Why the confusion between DORA and NIS2?
When the EU published the Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) and the revised Network and Information Security Directive (NIS2, Directive (EU) 2022/2555) within weeks of each other in late 2022, many compliance teams were left wondering whether they needed to implement one, the other, or both frameworks. The confusion is understandable: both texts address cyber resilience, both use similar vocabulary around incident reporting, and both impose obligations on third-party ICT providers. Yet their legal nature, sectoral scope, and enforcement mechanisms differ significantly.
This article clarifies the boundary between DORA and NIS2, walks through their overlapping and diverging requirements, and gives you a decision framework to prioritize your compliance roadmap.
Key differences at a glance
| Dimension | DORA | NIS2 |
|---|---|---|
| Legal instrument | Regulation (directly applicable in all EU member states) | Directive (transposed into national law) |
| Applicable sectors | Financial sector only (20 entity types) | 18 sectors across essential and important entities |
| Competent authority | Financial supervisors (ECB, EBA, ESMA, national NCAs) | National CSIRT / NIS authorities |
| Date of application | 17 January 2025 | 17 October 2024 (transposition deadline) |
| ICT third-party oversight | Centralised CTPP oversight framework (EBA/ESMA/EIOPA) | Supply-chain security measures (Art. 21) |
| Incident reporting deadline | 4 hours (initial) / 72 hours (intermediate) / 1 month (final) | 24 hours (early warning) / 72 hours (notification) / 1 month (final) |
| Penalties | Up to 1 % of global daily turnover (per day) | Up to €10 M or 2 % of global turnover (essential entities) |
Scope: who is covered by each regulation?
DORA — financial entities only
DORA's scope is defined in Article 2. It applies to 20 categories of financial entity, including:
- Credit institutions (banks)
- Payment institutions and e-money institutions
- Investment firms and crypto-asset service providers (CASPs)
- Insurance and reinsurance undertakings
- Central counterparties (CCPs) and trade repositories
- Management companies and AIFMs
- ICT third-party service providers that serve the above (designated as Critical Third-Party Providers — CTPPs)
Microenterprises below certain thresholds (< 10 employees and < €2 M turnover) benefit from a simplified regime under Article 16. DORA does not apply to entities outside the financial sector, even if those entities run critical infrastructure.
NIS2 — a broader sectoral sweep
NIS2 (Articles 2–4) extends the original NIS Directive to 18 sectors, split into:
- Highly critical sectors (Annex I): energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management (B2B), public administration, space
- Other critical sectors (Annex II): postal, waste management, chemicals, food, manufacturing (medical devices, electronics, machinery, vehicles), digital providers, research
Member states may add entities at their discretion. Importantly, banking and financial market infrastructure appear in Annex I of NIS2, which means financial entities could theoretically fall under both frameworks.
The lex specialis rule: DORA wins for financial entities
Article 1(2) of DORA explicitly addresses the overlap: where financial entities subject to DORA are also in scope of NIS2 (Annex I), DORA takes precedence as lex specialis. Financial entities comply with DORA, and that compliance is deemed to satisfy the equivalent NIS2 obligations for their sector. This avoids double regulation for banks and insurers.
Practically, however, a financial group that also operates entities outside the financial sector (e.g., a telecom subsidiary or a healthcare fintech arm) must assess each legal entity separately: the financial entities follow DORA; the non-financial entities follow the NIS2 transposition in each member state.
Overlapping obligations: what looks similar but isn't
ICT incident management
Both DORA and NIS2 impose mandatory incident reporting, but the thresholds and recipients differ:
- Under DORA (Articles 17–23), "major ICT-related incidents" are reported to the competent financial supervisor using the standardised templates published by the Joint Committee of EBA, ESMA, and EIOPA. The 4-hour initial notification clock starts from the entity's classification of the incident as major.
- Under NIS2 (Article 23), "significant incidents" are reported to the national CSIRT or competent authority. The 24-hour early-warning starts from the entity becoming aware of the incident.
The difference in trigger points matters: DORA's classification step gives a small practical buffer; NIS2's awareness trigger is stricter.
ICT third-party risk
DORA's third-party risk chapter (Articles 28–44) is far more prescriptive than NIS2's supply-chain measure (Article 21(2)(d)):
- DORA mandates contractual clauses with all ICT providers (Art. 30), a mandatory Register of Information (Art. 28), and exit strategies.
- For CTPPs, the Joint Oversight Network (JON) led by EBA/ESMA/EIOPA can conduct direct inspections of cloud and data-centre providers — a power that has no NIS2 equivalent.
Governance and testing
| Obligation | DORA reference | NIS2 equivalent |
|---|---|---|
| Management body accountability | Art. 5 | Art. 20 |
| ICT risk management framework | Arts. 6–10 | Art. 21 (risk management measures) |
| Penetration testing | Art. 26 (TLPT — Threat-Led Penetration Testing) | Art. 21(2)(m) (general security testing) |
| Business continuity | Art. 11 | Art. 21(2)(c) |
DORA's Threat-Led Penetration Testing (TLPT) regime — based on the TIBER-EU framework — requires red-team exercises every three years for significant entities. NIS2 refers to "security testing" more generically, leaving specifics to member states.
Decision framework: which regulation applies to you?
Use this three-step test:
- Are you a financial entity listed in DORA Art. 2? If yes → DORA is your primary framework. Check whether a simplified regime applies (microenterprise threshold).
- Do you also operate non-financial entities or subsidiaries in a NIS2 Annex I/II sector? If yes → those entities are separately subject to NIS2 as transposed in each member state.
- Are you an ICT provider serving financial entities? If yes → you may be designated a CTPP under DORA regardless of NIS2 status. Monitor the CTPP designation process managed by the Joint Oversight Network.
For pure-play non-financial companies (retailers, manufacturers, hospitals, universities), DORA is irrelevant; NIS2 transposition in your member state is your framework.
Practical compliance roadmap
For financial entities (DORA primary)
- Complete your ICT risk management framework gap analysis against the EBA/ESMA/EIOPA Joint Guidelines (published December 2023).
- Build your Register of Information for all ICT third-party contracts — required by DORA Art. 28(3) and requested by competent authorities as of January 2025.
- Map your incident classification criteria to the thresholds in the RTS on major incident classification (Commission Delegated Regulation (EU) 2024/1772).
- Plan TLPT exercises aligned with your national TIBER programme.
For non-financial companies (NIS2 primary)
- Identify your entity classification (essential vs. important) under the national transposition law — thresholds vary slightly by member state.
- Implement the ten security measures of Art. 21, including supply-chain risk policies and cryptography standards.
- Register with your national NIS authority (registration deadlines vary; most required by Q1 2025).
For ICT providers serving both sectors
- Maintain a dual-track programme: DORA contractual obligations for financial clients, NIS2 supply-chain security measures for non-financial clients.
- Standardise your incident notification runbooks to handle both the 4-hour DORA trigger and the 24-hour NIS2 trigger.
Summary
DORA and NIS2 are complementary, not competing frameworks. DORA governs the digital resilience of the EU financial sector with surgical precision; NIS2 covers a broad set of critical sectors with a directive-based, member-state-implemented approach. The lex specialis rule resolves most overlap for financial entities, but ICT providers and conglomerates straddling both worlds need a unified compliance programme that satisfies both.
Understanding exactly which obligations apply — and in which timeline — is the first step toward building a defensible, audit-ready resilience posture.