DORA and NIS2: two EU legal acts, one goal
Both DORA (Digital Operational Resilience Act) and NIS2 (Network and Information Security Directive) are EU legal acts that strengthen the cyber resilience of European organizations. Yet they differ fundamentally in approach, scope, and requirements. For organizations in the financial sector, it is crucial to understand which one applies and how the two relate to each other.
Scope: who falls under which?
DORA specifically targets the financial sector: banks, insurers, investment firms, payment institutions, crypto-asset service providers, and their critical ICT service providers. DORA is a regulation directly applicable in all EU member states without national transposition.
NIS2 targets essential and important entities in 18 sectors, including energy, transport, healthcare, digital infrastructure, and the financial sector. NIS2 is a directive that must be transposed into national legislation by member states.
The key point: NIS2 Article 4 provides that sector-specific EU legislation (such as DORA) takes precedence over NIS2 insofar as that legislation imposes requirements at least equivalent in effect. This means financial institutions must primarily comply with DORA, not NIS2.
The five pillars of DORA
DORA is built around five pillars: ICT risk management (comparable to NIS2 but specific to financial ICT), ICT-related incident reporting (stricter than NIS2 with specific classification criteria), digital operational resilience testing (including threat-led penetration testing for major institutions), ICT third-party risk management (more detailed than NIS2 supply chain responsibility), and information sharing about cyber threats.
Concrete differences in requirements
Incident reporting: DORA requires incident classification according to specific criteria (client impact, geographic spread, economic impact) and reporting to the financial supervisor. NIS2 requires notification to the CSIRT within 24 hours (initial), 72 hours (full), and 30 days (final report). DORA has a separate timeline set by European supervisory authorities.
Testing: DORA requires annual ICT security tests and triennial Threat-Led Penetration Tests (TLPT) for significant financial entities. NIS2 does not set comparable explicit testing requirements.
Third parties: DORA introduces an EU-wide oversight framework for critical ICT service providers to the financial sector. These parties are directly supervised by European supervisory authorities (ESAs). NIS2 has no comparable direct oversight of service providers.
ICT service providers: dual compliance
ICT service providers to the financial sector are in a unique position: they may fall under both DORA (as a critical ICT service provider to financial institutions) and NIS2 (as a digital service provider or managed service provider). In that case, they must comply with both, with DORA imposing the stricter requirements for the financial services they deliver.
Practical recommendations
For financial institutions: focus primarily on DORA compliance. Use ISO 27001 as the foundation and supplement with DORA-specific requirements around ICT risk management, incident reporting, and operational resilience testing. For ICT service providers to the financial sector: prepare for DORA requirements your clients will contractually impose, and ensure NIS2 compliance as an additional baseline.
A GRC platform supporting both DORA and NIS2 prevents duplicate work and provides an integrated compliance status overview. The iso2700x platform offers specific DORA and NIS2 modules from a single central dashboard.
How does iso2700x help?
Our consultants specialize in both DORA and NIS2 and guide financial institutions and their ICT service providers in implementing both frameworks. Contact us for a free consultation about the optimal compliance strategy for your organization.