NIS2 vs DORA

NIS2 (Directive (EU) 2022/2555) is the European Union's horizontal cybersecurity framework. DORA (Regulation (EU) 2022/2554) is the sector-specific operational-resilience regime for the EU financial sector. The two acts overlap on cybersecurity governance, incident reporting, and supply-chain (ICT third-party) risk; they diverge on supervisory route, sanction regime, and the breadth of testing obligations.

This page is the structured pairwise walk-through.

Quick decision

  • Financial entity that would otherwise be a NIS2 essential or important entity under national transposition → DORA Article 1(2) is structured to operate as a sector-specific Union legal act for the purposes of NIS2 Article 4. DORA's specialised provisions apply on the matters DORA covers; NIS2 obligations remain relevant where DORA does not cover the matter. Read DORA first.
  • Essential or important entity outside the financial sector → NIS2 only. Read NIS2 scope and applicability first.
  • ICT third-party service provider serving financial entities → Articles 28–30 of DORA apply through contractual arrangements with the financial entities. If designated critical under Article 31, the EU oversight framework (Articles 31–44) applies. NIS2 may also apply to the TPP if it qualifies as an essential or important entity in its own right (e.g. cloud service provider; managed service provider).
  • Cross-sectoral group operating both financial and non-financial entities → apply DORA to financial entities and NIS2 to non-financial entities; coordinate the two programmes around shared infrastructure (ICT third-party risk, identity, incident handling).

TL;DR

  • NIS2 = Directive (EU) 2022/2555. Horizontal cybersecurity framework. Scope by Annex I / II sectors + size cap (Recommendation 2003/361/EC). Member-State transposition by 17 October 2024, application of transposing measures from 18 October 2024.
  • DORA = Regulation (EU) 2022/2554. Sector-specific financial-sector operational resilience. Scope by entity type (Article 2(1)). Directly applicable from 17 January 2025 (Article 64).
  • DORA Article 1(2) is the operative provision: DORA operates as a sector-specific Union legal act for the purposes of NIS2 Article 4 in relation to financial entities also identified as essential or important under the national NIS2 transposition.
  • Same competent-authority distinction: NIS2 designates a national cybersecurity authority + CSIRT; DORA designates the prudential / conduct supervisor under Article 46.
  • Significant procedural differences on incident reporting (NIS2 Art 23 staged timeline vs DORA Arts 17–19 with 2025/301 + 2025/302 forms), testing (DORA Arts 24–27 + TLPT in Arts 26–27 vs no NIS2 equivalent), and ICT third-party regime (DORA Arts 28–30 + 31–44 oversight vs NIS2 Art 21(2)(d) + 21(3)).

Side-by-side comparison

| Dimension | NIS2 (Directive (EU) 2022/2555) | DORA (Regulation (EU) 2022/2554) |
|---|---|---|
| Legal instrument | Directive — transposed into Member State law | Regulation — directly applicable in every Member State |
| Sectoral scope | Annex I / II sectors (broad cross-sectoral) | Financial-services sectors only |
| Entity scope test | Size cap (medium-sized or larger under Rec 2003/361/EC) + regardless-of-size additions in Art 2(2) + Member State identification in Art 2(2)(b)–(e) | Entity type list in Art 2(1); no size cap |
| Sub-cohorts | Essential (Art 3(1)) vs important (Art 3(2)) | Full RMF (Arts 5–15) vs simplified RMF (Art 16) for specific entity types |
| Adopted | 14 December 2022 | 14 December 2022 |
| Entered into force | 16 January 2023 | 16 January 2023 |
| Application | Transposition deadline 17 Oct 2024; application of transposing measures from 18 Oct 2024 | 17 January 2025 (Art 64) |
| Risk-management baseline | Art 21(1) framing + Art 21(2)(a)–(j) ten measure categories | Art 6(1) ICT RMF cornerstone + Arts 7–14 substance + Art 16 simplified |
| Incident-reporting timeline | Art 23(4): 24h early warning + 72h notification + intermediate report on request + 1 month final report + progress report for ongoing incidents | Art 19(4): initial notification + intermediate report + final report (timings in Delegated Reg 2025/301) |
| Incident-report templates | Implementing Reg 2024/2690 specifies for digital-infrastructure entity types | Implementing Reg 2025/302 specifies for all in-scope financial entities |
| Resilience testing | Art 21(2)(f) effectiveness assessment (programme-level only) | Arts 24–25 testing programme + Arts 26–27 TLPT for entities meeting criteria |
| ICT third-party regime | Art 21(2)(d) + Art 21(3) supply-chain measures | Arts 28–30 contractual baseline + register of information + subcontracting; Arts 31–44 EU oversight of designated critical TPPs |
| Public-information duty | Art 23(7) (authority may inform the public after consulting the entity) | Through competent-authority supervisory powers under Art 46 et seq. |
| Sanctions | Art 34: Member States provide for max admin fines of at least EUR 10m / 2% (essential), EUR 7m / 1.4% (important) | Competent-authority supervisory powers; Art 50 penalty regime for designated critical TPPs |
| Competent authority | National cybersecurity authority + CSIRT (designated by Member State) | Prudential / conduct supervisor designated under Art 46 |
| Cross-Member-State coordination | NIS Cooperation Group + CSIRTs network + EU-CyCLONe | ESAs + Lead Overseer for critical TPPs |

