Two major EU regulations now shape the cybersecurity and resilience landscape for financial institutions: the Digital Operational Resilience Act (DORA) and the NIS2 Directive. Both address cybersecurity, but from different angles and with different scopes. For financial entities operating in the EU, understanding the relationship between these two frameworks is essential for efficient compliance planning.
DORA - sector-specific digital resilience
DORA (Regulation (EU) 2022/2554) is a regulation - meaning it applies directly and uniformly across all EU member states. It focuses exclusively on the financial sector and addresses digital operational resilience comprehensively. DORA covers:
- ICT risk management - governance, asset mapping, protection, detection, response, recovery
- ICT incident reporting - classification criteria, mandatory reporting to competent authorities
- Digital operational resilience testing - basic testing and threat-led penetration testing (TLPT)
- Third-party ICT risk - register of information, due diligence, concentration risk, oversight of critical providers
- Information sharing - voluntary cyber threat intelligence exchange
DORA applies to a wide range of financial entities: credit institutions, investment firms, insurance undertakings, payment institutions, crypto-asset service providers, and more - approximately 22,000 entities across the EU.
NIS2 - cross-sector cybersecurity
NIS2 (Directive (EU) 2022/2555) is a directive, meaning each member state must transpose it into national law. It takes a broader, cross-sector approach to cybersecurity and applies to essential and important entities across many sectors, including energy, transport, health, digital infrastructure - and, notably, banking and financial market infrastructure.
Key NIS2 requirements include:
- Risk management measures - policies on risk analysis, incident handling, supply chain security, encryption, access control
- Incident reporting - early warning within 24 hours, incident notification within 72 hours, final report within one month
- Supply chain security - assessment of supply chain risks and security measures
- Governance accountability - management bodies must approve and oversee cybersecurity measures
The lex specialis principle
The most important concept for financial entities is that DORA is lex specialis - it takes precedence over NIS2 for entities within DORA's scope. This principle is explicitly stated in DORA's recitals and confirmed by the European Commission.
Where DORA's requirements are at least equivalent to corresponding NIS2 provisions, DORA applies instead. Financial entities do not need to comply with both sets of overlapping obligations.
In practice, this means financial entities should treat DORA as their primary compliance framework. However, this does not mean NIS2 is entirely irrelevant.
Key comparison
| Dimension | DORA | NIS2 |
|---|---|---|
| Legal form | Regulation (directly applicable) | Directive (requires transposition) |
| Sector scope | Financial sector only | Cross-sector (18 sectors) |
| Focus | Digital operational resilience | Network and information security |
| Incident reporting | To financial competent authority | To national CSIRT or authority |
| Third-party oversight | Detailed (register of information, oversight of critical ICT third-party providers) | Supply chain risk assessment |
| Resilience testing | Mandatory (including TLPT) | Not explicitly required |
| Penalties | Defined by financial supervisors | Up to 10M EUR or 2% turnover |
Where NIS2 adds value beyond DORA
While DORA is the primary framework, NIS2 introduces some elements worth considering:
- Supply chain breadth - NIS2's supply chain security requirements extend beyond ICT providers. Financial entities may benefit from applying NIS2's broader supply chain thinking to non-ICT suppliers.
- National CSIRT coordination - NIS2 strengthens national computer security incident response teams. Financial entities may benefit from the improved threat intelligence sharing that NIS2 facilitates at the national level.
- Cross-sector dependency awareness - Financial entities depend on sectors covered by NIS2 (energy, telecommunications, cloud). As NIS2 raises the baseline for these sectors, it indirectly improves the resilience of the financial sector's supply chain.
- Governance accountability - NIS2's explicit management liability provisions may influence how financial supervisors interpret DORA's governance requirements.
The UK perspective
Following Brexit, neither DORA nor NIS2 applies directly to UK-based entities. However, the UK is developing its own frameworks:
- The UK's existing NIS Regulations 2018 remain in force and will be updated through the upcoming Cyber Security and Resilience Bill
- The PRA and FCA have their own operational resilience requirements, which share many concepts with DORA
- UK-based financial entities serving EU customers or operating EU subsidiaries will need to comply with DORA for their EU operations
- Many UK firms are aligning with DORA voluntarily as a benchmark for operational resilience best practice
Practical implications for financial entities
Based on the lex specialis principle and the practical overlap between the two frameworks, here are our recommendations:
- Focus on DORA compliance first. It is the primary obligation and covers the most specific requirements for financial entities.
- Map DORA to NIS2. Identify where your DORA compliance already satisfies NIS2 requirements. In most areas, it will.
- Address NIS2 gaps selectively. For any NIS2 requirements not covered by DORA, assess whether they are relevant to your risk profile.
- Monitor national transposition. NIS2 is transposed differently in each member state. Check your local implementation for any financial-sector-specific additions.
- Leverage DORA for competitive advantage. Strong DORA compliance demonstrates operational maturity that benefits relationships with regulators, clients, and partners.
For EU financial entities, DORA is the primary compliance framework. Treat it as your foundation. NIS2 is relevant primarily through its impact on your supply chain and the broader cybersecurity ecosystem, not as a separate compliance obligation.
Further reading
- DORA Regulation full text (EU 2022/2554) - EUR-Lex
- NIS2 Directive full text (EU 2022/2555) - EUR-Lex
- EIOPA - DORA Overview