) do not apply to those entities. Only the matching provisions are displaced; where a sector-specific act covers only some entities in a sector, NIS 2 continues to apply to the rest (Article 4(2)). Recital 28 of NIS 2 names DORA explicitly as the lex specialis for financial entities.
DORA as Lex Specialis
For financial entities, DORA is recognized as the more specific regulation:
- DORA requirements on ICT risk management are at least equivalent to NIS 2 cybersecurity requirements
- DORA incident reporting obligations are at least equivalent to NIS 2 notification requirements
- Therefore, DORA applies instead of NIS 2 for covered financial entities
Practical Implications
Financial entities:
- Should focus compliance efforts on DORA, not NIS 2
- Report incidents to financial supervisors under DORA, not to national cybersecurity authorities under NIS 2
- Follow DORA testing requirements, not NIS 2 security assessments
Requirement Comparison
Risk Management
| Aspect | DORA | NIS 2 |
|---|---|---|
| Framework | Comprehensive ICT risk management framework required | Appropriate cybersecurity risk management measures |
| Governance | Explicit management body accountability | Management body approval and oversight |
| Documentation | Detailed documentation requirements | Risk-based policies and procedures |
| Business continuity | Specific ICT continuity requirements | Business continuity included in measures |
Both regulations require risk-based approaches, but DORA provides more detailed requirements specific to financial services.
Incident Reporting
| Aspect | DORA | NIS 2 |
|---|---|---|
| Timeline | Initial notification within 4 hours of classifying the incident as major and no later than 24 hours from detection; intermediate report within 72 hours of the initial notification; final report within 1 month of the intermediate report | Early warning within 24 hours of awareness; incident notification within 72 hours; final report within 1 month of the incident notification (progress report first if the incident is still ongoing) |
| Authority | Financial supervisors | National cybersecurity authorities |
| Content | Detailed multi-stage reporting | Significant incident notification |
| Client notification | Required when financial interests affected | May be required to inform recipients |
The timelines are similar, reflecting alignment during the legislative process.
Supply Chain / Third-Party Risk
| Aspect | DORA | NIS 2 |
|---|---|---|
| Focus | ICT third-party service providers | Supply chain security broadly |
| Register | Register of Information required | Not specifically required |
| Contractual | Detailed mandatory contract provisions | General supply chain security measures |
| Oversight | CTPP oversight framework | No equivalent designation process |
DORA has more prescriptive third-party requirements, including the unique CTPP oversight framework.
Testing
| Aspect | DORA | NIS 2 |
|---|---|---|
| Basic testing | Required for all entities | General obligation to assess measures |
| Advanced testing | TLPT mandatory for designated entities | No specific advanced testing requirement |
| Frequency | Annual program, TLPT every 3 years | Proportionate testing |
| Third-party inclusion | ICT third-party providers supporting critical or important functions take part in TLPT | Not specified |
DORA's testing requirements, particularly TLPT, are more prescriptive than NIS 2.
Penalties
| Aspect | DORA | NIS 2 |
|---|---|---|
| Maximum (entities) | Not fixed at EU level: member states set administrative penalties, which must be effective, proportionate and dissuasive (Article 50) | At least EUR 10 million or 2% of global annual turnover, whichever is higher (essential) / at least EUR 7 million or 1.4% (important) |
| Maximum (individuals) | Set by member states; management body members can be held liable | Set by member states; management bodies can be held liable, and for essential entities individuals at CEO or legal-representative level can be temporarily barred from managerial functions |
| CTPPs | Periodic penalty payments of up to 1% of average daily worldwide turnover, per day, for up to six months (Article 35) | N/A |
The two regimes differ here: NIS 2 sets EU-wide minimum ceilings for fines, whereas DORA leaves penalty levels for financial entities to national law, so the exposure under DORA depends on the member state. The only amount fixed in DORA itself is the periodic penalty payment that the Lead Overseer can impose on a designated CTPP.
