Regulatory Comparison — Updated 2026

DORA vs NIS2: Complete Comparison for EU Financial Institutions

Two major EU cybersecurity frameworks — one sector-specific, one cross-sector. Here's exactly how they differ, where they overlap, and which takes precedence for your organisation.

DORA Regulation EU 2022/2554
vs
NIS2 Directive EU 2022/2555
For financial entities DORA prevails (lex specialis)

Overview: Two Frameworks, One Landscape

DORA: EU Regulation, directly applicable (Digital Operational Resilience Act)
vs
NIS2: EU Directive, requires national transposition (Network and Information Security Directive 2)

DORA — The Sector-Specific Framework

DORA (Regulation EU 2022/2554) entered into force on 16 January 2023 and has applied since 17 January 2025, directly in every EU member state and without national transposition. Article 2 lists 21 categories of in-scope entity, from banks and insurers to crypto-asset service providers and payment institutions, plus the ICT third-party service providers that serve them (those designated as critical are subject to direct EU-level oversight).

DORA is the financial sector's answer to the recognition that ICT risk is not only a technical issue but a risk to financial stability. It builds on the existing EBA, EIOPA and ESMA guidelines (notably on ICT and security risk management and on outsourcing) and turns their substance into directly binding obligations.

Key legal character: DORA is a Regulation. It applies uniformly across the EU with no transposition step; the 24 months between entry into force (January 2023) and the application date (17 January 2025) were for entities to prepare, not for member states to legislate. Member states keep a role only where DORA delegates one to them, most visibly in setting administrative penalties (Art. 50).

NIS2 — The Cross-Sector Framework

NIS2 (Directive EU 2022/2555) replaces the original NIS Directive (2016) and sets a baseline cybersecurity standard for "essential" and "important" entities across 18 sectors including energy, transport, health, digital infrastructure, and financial markets.

As a Directive, NIS2 required transposition into national law by 17 October 2024. Implementation progress varies across member states — as of early 2026, several countries are still finalising their national frameworks, creating a patchwork of obligations.

Key legal character: NIS2 is a Directive. Member states have flexibility in how they implement it, so obligations may vary by country, sector and entity size.

The critical rule, Article 1(2) DORA: for financial entities that are also NIS2 entities, DORA is the "sector-specific Union legal act" referred to in Article 4 NIS2. Under Article 4, where such an act imposes risk management or incident notification requirements at least equivalent in effect to NIS2's, the corresponding NIS2 provisions (the Art. 21 measures, Art. 23 reporting, and the Chapter VII supervision and enforcement provisions) do not apply to those entities. In practice a bank that complies with DORA has discharged its NIS2 risk management and incident reporting duties and is supervised for them by its financial NCA, not the NIS2 authority; what remains of NIS2 is the national machinery around it (inclusion in the national entity list, and the cooperation between financial supervisors and NIS2 authorities or CSIRTs that both texts require). Note also that most DORA entity types are not NIS2 entities at all: in the financial sector NIS2 Annex I lists only credit institutions ("Banking") and trading venue operators and CCPs ("Financial market infrastructures"). Insurers, investment firms, payment institutions and CASPs are outside NIS2 unless national law extends its scope.

Scope: Who Is Covered?

DORA Scope — 21 Financial Entity Types

DORA Article 2 applies to:

  • Credit institutions (banks)
  • Payment institutions and e-money institutions
  • Investment firms and fund managers (UCITS, AIFMs)
  • Insurance and reinsurance undertakings
  • Insurance intermediaries (above size thresholds)
  • Institutions for occupational retirement provision (IORPs)
  • Central counterparties (CCPs) and central securities depositories (CSDs)
  • Trading venues and trade repositories
  • Credit rating agencies and securitisation repositories
  • Crypto-asset service providers (CASPs) and issuers of asset-referenced tokens
  • Crowdfunding service providers
  • Data reporting service providers
  • ICT third-party service providers (Art. 2(1)(u)); those designated as critical (CTPPs) fall under the oversight framework
Proportionality: the simplified ICT risk management framework of Article 16 applies to a closed list of entity types (small and non-interconnected investment firms, payment institutions and e-money institutions exempted under PSD2/EMD2, certain institutions exempted under CRD, and small IORPs). Microenterprises do not get Article 16 automatically; they rely on the general proportionality principle of Article 4 and on specific carve-outs such as the exclusion from TLPT (Art. 26).

