NIS2 vs DORA: Key Differences for EU Organizations
By ArvexLab Team — Compliance Research
Two Regulations, One Goal
The EU has introduced two major cybersecurity regulations that took effect in 2024–2025: NIS2 (Network and Information Security Directive 2) and DORA (Digital Operational Resilience Act). Both aim to improve cybersecurity resilience, but they differ significantly in scope, requirements, and enforcement.
Scope: Who Do They Apply To?
NIS2: Broad, Cross-Sector
NIS2 applies to 18 sectors including energy, transport, health, digital infrastructure, and manufacturing. Any medium or large organization (50+ employees or €10M+ turnover) in these sectors is in scope.
Estimated impact: 160,000+ entities across the EU.
DORA: Financial Sector Only
DORA applies exclusively to financial entities — banks, insurance companies, investment firms, crypto-asset service providers, and their critical ICT third-party service providers.
Estimated impact: ~22,000 financial entities + their ICT providers.
Key Differences
| Aspect | NIS2 | DORA |
|---|---|---|
| Type | Directive (requires national transposition) | Regulation (directly applicable) |
| Scope | 18 sectors, broad | Financial sector only |
| Incident reporting | 24h/72h/1-month to CSIRT | 4h/72h to competent authority |
| Supply chain | General requirements | Detailed ICT third-party risk framework with ESA register |
| Testing | Effectiveness assessment | Threat-led penetration testing (TLPT) for significant entities |
| Penalties | Up to €10M / 2% turnover | Determined by national regulators |
| Effective | Member State transposition (Oct 2024) | January 2025 (directly applicable) |
Where They Overlap
For financial entities, both regulations apply — but DORA takes precedence as the sector-specific regulation (lex specialis). NIS2 Article 4 explicitly states that where sector-specific EU legislation imposes equivalent or stricter requirements, those requirements apply instead.
In practice, this means:
- Incident reporting: Follow DORA's 4h initial notification (stricter than NIS2's 24h)
- Risk management: DORA's ICT risk management framework satisfies NIS2's Art. 21 requirements
- Testing: DORA's TLPT requirements go beyond NIS2's general effectiveness assessment
- Supply chain: DORA's ICT third-party risk framework is more detailed than NIS2's supply chain requirements
How to Comply with Both Efficiently
Step 1: Determine your primary regulation
If you're a financial entity: DORA is your primary obligation. Compliance with DORA will cover most NIS2 requirements.
If you're in another sector: NIS2 is your obligation. DORA doesn't apply to you (unless you're a critical ICT provider to financial entities).
Step 2: Map the overlaps
Use a cross-framework approach to identify which controls satisfy both regulations. An ISO 27001 certification provides a strong baseline for both.
Step 3: Address the gaps
Focus on the unique requirements of each regulation:
- NIS2-specific: Management body training and accountability, broader supply chain requirements
- DORA-specific: ICT third-party register (ESA templates), TLPT testing, digital operational resilience strategy
Step 4: Unified evidence collection
Maintain a single evidence repository that maps controls to both frameworks. This avoids duplicate work during audits.
FAQ
Q: If I comply with DORA, am I automatically NIS2 compliant?
Largely yes, for the areas DORA covers. However, NIS2 has some requirements that go beyond DORA's scope — particularly around management body accountability and broader (non-ICT) supply chain security.
Q: Can a non-financial company be subject to DORA?
Yes, if you're designated as a critical ICT third-party service provider to financial entities. The European Supervisory Authorities (ESAs) maintain a list of these providers.
Q: Which regulation should I prioritize?
Start with whichever has the earlier enforcement deadline in your jurisdiction. For most organizations, building an ISO 27001-aligned security program provides the strongest foundation for both.
Ready to assess your NIS2 readiness?
Use our free self-assessment tool or speak with our compliance team.