Learn
After reading this, you’ll know definitively which regulation applies to your organisation, where they overlap, where they diverge, and how to handle the awkward case where you need both.
I got an email last month from a compliance officer at a mid-sized payment institution. She’d just come out of a board meeting where a director asked: “Do we need to comply with DORA or NIS2?” She said “both.” The director said “but they’re the same thing, right?”
They’re not the same thing. At all. But I understand the confusion. Both are EU regulations (well, DORA is a regulation, NIS2 is technically a directive - and yes, that distinction matters). Both deal with cybersecurity and digital resilience. Both came out of the same wave of EU digital regulation. And both use enough similar terminology that it’s easy to assume they’re just different labels for the same set of rules.
That assumption will cost you. Let me explain why.
The 60-Second Version
For the impatient (I get it), here’s the executive summary:
DORA
Full name: Digital Operational Resilience Act (Regulation 2022/2554)
Type: Regulation (directly applicable in all EU Member States)
Scope: Financial sector only - banks, insurers, investment firms, payment institutions, crypto-asset service providers, and their critical ICT providers
Focus: ICT risk management, operational resilience, third-party ICT risk, incident reporting, resilience testing
Applicable since: 17 January 2025
NIS2
Full name: Network and Information Security Directive 2 (Directive 2022/2555)
Type: Directive (must be transposed into national law by each Member State)
Scope: Cross-sector - energy, transport, health, digital infrastructure, banking, financial market infrastructure, public administration, space, ICT service management, and more
Focus: Cybersecurity risk management, incident reporting, supply chain security, governance obligations
Transposition deadline: 17 October 2024 (most Member States missed it)
Already you can see the key difference. DORA is laser-focused on the financial sector and goes deep into ICT-specific requirements. NIS2 casts a wide net across many sectors but stays at a higher level of abstraction. They’re complementary, not interchangeable.
The Lex Specialis Principle: Why This Changes Everything
Here’s the legal concept that most articles mention but few explain properly.
DORA is what lawyers call lex specialis in relation to NIS2. In plain language: when two laws cover the same ground, the more specific law takes precedence. DORA is the specific law for the financial sector; NIS2 is the general law for critical sectors broadly.
DORA Article 1(2) makes this explicit. It says that for financial entities, DORA takes precedence over NIS2 on matters that both cover - specifically ICT risk management, incident reporting, and resilience testing.
What does this mean in practice?
- If you’re a bank and both DORA and NIS2 require incident reporting, you follow DORA’s rules (4-hour initial notification, specific RTS criteria), not NIS2’s rules (24-hour early warning, 72-hour notification).
- If both require cybersecurity risk management, DORA’s detailed ICT risk management framework (Articles 5-16) overrides NIS2’s more general requirements (Article 21).
- If both require governance, DORA’s specific board-level ICT risk oversight requirements (Article 5) take precedence.
But - and this is the crucial “but” - lex specialis only applies where both laws address the same topic. Where NIS2 covers something that DORA doesn’t, NIS2 still applies in full. And there are several areas where NIS2 goes further.
This is where most compliance teams trip up. They hear “DORA takes precedence” and assume they can ignore NIS2 entirely. They can’t.
Where They Overlap, Where They Diverge
The detailed breakdown your compliance team actually needs
Incident Reporting: Same Goal, Different Mechanics
Both DORA and NIS2 require incident reporting. But the specifics are meaningfully different:
| Aspect | DORA | NIS2 |
|---|---|---|
| What triggers reporting | Major ICT-related incidents meeting specific RTS thresholds | “Significant” incidents with criteria set by each Member State |
| Initial notification | Within 4 hours of classification as major | Early warning within 24 hours; full notification within 72 hours |
| Intermediate report | Within 72 hours (or sooner if status changes) | Updates upon request |
| Final report | Within 1 month | Within 1 month |
| Report to whom | National financial supervisor (NCA) | CSIRT and/or competent authority (varies by Member State) |
For financial entities: DORA’s incident reporting framework applies (lex specialis). The 4-hour initial notification is more demanding than NIS2’s 24-hour early warning, which means if you’re DORA-compliant on incident reporting, you’re effectively exceeding NIS2’s requirements in that area.
