Interactive comparison · Updated 2026

DORA vs NIS2

Two EU frameworks. One landscape. Find out in 30 seconds which one applies to you, where they overlap, and how a single platform covers both.

DORA (lex specialis · financial sector)

Digital Operational Resilience Act
Regulation (EU) 2022/2554

  • Type: Regulation
  • In force: 17 Jan 2025
  • Scope: 21 FE types
  • Penalties: up to 2% turnover

NIS2 (cross-sector · cybersecurity)

Network & Information Security 2
Directive (EU) 2022/2555

  • Type: Directive
  • Transposed: 17 Oct 2024
  • Scope: 18 sectors
  • Penalties: up to 10M EUR / 2%

Article 1(2) DORA — for financial entities, DORA prevails as lex specialis. NIS2 still fills the gaps DORA does not cover.

Which one applies to you?

A 3-step decoder. No forms, no signup — just click your way to the answer.

Step 1: What kind of entity are you?

Both apply

You are in scope of DORA AND NIS2.

As a medium or large financial entity, both regulations apply. DORA prevails as lex specialis for the requirements both texts cover (incident reporting, third-party risk, governance). NIS2 still applies to areas DORA does not address — for example general cybersecurity hygiene at corporate level. In practice, full DORA compliance covers ~80% of equivalent NIS2 obligations; the remaining gaps must be assessed against your national NIS2 transposition.

Recommended action: use DORA as your primary framework, run a NIS2 gap assessment against the national transposition, document the equivalence mapping and consolidate evidence in a single platform.


DORA only

DORA applies. NIS2 likely does not.

Microenterprises and small financial entities below NIS2 size thresholds typically fall outside NIS2 scope. DORA still applies in full, but you may benefit from the simplified ICT risk management framework (Article 16). Some Member States extend NIS2 to small entities under specific conditions — verify with your national authority.


Maximum stack

DORA + NIS2 + national CII obligations apply.

Large financial entities operating critical infrastructure stack three regimes: DORA (operational resilience), NIS2 (baseline cybersecurity) and national critical-infrastructure rules (e.g. France's LPM/IIV, Germany's KRITIS). DORA prevails for ICT-risk topics; NIS2 fills cyber-baseline gaps; national CII rules add bespoke obligations on top. Plan for three reporting flows and three competent authorities.


Direct + indirect

NIS2 directly. DORA contractually. Possibly designated CTPP.

Cloud hyperscalers, datacentres, DNS and other digital infrastructure are directly subject to NIS2. They are contractually subject to DORA via the mandatory clauses (RTS 2024/1773) imposed by their financial-entity customers. If designated as a Critical ICT Third-Party Provider (CTPP) under DORA Articles 31-44, they fall under direct ESA oversight as well. The first list of designated CTPPs was published in late 2025.


NIS2 direct · DORA cascade

NIS2 directly. DORA cascades through your contracts.

Managed Service Providers (MSP/MSSP) are explicitly listed in NIS2 Annex II as "essential" or "important" entities. You also inherit DORA obligations through contracts with your financial-entity customers: mandatory clauses, audit rights, sub-contracting controls (RTS 2025/532). Building a single control framework that satisfies both is the only way to scale.


DORA flow-down

DORA contractual obligations flow down to you.

Even if you are below NIS2 size thresholds, your financial-entity customers will require you to accept DORA-mandated contractual clauses: incident notification, audit rights, exit plan, sub-contracting authorisation, jurisdiction. Refusal usually means contract loss. Plan early.


NIS2 only

NIS2 applies. DORA does not.

Non-financial entities in NIS2 sectors are only subject to NIS2. Your obligations come from your national transposition, not from DORA. However, if you provide ICT services to a financial entity, DORA-style contractual clauses will be imposed on you indirectly. Use NIS2 as your primary framework; track DORA developments to anticipate flow-down clauses from financial customers.

This site focuses on DORA — for NIS2-only entities, refer to your national CSIRT / competent authority.

NIS2 + national

NIS2 plus national public-sector cybersecurity rules.

Public administrations are covered by NIS2, with member-state discretion on scope and obligations. Most countries combine NIS2 transposition with sector-specific rules for government bodies. DORA does not apply unless the public body operates regulated financial activity.

The overlap, visualised

Click each zone to explore who is covered, what each regime imposes uniquely, and where DORA and NIS2 intersect.

Diagram: DORA (21 financial entity types) · NIS2 (18 cross-sector segments) · overlap zone, where DORA prevails.

DORA exclusive zone

  • Critical or Important Functions (CIFs) — service-level materiality test
  • Register of Information (RoI) — annual xBRL-CSV submission per ITS 2024/2956
  • Threat-Led Penetration Testing (TLPT) — TIBER-EU, every 3 years for significant entities
  • Critical ICT Third-Party Provider (CTPP) direct oversight regime
  • Mandatory contractual clauses — RTS 2024/1773 + RTS 2025/532 sub-contracting
  • 4h / 72h / 1-month harmonised incident reporting (RTS 2025/301)
  • Information sharing arrangements (Article 45)

Overlap zone — DORA prevails (Article 1(2))

  • ICT-risk management framework — both texts mandate one; DORA's RTS 2024/1774 is the binding standard for financial entities
  • Major incident reporting — DORA's harmonised template overrides NIS2 reporting at national authority level
  • Governance and management body accountability — DORA Article 5 supersedes NIS2 Article 20 for FEs
  • Business continuity and crisis management — DORA Article 11 prevails over NIS2 Article 21 for FEs
  • Supply-chain security — DORA's Articles 28-30 prevail over NIS2 Article 21(2)(d) for FEs
  • Penetration testing — DORA TLPT is the binding regime; NIS2 baseline testing is satisfied

NIS2 exclusive zone

  • Cross-sector "essential" / "important" classification regime (energy, transport, health, water, digital infra...)
  • National CSIRT cooperation obligations
  • EU-CyCLONe coordination during large-scale cybersecurity crises
  • Cybersecurity training and awareness at management body level (Art. 20)
  • National competent authority registration regime
  • Sectoral baseline measures for non-financial sectors (datacentres, MSPs, public admin...)
  • Cybersecurity certification schemes (Article 24) under EU Cybersecurity Act

Obligations heatmap

Intensity of each obligation theme — from 0 (not addressed) to 5 (highly prescriptive). The redder, the more granular and binding the requirement.

Each entry gives the obligation theme, the DORA score, the NIS2 score, and what the difference means in practice.

  • ICT risk management framework (DORA 5/5 · NIS2 3/5): DORA's RTS 2024/1774 is exhaustive; NIS2 sets a baseline of 10 measures (Art. 21).
  • Major incident reporting (DORA 5/5 · NIS2 3/5): DORA imposes harmonised 4h/72h/1-month timelines; NIS2 only sets early warning + reports without harmonised templates.
  • Third-party risk management (DORA 5/5 · NIS2 2/5): DORA codifies 15+ mandatory clauses, register of information, sub-contracting rules. NIS2 requires "supply-chain security" with broad discretion.
  • Penetration testing (DORA 5/5 · NIS2 2/5): DORA mandates TLPT (TIBER-EU) every 3 years for significant entities. NIS2 broadly requires "policies and procedures to assess effectiveness of cybersecurity risk-management measures".
  • Management body accountability (DORA 4/5 · NIS2 4/5): both texts make the management body personally accountable. DORA Art. 5 + NIS2 Art. 20 are equally strict.
  • Cyber awareness & training (DORA 3/5 · NIS2 4/5): NIS2 Article 20 explicitly requires management body cybersecurity training. DORA addresses awareness as part of the risk framework but with less specificity.
  • Register of contracts / suppliers (DORA 5/5 · NIS2 1/5): DORA mandates the Register of Information (xBRL-CSV ITS 2024/2956) annually. NIS2 has no equivalent register.
  • National CSIRT cooperation (DORA 1/5 · NIS2 5/5): NIS2 Articles 10-15 set the national CSIRT cooperation regime. DORA relies on competent authorities (EBA, EIOPA, ESMA) only.
  • Cross-border crisis coordination (DORA 3/5 · NIS2 5/5): NIS2 introduces EU-CyCLONe for large-scale cyber incidents. DORA has joint exercises and information sharing but no equivalent network.
  • Penalty regime (DORA 4/5 · NIS2 4/5): DORA: up to 1% daily until compliance + 2% turnover (Art. 50-52). NIS2: up to 10M EUR or 2% turnover (essential), 7M EUR or 1.4% (important).

Intensity scale: 1 = baseline, 2 = light, 3 = medium, 4 = high, 5 = maximum.

Parallel timeline

DORA and NIS2 milestones on a single timeline, each marked with the framework it belongs to.

  • 14 Dec 2022 (DORA): DORA published in OJEU
  • 27 Dec 2022 (NIS2): NIS2 published in OJEU
  • 17 Oct 2024 (NIS2): NIS2 transposition deadline
  • 17 Jan 2025 (DORA): DORA enters into force (regulation)
  • 30 Apr 2026 (DORA): first annual RoI submission deadline
  • 17 Jan 2028 (DORA): first TLPT cycle deadline

Cohabitation playbook — the right way to do both

Forty percent of EU financial entities will face dual DORA + NIS2 exposure. Treating each as a separate programme triples cost. Run them as one.

1. Anchor on DORA

Build your primary control framework around DORA — it is the more prescriptive of the two and acts as lex specialis. Cover the 5 pillars: ICT risk, incidents, testing, third-party risk, information sharing.

2. Map NIS2 deltas

Identify NIS2 obligations not satisfied by DORA: cyber awareness training (Art. 20), national CSIRT cooperation (Art. 10-15), EU-CyCLONe coordination, sectoral baseline measures applicable beyond financial activity.

3. Document equivalence

Produce a DORA-NIS2 equivalence matrix. Each NIS2 obligation maps to either: (a) a DORA control covering the same matter, (b) a NIS2-only delta with its own control. Supervisors will ask for this matrix.

4. Single source of truth

Run both programmes from one system. The Register of Information feeds NIS2 supply-chain security, the BIA feeds both ICT risk frameworks, incidents are reported once with two destinations. Stop duplicating.

One platform, two regulations

Stop running parallel programmes. Resiplan covers DORA and NIS2.

Resiplan is the specialised SaaS for DORA, business continuity and GRC — designed for EU financial entities and the ICT providers who serve them. Every module produces evidence valid for both regulations, with native equivalence mapping. One CIF inventory, one Register of Information, one incident workflow, two compliance certificates.

Module → regulation coverage

  • CIF Evaluation Module: service-level mapping with Article 3(22) gate, BIA import, MTPD threshold, T1/T2/T3 tier. Covers DORA Art. 3(22) · NIS2 Annex I scope test.
  • Register of Information: xBRL-CSV ITS 2024/2956. Doubles as the supply-chain security register required by NIS2 Art. 21(2)(d). Covers DORA Art. 28 · NIS2 Art. 21(2)(d).
  • Incident workflow: 4h/72h/1-month DORA timeline + NIS2 early-warning notification path. One trigger, two destinations. Covers RTS 2025/301 · NIS2 Art. 23.
  • BCM & BIA: service catalogue, RTO/RPO/MTPD, recovery testing, plans. Covers DORA Art. 11 · NIS2 Art. 21(2)(c).
  • Vendor risk & contracts: mandatory clauses tracker, sub-contracting controls, audit rights; satisfies both texts. Covers RTS 2024/1773 + 2025/532 · NIS2 Art. 21(2)(d).
  • Governance & training: management body sign-off workflow, evidence trail, awareness programme tracker. Covers DORA Art. 5 · NIS2 Art. 20.
  • TLPT programme tracker: five-phase TIBER-EU lifecycle (scoping, intel, attack, closure, attestation). Covers DORA Art. 26 · NIS2 Art. 21(2)(f) baseline.
  • DORA-NIS2 equivalence matrix: auto-generated mapping showing which DORA controls satisfy each NIS2 obligation; supervisor-ready. Basis: lex specialis Art. 1(2) · national transposition.


Overview: Two Frameworks, One Landscape

DORA: EU Regulation, directly applicable (Digital Operational Resilience Act)
vs
NIS2: EU Directive, requires national transposition (Network and Information Security Directive 2)

DORA — The Sector-Specific Framework

DORA (Regulation EU 2022/2554) entered into force on 17 January 2025 and applies directly across all EU member states without requiring national transposition. It covers 21 types of financial entities — from banks and insurers to crypto-asset service providers and payment institutions — plus their critical ICT third-party providers.

DORA is the financial sector's answer to the growing recognition that ICT risk is not just a technical issue but a systemic financial stability risk. It builds on existing EBA, EIOPA, and ESMA guidelines and replaces them with legally binding obligations.

Key legal character: DORA is a Regulation — it applies uniformly across the EU from day one, with no room for national variation. There is no implementation period for member states.

NIS2 — The Cross-Sector Framework

NIS2 (Directive EU 2022/2555) replaces the original NIS Directive (2016) and sets a baseline cybersecurity standard for "essential" and "important" entities across 18 sectors including energy, transport, health, digital infrastructure, and financial markets.

As a Directive, NIS2 required transposition into national law by 17 October 2024. Implementation progress varies across member states — as of early 2026, several countries are still finalising their national frameworks, creating a patchwork of obligations.

Key legal character: NIS2 is a Directive — member states have flexibility in how they implement it. Obligations may vary by country, sector, and entity size.
The critical rule — Article 1(2) DORA: DORA explicitly states that it constitutes a lex specialis to NIS2 for entities within its scope. Where the two instruments address the same matter, DORA's requirements take precedence for financial entities. This means a bank that complies fully with DORA will have satisfied its equivalent NIS2 obligations — but NIS2 still applies to areas DORA does not cover.

Scope: Who Is Covered?

DORA Scope — 21 Financial Entity Types

DORA Article 2 applies to:

  • Credit institutions (banks)
  • Payment institutions and e-money institutions
  • Investment firms and fund managers (UCITS, AIFMs)
  • Insurance and reinsurance undertakings
  • Insurance intermediaries (above size thresholds)
  • Institutions for occupational retirement provision (IORPs)
  • Central counterparties (CCPs) and central securities depositories (CSDs)
  • Trading venues and trade repositories
  • Credit rating agencies and securitisation repositories
  • Crypto-asset service providers (CASPs) and issuers of asset-referenced tokens
  • Crowdfunding service providers
  • Data reporting service providers
  • Critical ICT third-party providers (CTPPs) — through the oversight framework

Proportionality: Microenterprises and small entities may qualify for the simplified ICT risk management framework under Article 16, reducing some obligations.

NIS2 Scope — 18 Sectors, 2 Tiers

NIS2 Annex I & II cover entities in:

  • Energy (electricity, gas, oil, hydrogen)
  • Transport (air, rail, water, road)
  • Banking and financial market infrastructure
  • Health (hospitals, labs, pharma)
  • Drinking water and wastewater
  • Digital infrastructure (DNS, TLDs, cloud, data centres, CDNs, trust services)
  • ICT service management (managed service providers)
  • Public administration
  • Space
  • Postal and courier services, waste management, food production, manufacturing, digital providers (search engines, online marketplaces, social networks)

Tier classification: "Essential entities" (larger, higher risk) face stricter requirements and ex-ante supervision. "Important entities" face lighter obligations and ex-post supervision.

The Overlap — Financial Entities Covered by Both

DORA only

Small payment institution below NIS2 size thresholds. Subject to DORA proportionality rules, but not NIS2 "essential"/"important" designation.

DORA + NIS2

Large bank or major insurer. Covered by both — DORA prevails for overlapping requirements. NIS2 fills remaining gaps.

NIS2 only

IT managed service provider that serves financial entities but is not itself a financial entity. Subject to NIS2 directly (and DORA contractually through its customers).

Cloud hyperscalers

AWS, Azure, Google Cloud: covered by NIS2 as digital infrastructure providers. Subject to DORA contractually via financial entity customers. Potentially designated as CTPPs under DORA direct oversight.

Requirements: Side-by-Side Comparison

The table below compares the key obligations across both frameworks. Where DORA and NIS2 address the same topic, DORA's requirement is the binding one for financial entities.

Incident reporting
  DORA: 3-stage process: initial report within 4 hours of classification as major; interim report within 72 hours; final report within 1 month. Reported to national competent authority (NCA).
  NIS2: 2-stage process: early warning within 24 hours of becoming aware; full notification within 72 hours. Optional final report within 1 month. Reported to CSIRT or NCA.

Risk management
  DORA: ICT-specific, 5 pillars: governance, protection, detection, response/recovery, learning. Detailed RTS on methodology (RTS 2024/1774). Management body directly accountable.
  NIS2: General cybersecurity risk management. 10 minimum measures (Art. 21) including policies, incident handling, business continuity, supply chain, access controls, MFA, cryptography, HR security.

Third-party oversight
  DORA: Comprehensive: Register of Information mandatory (xBRL-CSV format); 15+ contractual clauses required (Art. 30); CTPP framework with direct ESA oversight of 19 designated providers; concentration risk assessment.
  NIS2: Supply chain security requirements: entities must address cybersecurity risks in the supply chain (Art. 21(2)(d)). No register mandate, no direct supplier oversight framework.

Resilience testing
  DORA: Full programme: vulnerability assessments, network security assessments, scenario-based testing, source code reviews. TLPT mandatory for designated significant entities (every 3 years). RTS specifies methodology.
  NIS2: Security testing required as part of risk management policies, but no TLPT mandate. National authorities may impose specific testing requirements on essential entities.

Penalties
  DORA: Up to 2% of total annual worldwide turnover (financial entities, Art. 50); up to 1% daily compulsion payments for ongoing non-compliance; up to €1,000,000 for natural persons. CTPPs: up to 1% daily turnover.
  NIS2: Essential entities: up to €10,000,000 or 2% of global turnover (whichever higher). Important entities: up to €7,000,000 or 1.4%. Management liability provisions.

Supervision model
  DORA: Multi-level: ESAs (EBA, EIOPA, ESMA) issue binding RTS and guidelines; NCAs supervise individual financial entities; JOC oversees CTPPs directly. Cross-border: ESA coordination.
  NIS2: National competent authorities (NCAs) designated by each member state. NIS2 Cooperation Group for cross-border coordination. No pan-EU supervisory body equivalent to ESAs.

Information sharing
  DORA: Voluntary information sharing arrangements encouraged (Art. 45). ESAs may share threat intelligence with entities. CTPPs subject to incident notification to ESAs.
  NIS2: Member states must establish national CSIRTs; peer-to-peer sharing encouraged. CyCLONe network for large-scale incidents. EU-CyCLONe for crisis management.

Governance
  DORA: Management body (board) formally accountable for ICT risk (Art. 5). Board must approve ICT risk framework, receive regular reports. Individual board member training required.
  NIS2: Management bodies must approve risk management measures and are personally liable for infringements (Art. 20). Training for management recommended but not prescribed in detail.

Need the full RTS text? All 13 DORA technical standards are available in our free reference guide.


Practical Implications: What This Means for You

Your obligations depend on your organisation type and the sectors you operate in. The scenarios below cover the most common situations.

Bank or Insurer (DORA primary)

DORA is your primary compliance framework. Full DORA compliance satisfies all equivalent NIS2 obligations. Your NCA will supervise you under DORA. NIS2 applies only to areas DORA does not cover (e.g. some physical security aspects). Focus 95% of your resources on DORA.

ICT Provider to Finance (both apply)

You face NIS2 obligations directly (as a cloud service, data centre, or managed service provider) AND DORA contractual obligations through your financial entity customers. Largest risk: being designated as a CTPP under DORA, triggering direct ESA oversight. Align NIS2 baseline with DORA contractual requirements — they are largely complementary.

Fintech / Payment Institution (both may apply)

In scope for DORA as a payment institution or e-money institution. May also qualify as NIS2 "important entity" depending on size and national transposition. Use DORA as your compliance backbone. Verify NIS2 designation with your national authority. DORA's proportionality provisions (Art. 16) may reduce your burden if you are a small entity.

Mixed Holding (Finance + Other): complex overlap

Regulated financial subsidiaries: DORA. Non-financial subsidiaries in NIS2 sectors (energy, transport, health): NIS2 only. Group-level: consider implementing a unified security baseline that satisfies both, with DORA-level requirements applied to all critical ICT shared services. Legal entity mapping is essential.

Key Practical Actions for Dual-Scope Entities

  • Map your scope legally: Confirm which entities within your group are subject to DORA, which to NIS2, and which to both. Document this in your ICT risk framework.
  • Identify your NIS2 "tier": Are you an "essential" or "important" entity under your national NIS2 transposition? This determines supervision intensity and penalty scale.
  • Merge your reporting processes: DORA (4h/72h/1 month) and NIS2 (24h/72h) timelines are different. A single incident may require parallel notifications to different authorities on different schedules.
  • Align ICT supplier contracts: DORA Article 30 clauses are more detailed than NIS2 supply chain requirements. DORA-compliant contracts will generally satisfy NIS2 supply chain obligations for ICT providers.
  • Single management body accountability: Both frameworks require board-level accountability. One governance structure covering both is more efficient than parallel frameworks.
  • Coordinate with your CSIRT: NIS2 requires coordination with national CSIRTs for major incidents. This is separate from your DORA reporting channel to your financial NCA.
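The "merge your reporting processes" action above is easiest to see on a concrete clock. The following Python is an added example, not code from the page or from Resiplan: it takes one incident, applies the DORA 4h/72h/1-month and NIS2 24h/72h/1-month timelines the page quotes, and produces a single schedule with the receiving authority for each deadline. The sample incident timestamps are constructed. The clock anchors are assumptions: DORA deadlines are counted from classification as major (the anchor the page names for the 4-hour report), NIS2 deadlines from the moment of becoming aware, and "1 month" is taken as one calendar month; check your RTS 2025/301 reading and your national NIS2 transposition before relying on the exact anchors.

```python
from datetime import datetime, timedelta, timezone
from calendar import monthrange

# Constructed sample incident (not from the page): a significant incident the
# entity becomes aware of at 09:00 UTC and classifies as "major" under DORA
# twelve hours later. The lag between the two events is what makes the two
# clocks diverge.
AWARE_AT = datetime(2026, 3, 2, 9, 0, tzinfo=timezone.utc)
CLASSIFIED_AT = datetime(2026, 3, 2, 21, 0, tzinfo=timezone.utc)


def add_one_month(ts):
    """Advance by one calendar month, clamping to the last day of the target month
    (assumption: '1 month' on the page means one calendar month)."""
    year = ts.year + ts.month // 12
    month = ts.month % 12 + 1
    day = min(ts.day, monthrange(year, month)[1])
    return ts.replace(year=year, month=month, day=day)


def dora_deadlines(classified_at):
    # Assumption: all three DORA clocks are anchored on classification as major.
    return [
        ("DORA initial report (4h from classification)", classified_at + timedelta(hours=4)),
        ("DORA interim report (72h)", classified_at + timedelta(hours=72)),
        ("DORA final report (1 month)", add_one_month(classified_at)),
    ]


def nis2_deadlines(aware_at):
    # Assumption: all NIS2 clocks are anchored on becoming aware of the incident.
    return [
        ("NIS2 early warning (24h from awareness)", aware_at + timedelta(hours=24)),
        ("NIS2 full notification (72h)", aware_at + timedelta(hours=72)),
        ("NIS2 final report (1 month, optional)", add_one_month(aware_at)),
    ]


def merged_schedule(aware_at, classified_at):
    """One incident, two destinations: every deadline with its receiving authority, earliest first."""
    rows = [(due, label, "financial NCA (DORA)") for label, due in dora_deadlines(classified_at)]
    rows += [(due, label, "CSIRT / NIS2 competent authority") for label, due in nis2_deadlines(aware_at)]
    rows.sort(key=lambda r: r[0])
    return rows


def schedule_lines(aware_at=AWARE_AT, classified_at=CLASSIFIED_AT):
    """Render the merged schedule as one line per deadline."""
    return [f"{due.isoformat()}  {label}  ->  {dest}"
            for due, label, dest in merged_schedule(aware_at, classified_at)]


def next_due(now, aware_at=AWARE_AT, classified_at=CLASSIFIED_AT):
    """Label of the next notification still ahead at time `now`, or None once all have passed."""
    for due, label, _ in merged_schedule(aware_at, classified_at):
        if due > now:
            return label
    return None


if __name__ == "__main__":
    for line in schedule_lines():
        print(line)
```

With a twelve-hour classification lag the DORA initial report falls due eight hours before the NIS2 early warning, while the NIS2 72-hour notification lands twelve hours before the DORA interim report: the order of the two flows flips between stages, which is why a single tracker with both destinations is safer than two teams each watching their own clock.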

Timeline Comparison

DORA Timeline

  • January 2023
    DORA entered into force — 24-month implementation period begins
  • June–November 2024
    First batch of RTS/ITS published in EU Official Journal (risk management, incident classification, third-party policies, register templates)
  • 17 January 2025
    DORA mandatory application date — all financial entities must comply. No grace period.
  • February–April 2025
    Final RTS/ITS published: incident reporting (RTS 2025/301), subcontracting (RTS 2025/532)
  • April 2025
    First Register of Information submissions to NCAs (xBRL-CSV format)
  • November 2025
    19 CTPPs officially designated by ESAs — direct oversight begins
  • Q1 2026
    Second RoI submission cycle — heightened supervisory expectations
  • 17 January 2026
    Article 58 review deadline — Commission report on extending DORA to auditors
  • 17 January 2028
    First TLPT completion deadline for designated significant entities

NIS2 Timeline

  • January 2023
    NIS2 Directive entered into force — 21-month transposition period begins
  • 17 October 2024
    NIS2 transposition deadline — member states must have enacted national implementing legislation. Many states missed this deadline.
  • Late 2024 – 2025
    Ongoing national transpositions — Germany (NIS2UmsuCG), France (ANSSI framework), Netherlands, Belgium, etc. Progress varies widely.
  • 2025–2026
    Entity registration with national CSIRTs / NCAs. Entities self-assess "essential" vs "important" classification under national implementing laws.
  • 2026 onwards
    Active NIS2 enforcement by national authorities. First significant penalties expected. European Commission monitoring transposition quality.

Transposition status: Check your national authority's website for the current status of NIS2 transposition in your country — obligations may already apply even if formal notification of your entity has not yet occurred.


Assess Your DORA Compliance Gap

Not sure where you stand across the 5 DORA pillars? Our free tools help you benchmark your current posture and prioritise remediation.



How Compliant Is Your Institution?

Take our free 5-minute assessment and get an instant DORA compliance score with personalised recommendations.
