NIS2 vs DORA

NIS2 (Directive (EU) 2022/2555) is the European Union's horizontal cybersecurity framework. DORA (Regulation (EU) 2022/2554) is the sector-specific operational-resilience regime for the EU financial sector. The two acts overlap on cybersecurity governance, incident reporting, and supply-chain (ICT third-party) risk; they diverge on supervisory route, sanction regime, and the breadth of testing obligations.

This page is the structured pairwise walk-through.

Quick decision

  • Financial entity that would otherwise be a NIS2 essential or important entity under national transposition → Under DORA Article 1(2), DORA is considered a sector-specific Union legal act for the purposes of NIS2 Article 4. DORA's specialised provisions apply on the matters DORA covers; NIS2 obligations remain relevant where DORA does not cover the matter. Read DORA first.
  • Essential or important entity outside the financial sector → NIS2 only. Read NIS2 scope and applicability first.
  • ICT third-party service provider serving financial entities → Articles 28–30 of DORA apply through contractual arrangements with the financial entities. If designated critical under Article 31, the EU oversight framework (Articles 31–44) applies. NIS2 may also apply to the TPP if it qualifies as an essential or important entity in its own right (e.g. cloud service provider; managed service provider).
  • Cross-sectoral group operating both financial and non-financial entities → apply DORA to financial entities and NIS2 to non-financial entities; coordinate the two programmes around shared infrastructure (ICT third-party risk, identity, incident handling).

TL;DR

  • NIS2 = Directive (EU) 2022/2555. Horizontal cybersecurity framework. Scope by Annex I / II sectors + size cap (Recommendation 2003/361/EC). Member-State transposition by 17 October 2024, application of transposing measures from 18 October 2024.
  • DORA = Regulation (EU) 2022/2554. Sector-specific financial-sector operational resilience. Scope by entity type (Article 2(1)). Directly applicable from 17 January 2025 (Article 64).
  • DORA Article 1(2) is the operative provision: DORA operates as a sector-specific Union legal act for the purposes of NIS2 Article 4 in relation to financial entities also identified as essential or important under the national NIS2 transposition.
  • Separate competent authorities: NIS2 designates a national cybersecurity authority + CSIRT; DORA designates the prudential / conduct supervisor under Article 46.
  • Significant procedural differences on incident reporting (NIS2 Art 23 staged timeline vs DORA Arts 17–19 with 2025/301 + 2025/302 forms), testing (DORA Arts 24–27 + TLPT in Arts 26–27 vs no NIS2 TLPT equivalent), and ICT third-party regime (DORA Arts 28–30 + 31–44 oversight vs NIS2 Art 21(2)(d) + 21(3)).

Primary source

Directive (EU) 2022/2555 on EUR-Lex (CELEX 32022L2555) · Regulation (EU) 2022/2554 on EUR-Lex (CELEX 32022R2554) · both published in OJ L 333, 27.12.2022

Side-by-side comparison

Dimension | NIS2 (Directive (EU) 2022/2555) | DORA (Regulation (EU) 2022/2554)
Legal instrument | Directive — transposed into Member State law | Regulation — directly applicable in every Member State
Sectoral scope | Annex I / II sectors (broad cross-sectoral) | Financial-services sectors only
Entity scope test | Size cap (medium-sized or larger under Rec 2003/361/EC) + regardless-of-size additions in Art 2(2) + Member State identification in Art 2(2)(b)–(e) | Entity type list in Art 2(1); no size cap
Sub-cohorts | Essential (Art 3(1)) vs important (Art 3(2)) | Full RMF (Arts 5–15) vs simplified RMF (Art 16(1)) for specific entity types, plus per-provision microenterprise carve-outs
Adopted | 14 December 2022 | 14 December 2022
Entered into force | 16 January 2023 | 16 January 2023
Application | Transposition deadline 17 Oct 2024; application of transposing measures from 18 Oct 2024 | 17 January 2025 (Art 64)
Risk-management baseline | Art 21(1) framing + Art 21(2)(a)–(j) ten measure categories | Art 6(1) ICT RMF cornerstone + Arts 7–14 substance + Art 16 simplified (both specified by Delegated Reg 2024/1774)
Incident-reporting timeline | Art 23(4): 24h early warning + 72h notification + intermediate report on request + 1 month final report + progress report for ongoing | Art 19(4): initial notification + intermediate report + final report (timings in Delegated Reg 2025/301)
Incident-report templates | No EU-level template act; Art 23(11), first subparagraph, allows implementing acts on format and procedure (national CSIRT forms in practice). Impl. Reg 2024/2690 specifies significant-incident criteria for its Article 1 relevant entities | Implementing Reg 2025/302 specifies the standard forms and templates for all in-scope financial entities
Resilience testing | Art 21(2)(f) effectiveness assessment; for Impl. Reg 2024/2690 relevant entities, Annex point 6.5 mandates security-testing policy and procedures — no TLPT equivalent | Arts 24–25 testing programme + Arts 26–27 TLPT for identified entities
ICT third-party regime | Art 21(2)(d) + Art 21(3) supply-chain measures | Arts 28–30 contractual baseline + register of information + subcontracting; Arts 31–44 EU oversight of designated critical TPPs
Public / recipient information | Art 23(1)–(2): entities notify service recipients of significant incidents and communicate threat remedies; Art 23(7): the authority may inform the public, or require the entity to do so, after consulting it | Art 19(3): entities inform clients of major incidents affecting their financial interests; Art 14 crisis-communication plans; Art 50(4)(e) competent-authority public notices
Sanctions | Art 34: Member States provide for max admin fines of at least EUR 10m / 2% (essential), EUR 7m / 1.4% (important) for Art 21 / 23 infringements | Art 50: Member-State administrative penalties and remedial measures, no harmonised fine ceilings; Art 35(6)–(11) periodic penalty payments for designated critical TPPs
Competent authority | National cybersecurity authority + CSIRT (designated by Member State) | Prudential / conduct supervisor designated under Art 46
Cross-Member-State coordination | NIS Cooperation Group + CSIRTs network + EU-CyCLONe | ESAs + Lead Overseer for critical TPPs