NIS2 Scope — 18 Sectors, 2 Tiers

NIS2 Annex I & II cover entities in:

  • Energy (electricity, gas, oil, hydrogen)
  • Transport (air, rail, water, road)
  • Banking and financial market infrastructure
  • Health (hospitals, labs, pharma)
  • Drinking water and wastewater
  • Digital infrastructure (DNS, TLDs, cloud, data centres, CDNs, trust services)
  • ICT service management (managed service providers)
  • Public administration
  • Space
  • Postal and courier services, waste management, food production, manufacturing, digital providers (search engines, online marketplaces, social networks)
Tier classification: "Essential entities" (larger, higher risk) face stricter requirements and ex-ante supervision. "Important entities" face lighter obligations and ex-post supervision.

The Overlap — Financial Entities Covered by Both

DORA only

Payment institution, insurer, investment firm, CASP or any other DORA entity type that is not a NIS2 Annex I entity type. NIS2 lists only credit institutions, trading venue operators and CCPs in the financial sector, so these entities have no NIS2 "essential"/"important" designation regardless of size unless national law extends scope. Their burden is set by DORA's proportionality rules (Art. 4, and the Art. 16 simplified framework for the exempted types it lists).

DORA + NIS2

Large credit institution, trading venue or CCP. Nominally within both texts, but Article 4 NIS2 disapplies NIS2's risk management, incident reporting and supervision/enforcement provisions in favour of DORA, so DORA governs and NIS2's residual role is limited to national registration and inter-authority cooperation.

NIS2 only

IT managed service provider that serves financial entities but is not itself a financial entity. Subject to NIS2 directly (Annex I "ICT service management (business-to-business)", if it meets the size threshold) and to DORA only indirectly, through the Article 30 contractual provisions its financial customers must impose.

Cloud hyperscalers

AWS, Azure, Google Cloud: in NIS2 scope as cloud computing service providers (Annex I, digital infrastructure). Subject to DORA contractually via their financial entity customers and, once designated as CTPPs by the ESAs, to direct oversight under DORA Articles 31 to 44.

Requirements: Side-by-Side Comparison

The table below compares the key obligations across both frameworks. Where DORA and NIS2 address the same topic, DORA's requirement is the binding one for financial entities.

Requirement: Incident reporting
DORA: Three reports to the financial NCA for a major ICT-related incident (Art. 19, Delegated Regulation (EU) 2025/301): initial notification within 4 hours of classifying the incident as major and no later than 24 hours after becoming aware of it; intermediate report within 72 hours of the initial notification; final report within one month of the intermediate report (or its latest update).
NIS2: Three reports to the CSIRT or NCA for a significant incident (Art. 23): early warning within 24 hours of becoming aware; incident notification within 72 hours of becoming aware; final report no later than one month after the incident notification (mandatory, not optional). Intermediate status updates on request.

Requirement: Risk management
DORA: ICT-specific framework built on five functions: governance, protection and prevention, detection, response and recovery, learning and evolving (Arts. 5 to 16). Detailed methodology in Delegated Regulation (EU) 2024/1774. The management body is directly responsible.
NIS2: General cybersecurity risk management. Ten minimum measures (Art. 21(2)) including policies and risk analysis, incident handling, business continuity and backups, supply chain security, secure development and vulnerability handling, effectiveness assessment, cyber hygiene and training, cryptography, HR security and access control, and MFA or continuous authentication.

Requirement: Third-party oversight
DORA: Comprehensive. Register of Information on all ICT third-party arrangements (Art. 28(3)), submitted to the NCA in the ESA-prescribed format (xBRL-CSV for the 2025 collection); mandatory contractual provisions for every ICT service (Art. 30(2)) with additional ones for services supporting critical or important functions (Art. 30(3)); concentration risk assessment (Art. 29); oversight framework for CTPPs designated by the ESAs (Arts. 31 to 44), 19 designated so far.
NIS2: Supply chain security is one of the ten Art. 21(2) measures (point (d)), covering direct suppliers and service providers. No register mandate, no prescribed contract clauses and no direct supervisory oversight of suppliers; EU-level coordinated supply chain risk assessments are run by the Cooperation Group (Art. 22).

