
NIS2 vs. DORA: Key differences & why they matter

In 2023, cyberattacks in Europe surged by 57%. This ongoing trend, coupled with the need to harmonise regulatory efforts across the EU and to respond to rapid digital transformation, drove the European Union and its Member States to strengthen cybersecurity and operational resilience requirements by adopting the updated Network and Information Systems Directive (NIS2) and the Digital Operational Resilience Act (DORA). The two are closely related, but understanding where NIS2 and DORA differ is essential to regulatory compliance and to minimising risk exposure.
Here, we will disentangle NIS2 and DORA to help you understand critical distinctions, including:
- What NIS2 and DORA are
- The scope of both
- NIS2 vs. DORA reporting requirements
- Important deadlines for compliance and associated penalties
- Oversight and responsibility
- Interaction and integration
- Tools for complying with the impending NIS2 directive
What are NIS2 and DORA?
NIS2 and DORA are both cybersecurity regulations in the EU. But they aren’t exactly the same, and the differences matter.
NIS2 Overview
NIS2 is a cybersecurity directive that sets common objectives for all Member States regarding digital resilience. The original NIS Directive was adopted in 2016; NIS2 (Directive (EU) 2022/2555) replaced it, entered into force in January 2023 and had to be transposed into national law by 17 October 2024.
Compared with its predecessor, NIS2 brings additional sectors into scope, makes management bodies personally accountable for cybersecurity resilience, requires a risk-based approach and introduces more rigorous incident reporting. Because it is a directive rather than a regulation, Member States must enact their own legislation that meets its objectives, so the first compliance deadline is tied to that transposition date of 17 October 2024.
DORA Overview
DORA (Regulation (EU) 2022/2554) is an EU regulation that applies directly to financial entities, without national transposition. Applicable from 17 January 2025, its goal is to provide a unified standard by which the EU financial sector can protect itself against cyberattacks, IT system failures and other digital risks.
Unlike NIS2, which sets objectives for Member States to legislate, DORA mandates specific requirements the EU has deemed critical to operational resilience.
NIS2 vs DORA: key distinctions
Comparing which entities each regime covers is the first step to understanding your potential compliance burden under NIS2 and DORA.
Scope
NIS2
The scope of the NIS2 directive covers eighteen sectors, split into sectors of high criticality and other critical sectors. As part of the update, the EU also introduced a size-cap rule that brings all medium and large enterprises in those sectors into scope, regardless of whether they were designated under the original directive.
Highly critical sectors
- Energy
- Transport
- Financial market infrastructures
- Banking
- Health
- Drinking water
- Wastewater
- Digital infrastructure
- ICT service management
- Public administration
- Space
Other critical sectors
- Postal and courier services
- Waste management
- Manufacture, production and distribution of chemicals
- Production, processing and distribution of food
- Manufacturing
- Digital providers
- Research
Within these sectors, entities are classified as essential or important. Authorities supervise the former more closely: essential entities are subject to proactive (ex ante) and reactive supervision, important entities only to reactive (ex post) supervision.
Essential entities operate in a highly critical sector and are large enterprises: at least 250 employees, or an annual turnover above €50 million and a balance sheet total above €43 million. Certain entity types, such as qualified trust service providers, top-level domain name registries, DNS service providers and central government public administration entities, are essential regardless of size.
Important entities operate in a highly critical or other critical sector, meet the medium-size threshold (at least 50 employees, or an annual turnover or balance sheet total above €10 million) and do not qualify as essential.
DORA
This regulation applies to 20 financial entity types, spanning the entire ecosystem of banking, financial services and intermediary service providers. For these organisations, DORA takes precedence over NIS2 as the sector-specific (lex specialis) act.
Notably, some ICT third-party service providers will be designated as “critical” and fall under a direct oversight framework run by the European Supervisory Authorities. This scrutiny extends to providers established outside the EU, for example in the U.K., that serve EU-based financial entities.