How NIS2 and DORA map onto each other

The two regimes overlap on three central topics: ICT risk management measures, incident reporting, and supply-chain / third-party risk. The mapping below shows the equivalent provisions.

Topic | NIS2 | DORA | Notes
Management-body duties | Art 20(1) approval / oversight / liability; Art 20(2) training | Art 5 (overall responsibility + specific responsibilities + training) | DORA Art 5 lists more specific responsibilities and is more prescriptive
Risk-management framework | Art 21(1) framing + Art 21(2)(a) policies | Art 6(1) ICT RMF cornerstone + Arts 7–14 substance | DORA RMF is more detailed; NIS2 is more programme-level
Incident handling | Art 21(2)(b) | Art 17 incident management process | DORA Art 17 is more detailed and prescriptive
Incident classification | Art 23(3) two-prong significance test | Art 18 six criteria + Delegated Reg 2024/1772 | DORA uses six specific criteria; NIS2 uses a two-prong test
Incident reporting | Art 23(4) (24h / 72h / intermediate / 1 month final / progress) | Art 19(4) (initial / intermediate / final) + Delegated Reg 2025/301 (content + time limits) + Implementing Reg 2025/302 (forms + templates) | Different competent authorities; different templates
Supply-chain security | Art 21(2)(d) + Art 21(3) (assess direct suppliers; Art 22(1) coordinated risk assessments) | Arts 28–30 (contractual baseline + register of information + subcontracting) + Delegated Reg 2024/1773 + Implementing Reg 2024/2956 + Delegated Reg 2025/532 | DORA is significantly more detailed
Testing | Art 21(2)(f) effectiveness assessment | Arts 24–25 testing programme + Arts 26–27 TLPT + Delegated Reg 2025/1190 | NIS2 has no TLPT obligation
Information sharing | Art 29 cybersecurity information-sharing arrangements + Art 30 voluntary notification | Art 45 information-sharing arrangements | Similar voluntary frameworks
Cross-Member-State coordination | Art 23(6) and (8); NIS Cooperation Group | Art 19(6)–(7) distribution and cross-border relevance assessment (ESAs / ECB / ENISA); Art 22 supervisory feedback | NIS2 routes through national CSIRT / SPOC; DORA through the competent authority and the ESAs
Critical infrastructure oversight | (not in NIS2 — partly in CER Directive 2022/2557) | Arts 31–44 EU oversight of designated critical ICT TPPs | DORA introduces a new EU oversight layer

When DORA prevails: the Article 1(2) / Article 4 mechanism

The operative provision that allocates competence between DORA and NIS2 for financial entities is DORA Article 1(2). Under it, DORA is considered a sector-specific Union legal act for the purposes of NIS2 Article 4. NIS2 Article 4(1) in turn provides that where a sector-specific Union legal act requires essential or important entities to adopt cybersecurity risk-management measures or to notify significant incidents, and those requirements are at least equivalent in effect to the obligations in NIS2, the relevant provisions of NIS2 — including the Chapter VII supervision and enforcement provisions — do not apply to those entities (the sector act applies of its own force; recital 23 glosses this as the sector act, including its supervision and enforcement, applying instead).

The practical effect for a financial entity that would otherwise also be an essential or important entity under the national NIS2 transposition:

  • DORA's specialised provisions apply on matters DORA covers (ICT risk management, ICT-related incident reporting, digital operational resilience testing, ICT third-party risk);
  • the national NIS2 transposition still applies where DORA does not cover the matter and where the national transposition extends further;
  • the competent authority for the DORA matters is the prudential / conduct supervisor designated under Article 46 of DORA, not the national cybersecurity authority designated under NIS2;
  • the supervisory regime is the one in DORA Chapter VII (Articles 46–56), not NIS2 Chapter VII (Articles 31–37).

