DORA vs NIS2: How the Two EU Frameworks Differ
DORA is a sector-specific EU regulationfor financial entities' ICT operational resilience; NIS2 is a broad EU directive raising cybersecurity across many essential sectors. Where both could apply to a financial entity, DORA takes precedence as lex specialis for ICT resilience matters.
Side-by-side
| Aspect | DORA | NIS2 |
|---|---|---|
| Legal instrument | Regulation (directly applicable) | Directive (nationally transposed) |
| Primary scope | Financial entities + critical ICT providers | Essential & important entities across many sectors |
| Focus | Digital operational resilience of ICT | General cybersecurity risk management |
| Incident reporting | Harmonised, ICT-specific timelines | Sector-wide reporting to national CSIRTs |
| Third-party oversight | Direct EU oversight of critical ICT providers | Supply-chain security obligations |
| Applies since | 17 January 2025 | Transposition deadline 17 October 2024 |
Which one applies to you?
Regulated financial entities should treat DORAas the governing framework for ICT operational resilience. Organisations outside financial services, or financial firms' non-financial group entities, may fall under NIS2 as transposed in their member state. Many groups must map both.
Frequently asked questions
Does DORA or NIS2 apply to my financial firm?
If you are a regulated financial entity, DORA applies to your ICT operational resilience as lex specialis. NIS2 obligations that would otherwise overlap are generally displaced by DORA for those matters.
Is DORA a regulation or a directive?
DORA is a regulation, directly applicable in all member states without national transposition. NIS2 is a directive, which each member state transposes into national law.