How NIS2 and DORA map onto each other

The two regimes overlap on three central topics: ICT risk management measures, incident reporting, and supply-chain / third-party risk. The mapping below shows the equivalent provisions.

| Topic | NIS2 | DORA | Notes |
|---|---|---|---|
| Management-body duties | Art 20(1) approval / oversight / liability; Art 20(2) training | Art 5 (overall responsibility + specific responsibilities + training) | DORA Art 5 lists more specific responsibilities and is more prescriptive |
| Risk-management framework | Art 21(1) framing + Art 21(2)(a) policies | Art 6(1) ICT RMF cornerstone + Arts 6–14 substance | DORA RMF is more detailed; NIS2 is more programme-level |
| Incident handling | Art 21(2)(b) | Art 17 incident management process | DORA Art 17 is more detailed and prescriptive |
| Incident classification | Art 23(3) two-prong significance test | Art 18 six criteria + Delegated Reg 2024/1772 | DORA uses six specific criteria; NIS2 uses a two-prong test |
| Incident reporting | Art 23(4) (24h / 72h / intermediate / 1 month final / progress) | Art 19(4) (initial / intermediate / final) + Delegated Reg 2025/301 (content + time limits) + Implementing Reg 2025/302 (forms + templates) | Different competent authorities; different templates |
| Supply-chain security | Art 21(2)(d) + Art 21(3) (assess direct suppliers; Art 22(1) coordinated risk assessments) | Arts 28–30 (contractual baseline + register of information + subcontracting) + Delegated Reg 2024/1773 + Implementing Reg 2024/2956 + Delegated Reg 2025/532 | DORA is significantly more detailed |
| Testing | Art 21(2)(f) effectiveness assessment | Arts 24–25 testing programme + Arts 26–27 TLPT + Delegated Reg 2025/1190 | NIS2 has no TLPT obligation |
| Information sharing | Art 29 cybersecurity information-sharing arrangements + Art 30 voluntary notification | Art 45 information-sharing arrangements | Similar voluntary frameworks |
| Cross-Member-State coordination | Art 23(6) and (8); NIS Cooperation Group | Art 22 cross-MS coordination; ESAs cooperation | NIS2 routes through national CSIRT / SPOC; DORA through ESAs |
| Critical infrastructure oversight | (not in NIS2 — partly in CER Directive 2022/2557) | Arts 31–44 EU oversight of designated critical ICT TPPs | DORA introduces a new EU oversight layer |

When DORA prevails: the Article 1(2) / Article 4 mechanism

The operative provision that allocates competence between DORA and NIS2 for financial entities is DORA Article 1(2). It is structured to operate as a sector-specific Union legal act for the purposes of NIS2 Article 4. NIS2 Article 4 in turn provides that where a sector-specific Union legal act requires essential or important entities to adopt cybersecurity risk-management measures or to notify significant incidents, and those requirements are at least equivalent in effect to the obligations in NIS2, the provisions of that sector-specific Union legal act, including its supervision and enforcement, shall apply instead.

The practical effect for a financial entity that would otherwise also be an essential or important entity under the national NIS2 transposition:

  • DORA's specialised provisions apply on matters DORA covers (ICT risk management, ICT-related incident reporting, digital operational resilience testing, ICT third-party risk);
  • the national NIS2 transposition still applies where DORA does not cover the matter and where the national transposition extends further;
  • the competent authority for the DORA matters is the prudential / conduct supervisor designated under Article 46 of DORA, not the national cybersecurity authority designated under NIS2;
  • the supervisory regime is the one in DORA Chapter VII (Articles 46–56), not the NIS2 Chapters VII (Articles 31–37) and VIII.

