
NIS2 vs. DORA: What's the Difference and Do You Need to Comply With Both?

By NIS2Certify
Tags: nis2, dora, financial-sector, compliance, regulation-comparison

Two EU regulations. Both about cybersecurity. Both with tight deadlines. If you're in the financial sector, you've probably heard of both NIS2 and DORA — but you may not be sure how they differ, whether they overlap, and which one takes priority.

The short answer: DORA takes priority for financial entities, but NIS2 still matters for your ICT suppliers. This article gives you the full picture.


What are NIS2 and DORA?

NIS2 (Directive 2022/2555) is a broad EU directive covering cybersecurity risk management across 18 sectors — including but not limited to the financial sector. It requires essential and important entities to implement 10 cybersecurity measures and to report incidents within strict deadlines, and it establishes personal liability for board members.

DORA (Regulation 2022/2554) — the Digital Operational Resilience Act — is a sector-specific regulation exclusively for the financial sector. It covers banks, insurance companies, investment firms, payment providers, crypto-asset service providers, and their critical ICT third-party providers.

NIS2 vs ISO 27001 — Requirements Comparison

NIS2 Only
  • Mandatory incident reporting to authorities (24h / 72h)
  • Board-level personal liability for cybersecurity
  • Supply chain security obligations for essential entities
  • Sector-specific regulatory obligations

Shared Requirements
  • Information security risk management
  • Access control and identity management
  • Business continuity and disaster recovery
  • Security awareness and training

ISO 27001 Only
  • Internal audit and management review cycles
  • Statement of Applicability (SoA) documentation
  • Formal certification and third-party audit

The "Shared Requirements" list shows requirements that both NIS2 and ISO 27001 share.


Key differences at a glance

Type
  NIS2: Directive (must be transposed into national law)
  DORA: Regulation (directly applicable)

Scope
  NIS2: 18 sectors across the economy
  DORA: Financial sector only

Applicable since
  NIS2: Transposition deadline: Oct 2024 (status per country)
  DORA: 17 January 2025 — directly applicable

Risk management
  NIS2: 10 Article 21 measures (broad)
  DORA: Detailed ICT risk management framework (prescriptive)

Incident reporting
  NIS2: 24h / 72h / 1 month to national authority
  DORA: 4h initial / 72h intermediate / 1 month final to competent authority

Third-party risk
  NIS2: Supply chain security requirements
  DORA: Comprehensive ICT third-party risk management + oversight of critical providers

Testing
  NIS2: Effectiveness assessment required
  DORA: Mandatory threat-led penetration testing (TLPT) for significant entities

Board role
  NIS2: Personal liability, training required
  DORA: Board must approve ICT risk framework, training required

Penalties
  NIS2: Up to €10M or 2% global turnover
  DORA: Defined by national financial supervisors; administrative penalties and periodic penalty payments

The lex specialis principle: DORA takes priority

Article 4 of NIS2 explicitly states that where sector-specific EU legislation provides for cybersecurity requirements that are at least equivalent to those in NIS2, the sector-specific legislation takes precedence. This is the lex specialis principle.

DORA is recognised as such sector-specific legislation for the financial sector. In practice, this means:

  • Financial entities (banks, insurers, investment firms, etc.) primarily comply with DORA, not NIS2
  • Where DORA is silent on a topic that NIS2 covers, NIS2 may still apply as a fallback
  • ICT third-party providers to the financial sector may face requirements under both NIS2 and DORA

Does NIS2 Apply to Your Organisation?

Answer the following three questions:

  1. Does your organisation operate in an essential or important sector (energy, transport, health, digital infrastructure, etc.)?
  2. Does your organisation have 50 or more employees, or an annual turnover exceeding €10 million?
  3. Is your organisation a critical infrastructure provider or a qualified trust service provider?

Depending on your answers, one of the following outcomes applies:

  • NIS2 applies to your organisation as an Essential or Important Entity.
  • NIS2 may apply to your organisation — seek legal advice to confirm your status.
  • NIS2 does not directly apply to your organisation.

Where they overlap — and where they diverge

ICT risk management

NIS2 requires broad cybersecurity risk management through 10 measures but leaves significant room for interpretation.

