In the last 10 years, the EU has made a concerted effort to tighten cyber security controls in the region. NIS was released in 2016 and by the end of 2024, NIS2 and DORA had been introduced as two of the most significant pieces of EU legislation regarding data and system safety, especially in the financial sector.
Though the two can overlap, there are distinctions that make each relevant to some organizations rather than others. Understanding where each piece of legislation fits in can help those operating in the EU do so without accidentally running into fines or legal issues.
Among other benefits of adopting NIS2, DORA, or both, the focus on risk mitigation and resilience built into each significantly strengthens how organizations handle their cybersecurity.
Before we break down the differences and overlaps between the two, here’s an overview of what NIS2 and DORA each comprise:
Establishing a unified legal framework to uphold cybersecurity in 18 critical sectors across the EU, the NIS2 Directive calls on Member States to define national cybersecurity strategies and collaborate with the EU for cross-border reaction and enforcement.
NIS2 was first transposed into national law by some EU member states (including Belgium and Germany) at the end of 2024. It expands on the original Network and Information Systems Directive in its mission to improve cybersecurity in critical sectors. Healthcare, transport, energy, finance, water management, and digital infrastructure and service companies were among the main entities to which NIS1 applied. NIS2 extends this to providers of public electronic communications services, more digital services such as social platforms, waste water and waste management, manufacturing of critical products, postal and courier services, public administration (at both central and regional level), and space. Under NIS2, medium-sized and large entities in any of these sectors are mandated to take appropriate cybersecurity risk-management measures and, when an incident occurs that could cause significant disruption or damage, to notify the relevant authorities of that significant incident.
NIS2 calls for relevant organizations to have mandatory cyber security risk management and incident plans in place. Failure to comply can cost companies as much as 2% of their global annual turnover.
DORA aims to strengthen the IT security of financial entities such as banks, insurance companies, and investment firms, and to make sure the EU's financial sector stays resilient in the event of a severe operational disruption. It ensures financial entities can withstand, respond to, and recover from ICT (Information and Communication Technology) disruptions, such as cyberattacks or system failures.
By harmonizing the rules on operational resilience, DORA applies to 20 different types of financial entities and to their ICT third-party service providers.
The Digital Operational Resilience Act came into effect in 2023, but organizations have only been required to comply since 2025. Unlike the broad strokes of NIS2, DORA is aimed squarely at the financial industry.
Banks and any businesses in the investment, insurance, or crypto-asset world all need to fall in line with the digital operational resilience framework. It is intended to boost resilience so that these companies are less likely to fall prey to cyber security issues and other ICT disruptions. Some of the main requirements include regular penetration testing and timely incident reporting to government entities.
Here is a detailed look at the main features of NIS2 and DORA:
These pieces of legislation by no means apply to everyone, but there is sometimes overlap. When that occurs, DORA takes precedence over NIS2. Here’s a closer look at who these documents are relevant to:
NIS2 is only relevant to organizations that fall under the EU’s designated essential and important entities within critical sectors. In some instances, NIS2 only applies to organizations with over 50 employees or above a certain turnover, but critical sectors are included regardless of these factors. Public administration is an example of this.
Here’s a more detailed list of the sectors and entities required to comply with NIS2 in the EU (dependent, however, on whether the directive has been transposed into the member state’s national laws):
Any organization in the financial sector or that acts as a critical ICT third-party provider to these organizations must comply with the DORA EU regulation. That includes banks, pension funds, investment firms, etc., and their ICT providers such as cloud and analytics services, sometimes applying to providers that aren’t even based in the EU.
These two pieces of EU legislation, though both intended to improve cybersecurity practices and resilience in the organizations they apply to, differ in several important ways:
NIS2 is a directive whereas DORA is a regulation. This has major implications for the scope of coverage. DORA applies directly to everyone in scope across the EU, over and above national laws, whereas NIS2 lays out objectives that each EU member state needs to transpose into its own national law.
In the same way that the legalities of DORA are tighter than NIS2, so too is the scope in terms of the regulated entities it’s aimed at. DORA is only for the financial sector and its third-party ICT providers. NIS2 has a much broader focus in that it encompasses a number of entities in critical sectors.
Though NIS2 does somewhat share DORA’s purpose of improving operational resilience in certain entities, it is far more focused on cybersecurity. DORA, on the other hand, is all about resilience and, as we’ll explore in the next point, requires far more rigorous testing as a result.
Resilience testing is simply encouraged under NIS2; it is not required. DORA, however, mandates advanced resilience testing, with compliance dependent on threat-led penetration testing being carried out every 3 years.
DORA and NIS2 differ quite a bit when it comes to incident reporting. DORA’s timelines vary depending on which authority the entity falls under, but entities still have to report any major incident that meets a defined threshold.
Those that fall under NIS2 have to report all significant incidents within 24 hours as an initial step and then follow up at the 72-hour and one-month marks.
Though we’ve discussed the distinction between NIS2 and DORA, it’s worth taking a moment to look at what the implications are for businesses that have to comply with them:
Better risk management is a benefit of both DORA and NIS2. The frameworks they lay out are very much focused on managing cyber security risks more effectively so that critical services in the EU are not slowed by these potential threats. The benefit of this is that businesses themselves are better protected from the potential fallout of a cyber-attack or ICT disaster.
The benefit of cyber security compliance in any context, EU or otherwise, is that it raises the level of accountability for this important issue. The fact that DORA and NIS2 include incident reporting requirements in itself ensures a greater level of accountability than what anyone in cyber security would have seen 10 or 15 years ago.
Cyber threats and ICT-related disruptions can’t be swept under the rug anymore. This benefits all of us as it makes things like banking and healthcare data safer and less likely to end up in the wrong hands. The heightened accountability also helps drive important changes in organizations and is often what helps push stronger policies through.
Let’s be honest, it’s the financial cost of non-compliance that really drives things. Poor cybersecurity isn’t just expensive because it increases risk exposure, but because it can cost thousands, or even millions, of euros in penalties.
The business implication of this is simple: organizations have to take NIS2 and DORA seriously and make sure that they have experts on hand who understand how best to navigate the legislation.
This then ensures that, in the case of an ICT incident for example, the response and reporting process operates appropriately. DORA and NIS2 set different timelines for this, which can be very frustrating if there isn’t proper collaboration.
Prescient Security isn’t just here for U.S. compliance and support, but for global assistance. If you’re a business in the EU or subject to the region’s cybersecurity legislation, our team is here to help.
We offer audit services for the NIS2 directive and DORA that make the compliance process feel simpler than ever. Our approach is designed to lessen your legal worries and ensure that your organization gets the maximum strategic benefits from compliance.