In practice, the national NIS2 transposition typically addresses this allocation explicitly — either by disapplying NIS2 Article 23 reporting for in-scope financial entities, or by routing financial-entity notifications through the DORA channels and treating that as equivalent for NIS2 purposes. The exact mechanism depends on each Member State's transposing law.

Incident-reporting coordination

The most visible operational interaction between NIS2 and DORA is incident reporting. For a financial entity that is in scope of both:

  • DORA Article 19 reporting applies on matters DORA covers (ICT-related incidents). The reports follow the Article 19(4) sequence (initial / intermediate / final) with content per Delegated Regulation 2025/301 (Art 20(a) RTS) and forms per Implementing Regulation 2025/302 (Art 20(b) ITS). The reports are submitted to the DORA competent authority under Article 46.
  • NIS2 Article 23 reporting applies for matters DORA does not cover and where the national NIS2 transposition extends further. The reports follow Article 23(4) (24h / 72h / intermediate / 1 month final / progress) and are submitted to the CSIRT or competent authority designated under NIS2.
  • Cross-authority coordination is built into both regimes: NIS2 Article 23(8) provides for SPOC-to-SPOC forwarding; DORA Article 19(5) lists the Union authorities that the DORA competent authority may distribute the notification to (including the competent authority designated under NIS2 and the NIS2 single points of contact).

In Modulos, the standard pattern for dual-regime financial entities is to attach both OFF-15 (NIS2) and OFF-16 (DORA) to the organisation project and to record incident reports as evidence linked to the relevant requirement under each framework — typically with the same underlying incident postmortem document evidencing both requirements.

When to choose which

  • Read DORA first if you are a financial entity. Even if you are also in scope of NIS2, DORA's specialised provisions apply on the matters DORA covers.
  • Read NIS2 first if you are outside the financial sector. Article 21 (cybersecurity measures) and Article 23 (incident reporting) are the central operative provisions.
  • Read both if you are an ICT third-party service provider serving financial entities. DORA Articles 28–30 apply through your contracts with financial entities; NIS2 may also apply if you qualify as an essential or important entity in your own right (e.g. cloud service provider).
  • Read both if you are a financial group with non-financial subsidiaries. Apply DORA to the financial entities and NIS2 to non-financial entities; coordinate through shared policies (ICT risk management, vendor due diligence, incident handling).

What this looks like in Modulos

Modulos models NIS2 and DORA as separate framework templates that coexist on the same organisation project:

  • OFF-15 (NIS2 (org), 28 requirements) + OFF-16 (DORA (org), 28 requirements) attached to the organisation project.
  • MFF-15 (NIS2 (app), 18 requirements) + MFF-16 (DORA (app), 18 requirements) attached to each in-scope service / ICT system project as applicable.
  • Shared substance (ICT risk management policy, incident-handling SOP, BC/DR plan, vendor due-diligence policy, AI-BOM, training records) is recorded once as evidence and linked to controls under both frameworks.
  • Different reporting workflows for incidents — NIS2 Article 23 staged reports stored as evidence against the relevant NIS2 requirement; DORA Article 19 staged reports stored as evidence against the relevant DORA requirement; same underlying incident postmortem document evidences both.

This single-source / multi-link pattern is the core of how Modulos avoids duplicate evidence work while keeping the legal traceability auditable.

Source attribution

This comparison is drawn from the published texts of Directive (EU) 2022/2555 (NIS2, OJ L 333, 27.12.2022, pp. 80–152) and Regulation (EU) 2022/2554 (DORA, OJ L 333, 27.12.2022, pp. 1–79). The eight DORA Commission Delegated and Implementing Regulations referenced on this page (2024/1772, 2024/1773, 2024/1774, 2024/2956, 2025/301, 2025/302, 2025/532, 2025/1190) are individually published on EUR-Lex.

Disclaimer

This page is for general informational purposes and does not constitute legal advice. The interaction between NIS2 (a Directive transposed into national law) and DORA (a directly-applicable Regulation) is determined by each Member State's NIS2 transposing law plus DORA Article 1(2). For binding interpretation in your jurisdiction, consult the published EUR-Lex text, the national NIS2 transposition, and qualified counsel.