Requirement: Resilience testing
DORA: Full digital operational resilience testing programme (Arts. 24 and 25): vulnerability assessments and scans, network security assessments, gap analyses, physical security reviews, scenario-based tests, source code reviews and penetration testing. TLPT at least every three years for entities identified by their NCA (Art. 26), excluding microenterprises and Art. 16 entities; methodology in the TLPT RTS, aligned with TIBER-EU.
NIS2: Testing is implicit in Art. 21(2)(f) (policies and procedures to assess the effectiveness of measures); no TLPT mandate. Supervisors may order targeted security audits and security scans (Arts. 32 and 33).

Requirement: Penalties
DORA: Administrative penalty amounts for financial entities are left to member states (Art. 50); the Regulation itself fixes no turnover-based maximum. The one EU-level figure is the periodic penalty payment for non-cooperating CTPPs: up to 1% of average daily worldwide turnover in the preceding business year, for up to six months (Art. 35(6)).
NIS2: Essential entities: up to EUR 10,000,000 or 2% of total worldwide annual turnover, whichever is higher. Important entities: up to EUR 7,000,000 or 1.4%, whichever is higher (Art. 34). Management liability provisions in Art. 20.

Requirement: Supervision model
DORA: Multi-level. The ESAs (EBA, EIOPA, ESMA) draft the RTS/ITS that the Commission adopts as delegated and implementing regulations, and issue guidelines; NCAs supervise individual financial entities; CTPPs are overseen by a Lead Overseer (one of the three ESAs) assisted by the Oversight Forum and the Joint Oversight Network (Arts. 31 to 34).
NIS2: National competent authorities and single points of contact designated by each member state. Cooperation Group (Art. 14) and CSIRTs network (Art. 15) for cross-border coordination; ENISA supports but does not supervise. No EU-level supervisory body equivalent to the ESAs.

Requirement: Information sharing
DORA: Voluntary exchange of cyber threat information and intelligence among financial entities (Art. 45), with participation notified to the NCA. Competent authorities forward major incident reports to the ESAs, the ECB and the NIS2 authorities (Art. 19(6)) and may return feedback and anonymised intelligence to reporting entities.
NIS2: Member states must establish national CSIRTs (Art. 10); voluntary information-sharing arrangements among entities (Art. 29); CSIRTs network for operational cooperation (Art. 15); EU-CyCLONe for large-scale incidents and crises (Art. 16).

Requirement: Governance
DORA: The management body defines, approves, oversees and is responsible for the ICT risk management framework (Art. 5(2)), including approval of the ICT business continuity and third-party policies, and receives regular reporting. Its members must maintain sufficient knowledge of ICT risk through regular training (Art. 5(4)).
NIS2: Management bodies must approve the Art. 21 measures, oversee their implementation and can be held liable for infringements (Art. 20(1)). Their members are required to follow training, and entities are encouraged to offer similar training to all employees (Art. 20(2)).


Practical Implications: What This Means for You

Your obligations depend on your organisation type and the sectors you operate in. The scenarios below cover the most common situations.

Bank, Insurer or Other Financial Entity: DORA primary

DORA is your compliance framework and your financial NCA supervises you under it. If you are a credit institution, trading venue or CCP you are nominally a NIS2 essential entity as well, but Article 4 NIS2 disapplies NIS2's risk management, incident reporting, supervision and enforcement provisions in favour of DORA, so DORA compliance is your NIS2 compliance for those topics. If you are an insurer, investment firm, payment institution or CASP, you are not a NIS2 entity at all. Either way, build the programme on DORA; NIS2 matters only for non-financial entities in your group that operate in NIS2 sectors.

ICT Provider to Finance: Both apply

You face NIS2 obligations directly (as a cloud service, data centre or managed service provider in Annex I) and DORA obligations contractually, through the Article 30 provisions your financial entity customers must impose. The largest regulatory consequence is designation as a CTPP under DORA, which brings direct oversight by a Lead Overseer at EU level. Align your NIS2 baseline with the DORA contractual requirements; they are largely complementary, with DORA the more prescriptive of the two.

