DORA vs NIS2: Key Differences, Overlaps, and What They Mean for Your Business
2026-03-20
By Orbiq Team

DORA and NIS2 are the EU's two most impactful cybersecurity laws. This guide compares scope, legal form, incident reporting timelines, penalties, and how lex specialis resolves overlap.


Two EU cybersecurity regulations now apply across Europe: the NIS2 Directive (EU 2022/2555) and the Digital Operational Resilience Act — DORA (Regulation EU 2022/2554). Both demand cybersecurity risk management, incident reporting, and third-party oversight. But they differ in who they target, how they work as legal instruments, and what they specifically require.

If you are a compliance officer, CTO, or GRC professional trying to understand which framework applies to your organisation — or how to handle both — this guide gives you a practical comparison.


At a Glance: DORA vs NIS2

| Dimension | DORA | NIS2 |
| --- | --- | --- |
| Legal form | Regulation (directly applicable) | Directive (required national transposition) |
| Legal reference | Regulation (EU) 2022/2554 | Directive (EU) 2022/2555 |
| Entered into force | 16 January 2023 | 16 January 2023 |
| Applies from / transposition deadline | 17 January 2025 | 17 October 2024 |
| Scope | Financial entities only (20 categories) | Cross-sector: 18 critical sectors |
| Size threshold | All in-scope financial entities (no size minimum) | 50+ employees or €10M+ annual turnover (some entity types in scope regardless of size) |
| Incident reporting: first notification | Initial notification within 4 hours of classifying an incident as major, and no later than 24 hours after detection | Early warning within 24 hours of becoming aware of a significant incident |
| Incident reporting: follow-up | Intermediate report within 72 hours of the initial notification | Incident notification within 72 hours of becoming aware |
| Incident reporting: final report | Within 1 month of the intermediate report | Within 1 month of the incident notification |
| Maximum fine (organisations) | No EU-wide schedule; national penalties, cited at up to 2% of annual worldwide turnover for the most serious breaches | Essential: €10M or 2% of global turnover; Important: €7M or 1.4% of global turnover (whichever is higher) |
| Personal liability | Up to €1M for senior managers under some national regimes | Management body liability (national law dependent) |
| Penetration testing | Mandatory TLPT for significant entities | Not explicitly required |
| Third-party provider oversight | Formal CTPP designation and direct ESA oversight | Supply chain risk management required |

What Is NIS2?

The NIS2 Directive — formally Directive (EU) 2022/2555 — is the EU's primary cross-sector cybersecurity legislation. It replaced the original NIS Directive (2016/1148) and expanded coverage from 7 to 18 sectors, including energy, transport, healthcare, financial market infrastructure, digital infrastructure, waste management, and food production.

NIS2 applies to organisations in a covered sector that are medium-sized or larger (at least 50 employees or more than €10 million in annual turnover), and to certain entity types regardless of size, such as providers of DNS services, TLD name registries, and sole providers of a critical service in a Member State. In-scope organisations are classified as either essential entities or important entities, with different supervisory intensity and fine levels applying to each.

As a directive, NIS2 required each EU Member State to transpose it into national law by 17 October 2024. Implementation has varied:

  • Germany: NIS2 Implementation and Adjustment Act (NIS2UmsuCG) entered into force on 6 December 2025; essential and important entities must register with the BSI (Bundesamt für Sicherheit in der Informationstechnik) by 6 March 2026
  • Netherlands: The Cyberbeveiligingswet transposing NIS2 is expected to enter into force in Q2 2026, building on the existing Wbni framework
  • Belgium: Active enforcement since late 2024

For the full scope, requirements, and Article 21 measures, see our NIS2 Compliance Guide and NIS2 Requirements.


What Is DORA?

The Digital Operational Resilience Act — DORA (Regulation EU 2022/2554) — is the EU's dedicated framework for ICT risk management in the financial sector. Unlike NIS2, DORA is a regulation, not a directive. It applies directly in every EU Member State without requiring national implementation legislation.

DORA has applied since 17 January 2025, covering 20 categories of financial entities: banks, insurance companies, investment firms, payment institutions, crypto-asset service providers, trading venues, central counterparties, and more. The European Supervisory Authorities (ESAs) — EBA, ESMA, and EIOPA — explicitly stated in December 2024 that "DORA does not provide for a transitional period."

DORA's five pillars are:

  1. ICT risk management — Governance framework and risk appetite
  2. ICT-related incident reporting — Standardised major incident reporting to competent authorities
  3. Digital operational resilience testing — Including mandatory Threat-Led Penetration Testing (TLPT) for significant entities
  4. ICT third-party risk management — Oversight of critical ICT third-party service providers (CTPPs)
  5. Information sharing — Voluntary sharing of cyber threat intelligence

In 2026, DORA enforcement has shifted from guidance to active supervision. National competent authorities including BaFin (Germany), the AFM and DNB (Netherlands), and the ACPR and AMF (France) are conducting supervisory reviews and audits.


Incident Reporting: A Critical Difference

For organisations subject to both frameworks, incident reporting is where the divergence is most operationally significant.

NIS2 Incident Reporting

Under NIS2 Article 23, organisations must follow a three-stage process when a significant incident occurs:

  1. Early warning — within 24 hours of becoming aware of a significant incident, indicating whether it is suspected to be caused by unlawful or malicious acts and whether it could have cross-border impact
  2. Incident notification — within 72 hours of becoming aware, updating the early warning with an initial assessment of severity and impact and, where available, indicators of compromise
  3. Final report — within one month of submitting the incident notification, including a detailed description, the type of threat or root cause, mitigation measures applied, and any cross-border impact

DORA Incident Reporting

DORA's requirements, set out in Article 19 and the ESAs' regulatory and implementing technical standards on incident reporting (JC 2024-33), are stricter and more prescriptive for major ICT-related incidents. There are three reports, and the first one runs on two clocks at once:

  1. Initial notification — within 4 hours of classifying the incident as major, and in any case no later than 24 hours after detection
  2. Intermediate report — within 72 hours of submitting the initial notification, even where the status of the incident has not changed, with updates when regular activities are recovered
  3. Final report — within 1 month of submitting the intermediate report (or its latest update), once the root cause analysis is complete and actual impact figures are available

The 4-hour initial notification under DORA is the most demanding requirement in either framework, and because the 24-hour cap runs from detection rather than classification, a slow classification process does not buy extra time. Financial entities need near-real-time incident classification, pre-prepared notification templates, and a tracked clock per report to meet these deadlines.
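The interaction between the two DORA clocks is where an incident tracker most often gets the deadline wrong, so the following Python deadline calculator is added here as an illustration. It is not code from the page, from Orbiq, or from any regulator: the function names (`dora_deadlines`, `nis2_deadlines`, `plus_one_month`), the scenario timestamps, the reading of "1 month" as one calendar month clamped to the month end, and the assumption that NIS2 "awareness" coincides with DORA "detection" are all this example's own choices, to be checked against the RTS and your national transposition before use.

```python
"""Deadline calculator for the DORA (Article 19 / JC 2024-33) and NIS2 (Article 23)
incident-reporting clocks.  Added example; the constants below are this example's
reading of the text, not an authoritative statement of the law."""
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Clock durations as assumed by this example.
DORA_INITIAL_FROM_CLASSIFICATION = timedelta(hours=4)
DORA_INITIAL_CAP_FROM_DETECTION = timedelta(hours=24)
DORA_INTERMEDIATE_FROM_INITIAL = timedelta(hours=72)
NIS2_EARLY_WARNING_FROM_AWARENESS = timedelta(hours=24)
NIS2_NOTIFICATION_FROM_AWARENESS = timedelta(hours=72)


@dataclass(frozen=True)
class Deadline:
    report: str
    due: datetime
    basis: str  # which clock produced this deadline


def utc(year: int, month: int, day: int, hour: int = 0, minute: int = 0) -> datetime:
    """Timezone-aware UTC timestamp; naive times are rejected by the calculators."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def plus_one_month(moment: datetime) -> datetime:
    """One calendar month later, clamped to the last day of the target month
    (31 January -> 28/29 February).  This is how the example reads '1 month'."""
    year, month = (moment.year + 1, 1) if moment.month == 12 else (moment.year, moment.month + 1)
    last_day = calendar.monthrange(year, month)[1]
    return moment.replace(year=year, month=month, day=min(moment.day, last_day))


def _check(*stamps: datetime) -> None:
    for stamp in stamps:
        if stamp.tzinfo is None:
            raise ValueError("timestamps must be timezone-aware; a naive time makes a 4h clock ambiguous")


def dora_deadlines(detected_at: datetime, classified_major_at: datetime) -> list[Deadline]:
    """Initial notification: 4h after classification, never later than 24h after detection.
    Intermediate: 72h after the initial notification (worst case: its due time).
    Final: one month after the intermediate report."""
    _check(detected_at, classified_major_at)
    if classified_major_at < detected_at:
        raise ValueError("an incident cannot be classified as major before it is detected")
    by_classification = classified_major_at + DORA_INITIAL_FROM_CLASSIFICATION
    by_detection_cap = detected_at + DORA_INITIAL_CAP_FROM_DETECTION
    if by_classification <= by_detection_cap:
        initial = Deadline("initial notification", by_classification, "4h after classification as major")
    else:
        # Late classification does not extend the deadline: the 24h cap from detection wins.
        initial = Deadline("initial notification", by_detection_cap, "24h cap after detection")
    intermediate = Deadline("intermediate report", initial.due + DORA_INTERMEDIATE_FROM_INITIAL,
                            "72h after initial notification")
    final = Deadline("final report", plus_one_month(intermediate.due), "1 month after intermediate report")
    return [initial, intermediate, final]


def nis2_deadlines(aware_at: datetime) -> list[Deadline]:
    """Early warning 24h and incident notification 72h after becoming aware;
    final report one month after the incident notification."""
    _check(aware_at)
    early = Deadline("early warning", aware_at + NIS2_EARLY_WARNING_FROM_AWARENESS, "24h after awareness")
    notification = Deadline("incident notification", aware_at + NIS2_NOTIFICATION_FROM_AWARENESS,
                            "72h after awareness")
    final = Deadline("final report", plus_one_month(notification.due), "1 month after incident notification")
    return [early, notification, final]


def hours_remaining(deadline: Deadline, now: datetime) -> float:
    """Hours left until the deadline; negative once it has passed."""
    _check(now)
    return (deadline.due - now).total_seconds() / 3600


if __name__ == "__main__":
    # Constructed scenario: detected Friday 10:00 UTC, classified as major 22h later.
    # The 4h clock alone would end at +26h; the 24h cap pulls the deadline forward.
    detected = utc(2026, 3, 6, 10, 0)
    classified = detected + timedelta(hours=22)
    for d in dora_deadlines(detected, classified):
        print(f"DORA {d.report:<22} due {d.due:%Y-%m-%d %H:%M} UTC  ({d.basis})")
    for d in nis2_deadlines(detected):  # NIS2 awareness taken as the detection time
        print(f"NIS2 {d.report:<22} due {d.due:%Y-%m-%d %H:%M} UTC  ({d.basis})")
```

The intermediate and final clocks are chained off the previous report's due time, which is the conservative choice: if a report is actually filed earlier, the next clock starts earlier too, so a tracker should re-run the calculation with the real submission timestamp rather than the planned one.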

For a detailed comparison of DORA incident reporting requirements, see our dedicated guide.


Penalties: How the Fine Structures Compare

NIS2 Fines

NIS2 creates a two-tier fine structure based on entity classification:

| Entity type | Maximum fine |
| --- | --- |
| Essential entities | €10,000,000 or 2% of global annual turnover, whichever is higher |
| Important entities | €7,000,000 or 1.4% of global annual turnover, whichever is higher |

Beyond financial penalties, NIS2 Article 32(5) lets national authorities, where an essential entity has not complied with an enforcement order by the deadline set, request a temporary ban on the CEO or legal representative exercising managerial functions in that entity, and Article 20 makes the management body responsible for approving and overseeing the risk-management measures.

DORA Fines

DORA does not itself set fine amounts for financial entities; Article 50 leaves it to Member States to establish effective, proportionate, and dissuasive administrative penalties, so the ceilings differ by country. In practice:

  • Turnover-based fines: national regimes cite ceilings of up to 2% of annual worldwide turnover for the most serious breaches, matching the NIS2 maximum for essential entities
  • Periodic penalty payments: for designated CTPPs, the Lead Overseer can impose daily payments of 1% of the provider's average daily worldwide turnover, for up to six months, to compel compliance with its recommendations (Article 35)
  • Personal liability: depending on national law, senior managers can face penalties of up to €1 million individually
  • National variations: Germany's regime, enforced by BaFin, provides ceilings of up to €5 million for certain specific breaches; Italy can levy fines up to €20 million

For critical ICT third-party service providers (CTPPs) under DORA's direct ESA oversight, periodic penalty payments and compliance orders apply directly from the ESAs.


Who Must Comply With Both?

The question most compliance teams face is: which framework governs us?

Financial Entities: DORA Primarily

If you are a regulated financial entity (bank, insurer, investment firm, payment institution, etc.), DORA is your primary framework for ICT risk management and incident reporting. NIS2 Annex I does list banking and financial market infrastructures among its sectors of high criticality, but for those obligations DORA takes precedence as lex specialis under NIS2 Article 4.

ICT Providers: Potentially Both

ICT service providers face the most complex dual-obligation scenario:

  • Critical ICT Third-Party Providers (CTPPs) designated under DORA face direct ESA supervision — applicable to 19 providers as of November 2025 including AWS, Microsoft Azure, Google Cloud, IBM, and Bloomberg
  • ICT providers not designated as CTPPs but operating in covered NIS2 sectors must comply with NIS2
  • ICT providers serving multiple sectors (financial + others) may have obligations under both frameworks for different parts of their business

Non-Financial Sectors

For healthcare, energy, transport, digital infrastructure, and other sectors covered by NIS2 but not DORA, NIS2 is the only applicable framework. DORA does not apply.


Lex Specialis: How the Overlap Is Resolved in Practice

The principle of lex specialis — the specific law takes precedence over the general law — is codified directly in NIS2 Article 4. For financial entities, DORA's more detailed ICT risk management and incident reporting requirements supersede the equivalent NIS2 obligations.

What this means in practice:

Covered by DORA only (NIS2 Article 4(1) switches off the equivalent NIS2 provisions, including their supervision and enforcement, for financial entities):

  • ICT risk management framework (DORA Articles 5–16)
  • Major ICT incident reporting (DORA Article 19)
  • Digital operational resilience testing (DORA Articles 24–27)
  • ICT third-party risk management and CTPP oversight (DORA Articles 28–44)

Areas where NIS2 may still apply to financial entities:

  • Physical security of infrastructure not covered by DORA
  • Supply chain security obligations in non-ICT domains
  • Sector-specific provisions not addressed by DORA's scope

As PayTechLaw analysis notes, Germany's NIS2UmsuCG explicitly addresses this interface, stating that the lex specialis clause covers exclusively ICT risk management and ICT incident reporting — not all NIS2 obligations. This is an important nuance: a bank is not fully exempt from NIS2, only from the specific obligations DORA replaces.


Compliance Strategy for Dual-Obligation Entities

If your organisation operates across sectors or your ICT providers serve both financial and non-financial clients, a pragmatic compliance strategy integrates both frameworks:

1. Map your entity type precisely. Determine whether you are: (a) a regulated financial entity covered primarily by DORA, (b) a non-financial entity covered by NIS2, or (c) an ICT service provider potentially subject to both.

2. Build a unified ICT risk management framework. DORA's ICT risk management requirements (Articles 5–16) are more detailed than NIS2's Article 21. Building to DORA's standard typically satisfies NIS2's equivalent requirements — invest once at the higher standard.

3. Design incident response for DORA's 4-hour threshold. If DORA applies, your incident response process must support an initial notification within 4 hours of classification and within 24 hours of detection at the latest. This demands automated alerting, a classification step that runs from the moment of detection, pre-built notification templates, and defined escalation paths to competent authorities. Because of the 24-hour cap, an organisation that meets DORA's initial notification deadline also lands inside NIS2's 24-hour early-warning window, provided it treats NIS2 "awareness" as starting at detection.

4. Manage your third-party ICT risk with evidence. Both frameworks require supply chain and third-party risk management. DORA's Register of Information (ROI) deadline for 2026 submissions varies by national authority — BaFin requires submission between 9–30 March 2026; the AFM (Netherlands) requires firm submission by 22 March 2026; the ESA consolidated deadline for NCAs to report to the ESAs is 31 March 2026. Building continuous vendor monitoring aligned to DORA's ROI requirements satisfies NIS2's third-party risk provisions simultaneously.

5. Use continuous compliance monitoring. Both DORA and NIS2 require demonstrable, ongoing compliance — not point-in-time snapshots. Orbiq's continuous monitoring platform provides real-time evidence collection, automated incident classification support, and supply chain risk dashboards that align with both frameworks.


How Orbiq Helps

Orbiq is built for EU-regulated organisations navigating DORA, NIS2, and their intersection. The platform provides:

  • Continuous monitoring of your security posture mapped to DORA and NIS2 control frameworks
  • Vendor assurance workflows that support DORA's Register of Information and NIS2 supply chain risk requirements
  • Incident management with configurable timelines aligned to both the 4-hour DORA and 24-hour NIS2 thresholds
  • Trust Center to demonstrate compliance posture to regulators, customers, and auditors

For financial entities facing the 2026 DORA enforcement shift, Orbiq bridges the gap between framework documentation and operational capability.


Sources & References

  1. Regulation (EU) 2022/2554 (DORA) — Official text of the Digital Operational Resilience Act
  2. Directive (EU) 2022/2555 (NIS2) — Official text of the NIS2 Directive
  3. ESAs Statement on DORA Application (December 2024) — Confirms no transitional period for DORA
  4. JC 2024-33 Final Report on Incident Reporting RTS/ITS — DORA incident reporting timelines (4h/24h/72h/1 month)
  5. NIS2 meets DORA — PayTechLaw — Analysis of lex specialis clause in Germany's NIS2UmsuCG
  6. Morrison Foerster: Germany's NIS2 Implementation (December 2025) — NIS2UmsuCG entry into force and BSI registration deadline
  7. DORA 2026 Enforcement Shift — aqmetrics — Transition from guidance to active enforcement, BaFin/CBI supervisory reviews
  8. DORA vs NIS2 — activeMind.legal — Legal analysis of dual compliance and common misconceptions
  9. NIS2 Fine Structure — Hornetsecurity — Essential vs. important entity fine tiers
  10. DORA Register of Information 2026 — Thomas Murray — BaFin and ESA ROI submission deadlines for 2026