
NIS2 vs. DORA: Key differences & why they matter

Cyberattacks in Europe have risen sharply (one estimate puts the 2023 increase at 57%), and the European Union has responded with two pieces of legislation adopted in December 2022: the revised Network and Information Security Directive (NIS2) and the Digital Operational Resilience Act (DORA). Though the two look similar, understanding NIS2 vs DORA is essential to regulatory compliance and to minimising risk exposure.
Here, we will disentangle NIS2 and DORA to help you understand critical distinctions, including:
- What NIS2 and DORA are
- The scope of both instruments
- NIS2 vs. DORA reporting requirements
- Important deadlines for compliance and the associated penalties
- Oversight and responsibility
- Interaction and integration
- Tools for complying with the impending NIS2 directive
What are NIS2 and DORA?
NIS2 and DORA are both EU cybersecurity laws. But they are not the same kind of law, and the differences matter.
NIS2 Overview
NIS2 is a cybersecurity directive that sets common objectives for all Member States regarding digital resilience. It replaces the original NIS Directive of 2016; the revised directive was adopted in December 2022 and Member States had to transpose it into national law by 17 October 2024.
Compared with its predecessor, NIS2 covers additional sectors, makes management bodies personally accountable for cybersecurity resilience, takes a risk-based approach and introduces more rigorous incident reporting. Because it is a directive, each Member State must enact its own legislation that meets NIS2's objectives; those national laws were due by 17 October 2024, with the measures applying from 18 October 2024.
DORA Overview
DORA is a regulation that governs financial entities specifically and applies from 17 January 2025. Its goal is to provide a unified standard by which the EU financial sector protects itself against cyberattacks, ICT system failures and other digital risks.
Unlike NIS2, DORA is directly applicable in every Member State without transposition, and it mandates specific requirements the EU has deemed critical to operational resilience rather than objectives for national law to meet.
NIS2 vs DORA: 4 critical distinctions
Comparing the covered entities for NIS2 vs. DORA is essential to understanding your compliance burden: NIS2 obligations apply through national law from 18 October 2024, and DORA applies directly from 17 January 2025.
Scope
NIS2
The NIS2 directive covers eighteen sectors, split into sectors of high criticality and other critical sectors. As part of the update, the EU also introduced a size-cap rule that brings all medium and large enterprises in those sectors into scope.
Highly critical sectors
- Energy
- Transport
- Financial market infrastructures
- Banking
- Health
- Drinking water
- Wastewater
- Digital infrastructure
- ICT service management
- Public administration
- Space
Other critical sectors
- Postal and courier services
- Waste management
- Manufacture, production and distribution of chemicals
- Production, processing and distribution of food
- Manufacturing
- Digital providers
- Research
Within those sectors, entities are classified as essential or important; authorities supervise the former proactively and the latter mainly after the fact.
- Essential entities are large enterprises in a highly critical sector: at least 250 employees, or an annual turnover above €50 million and a balance sheet total above €43 million.
- Important entities are medium-sized enterprises in a highly critical or other critical sector (at least 50 employees, or an annual turnover and balance sheet total above €10 million), plus large enterprises in the other critical sectors.
Some entities are in scope regardless of size, for example DNS service providers, top-level domain name registries and qualified trust service providers, and Member States may designate further entities as essential or important.
DORA
This regulation applies to 20 types of financial entity, spanning banking, payments, investment, insurance, crypto-assets and market infrastructure. For these organisations DORA is the lex specialis: where the two overlap, its requirements take precedence over NIS2.
ICT third-party service providers are also in scope. Those designated as "critical" by the European Supervisory Authorities become subject to direct oversight, including providers established outside the EU (in the UK, for example) that serve EU financial entities; a critical provider based in a third country must set up a subsidiary in the EU.
Covered financial entity types
- Credit institutions
- Payment institutions
- Account information service providers
- Electronic money institutions
- Investment firms
- Crypto-asset service providers and issuers of asset-referenced tokens
- Central securities depositories
- Central counterparties
- Trading venues
- Trade repositories
- Managers of alternative investment funds
- Management companies
- Data reporting service providers
- Insurance and reinsurance undertakings
- Insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries
- Institutions for occupational retirement provision
- Credit rating agencies
- Administrators of critical benchmarks
- Crowdfunding services providers
- Securitisation repositories
Incident reporting requirements
NIS2
In a departure from its predecessor, NIS2 sets stricter and more detailed incident reporting requirements, intended to get accurate information to competent authorities and CSIRTs faster. Covered entities must report any significant incident: one that has caused or is capable of causing severe operational disruption or financial loss to the entity, or that has affected or is capable of affecting other persons by causing considerable material or non-material damage.
