DORA vs NIS2
Comparing the EU's financial sector digital resilience framework with its cross-sector cybersecurity directive
Quick Comparison
Side-by-side overview of key regulatory dimensions
Legal instrument
DORA: Regulation (EU) 2022/2554, directly applicable in all Member States
NIS2: Directive (EU) 2022/2555, which requires national transposition by each Member State

Scope
DORA: Financial sector only: banks, insurers, investment firms, payment institutions, crypto-asset service providers, and critical ICT third-party providers
NIS2: Cross-sector: essential and important entities across 18 sectors including energy, transport, health, digital infrastructure, public administration, and more

Objective
DORA: Ensure digital operational resilience of financial entities against ICT disruptions and cyberattacks
NIS2: Achieve a high common level of cybersecurity across the EU for network and information systems

Risk management approach
DORA: Detailed ICT risk management framework with prescriptive requirements for identification, protection, detection, response, recovery, and learning
NIS2: Risk-based approach requiring appropriate technical, operational, and organisational measures proportionate to the risk

Incident reporting
DORA: Three-stage reporting to financial supervisors: initial notification (within 4 hours of classification), intermediate report (within 72 hours), and final report (within 1 month)
NIS2: Early warning within 24 hours, full incident notification within 72 hours, and final report within 1 month to national CSIRTs or competent authorities

Resilience testing
DORA: Mandatory digital operational resilience testing programme including threat-led penetration testing (TLPT) every 3 years for significant entities
NIS2: No specific testing regime prescribed; security measures must be appropriate, but testing requirements are left to national implementation

Third-party and supply chain risk
DORA: Comprehensive third-party ICT risk framework including mandatory contractual provisions, a register of third-party providers, and EU-level oversight of critical ICT providers
NIS2: Supply chain security requirements including due diligence on suppliers, but less prescriptive than DORA on specific contractual and oversight mechanisms

Penalties
DORA: Determined by Member States; for critical ICT providers, up to 1% of average daily worldwide turnover per day of non-compliance (max 6 months)
NIS2: Essential entities: up to EUR 10 million or 2% of worldwide annual turnover; important entities: up to EUR 7 million or 1.4% of worldwide annual turnover
Key Differences
What sets these regulations apart
DORA is lex specialis for financial services
DORA takes precedence over NIS2 for financial entities. Where both instruments cover the same ground, such as incident reporting or cybersecurity risk management, financial entities must follow DORA's more prescriptive requirements rather than the NIS2 equivalents.
NIS2 covers 18 sectors, not just finance
NIS2 applies broadly across energy, transport, health, water, digital infrastructure, public administration, space, postal services, waste management, manufacturing, food, and chemicals, far beyond DORA's financial sector focus.
DORA mandates advanced penetration testing
DORA requires significant financial entities to conduct threat-led penetration testing (TLPT) following the TIBER-EU framework at least every three years. NIS2 does not prescribe a specific testing methodology or frequency.
NIS2 establishes explicit maximum fine thresholds
NIS2 sets clear maximum penalty levels (EUR 10 million or 2% turnover for essential entities), while DORA leaves most penalty amounts to national discretion, only specifying periodic penalties for critical ICT providers.
DORA creates a direct EU oversight framework for critical ICT providers
DORA establishes a unique Lead Overseer mechanism through which European Supervisory Authorities directly supervise critical ICT third-party service providers. NIS2 relies on national competent authorities for enforcement.
NIS2 introduces personal liability for senior management
NIS2 explicitly allows Member States to hold management bodies personally liable for compliance failures and to temporarily ban individuals from management roles. DORA requires management accountability but does not go as far on personal liability provisions.
Where They Overlap
Areas where both regulations share common ground
Both require organisations to implement comprehensive cybersecurity risk management measures with governance at the highest management level
Both mandate timely incident reporting to competent authorities with multi-stage notification processes
Both address supply chain and third-party risk management as critical components of cybersecurity posture
Both hold senior management responsible and accountable for cybersecurity governance and compliance
Both encourage information sharing about cyber threats between entities to strengthen collective resilience
Which Applies to You?
Common scenarios and which regulation takes precedence
You are a bank or insurance company operating in the EU
DORA is your primary compliance obligation and takes precedence as lex specialis. However, you should also assess NIS2 for any aspects not specifically covered by DORA, particularly where your Member State's NIS2 transposition adds requirements.
You are a technology company providing cloud services to financial institutions
You may be subject to both DORA (as a critical ICT third-party provider to the financial sector) and NIS2 (as a digital infrastructure provider). You need to meet DORA's contractual and oversight requirements from your financial clients while also complying with NIS2 obligations.
You are a healthcare provider or energy company in the EU
NIS2 is your primary cybersecurity regulation. DORA does not apply to your sector. Focus on NIS2 risk management, incident reporting, and supply chain security requirements as transposed in your Member State.
You are a fintech company that also provides digital infrastructure services
You likely fall under both DORA and NIS2. Map the overlapping requirements carefully: DORA prevails for your financial services activities, while NIS2 applies to your broader digital infrastructure role. An integrated compliance approach will reduce duplication.