Covered financial entity types
- Credit institutions
- Payment institutions
- Account information service providers
- Electronic money institutions
- Investment firms
- Crypto-asset service providers and issuers of asset-referenced tokens
- Central securities depositories
- Central counterparties
- Trading venues
- Trade repositories
- Managers of alternative investment funds
- Management companies
- Data reporting service providers
- Insurance and reinsurance undertakings
- Insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries
- Institutions for occupational retirement provision
- Credit rating agencies
- Administrators of critical benchmarks
- Crowdfunding service providers
- Securitisation repositories
Supply chain focus
NIS2 requires organisations to address cybersecurity weaknesses in their supply chain, including the security of their relationships with direct suppliers and service providers. Because those requirements flow down through contracts, they create a top-down effect that reaches the entire ecosystem of suppliers supporting the estimated 160,000 essential and important entities directly in scope of NIS2. Direct suppliers and service providers should prepare for these contractual obligations now.
DORA likewise mandates enhanced third-party ICT risk management. Third-party ICT risk must be managed as an integral part of the ICT risk management framework, and a thorough pre-contracting analysis should precede any contractual arrangement. That analysis covers the criticality or importance of the services the contract will support, any supervisory approvals required, possible concentration risk, the locations where services are provided and data is processed, and the financial entity's rights of access, inspection and audit. Financial entities must also maintain a register of information on all contractual arrangements with ICT third-party providers.
Incident reporting requirements
NIS2
In a departure from its predecessor, NIS2 includes stricter and more detailed incident reporting requirements, intended to enable swifter and more effective communication about cybersecurity incidents. Covered entities must report significant incidents: those that cause or are capable of causing severe operational disruption or financial loss, or that affect other persons by causing considerable material or non-material damage.
Organisations should be prepared to submit a sequence of reports after becoming aware of a significant incident:
- Within 24 hours: An early warning indicating whether the incident is suspected to be caused by unlawful or malicious acts and whether it could have a cross-border impact.
- Within 72 hours: An incident notification that updates the early warning with an initial assessment of severity and impact and, where available, indicators of compromise.
- Within one month: A final report with a detailed description of the incident, its severity and impact, the type of threat or root cause that likely triggered it, the mitigation measures applied and any cross-border impact.
The competent authority or CSIRT can also request intermediate status updates. If the incident is still ongoing at the one-month mark, a progress report is submitted instead and the final report follows within a month of the incident being handled.
DORA
Like NIS2, DORA uses a three-stage model: an initial notification, an intermediate report and a final report. The exact deadlines are not in DORA's own text but in the technical standards adopted under Article 20, and they are broadly comparable to NIS2: the initial notification is due within 4 hours of classifying an incident as major and no later than 24 hours after becoming aware of it, the intermediate report within 72 hours of the initial notification, and the final report within one month of the intermediate report. Under DORA, covered entities must report major ICT-related incidents, classified against criteria such as the clients and counterparts affected, the duration of the incident and any service downtime, its geographical spread, data losses, the criticality of the services affected and the economic impact, together with whether it affects multiple EU jurisdictions.
Compliance deadlines and penalties
NIS2
Member States had to transpose NIS2 into national law by 17 October 2024, and the resulting national measures apply from 18 October 2024. Many states missed that deadline and transposition efforts are ongoing: at the time of writing, 9 countries had adopted an updated law and a draft law had been published in 17 countries.
Organisations that fail to comply with NIS2 face a range of penalties including:
Non-financial penalties
- Binding instructions that must be followed
- Mandatory implementation of security audit recommendations
- Orders to bring security measures in line with NIS2
- Mandatory alerts to entities’ customers about risks
Financial penalties
- Essential entities: A maximum fine of at least €10 million or 2% of the total global annual turnover of the preceding financial year, whichever is higher
- Important entities: A maximum fine of at least €7 million or 1.4% of the total global annual turnover of the preceding financial year, whichever is higher.