Risk Management: Different Depth, Different Focus
NIS2 Article 21 lists ten categories of cybersecurity risk management measures that entities must implement, including risk analysis policies, incident handling, supply chain security, encryption, access control, and more. It’s comprehensive but high-level - it tells you what to do without specifying how in granular detail.
DORA goes much deeper. Articles 5-16 lay out a detailed ICT risk management framework with specific requirements for:
- ICT asset management and classification
- Change management procedures
- ICT business continuity management with specific recovery time objectives
- Communication strategies during ICT incidents
- Learning and evolving from incidents
- Board-level approval and oversight of the ICT risk management framework
For financial entities, DORA’s framework is the one you build to. But if you’re a financial entity that also falls under NIS2 for non-ICT cybersecurity matters (e.g., physical security of network infrastructure), those NIS2 requirements may still apply alongside DORA.
Third-Party Risk: DORA Goes Way Further
This is where the gap between the two is widest. NIS2 Article 21(2)(d) requires entities to address “supply chain security” as part of their risk management. That’s one paragraph. One.
DORA dedicates an entire chapter (Articles 28-44) to ICT third-party risk management. It requires:
- A Register of Information documenting all ICT third-party relationships
- Specific contractual provisions for ICT outsourcing (audit rights, exit strategies, data location, sub-outsourcing controls)
- Due diligence and risk assessment before entering ICT contracts
- Ongoing monitoring of ICT third-party risk
- Concentration risk assessment
- Exit strategies for critical ICT providers
- A new ESA oversight framework for critical third-party ICT providers (CTPPs)
If you’re doing DORA properly, you’re doing supply chain security to a standard that far exceeds what NIS2 requires. This is the one area where DORA compliance gives you NIS2 compliance almost for free.
When You Need Both: The Financial Entity + Essential Entity Problem
Here’s the scenario that keeps compliance teams up at night.
NIS2 Annex I lists “banking” and “financial market infrastructures” as essential sectors. This means many financial entities are also classified as essential or important entities under NIS2. DORA takes precedence on overlapping matters, but NIS2 adds some things that DORA doesn’t cover:
NIS2 management liability. NIS2 Article 20 introduces personal liability for management body members who fail to ensure compliance with cybersecurity obligations. DORA Article 5 requires board oversight of ICT risk, but the personal liability angle in NIS2 is more explicit and punitive in some Member State transpositions.
NIS2 cybersecurity training. NIS2 Article 20(2) requires management bodies to follow cybersecurity training and encourages similar training for all employees. DORA addresses ICT security awareness (Article 13(6)) but doesn’t match NIS2’s specific management training mandate.
NIS2 registration requirements. NIS2 Article 27 requires entities to register with the relevant CSIRT or competent authority. Financial entities may need to complete this registration even if they’re primarily regulated under DORA.
NIS2 penalty framework. NIS2’s penalties are harmonised at the EU level: up to €10 million or 2% of global annual turnover for essential entities. DORA’s penalties are set by each Member State. Depending on the jurisdiction, NIS2 penalties might actually be higher for certain violations.
The practical implication? Even if you’re fully DORA-compliant, you may still need to satisfy specific NIS2 requirements that DORA doesn’t address. This requires a gap analysis between the two - mapping exactly which obligations are covered by DORA and which remain open under NIS2.
Which Applies to You? A Decision Framework
Rather than give you another table comparing 20 dimensions, let me give you the decision tree that actually helps:
Are you a financial entity under DORA Article 2?
Credit institutions, investment firms, payment institutions, electronic money institutions, insurance undertakings, reinsurance undertakings, insurance intermediaries, IORPs, CRAs, securitisation repositories, trade repositories, CSDs, CCPs, trading venues, management companies, AIFMs, data reporting providers, crypto-asset service providers, crowdfunding service providers. If yes → DORA applies. It’s your primary regulation.
Are you also an essential or important entity under NIS2?
Banks and financial market infrastructures are listed in NIS2 Annex I as essential sectors. If you’re a credit institution or a financial market infrastructure, you’re likely dual-scope. Check your Member State’s NIS2 transposition for the exact entity classification. If yes → Both apply. DORA takes precedence on overlapping areas; NIS2 fills the gaps.