ICT Service Providers
Under DORA
ICT third-party service providers serving financial entities:
- Face contractual requirements from clients
- May be designated as CTPPs for direct oversight
- Must participate in client testing programs
Under NIS 2
Managed service providers and managed security service providers:
- Fall directly within NIS 2 scope under the Annex I sector "ICT service management (business-to-business)": essential entities if they exceed the large-enterprise threshold, important entities if medium-sized
- Must implement NIS 2 cybersecurity measures
- Must report significant incidents
Dual Application
An ICT service provider may face:
- NIS 2 requirements directly (as a managed service provider)
- DORA contractual requirements indirectly (from financial sector clients)
- CTPP oversight (if designated)
This creates layered compliance obligations for major technology providers.
When NIS 2 Might Still Apply
While DORA is lex specialis, NIS 2 may still be relevant when:
Group-Level Considerations
Financial groups with non-financial subsidiaries may find those subsidiaries subject to NIS 2 directly if they:
- Operate in a NIS 2 sector (for example, a group company that provides managed ICT or security services in its own right), and
- Meet the NIS 2 size thresholds or are of a type that is covered regardless of size
An intra-group ICT provider that only serves the financial entity is handled under DORA's third-party provisions rather than being pulled into NIS 2 by that relationship alone; check its own activities against the NIS 2 annexes.
Technology Providers
Non-financial ICT providers may be subject to NIS 2 directly while also facing DORA-driven contractual requirements from financial clients.
Regulatory Coordination
NIS 2 establishes coordination mechanisms that can involve financial supervisors, and DORA itself wires the two regimes together:
- The European cyber crisis liaison organisation network (EU-CyCLONe, NIS 2 Article 16) for coordinated management of large-scale incidents
- National cyber crisis management frameworks (NIS 2 Article 9)
- Cross-sector information flow: under DORA Article 19(6), the financial supervisor that receives a major incident notification passes the details on to the competent authorities, single points of contact or CSIRTs designated under NIS 2
Compliance Synergies
Organizations subject to both regulations (or supporting clients under both) can leverage synergies:
| Area | Synergy |
|---|---|
| Risk management | Common risk assessment methodologies |
| Policies | Shared policy frameworks with sector-specific customization |
| Incident response | Common detection and response capabilities |
| Supply chain | Unified vendor assessment approaches |
| Testing | Comprehensive testing programs serving both requirements |
Common Questions
I am a bank. Do I need to comply with NIS 2?
Not in practice. As a credit institution you fall within DORA scope, and because DORA is lex specialis, DORA's ICT risk management, incident reporting and supervision provisions apply instead of the corresponding NIS 2 provisions. Check separately whether any non-financial group entities fall within NIS 2 on their own account.
We are an ICT provider serving banks. Which applies?
Potentially both. NIS 2 may apply to you directly as a managed service provider. DORA applies indirectly through contractual requirements from your financial sector clients. If designated as a CTPP, you also face direct DORA oversight.
Do we report incidents to both authorities?
Financial entities report once, under DORA, to their financial supervisor; a separate NIS 2 notification is not required because DORA is lex specialis. The information still reaches the NIS 2 side: DORA Article 19(6) requires the financial supervisor to forward major incident details to the NIS 2 competent authorities, single points of contact or CSIRTs.
Should we pursue ISO 27001 for both?
ISO 27001 provides a strong foundation for both DORA and NIS 2 compliance. Both regulations reference international standards favorably. Certification can demonstrate baseline security to multiple stakeholders.
How Bastion Helps
Bastion supports organizations navigating DORA and NIS 2:
- Applicability assessment: Determine which regulations apply to your organization
- Gap analysis: Evaluate current state against applicable requirements
- Efficient implementation: Leverage synergies between frameworks
- ISO 27001 certification: Build a foundation supporting multiple compliance objectives
- Ongoing compliance: Maintain alignment with evolving requirements
Ready to clarify your compliance obligations? Talk to our team
Sources
- DORA Regulation - Digital Operational Resilience Act full text
- NIS 2 Directive - Network and Information Security Directive 2 full text
- NIS 2 Article 4 - Sector-specific legal acts provision
