Key Takeaway: Most financial entities subject to DORA are explicitly carved out from NIS2's operational requirements under the lex specialis principle. But the boundary is not clean, and some entities face dual obligations. Understanding where you stand is critical.

Since DORA entered into application in January 2025, European financial firms have been navigating two overlapping EU cybersecurity frameworks simultaneously. NIS2 applies to critical infrastructure broadly. DORA applies specifically to financial entities and their ICT third-party providers.

This article compares the two frameworks, clarifies who must comply with what, maps the shared obligations, and identifies the DORA-specific requirements that go beyond NIS2.

What is DORA?

The Digital Operational Resilience Act (Regulation (EU) 2022/2554) is a sector-specific EU regulation that establishes binding cybersecurity and ICT resilience requirements for financial entities. It applies to:

  • Credit institutions (banks)
  • Payment institutions
  • Investment firms
  • Insurance and reinsurance undertakings
  • Crypto-asset service providers (CASPs)
  • Central securities depositories
  • Central counterparties
  • Trading venues
  • ICT third-party service providers (critical designation)
  • Credit rating agencies

The lex specialis carve-out: who falls under which regulation?

NIS2 Article 4 establishes that where sector-specific EU acts impose cybersecurity requirements of "at least equivalent effect," those acts take precedence. DORA qualifies as such a lex specialis instrument for financial entities.

| Entity type | NIS2 | DORA | Note |
|---|---|---|---|
| Banks and credit institutions | Partially carved out | Primary framework | NIS2 registration and reporting obligations still apply in some member states |
| Insurance undertakings | Partially carved out | Primary framework | Same nuances apply |
| FinTech payment firms | May apply if sector threshold met | Applies | Check national implementation carefully |
| Critical ICT providers to finance | May apply | CTPP oversight | Dual exposure possible |
| Non-financial firms serving finance | Applies if in NIS2 sector | Not directly | But DORA flows down via contracts |

Important nuance: "Carved out" does not mean NIS2 does not apply at all. Member states have implemented the boundary differently. In several EU countries, financial entities still face NIS2 registration obligations and must notify the national CSIRT as well as their financial supervisor for significant incidents. Get country-specific advice.

The overlap: requirements both frameworks share

Both NIS2 and DORA stem from the same EU policy objective: making critical sectors resilient to cyber threats. Their technical requirements overlap significantly:

Shared core requirements

  • ICT risk management framework
  • Incident detection, reporting, and response
  • Business continuity and disaster recovery
  • Supply chain and third-party risk management
  • Cryptography and access control
  • Security awareness training
  • Vulnerability management and patching
  • Management body accountability and oversight

What DORA adds: requirements beyond NIS2

DORA is more prescriptive than NIS2 in several important areas. These are the requirements that purely NIS2-focused organizations do not face:

Digital operational resilience testing (TLPT)

DORA requires Threat-Led Penetration Testing (TLPT) for significant financial entities. Unlike generic pen testing, TLPT follows the TIBER-EU methodology, involves intelligence-led threat scenarios, and must be conducted by independent external testers. NIS2 has no equivalent mandatory testing requirement.

Critical ICT third-party provider (CTPP) oversight

DORA establishes a direct EU-level oversight regime for ICT providers designated as critical (cloud hyperscalers, data analytics firms, etc.). These CTPPs are supervised directly by lead overseers (ESAs). NIS2 has no equivalent centralized provider oversight mechanism.

Information sharing arrangements

DORA Article 45 specifically encourages financial entities to participate in cyber threat intelligence sharing arrangements. While NIS2 mentions information sharing, DORA establishes formal mechanisms for the financial sector through the European Systemic Risk Board (ESRB).

Highly prescriptive ICT contract requirements

DORA specifies in detail what must appear in contracts with ICT providers, including exit strategies, service level agreements, audit rights, and data location. NIS2 requires supply chain security clauses, but with considerably less prescription. DORA's Annex lists specific mandatory contract elements.

Major ICT incident reporting to financial supervisors

Under DORA, major ICT-related incidents must be reported to the competent financial authority (e.g. ECB for significant banks, national banking regulator for others) via a specific three-stage process with defined classification criteria and RTS-governed report templates. NIS2 reporting goes to national CSIRTs, not financial supervisors.

