NISDESK

NIS2 vs DORA — Key Differences & Overlaps

Both NIS2 and DORA set cybersecurity and operational resilience requirements for EU organisations. Financial entities often face both. Here is a practical comparison.

Legal instrument
  NIS2: Directive (EU) 2022/2555, transposed into national law by each Member State
  DORA: Regulation (EU) 2022/2554, directly applicable without transposition

Scope
  NIS2: 18 sectors (Annex I and Annex II); medium and large entities by default, with some size-independent inclusions
  DORA: Financial entities only (the 21 types listed in Article 2)

Primary focus
  NIS2: Cybersecurity of network and information systems
  DORA: ICT operational resilience, including ICT third-party risk

Regulator
  NIS2: National competent authority designated under the transposing law
  DORA: Sectoral financial supervisor (e.g. ECB for significant banks, national competent authorities), with the ESAs coordinating

Incident reporting
  NIS2: Early warning within 24h, incident notification within 72h, final report within 1 month
  DORA: Initial notification within 4h of classifying the incident as major (and no later than 24h after detection), intermediate report within 72h of the initial notification, final report within 1 month

Fines
  NIS2: Essential entities up to €10M or 2% of worldwide annual turnover, whichever is higher; important entities up to €7M or 1.4%
  DORA: Supervisory measures and penalties defined by national law; the ESAs can impose periodic penalty payments on critical ICT third-party providers

Supply chain
  NIS2: Supply-chain security as one of the mandatory risk-management measures
  DORA: ICT third-party risk management (contractual requirements, register of information) plus Union-level oversight of critical ICT third-party providers

Testing
  NIS2: Policies and procedures to test and assess the effectiveness of security measures
  DORA: Digital operational resilience testing programme for all entities; advanced threat-led penetration testing (TLPT) at least every three years for entities designated by their supervisor
Lex specialis: NIS2 Article 4 displaces NIS2 provisions where a sector-specific Union act imposes at least equivalent requirements, and DORA Article 1(2) declares DORA to be such an act. For financial entities covered by DORA, the NIS2 rules on risk management (Article 21) and incident reporting (Article 23) therefore do not apply; instead, DORA Article 19 requires the financial supervisor to forward major incident reports to the NIS2 authorities and CSIRTs. Any residual NIS2 duties (for example registration, or obligations attached to a non-financial service the same entity also provides) depend on the national transposition and should be checked.

Frequently asked questions

What is the difference between NIS2 and DORA?

NIS2 (Directive (EU) 2022/2555) is a cross-sector cybersecurity framework covering 18 sectors. DORA (Regulation (EU) 2022/2554) is a sector-specific ICT resilience framework for financial entities. Where a financial entity falls under both, DORA applies as the lex specialis for risk management and incident reporting, but the underlying controls the two frameworks demand are largely the same.

Does DORA replace NIS2 for financial institutions?

Largely, for the core obligations. Under NIS2 Article 4 (lex specialis) and DORA Article 1(2), the NIS2 provisions on cybersecurity risk-management measures (Article 21) and incident reporting (Article 23) do not apply to financial entities covered by DORA. Incident reports go to the financial supervisor under DORA Article 19, which shares them with the NIS2 authorities and CSIRTs. Whether any other NIS2 obligations remain depends on how the Member State has transposed the Directive, so verify with the national authority.

Which sectors face both NIS2 and DORA?

Banking (credit institutions), financial market infrastructure (trading venues, CCPs, CSDs), investment firms, payment institutions, insurance undertakings and crypto-asset service providers all face DORA obligations. Of these, credit institutions (the NIS2 "banking" sector) and operators of trading venues and CCPs (the NIS2 "financial market infrastructures" sector) also appear in NIS2 Annex I, so for them DORA takes over the risk-management and incident-reporting provisions as lex specialis.

Can I use a single compliance programme for NIS2 and DORA?

Yes — the underlying controls (risk management, incident response, supply-chain security, testing) overlap significantly. NISDESK's gap analysis tool maps NIS2 and DORA requirements together so you can identify shared controls and minimise duplication.

Check your NIS2 scope in 30 seconds

Free scope check →
DORA readiness →

For decision-support purposes only. Consult a qualified expert for regulatory advice.