At a glance

Quick Comparison Table

Before going into the detail, here is a side-by-side summary of the two regulations across the dimensions that matter most for compliance planning.

| Dimension | DORA (EU 2022/2554) | NIS2 (EU 2022/2555) |
| --- | --- | --- |
| Legal form | Regulation (directly applicable) | Directive (transposed by member states) |
| Sector focus | Financial services only | 18 sectors including energy, transport, health, digital infrastructure |
| Primary entities | ~22,000 EU financial entities + critical ICT providers | Essential and important entities across all 18 sectors |
| Effective date | 17 January 2025 | 18 October 2024 (member state transposition deadline) |
| Core focus | Digital operational resilience (ICT risk, testing, third parties) | Broad cybersecurity risk management and incident reporting |
| Testing requirements | Annual basic testing + TLPT every 3 years for designated entities | General obligation for appropriate technical measures; no TLPT |
| Third-party oversight | Detailed: Register of Information, mandatory contract clauses, CTPP oversight | General supply chain risk management |
| Incident reporting | 4h initial / 72h intermediate / 1 month final to NCA | 24h early warning / 72h notification to CSIRT |
| Penalties | Set by NCAs under existing powers; CTPP fines up to 1% daily turnover | Up to EUR 10M or 2% turnover (essential); EUR 7M or 1.4% (important) |
| Supervisory model | Financial supervisors (ECB, EBA, ESMA, EIOPA) + Lead Overseers for CTPPs | National cybersecurity authorities + CSIRTs |

DORA

DORA: Purpose and Scope

DORA is an EU regulation (directly applicable, no transposition needed) that focuses exclusively on the financial sector. Its purpose is to ensure that financial entities can withstand, respond to, and recover from ICT-related disruptions. It addresses the systemic risk that arises when the financial sector depends heavily on a small number of critical technology providers.

DORA applies to around 22,000 financial entities in the EU, including banks, insurers, investment firms, payment institutions, electronic money institutions, crypto-asset service providers, central counterparties, and credit rating agencies. It also brings critical ICT third-party service providers (CTPPs) under direct EU-level oversight for the first time.

The regulation is organised around five pillars: ICT risk management (Art. 5-16), incident management and reporting (Art. 17-23), digital resilience testing (Art. 24-27), third-party ICT risk management (Art. 28-44), and information sharing (Art. 45). Each pillar is supported by Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) that provide detailed implementation guidance. For a complete overview, see our DORA compliance guide.

DORA's key strength is its specificity. Rather than setting broad cybersecurity principles, it prescribes detailed requirements: exactly when incident reports are due, what must be in a Register of Information, what contract clauses are mandatory for critical provider agreements, and how TLPT must be conducted. This precision is a defining difference from NIS2.


NIS2

NIS2: Purpose and Scope

NIS2 (Directive 2022/2555) is the successor to the original NIS Directive and represents the EU's cross-sector approach to cybersecurity. Unlike DORA, NIS2 is a directive, meaning each EU member state must transpose it into national law. This results in some variation in how requirements are applied across the EU.

NIS2 applies across 18 sectors, divided into essential entities (energy, transport, banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, space) and important entities (postal services, waste management, chemicals, food, manufacturing, digital providers, research). The scope is significantly broader than DORA.

The directive requires entities to adopt appropriate and proportionate technical, operational, and organisational measures to manage cybersecurity risk. It mandates incident reporting to CSIRTs (Computer Security Incident Response Teams) with an early warning within 24 hours and a full notification within 72 hours. It also requires supply chain risk management and governance accountability at the management body level.

NIS2 gives member states flexibility in implementation, which means the detailed obligations can vary. Some member states have added sector-specific requirements, registration obligations, or enhanced penalties beyond the directive's minimum. Entities operating across multiple EU jurisdictions may face different NIS2 implementations in each country.


Differences

Key Differences Between DORA and NIS2

While both regulations aim to improve cybersecurity and operational resilience, they differ in several important ways that affect how organisations approach compliance.

