DORA vs NIS2: Key Differences for Financial Entities

DORA vs NIS2 compared: scope, requirements, penalties, and timelines. How financial entities can comply with both EU cybersecurity regulations simultaneously.

Financial entities operating in the European Union now face two overlapping cybersecurity regulations: the Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) and the NIS2 Directive (Directive (EU) 2022/2555). Both entered the enforcement phase in 2025, both impose security requirements and incident reporting obligations, and both carry significant penalties. The critical question for compliance teams is not which one applies – in many cases, both do – but where they differ and how to build a compliance program that satisfies both without duplicating effort.

This article provides a precise comparison of DORA vs NIS2 across scope, requirements, enforcement, and timelines, with practical guidance for financial entities subject to both.

Key Takeaways

  • DORA is a regulation (directly applicable); NIS2 is a directive (requires national transposition). This creates different compliance mechanics.
  • Art. 4 of DORA establishes it as lex specialis for financial entities, meaning DORA requirements prevail where they overlap with NIS2.
  • Financial entities must still comply with NIS2’s broader governance and supply chain requirements where DORA is silent.
  • Incident reporting timelines differ: DORA requires initial notification within 4 hours of classification; NIS2 requires early warning within 24 hours.

Scope: Who Falls Under Which Regulation

The scope difference is the starting point for any DORA vs NIS2 analysis.

DORA applies to 21 categories of financial entities enumerated in Art. 2(1): credit institutions, investment firms, payment institutions, electronic money institutions, insurance and reinsurance undertakings, insurance intermediaries, institutions for occupational retirement provision, credit rating agencies, crypto-asset service providers, central securities depositories, central counterparties, trading venues, trade repositories, managers of alternative investment funds, management companies, data reporting service providers, securitisation repositories, crowdfunding service providers, and ICT third-party service providers designated as critical by the European Supervisory Authorities (ESAs).

NIS2 applies to essential and important entities across 18 sectors listed in Annexes I and II. The banking and financial market infrastructure sectors (Annex I, sectors 3 and 4) are explicitly included. This means banks, stock exchanges, central counterparties, and other financial market infrastructure entities fall within NIS2’s scope as essential entities.

The overlap is significant. A bank is simultaneously a “credit institution” under DORA and an “essential entity” in the banking sector under NIS2. The same bank must navigate both frameworks.

The Lex Specialis Principle

Art. 4 of DORA resolves the overlap by establishing DORA as lex specialis – the specialist law that takes precedence over the general law (NIS2) for financial entities. Recital 16 of DORA and Recital 28 of NIS2 both confirm this hierarchy.

In practice, this means:

  • Where DORA imposes a specific requirement (e.g., ICT risk management under Art. 6, incident reporting under Art. 19), financial entities follow DORA.
  • Where NIS2 imposes a requirement that DORA does not address (e.g., certain supply chain security provisions under Art. 21(2)(d) NIS2), the NIS2 requirement still applies.
  • National authorities cannot impose NIS2 obligations on financial entities in areas already covered by DORA.

This is not a blanket exemption from NIS2. Financial entities must map both regulations to identify gaps.

Requirements Compared

ICT Risk Management

DORA (Art. 5-16): Prescribes a detailed ICT risk management framework including: identification and classification of ICT assets (Art. 8), protection and prevention measures (Art. 9), detection capabilities (Art. 10), response and recovery procedures (Art. 11), backup and restoration (Art. 12), learning and evolving (Art. 13), and communication (Art. 14). The framework must be documented, reviewed annually, and approved by the management body.

NIS2 (Art. 21): Requires “appropriate and proportionate technical, operational and organisational measures” to manage risks. Art. 21(2) lists ten categories of measures including risk analysis, incident handling, business continuity, supply chain security, network security, vulnerability handling, cybersecurity assessment, cryptography, human resources security, and multi-factor authentication.

Key difference: DORA is significantly more prescriptive. NIS2’s Art. 21 is principles-based and leaves substantial implementation discretion to entities and national transposition. DORA specifies exact components of the ICT risk management framework, approval requirements, and testing obligations.

