# NIS2 vs DORA — Key Differences & Overlaps
Both NIS2 and DORA set cybersecurity and operational-resilience requirements for EU organisations, and financial entities often fall under both. The table below is a practical side-by-side comparison.
| Dimension | NIS2 | DORA |
|---|---|---|
| Legal instrument | Directive (transposed nationally) | Regulation (directly applicable) |
| Scope | 18 sectors, all medium/large entities | Financial entities only (21 types) |
| Primary focus | Cybersecurity of network & info systems | ICT operational resilience |
| Regulator | National competent authority | Sector financial supervisor (e.g. ECB, NCAs) |
| Incident reporting | 24h warning / 72h notification | Initial report 4h / intermediate 24h / final 1 month |
| Fines | Up to €10M or 2% turnover (Essential) | Supervisory measures; fines via national law |
| Supply-chain | Supply-chain security measures | ICT third-party risk management + oversight of critical providers |
| Testing | Security measures testing | Advanced TLPT (threat-led penetration testing) for significant entities |
## Frequently asked questions

### What is the difference between NIS2 and DORA?
NIS2 (Directive 2022/2555) is a cross-sector cybersecurity framework covering 18 sectors. DORA (Regulation 2022/2554) is a sector-specific ICT resilience framework for financial entities. DORA takes precedence for financial entities where both apply — but the security obligations are largely complementary.
### Does DORA replace NIS2 for financial institutions?
Partially. NIS2 Article 4 provides that financial entities subject to DORA are considered compliant with NIS2 security obligations for ICT risk management (lex specialis principle). However, NIS2 obligations for incident notification to the national authority may still apply separately.
### Which sectors face both NIS2 and DORA?
Banking (credit institutions), financial market infrastructure (trading venues, CCPs, CSDs), investment firms, payment institutions, insurance undertakings and crypto-asset service providers face DORA obligations. The banking and financial markets sectors also appear in NIS2 Annex I.
### Can I use a single compliance programme for NIS2 and DORA?
Yes — the underlying controls (risk management, incident response, supply-chain security, testing) overlap significantly. NISDESK's gap analysis tool maps NIS2 and DORA requirements together so you can identify shared controls and minimise duplication.
For decision-support purposes only. Consult a qualified expert for regulatory advice.