DORA is far more prescriptive. It requires a comprehensive ICT risk management framework with specific requirements for identification, protection, detection, response, recovery, and learning. DORA also mandates specific policies, governance structures, and reporting lines.

Bottom line: If you comply with DORA's ICT risk management framework, you exceed NIS2 requirements in this area.

Incident reporting

This is where the divergence is most notable:

Initial notification
  NIS2: Within 24 hours
  DORA: Within 4 hours of classification

Follow-up report
  NIS2: Within 72 hours
  DORA: Within 72 hours

Final report
  NIS2: Within 1 month
  DORA: Within 1 month

DORA's 4-hour initial notification is significantly tighter than NIS2's 24-hour window. If you're a financial entity, DORA's timeline is the one you must meet.

Important: Under DORA, you report to your financial supervisory authority (e.g., ECB, national central bank, or financial market authority). Under NIS2, you report to your national competent authority and CSIRT. If both apply, you may need to report to different authorities.

Third-party and supply chain risk

Both regulations address supply chain security, but DORA goes much further:

  • NIS2 requires supply chain security assessments of direct suppliers
  • DORA requires a full ICT third-party risk management framework, including:
    • Register of all ICT third-party arrangements
    • Pre-contractual risk assessments
    • Mandatory contractual clauses (access rights, exit strategies, audit rights)
    • Ongoing monitoring of ICT third-party performance
    • EU oversight framework for critical ICT third-party providers (CTPPs)

The CTPP oversight is unique to DORA — the European Supervisory Authorities (ESAs) can directly supervise ICT providers deemed critical to the financial sector.

Testing and resilience

NIS2 requires effectiveness assessment (measure 6) but doesn't prescribe specific testing methodologies.

DORA mandates:

  • Regular ICT testing programmes
  • Threat-Led Penetration Testing (TLPT) at least every 3 years for significant financial entities
  • Testing must cover critical ICT systems and follow the TIBER-EU framework or equivalent

Scenarios: which framework applies to you?

Scenario 1: You're a bank

Primary framework: DORA
NIS2 role: Fallback where DORA is silent
Action: Focus on DORA compliance. NIS2 gap analysis for areas DORA doesn't explicitly cover.

Scenario 2: You're an MSP serving banks

Primary framework: NIS2 (you're in Annex I as ICT service management B2B) — see our NIS2 for MSPs guide
DORA role: Your financial customers will impose DORA-level requirements on you contractually
Action: Comply with NIS2 for your own obligations. Prepare for DORA-level contractual requirements from financial clients.

Scenario 3: You're a cloud provider to multiple sectors

Primary framework: NIS2 (if you meet the size threshold — check here)
DORA role: If you're designated as a Critical ICT Third-Party Provider (CTPP), you fall under direct ESA oversight
Action: Comply with NIS2. Monitor whether ESAs designate you as a CTPP.

Scenario 4: You're in energy, healthcare, or another non-financial NIS2 sector

Primary framework: NIS2 only
DORA role: Does not apply to you
Action: Focus entirely on NIS2. Start with our overview of the 10 Article 21 measures.


What to do if both apply

If your organisation faces requirements under both NIS2 and DORA:

  1. Map both frameworks — identify which requirements come from NIS2 and which from DORA
  2. Comply with the stricter standard — where both cover the same topic, the stricter requirement satisfies both (usually DORA)
  3. Track reporting obligations separately — different authorities, different timelines, different formats
  4. Use DORA as the baseline — if you're DORA-compliant, you're likely NIS2-compliant on most measures. Run a gap analysis for NIS2-specific areas DORA doesn't cover.
  5. Document everything — both frameworks require demonstrable compliance

Key takeaway

NIS2 and DORA are complementary, not competing. DORA is the specialist regulation for financial entities, while NIS2 covers the broader economy. If you're in the financial sector, DORA is your primary obligation — but NIS2 still matters for your supply chain, for your ICT providers, and as a fallback where DORA is silent.

The organisations that will navigate this best are those that build a unified cyber resilience framework that satisfies both — rather than treating them as two separate compliance exercises.


Find out where you stand on NIS2

Our free NIS2 quickscan assesses your organisation against all 10 Article 21 measure categories. If you're navigating both NIS2 and DORA, the scan shows you where your NIS2-specific gaps are — so you can focus your effort where it matters.

Take the free quickscan →