In practice, the national NIS2 transposition typically addresses this allocation explicitly — either by disapplying NIS2 Article 23 reporting for in-scope financial entities, or by routing financial-entity notifications through the DORA channels and treating that as equivalent for NIS2 purposes. The exact mechanism depends on each Member State's transposing law.

Incident-reporting coordination

The most visible operational interaction between NIS2 and DORA is incident reporting. For a financial entity that is in scope of both:

  • DORA Article 19 reporting applies on matters DORA covers (ICT-related incidents). The reports follow the Article 19(4) sequence (initial / intermediate / final) with content per Delegated Regulation 2025/301 and forms per Implementing Regulation 2025/302 (the RTS and ITS under Article 20, first paragraph, points (a) and (b)). The reports are submitted to the DORA competent authority under Article 46.
  • NIS2 Article 23 reporting applies for matters DORA does not cover and where the national NIS2 transposition extends further. The reports follow Article 23(4) (24h / 72h / intermediate / 1 month final / progress) and are submitted to the CSIRT or competent authority designated under NIS2.
  • Cross-authority coordination is built into both regimes: NIS2 Article 23(8) provides for SPOC-to-SPOC forwarding; DORA Article 19(6) requires the competent authority to provide details of the major incident, in a timely manner, to the relevant authorities — including the competent authorities, single points of contact or CSIRTs designated under NIS2 — and Article 19(7) adds the cross-border relevance assessment by the ESAs and the ECB in consultation with ENISA.

In Modulos, the standard pattern for dual-regime financial entities is to attach both OFF-15 (NIS2) and OFF-16 (DORA) to the organisation project and to record incident reports as evidence linked to the relevant requirement under each framework — typically with the same underlying incident postmortem document evidencing both requirements.

When to choose which

  • Read DORA first if you are a financial entity. Even if you are also in scope of NIS2, DORA's specialised provisions apply on the matters DORA covers.
  • Read NIS2 first if you are outside the financial sector. Article 21 (cybersecurity measures) and Article 23 (incident reporting) are the central operative provisions.
  • Read both if you are an ICT third-party service provider serving financial entities. DORA Articles 28–30 apply through your contracts with financial entities; NIS2 may also apply if you qualify as an essential or important entity in your own right (e.g. cloud service provider).
  • Read both if you are a financial group with non-financial subsidiaries. Apply DORA to the financial entities and NIS2 to non-financial entities; coordinate through shared policies (ICT risk management, vendor due diligence, incident handling).

What this looks like in Modulos

Modulos models NIS2 and DORA as separate framework templates that coexist on the same organisation project:

  • OFF-15 (NIS2 (org), 28 requirements) + OFF-16 (DORA (org), 29 requirements) attached to the organisation project.
  • MFF-15 (NIS2 (app), 18 requirements) + MFF-16 (DORA (app), 18 requirements) attached to each in-scope service / ICT system project as applicable.
  • Shared substance (ICT risk management policy, incident-handling SOP, BC/DR plan, vendor due-diligence policy, AI-BOM, training records) is recorded once as evidence and linked to controls under both frameworks. The shared governance controls are framework-agnostic by design — the NIS2- and DORA-specific substance sits on dedicated overlay controls per framework.
  • Per-framework tag families make the legal structure navigable: NIS2 requirements carry NIS2 Scope, NIS2 Domain, and NIS2 Basis tags (e.g. Directive Art 21 vs Implementing Regulation 2024/2690 legal basis); DORA requirements carry DORA Pillar, DORA Framework (Full / Simplified), and DORA Addressee tags (per-limb cohort carve-outs).
  • Different reporting workflows for incidents — NIS2 Article 23 staged reports stored as evidence against the relevant NIS2 requirement; DORA Article 19 staged reports stored as evidence against the relevant DORA requirement; same underlying incident postmortem document evidences both.

This single-source / multi-link pattern is the core of how Modulos avoids duplicate evidence work while keeping the legal traceability auditable.

Source attribution

This comparison is drawn from the published texts of Directive (EU) 2022/2555 (NIS2, OJ L 333, 27.12.2022, pp. 80–152), Regulation (EU) 2022/2554 (DORA, OJ L 333, 27.12.2022, pp. 1–79), and Commission Implementing Regulation (EU) 2024/2690 of 17 October 2024 (technical and methodological requirements for the relevant entities listed in its Article 1). The eight DORA Commission Delegated and Implementing Regulations referenced on this page (2024/1772, 2024/1773, 2024/1774, 2024/2956, 2025/301, 2025/302, 2025/532, 2025/1190) are individually published on EUR-Lex.

Disclaimer

This page is for general informational purposes and does not constitute legal advice. The interaction between NIS2 (a Directive transposed into national law) and DORA (a directly-applicable Regulation) is determined by each Member State's NIS2 transposing law plus DORA Article 1(2). For binding interpretation in your jurisdiction, consult the published EUR-Lex text, the national NIS2 transposition, and qualified counsel.