Fintech / Payment Institution: DORA, NIS2 only by exception

In scope for DORA as a payment institution or e-money institution. Payment and e-money institutions are not among the NIS2 Annex I/II entity types, so a NIS2 "important entity" designation is not expected unless your national transposition extends scope or you separately offer a NIS2-sector service (for example a cloud or managed service to third parties); verify with your national authority. Use DORA as your compliance backbone. If you are a payment or e-money institution exempted under PSD2/EMD2, the simplified framework of Art. 16 applies; other small entities rely on the Art. 4 proportionality principle.

Mixed Holding (Finance + Other): Complex overlap

Regulated financial subsidiaries: DORA. Non-financial subsidiaries in NIS2 sectors (energy, transport, health, digital infrastructure): NIS2 under the relevant national transposition. Group level: implement one security baseline that satisfies both, applying DORA-level requirements to shared ICT services that support financial entities' critical or important functions, since DORA treats intra-group ICT providers as ICT third-party service providers (Art. 3) and brings them within the Art. 28 to 30 rules. Legal entity mapping is essential.

Key Practical Actions for Dual-Scope Entities

  • Map your scope legally: Confirm which entities within your group are subject to DORA, which to NIS2, and which to both. Document this in your ICT risk framework.
  • Identify your NIS2 "tier": Are you an "essential" or "important" entity under your national NIS2 transposition? This determines supervision intensity and penalty scale.
  • Merge your reporting processes: DORA clocks (initial notification within 4h of classification and at most 24h from awareness, intermediate report 72h later, final report one month after that) and NIS2 clocks (24h, 72h and one month, all counted from awareness or the preceding report) differ. For a DORA financial entity, DORA reporting to the financial NCA replaces NIS2 reporting (Art. 4 NIS2), and the NCA forwards the report to the NIS2 authority (Art. 19(6) DORA). Parallel notifications arise only where one incident hits both a financial entity and a non-financial NIS2 entity in the group, so build one intake process that determines per legal entity which clocks apply.
  • Align ICT supplier contracts: DORA Article 30 prescribes specific contractual provisions, whereas NIS2 Art. 21(2)(d) only requires supply chain risk to be addressed. DORA-compliant contracts will generally satisfy NIS2 supply chain expectations for the same providers; the reverse does not hold.
  • Single management body accountability: Both frameworks require board-level accountability and board training. One governance structure covering both is more efficient than parallel frameworks.
  • Coordinate with your CSIRT: NIS2 entities in the group report significant incidents to the national CSIRT or NIS2 authority, a separate channel from a financial entity's DORA reporting to its NCA. Define both channels and record which legal entity reports where.

Timeline Comparison

DORA Timeline

  • 16 January 2023
    DORA entered into force; 24-month period before the application date begins
  • June–November 2024
    First batch of RTS/ITS published in EU Official Journal (risk management, incident classification, third-party policies, register templates)
  • 17 January 2025
    DORA application date: all financial entities must comply from this date. No grace period.
  • February–April 2025
    Final RTS/ITS published: incident reporting (RTS 2025/301), subcontracting (RTS 2025/532)
  • April 2025
    First Register of Information submissions to NCAs (xBRL-CSV format)
  • November 2025
    19 CTPPs officially designated by ESAs — direct oversight begins
  • Q1 2026
    Second RoI submission cycle — heightened supervisory expectations
  • 17 January 2026
    Article 58 review deadline — Commission report on extending DORA to auditors
  • 17 January 2028
    Three years after the application date: given the three-year cycle in Art. 26(1), the latest point by which an entity identified for TLPT in 2025 should have completed its first test. DORA sets no fixed calendar deadline; your NCA determines the actual schedule.

NIS2 Timeline

  • 16 January 2023
    NIS2 Directive entered into force; 21-month transposition period begins
  • 17 October 2024
    NIS2 transposition deadline — member states must have enacted national implementing legislation. Many states missed this deadline.
  • Late 2024 – 2025
    Ongoing national transpositions — Germany (NIS2UmsuCG), France (ANSSI framework), Netherlands, Belgium, etc. Progress varies widely.
  • 2025–2026
    Entity registration with national CSIRTs / NCAs. Entities self-assess "essential" vs "important" classification under national implementing laws.
  • 2026 onwards
    Active NIS2 enforcement by national authorities. First significant penalties expected. European Commission monitoring transposition quality.
Transposition status: Check your national authority's website for the current status of NIS2 transposition in your country — obligations may already apply even if formal notification of your entity has not yet occurred.
