
In 2023, cyberattacks in Europe surged by 57%. This ongoing trend, coupled with the need to harmonise regulatory efforts across the EU and to respond to increasing levels of digital transformation, drove the European Union and its Member States to enhance cybersecurity and operational resilience requirements by adopting the updated Network and Information Systems Directive (NIS2) and the Digital Operational Resilience Act (DORA). Though the two are very similar, understanding the differences between NIS2 and DORA is essential to regulatory compliance and to minimising risk exposure.
Here, we will disentangle NIS2 and DORA to help you understand critical distinctions, including:
NIS2 and DORA are both cybersecurity regulations in the EU. But they aren’t exactly the same, and the differences matter.
NIS2 is a cybersecurity directive that sets a common objective for all Member States regarding digital resilience. The original directive was first implemented in 2016 and was amended in 2024.
Version two of the directive adds sectors, highlights personal accountability for cybersecurity resilience, implements a risk-based approach and introduces more rigorous reporting. Member States must then create their own legislation that meets the directive’s objectives, with the first compliance deadline set for October 2024.
DORA is a regulatory framework that governs financial institutions specifically. With a compliance deadline of 17 January 2025, its goal is to provide a unified standard by which the EU financial sector can protect itself against cyberattacks, IT system failures and other digital risks.
Unlike NIS2, DORA mandates specific requirements — rather than objectives — the EU has deemed critical to operational resilience.
Comparing the entities covered by NIS2 and DORA is essential to understanding your potential compliance burden under each.
The scope of the NIS2 directive includes eighteen highly critical and other critical sectors. As part of the update, the EU also introduced a size threshold rule to include all medium and large-sized companies.
Highly critical sectors
Other critical sectors
Essential and important entities further define these scopes; authorities will monitor and audit the former more closely.
Essential entities operate in a highly critical sector and have over 250 employees and an annual turnover of €50 million or a balance sheet total of €43 million.
Important entities operate in one of the highly critical or other critical sectors and have over 50 employees, an annual turnover of €10 million or a balance sheet total of €10 million.
DORA applies to 20 financial entity types, spanning the entire ecosystem of banking, financial services and intermediary service providers. For these organizations, DORA takes precedence over NIS2.
Notably, some ICT third-party service providers will be designated “critical” and become subject to direct regulatory oversight. This scrutiny extends to providers established outside the EU, such as in the U.K., that serve EU-based financial entities.
Covered financial entity types
Supply chain focus
NIS2 requires organisations to address cybersecurity weaknesses in their supply chain. Because each organisation must place security-related requirements on its direct suppliers and service providers, the obligations flow down contractually through the entire ecosystem of suppliers supporting the estimated 160,000 essential and important entities directly in scope of NIS2. Direct suppliers and service providers should ready themselves for these contractual obligations.
DORA also mandates enhanced third-party ICT risk management: third-party ICT risk must be managed as an integral component of the ICT risk management framework. A thorough pre-contracting analysis should precede and underpin the formal conclusion of any contractual arrangement, covering the criticality or importance of the services the envisaged ICT contract will support, any necessary supervisory approvals, possible concentration risk, the locations where the services are provided and where data is to be processed, and the financial entity’s rights of access, inspection and audit.
In a departure from its predecessor, NIS2 includes stricter and more detailed incident reporting requirements. The new requirements are intended to aid swifter and more effective communication about cybersecurity incidents. Covered entities must report any incident that leads to a significant service disruption or has the potential to harm the provision of services.
Organizations should be prepared to submit several incident reports after becoming aware of an incident:
Like NIS2, DORA mandates three post-incident reports. However, DORA’s reporting deadlines are less strict and defer to the competent authorities to set specific milestones. Under DORA, covered entities must report incidents that meet thresholds based on disruption to critical or important services, potential harm to consumers, financial markets or the economy, and whether multiple EU jurisdictions are affected.
NIS2 went into full effect on October 18, 2024, by which date Member States should have transposed the directive into their national legislation. Although many states missed this deadline, efforts are ongoing: nine countries have enacted an updated law and a draft law has been published in 17 countries.
Organisations that fail to comply with NIS2 face a range of penalties including:
Non-financial penalties
Financial penalties
Individual organization leaders directly accountable for breaches may also face sanctions, such as mandatory public disclosures of breaches and publication of their identities alongside specific information about the incident.
DORA entered into force on 16 January 2023 and became applicable from 17 January 2025. The regulation gives competent authorities significant power to intervene in non-compliant organizations, so EU financial entities should take compliance seriously. The powers granted to supervisory authorities include:
• Administrative penalties
• Remedial measures
• Operational shutdowns
• Criminal penalties
Those penalties and measures must be effective, proportionate and dissuasive, and imposed in accordance with the materiality, gravity and duration of the non-compliance, the profits gained or the losses experienced by third parties, and the level of cooperation.
Management bodies are assigned an active role and will have the responsibility to approve the cybersecurity risk-management measures taken by their organisations and to oversee implementation. A failure to ensure compliance can result in individuals being found liable for breach of their duties. Sanctions include temporarily prohibiting a person who is responsible for discharging managerial responsibilities at the CEO or legal representative level from exercising their managerial functions.
The management body of the financial entity must define, approve, oversee and be responsible for implementing all arrangements related to the ICT risk management framework. It bears ultimate responsibility for managing the entity’s ICT risk, which includes remaining continuously engaged in overseeing how that risk is monitored.
Multiple departments within financial entities share responsibility for compliance. While DORA does not assign responsibility to specific individuals, it does hold entities accountable for strict risk management, incident reporting and audit measures. This makes DORA not only a cybersecurity measure but also integral to governance, risk and compliance.
Given the similarities between NIS2 vs. DORA, entities covered by either regulation understandably wonder where one rule ends and the other begins. The reality is that they are interconnected in many ways.
DORA and NIS2 represent parallel efforts to enhance cybersecurity and operational resilience within the European Union, particularly across critical sectors. While both address similar concerns, their scopes and specific targets differ: DORA focuses strongly on ICT third-party service providers within the financial sector’s supply chain, whereas NIS2 takes a broader perspective, encompassing various critical sectors and addressing supply chain risks beyond ICT alone. Both seek to reduce uneven national approaches, harmonise improvements in resilience and increase resilience to disruption originating in ICT. A shared principle of proportionality guides implementation, so that organizations apply the rules in a manner appropriate to their size, overall risk profile and the complexity of their operations. Although NIS2 lists banking as a highly critical sector, DORA takes precedence for financial entities as the sector-specific regulation. Finally, both regulations assert extraterritorial application, extending their reach to entities not established within the EU but offering services within it.
NIS2 won’t exist in a vacuum. Its interconnected nature with DORA shows that the future of risk mitigation is collaborating across sectors and borders. This new reality demands a unified approach to governance, risk and compliance.
Organizations that effectively balance NIS2 and DORA will be those with visibility across the different areas of cybersecurity and third-party risk, enabling them to deliver the right assurance to the appropriate management bodies. It is always important to implement the right policies and practices, and the Diligent One Platform can help deliver that assurance.
Download our NIS2 Checklist today to learn how you can streamline your organization’s efforts to meet the Directive's requirements efficiently and how our NIS2 Compliance Toolkit (available through the Diligent One Platform) provides comprehensive tools and insights to help essential and important entities align with EU cybersecurity mandates. Empower your organization to manage risk and compliance effectively. Download the checklist now to get started.