Individuals who are directly accountable for breaches may also face sanctions, such as public disclosure of the non-compliance, including publication of the identity of the responsible person alongside specific information about the incident.
DORA
DORA entered into force on 16 January 2023 and has applied since 17 January 2025. Unlike NIS2, it sets no EU-wide minimum fine for financial entities; instead it gives competent authorities significant power to intervene in non-compliant organisations, so EU financial entities should take compliance seriously. Those powers include:
- Administrative penalties
- Remedial measures
- Operational shutdowns (orders to cease any practice or conduct that breaches the regulation)
- Criminal penalties, where Member States choose to provide for them
For critical ICT third-party providers, the Lead Overseer can additionally impose periodic penalty payments of up to 1% of the provider's average daily worldwide turnover for each day of non-compliance, for up to six months.
Penalties and measures must be effective, proportionate and dissuasive, and are set according to the materiality, gravity and duration of the non-compliance, the profits gained or losses avoided, any losses caused to third parties, and the level of cooperation with the authority.
Oversight and responsibility
NIS2
Management bodies are assigned an active role: they must approve the cybersecurity risk-management measures taken by their organisations, oversee their implementation and undergo training so they can assess cyber risk. A failure to ensure compliance can result in individuals being held liable for breach of their duties. Sanctions include temporarily prohibiting a person responsible for discharging managerial responsibilities at CEO or legal representative level from exercising those managerial functions.
DORA
The management body of a financial entity must define, approve, oversee and be responsible for implementing all arrangements related to the ICT risk management framework. It bears ultimate responsibility for managing the entity's ICT risk and must stay continuously engaged in controlling and monitoring that risk, which in practice also means members must maintain sufficient knowledge of ICT risk through regular training.
Multiple departments within a financial entity are responsible for complying. While DORA doesn't assign responsibility to specific named roles below the management body, it does hold entities accountable for strict risk management, incident reporting, resilience testing and audit measures. This makes DORA not only a cybersecurity measure but also integral to governance, risk and compliance.
Interaction and integration of NIS2 vs. DORA
Given the similarities between NIS2 vs. DORA, entities covered by either regulation understandably wonder where one rule ends and the other begins. The reality is that they are interconnected in many ways.
DORA and NIS2 represent parallel efforts to enhance cybersecurity and operational resilience within the European Union, particularly across critical sectors. While both address similar concerns, their scopes and specific targets differ. DORA focuses strongly on ICT third-party service providers within the financial sector's supply chain, whereas NIS2 adopts a broader perspective, encompassing many critical sectors and addressing supply chain risks beyond ICT alone. Both seek to reduce uneven national approaches, harmonise improvements in resilience and increase resilience to disruption originating in ICT. A shared principle of proportionality guides implementation, so that organisations apply the rules in a manner appropriate to their size, overall risk profile and the complexity of their operations. Although NIS2 lists banking and financial market infrastructures as highly critical sectors, DORA takes precedence for financial entities as the sector-specific regulation, and those entities follow DORA first. Finally, both regimes assert extraterritorial application, extending their reach to entities not established within the EU but offering services within it.
Take a unified approach to NIS2 compliance
NIS2 won’t exist in a vacuum. Its interconnected nature with DORA shows that the future of risk mitigation lies in collaborating across sectors and borders. This new reality demands a unified approach to governance, risk and compliance.
Organisations that effectively balance NIS2 and DORA will be those with visibility across the different areas of cybersecurity risk and third-party risk, so they can deliver the right assurance to the appropriate management bodies. It is always important to implement the right policies and practices, and the Diligent One Platform can help deliver that assurance.
Download our NIS2 Checklist today to learn how you can streamline your organisation’s efforts to meet the Directive's requirements efficiently, and how our NIS2 Compliance Toolkit (available through the Diligent One Platform) provides tools and insights to help essential and important entities align with EU cybersecurity mandates. Download the checklist now to get started.