Building a unified compliance program

For financial entities facing both frameworks, the practical approach is to build around DORA as the primary framework, then layer in NIS2-specific obligations where they add requirements:

Unified compliance strategy

1. Confirm your regulatory scope

Determine which DORA entity category you fall into, and whether your member state's NIS2 implementation creates additional obligations alongside DORA. The answer varies by country.

2. Build your ICT risk management framework to DORA standards

DORA's ICT risk management requirements (Chapter II) are more detailed than NIS2's Article 21. A DORA-compliant framework will satisfy NIS2's risk management requirements as well.

3. Design your incident classification to cover both reporting paths

DORA and NIS2 use different severity classification criteria and report to different authorities. Map events to both sets of criteria and build dual-track reporting procedures into your incident response plan.

4. Use DORA ICT contract templates, add NIS2 supplier clauses

DORA's contract requirements are more specific, so build from DORA's Annex. Add incident notification and right-to-audit clauses that explicitly reference NIS2 obligations for completeness.

5. Register with national authorities as required

Even DORA-primary entities may need to register with their national NIS2 authority. Check your member state's NIS2 implementation law.

NIS2 vs DORA: quick reference

| Aspect | NIS2 | DORA |
|---|---|---|
| Legal instrument | Directive (national transposition required) | Regulation (directly applicable EU-wide) |
| Sectors covered | 18 critical sectors broadly | Financial sector and its ICT providers |
| Report incidents to | National CSIRT / competent authority | Competent financial supervisor (ESA/NCAs) |
| Penetration testing | Not mandated | TLPT mandatory for significant entities |
| Max fine | EUR 10M or 2% global turnover | Varies by member state; daily periodic penalties possible |
| Management liability | Personal liability, temporary bans possible | Management body responsible; individual liability per national law |
| ICT contract requirements | General security clauses required | Detailed mandatory elements per DORA Annex |

Frequently asked questions

What is DORA and who does it apply to?

The Digital Operational Resilience Act, Regulation (EU) 2022/2554, is a sector-specific EU regulation setting binding cybersecurity and ICT resilience requirements for financial entities. It applies to credit institutions, payment institutions, investment firms, insurers, crypto-asset service providers, central securities depositories, central counterparties, trading venues, critical ICT third-party providers, and credit rating agencies.

Do financial firms need to comply with both NIS2 and DORA?

Most financial entities subject to DORA are partially carved out from NIS2's operational requirements under the lex specialis principle of NIS2 Article 4. The boundary is not clean. In several EU countries, financial entities still face NIS2 registration obligations and must notify the national CSIRT alongside the financial supervisor for significant incidents. Country-specific advice is essential.

What do NIS2 and DORA have in common?

Both frameworks require an ICT risk management framework, incident detection and reporting, business continuity and disaster recovery, supply chain and third-party risk management, cryptography and access control, security training, vulnerability management and patching, and management body accountability. The control library overlaps by roughly 70 percent.

What does DORA require beyond NIS2?

DORA adds Threat-Led Penetration Testing under the TIBER-EU methodology for significant financial entities, Critical ICT Third-Party Provider oversight with direct EU-level supervision by lead overseers, formal information-sharing arrangements, prescriptive ICT contract requirements per the DORA Annex, and major ICT incident reporting to financial supervisors through a specific three-stage process.

How should financial firms build a unified NIS2 and DORA programme?

Confirm the regulatory scope and member state implementation, build the ICT risk management framework to DORA standards since DORA Chapter II is more detailed than NIS2 Article 21, design incident classification to cover both reporting paths with dual-track procedures, use DORA ICT contract templates with NIS2 supplier clauses, and register with national authorities as required.

Does DORA replace NIS2 for banks, insurers, and investment firms?

No, not fully. DORA is the lex specialis for operational ICT resilience, so it overrides NIS2 Article 21 measures for most in-scope financial entities. Registration, scope identification, and some governance obligations under NIS2 still apply at member state level. Each national transposition sets the exact interaction, so the answer depends on country.

Are incident reporting deadlines the same under NIS2 and DORA?

They look similar but diverge in detail. NIS2 Article 23 requires a 24-hour early warning, 72-hour notification, and one-month final report to the national CSIRT. DORA requires a three-stage notification to the financial supervisor with different content requirements and a specific classification of 'major' versus 'significant cyber threat'. A dual-track playbook is the only safe design.