Sector specificity vs broad coverage. DORA is designed exclusively for financial services, with requirements tailored to the specific risks and operational characteristics of the sector. NIS2 covers 18 sectors with a one-size-fits-many approach. DORA's requirements are correspondingly more detailed and prescriptive than NIS2's principles-based approach.

Testing requirements. DORA mandates a structured testing programme with specific testing methods (vulnerability assessments, network security reviews, scenario testing, source code reviews, performance testing) and requires TLPT for designated entities. NIS2 requires entities to evaluate the effectiveness of their cybersecurity measures but does not prescribe specific testing methodologies or mandate penetration testing. This is one of the most significant practical differences between the two regulations.

Third-party oversight. DORA's treatment of third-party risk is among the most detailed in any regulation globally. It requires a Register of Information on all ICT arrangements, mandatory contract clauses for critical provider agreements, pre-contract risk assessments, concentration risk monitoring, and exit strategies. CTPPs are subject to direct EU-level oversight by Lead Overseers. NIS2 addresses supply chain risk management in more general terms, requiring entities to consider the cybersecurity practices of their suppliers without the same level of prescription.

Incident reporting timelines. DORA requires an initial notification within 4 hours of classifying an incident as major (and no later than 24 hours after detection), an intermediate report within 72 hours, and a final report within one month. NIS2 requires an early warning within 24 hours and a notification within 72 hours. The DORA timeline is shorter for the initial report, reflecting the systemic importance of financial services disruptions.

Legal form. DORA is a regulation, meaning it applies uniformly across all EU member states without transposition. NIS2 is a directive, meaning member states have discretion in how they implement it. This creates potential inconsistencies in NIS2 requirements across jurisdictions, while DORA requirements are the same everywhere.

Penalties. NIS2 sets explicit maximum fines at the EU level (up to EUR 10 million or 2% of global turnover for essential entities). DORA leaves penalty determination to national supervisors under their existing powers, which can include fines, cessation orders, and personal liability for management body members. For CTPPs, DORA introduces periodic penalty payments of up to 1% of average daily worldwide turnover.


Overlap

Where DORA and NIS2 Overlap

Despite their different scopes, DORA and NIS2 share several common themes. Organisations that comply with one regulation will find significant overlap with the other.

1. Risk Management Frameworks

Both regulations require entities to establish and maintain risk management frameworks that cover identification, protection, detection, response, and recovery. The underlying approach aligns with established frameworks such as ISO 27001 and the NIST Cybersecurity Framework.

2. Incident Reporting

Both require timely reporting of significant incidents to competent authorities, though the timelines, recipients (financial NCA under DORA, CSIRT under NIS2), and reporting formats differ. An entity that meets DORA's stricter 4-hour deadline will generally satisfy NIS2's 24-hour early warning timeline as well, but it should still confirm where and in what form the report must be delivered.

3. Governance Accountability

Both regulations place responsibility on the management body for cybersecurity and operational resilience. Both require board-level oversight, regular reporting, and personal accountability for the adequacy of risk management arrangements.

4. Supply Chain Risk

Both require entities to manage risk from third-party service providers. DORA is far more prescriptive (Register of Information, mandatory contract clauses, CTPP oversight), but the underlying principle of supply chain risk management is common to both regulations.


Legal hierarchy

Lex Specialis: DORA Overrides NIS2 for Financial Entities

The relationship between DORA and NIS2 is resolved by the lex specialis principle, which is explicitly established in Art. 1(2) of NIS2. This provision states that where sector-specific EU legal acts require financial entities to adopt ICT risk management measures or report incidents, and where those requirements are at least equivalent to NIS2, the sector-specific requirements apply instead.

What lex specialis means in practice

If you are a financial entity subject to DORA, you comply with DORA's ICT risk management, incident reporting, and testing requirements rather than the equivalent provisions of NIS2. You do not need to duplicate your incident reports to both a financial supervisor and a CSIRT (unless your member state has specified otherwise in its NIS2 transposition). DORA is your primary compliance framework, and NIS2 fills any gaps where DORA does not provide equivalent requirements.