Incident Reporting

The incident reporting timelines present the sharpest practical difference between DORA and NIS2.

| Reporting stage | DORA | NIS2 |
|---|---|---|
| Initial / early warning | 4 hours after classification as a major ICT-related incident | 24 hours after becoming aware of a significant incident |
| Intermediate report | 72 hours after initial notification | 72 hours after early warning |
| Final report | 1 month after initial notification | 1 month after intermediate report |
| Reporting authority | National competent authority (NCA) for the financial sector | National CSIRT or competent authority |
| Classification criteria | Defined in ESA RTS: data losses, service downtime, geographic spread, economic impact | Defined by national transposition, based on Art. 23(3) criteria |

For financial entities subject to both, DORA’s 4-hour initial reporting deadline is the binding constraint. Meeting DORA’s timeline inherently satisfies NIS2’s 24-hour requirement.

The reporting authority may differ. Under DORA, financial entities report to their financial sector NCA (e.g., BaFin, ACPR, Central Bank of Ireland). Under NIS2, entities report to the national CSIRT or NIS2 competent authority. In practice, several Member States are aligning these channels, but financial entities should verify the national arrangements. See our incident reporting comparison across DORA, NIS2, and GDPR for a detailed cross-framework analysis.

Resilience Testing

DORA (Art. 24-27): Mandates a digital operational resilience testing program that includes vulnerability assessments, network security testing, gap analyses, physical security reviews, and scenario-based testing. Critically, Art. 26 requires threat-led penetration testing (TLPT) at least every three years for significant financial entities. TLPT must follow the TIBER-EU framework.

NIS2 (Art. 21(2)(f)): Requires “policies and procedures to assess the effectiveness of cybersecurity risk-management measures” – essentially cybersecurity testing, but without prescribing specific methodologies or frequencies.

Key difference: DORA’s TLPT requirement is substantially more demanding and specific than anything NIS2 requires. Financial entities cannot rely on NIS2’s general testing expectation to satisfy DORA’s TLPT obligation.

Third-Party Risk Management

DORA (Art. 28-44): Creates the most detailed ICT third-party risk management framework in EU regulation. Requires: a policy on ICT third-party risk (Art. 28(2)), mandatory contractual provisions (Art. 30), a register of information on all ICT contractual arrangements (Art. 28(3)), and concentration risk management. Critically, designates “critical ICT third-party service providers” subject to direct oversight by the ESAs (Art. 31-44).

NIS2 (Art. 21(2)(d)): Requires supply chain security measures, including “security-related aspects concerning the relationships between each entity and its direct suppliers or service providers.” The requirement is broad but not prescriptive.

Key difference: DORA’s third-party framework is far more granular, with specific contractual requirements, a mandatory register, and a direct oversight mechanism for critical providers that has no equivalent in NIS2.

Penalties Compared

| Aspect | DORA | NIS2 |
|---|---|---|
| Maximum fine (entities) | Up to 2% of total annual worldwide turnover or EUR 10 million (whichever is higher). Member States may set higher. | Essential entities: up to EUR 10 million or 2% of global turnover. Important entities: up to EUR 7 million or 1.4% of global turnover. |
| Individual liability | Up to EUR 1 million for management body members | Art. 20: management bodies must approve and oversee cybersecurity measures and can be held personally liable. National transposition defines specifics. |
| Critical ICT providers | Up to EUR 5 million or 1% of average daily turnover per day (max 6 months) | Not applicable (NIS2 has no critical ICT provider oversight framework) |
| Enforcement authority | Financial sector NCAs, plus ESAs for critical ICT providers | National NIS2 competent authorities |

For financial entities, DORA penalties are the primary enforcement risk because DORA’s requirements are more detailed and its enforcement framework is sector-specific. However, NIS2 penalties can still apply for requirements outside DORA’s scope.