Are you NOT a financial entity but you provide ICT services to financial entities?
You might be designated as a critical third-party ICT provider (CTPP) under DORA’s oversight framework. Separately, if you’re a managed service provider, cloud computing provider, or digital infrastructure operator, NIS2 likely applies to you as an essential or important entity. If yes → NIS2 is your primary regulation, plus potential DORA CTPP oversight.
Are you in a non-financial sector covered by NIS2?
Energy, transport, health, water, digital infrastructure, public administration, space, postal services, waste management, food, manufacturing, chemicals, research. If yes → NIS2 only. DORA doesn’t apply to you.
If You’re Dual-Scope: The Efficient Approach
For financial entities subject to both DORA and NIS2, the good news is that DORA’s requirements are almost always equal to or more stringent than NIS2’s corresponding requirements. So if you build your compliance programme around DORA, you’re covering most of NIS2 as a byproduct.
The efficient approach has three steps:
Step 1: Build for DORA first. It’s the more detailed and demanding framework. Your ICT risk management framework, incident reporting process, third-party risk management, and resilience testing programme should all be built to DORA specifications.
Step 2: Gap-analyse against NIS2. Once your DORA programme is in place, map it against your Member State’s NIS2 transposition. Identify the specific NIS2 requirements that DORA doesn’t cover - management liability provisions, training mandates, registration requirements, any sector-specific measures.
Step 3: Fill the gaps with targeted controls. For each NIS2 requirement not covered by DORA, add a specific control to your compliance programme. This is usually a relatively small number of items, because the overlap is substantial.
This is exactly the kind of cross-framework gap analysis that multi-framework compliance platforms are designed for. Venvera, for instance, supports both DORA and NIS2 (along with 11 other regulatory frameworks) and maps the overlaps automatically - showing you which DORA controls satisfy NIS2 requirements and where additional work is needed.
The alternative - building two separate compliance programmes with separate teams, separate documentation, and separate risk assessments - is roughly twice the work for the same outcome. I’ve seen it happen. It’s painful, expensive, and ultimately produces worse results because the two programmes inevitably contradict each other in places.
The NIS2 Transposition Problem
One more wrinkle that makes the DORA-NIS2 comparison harder than it should be: NIS2 is a directive, not a regulation. Unlike DORA (which applies directly and identically across all EU Member States), NIS2 had to be transposed into national law by each Member State by 17 October 2024.
Most Member States missed that deadline. As of early 2026, several are still finalising their national transpositions. And the transpositions that do exist aren’t identical - they have different entity classification thresholds, different penalty levels, different registration procedures, and different national CSIRT arrangements.
For a multi-jurisdictional financial group, this means:
- DORA applies identically across all your EU entities (good for consistency)
- NIS2 varies by country, so your German subsidiary faces different NIS2 specifics than your French or Irish one (less good for consistency)
- You need to track multiple national transpositions to understand your NIS2 obligations in each jurisdiction
This is honestly one of the most frustrating aspects of the current regulatory landscape. DORA gives you one set of rules. NIS2 gives you 27 slightly different sets of rules. Managing this without a system that tracks regulatory frameworks across jurisdictions is, frankly, a headache nobody should have to endure manually.
The Bottom Line
DORA and NIS2 are not the same thing. They’re not interchangeable. For financial entities, DORA is your primary framework, but NIS2 likely applies too - and ignoring it creates real regulatory risk.
The smart approach is to build for DORA (the harder, more specific framework), then gap-analyse against NIS2 (the broader, more general one). The cross-framework overlap is substantial - around 70-80% by most estimates - so the incremental effort for NIS2 compliance, once you’re DORA-ready, is manageable.
But only if you do it intentionally, with proper mapping between the two frameworks, rather than hoping that DORA compliance magically covers everything NIS2 requires. It doesn’t. Close, but not quite.
Map DORA and NIS2 Together
Venvera supports DORA, NIS2, and 11 other regulatory frameworks with built-in cross-framework mapping. See exactly where your DORA compliance satisfies NIS2 and where gaps remain - starting at €399/month.
Book a Demo →Last updated: March 2026. NIS2 transposition status varies by Member State. Consult your local competent authority for jurisdiction-specific NIS2 requirements.