Skip to main content
DORA Auditor

DORA vs NIS2: How the Two EU Frameworks Differ

Last updated: 2 authoritative sourcesDORA Auditor Editorial Team

DORA is a sector-specific EU regulationfor financial entities' ICT operational resilience; NIS2 is a broad EU directive raising cybersecurity across many essential sectors. Where both could apply to a financial entity, DORA takes precedence as lex specialis for ICT resilience matters.

Side-by-side

AspectDORANIS2
Legal instrumentRegulation (directly applicable)Directive (nationally transposed)
Primary scopeFinancial entities + critical ICT providersEssential & important entities across many sectors
FocusDigital operational resilience of ICTGeneral cybersecurity risk management
Incident reportingHarmonised, ICT-specific timelinesSector-wide reporting to national CSIRTs
Third-party oversightDirect EU oversight of critical ICT providersSupply-chain security obligations
Applies since17 January 2025Transposition deadline 17 October 2024

Which one applies to you?

Regulated financial entities should treat DORAas the governing framework for ICT operational resilience. Organisations outside financial services, or financial firms' non-financial group entities, may fall under NIS2 as transposed in their member state. Many groups must map both.

Frequently asked questions

Does DORA or NIS2 apply to my financial firm?
Is DORA a regulation or a directive?

Sources

  1. Regulation (EU) 2022/2554 (DORA), EUR-Lex
  2. Directive (EU) 2022/2555 (NIS2), EUR-Lex