The lex specialis principle does not mean financial entities can ignore NIS2 entirely. NIS2 may impose requirements in areas that DORA does not cover or does not cover to the same level of detail. For example, some member states may have transposed NIS2 with broader supply chain requirements that extend beyond ICT providers, or with specific obligations around CSIRT cooperation that do not have a direct DORA equivalent. Financial entities should map both sets of requirements and identify any NIS2 provisions that go beyond DORA.

ICT third-party service providers that serve both financial and non-financial clients may find themselves subject to DORA (through their financial entity clients or through CTPP designation) and NIS2 (as digital infrastructure or ICT service management entities). For these organisations, a unified compliance programme that addresses both regulations is the most efficient approach.


Guidance

Practical Implications for Dual-Regulated Entities

If your organisation is subject to both DORA and NIS2, the following approach will help you manage compliance efficiently without duplicating effort.

Build on DORA first. For financial entities, DORA is the more prescriptive regulation. A comprehensive DORA compliance programme will cover the majority of NIS2 requirements. Start with DORA and use NIS2 as a gap-check overlay. DORA GRC is designed around this approach, covering all five DORA pillars with the depth the regulation demands.

Map the gaps. Review your member state's NIS2 transposition to identify any requirements that go beyond DORA. Common areas where NIS2 may add requirements include broader supply chain obligations, specific CSIRT reporting or cooperation duties, registration requirements, and cross-sector information sharing obligations. Document these gaps and address them within your existing framework rather than building a separate compliance programme.

Consolidate incident reporting. While DORA requires reporting to your financial NCA and NIS2 requires reporting to your CSIRT, some member states have established single-window mechanisms or information-sharing agreements between the two authorities. Check with your NCA whether a single incident report can satisfy both obligations, or whether separate notifications are required.

Align governance reporting. Both regulations require management body oversight. A single board report that covers ICT risk management, incident trends, testing results, and third-party risk can satisfy both DORA and NIS2 governance requirements. The board report module in DORA GRC generates this reporting from the same data that feeds your DORA compliance programme.

Monitor regulatory developments. Both DORA and NIS2 are relatively new. ESA guidance, NCA supervisory expectations, and member state NIS2 implementations continue to evolve. Keep your compliance programme responsive to new guidance, and review the mapping between DORA and NIS2 at least annually. The DORA gap analysis tool can help you identify areas that need attention.


FAQ

Frequently Asked Questions

Yes, for the areas where DORA and NIS2 overlap. Art. 1(2) of NIS2 establishes DORA as lex specialis, meaning it takes precedence over NIS2 for financial entities where the requirements are at least equivalent. However, financial entities may still need to comply with certain NIS2 provisions that go beyond DORA's scope, depending on their member state's transposition. The safest approach is to comply fully with DORA and then gap-check against your national NIS2 implementation.

In most areas, yes. Both regulations require risk management frameworks, incident reporting, governance accountability, and supply chain risk management. A financial entity with a comprehensive DORA compliance programme will meet the majority of NIS2 requirements. However, some member state NIS2 transpositions may add requirements around broader supply chain security, CSIRT cooperation, or registration that DORA does not address. We recommend mapping both frameworks and building a single, unified compliance programme.

NIS2 defines maximum administrative fines at the EU level: up to EUR 10 million or 2% of global annual turnover for essential entities, and up to EUR 7 million or 1.4% of turnover for important entities. DORA does not set specific fine amounts at the EU level; penalties are determined by national competent authorities under their existing supervisory powers, which can include fines, public reprimands, orders to cease activities, and personal liability for management body members. For critical ICT third-party providers, DORA can impose periodic penalty payments of up to 1% of average daily worldwide turnover.

DORA takes precedence over NIS2 for financial entities under the lex specialis principle. Where both regulations impose overlapping requirements, the DORA provisions apply. NIS2 requirements only apply to financial entities in areas where DORA does not provide equivalent or more specific rules. Financial entities should build their compliance programme around DORA and use NIS2 as a supplementary reference for any areas DORA does not cover.