Timeline Comparison

| Milestone | DORA | NIS2 |
|---|---|---|
| Publication | 27 December 2022 | 27 December 2022 |
| Entry into force | 16 January 2023 | 16 January 2023 |
| Application date | 17 January 2025 | 18 October 2024 (transposition deadline) |
| National transposition | Not required (regulation) | Required (directive); status varies by Member State |
| First enforcement actions | Q1 2025 onwards | Depends on national transposition. As of April 2026, 22 of 27 Member States have transposed. |

The key practical difference: DORA is a regulation and applies uniformly across all Member States from 17 January 2025. NIS2 is a directive and required national transposition by 18 October 2024. Several Member States missed the deadline, creating a fragmented enforcement landscape. Financial entities benefit from DORA’s uniformity.

How to Comply with Both: Practical Approach

For financial entities subject to both DORA and NIS2, the compliance strategy should be:

1. Start with DORA as the baseline. DORA’s requirements are more prescriptive across almost every domain. Building your ICT risk management, incident reporting, testing, and third-party management programs to DORA standards will satisfy most NIS2 requirements automatically.

2. Map NIS2 gaps. Identify areas where NIS2 imposes requirements that DORA does not address or where national NIS2 transposition adds obligations. Common gap areas include broader supply chain security beyond ICT providers, human resources security policies, and certain governance reporting requirements.

3. Align incident reporting channels. Verify with your national authorities whether DORA and NIS2 incident reports can be submitted through a single channel or whether separate notifications are required. Several Member States (notably Germany and France) are consolidating reporting mechanisms.

4. Integrate governance. Both DORA (Art. 5) and NIS2 (Art. 20) require management body engagement with cybersecurity governance. A single board-level oversight framework covering both regulations avoids duplication and ensures consistent accountability.

5. Document the lex specialis analysis. Maintain a documented mapping showing where you apply DORA requirements (as lex specialis) and where you apply NIS2 requirements (for areas outside DORA’s scope). This documentation is essential for demonstrating compliance to both financial sector NCAs and NIS2 authorities.

See how Legiscope helps organisations map overlapping EU compliance requirements and maintain a unified compliance program across GDPR, DORA, and NIS2.

FAQ

Does DORA replace NIS2 for financial entities?

Not entirely. Art. 4 of DORA establishes it as lex specialis, meaning DORA prevails where its requirements overlap with NIS2. But NIS2 still applies to financial entities in areas that DORA does not specifically address, such as certain supply chain security measures beyond ICT providers. Financial entities must comply with both, using DORA as the primary framework and NIS2 to fill gaps.

Which has stricter incident reporting: DORA or NIS2?

DORA is stricter. The initial notification deadline under DORA is 4 hours after classifying a major ICT-related incident, compared to NIS2’s 24-hour early warning requirement. Financial entities that meet DORA’s timeline will automatically satisfy NIS2’s reporting obligations, but may need to submit reports to different authorities depending on national arrangements.

Do financial entities need to comply with NIS2 supply chain requirements?

Yes, to the extent that NIS2’s supply chain security requirements under Art. 21(2)(d) go beyond DORA’s ICT third-party risk management framework. DORA covers ICT service providers comprehensively, but NIS2’s supply chain provisions extend to non-ICT suppliers and service providers. A financial entity should assess whether its broader supply chain (not just ICT vendors) falls within NIS2’s scope.

Can a single compliance program cover both DORA and NIS2?

Yes, and this is the recommended approach. Start by building the compliance program around DORA’s more prescriptive requirements. Then map NIS2 obligations against the DORA framework to identify additional requirements. The governance structures, risk management processes, and incident reporting workflows can be unified, with specific procedures branching only where the regulations diverge.

Written by
Founder of Legiscope and GDPR expert

Doctor of Law from Université Panthéon-Assas (Paris II), with 23 years of experience in digital law and GDPR compliance. Former adviser to the Prime Minister's administration on the implementation of the GDPR. Thiébaut is the founder of Legiscope, an AI-automated GDPR compliance platform.