Organisations should be prepared to submit a sequence of reports, with the clock starting when they become aware of the incident:
- Within 24 hours: an early warning stating whether the incident is suspected to be caused by unlawful or malicious acts and whether it could have cross-border impact.
- Within 72 hours: an incident notification that updates the early warning with an initial assessment of severity and impact and, where available, indicators of compromise.
- Within one month of the incident notification: a final report with a detailed description of the incident, the type of threat or root cause, the mitigation measures applied and any cross-border impact. Authorities may also request intermediate status updates, and if the incident is still ongoing at the one-month mark a progress report is submitted instead, with the final report due within a month of resolution.
DORA
Like NIS2, DORA mandates staged reporting, but only for major ICT-related incidents. An incident is classified as major against criteria that include the number of clients and counterparts affected, duration and service downtime, geographical spread across Member States, data losses, the criticality of the services affected and the economic impact. The deadlines are set in regulatory technical standards rather than in the regulation itself: an initial notification within four hours of classifying the incident as major and no later than 24 hours after becoming aware of it, an intermediate report within 72 hours of the initial notification, and a final report within one month of the intermediate report. Financial entities may also voluntarily notify significant cyber threats.
Compliance deadlines and penalties
NIS2
Member States had to transpose NIS2 into national law by 17 October 2024 and apply the resulting measures from 18 October 2024. Many are late, but once national law is in place essential and important entities face a range of penalties, including:
Non-financial penalties:
- Binding instructions that must be followed
- Mandatory implementation of security audit recommendations
- Orders to bring security measures in line with NIS2
- Mandatory alerts to entities’ customers about risks
Financial penalties:
- Essential entities: A maximum fine of at least €10 million or 2% of the total global annual turnover of the preceding financial year, whichever is higher
- Important entities: A maximum fine of at least €7 million or 1.4% of the total global annual turnover of the preceding financial year, whichever is higher.
Management bodies can be held personally liable for their entity's non-compliance. For essential entities, authorities can also temporarily bar the CEO or legal representative from exercising managerial functions, and can order the entity to make aspects of the infringement public.
DORA
DORA entered into force in January 2023 and applies from 17 January 2025. The regulation gives competent authorities significant power to intervene in non-compliant organisations, so EU financial entities should take compliance seriously. Penalties include:
- Administrative penalties and remedial measures that are effective, proportionate and dissuasive, laid down by each Member State
- For critical ICT third-party providers, investigations by the Lead Overseer and periodic penalty payments of up to 1% of the provider's average daily worldwide turnover in the preceding business year, for up to six months
Oversight and responsibility
NIS2
The NIS2 directive addresses both oversight (who enforces compliance) and responsibility (who within covered entities must uphold it). Oversight falls to the national competent authorities, which monitor compliance, conduct regular and targeted audits, receive incident reports alongside the CSIRTs and cooperate across borders.
Because the directive makes individuals accountable, responsibility for compliance rests with the management bodies of essential and important entities. They must approve the cybersecurity risk-management measures, oversee their implementation, can be held liable for infringements, and must follow training so they can assess cyber risks and their impact on the entity.
DORA
DORA likewise requires each Member State to designate competent authorities to supervise compliance. Those authorities work with the European Supervisory Authorities (EBA, EIOPA and ESMA), which develop the technical standards, coordinate supervision across the EU and, through a Lead Overseer, directly oversee critical ICT third-party providers that serve financial entities across the Union.
Within a financial entity, compliance touches multiple functions, but DORA does not leave responsibility diffuse: the management body bears ultimate responsibility for managing ICT risk, must define, approve and oversee the ICT risk-management framework, and must keep its own knowledge of ICT risk up to date. Combined with the incident-reporting, resilience-testing and third-party-risk obligations, this makes DORA not only a cybersecurity measure but an integral part of governance, risk and compliance.
Interaction and integration of NIS2 vs. DORA
Given the similarities between NIS2 and DORA, entities covered by either instrument understandably wonder where one rule ends and the other begins. The reality is that they are interconnected in many ways.
For example, financial entities regulated by DORA rely on services from sectors regulated under NIS2, like energy and telecommunications. Collaborating across sectors to promote compliance with the relevant directive is essential to ensure resilience across the supply chain.
Incident reporting will also interlink entities. Financial sector authorities governed by DORA must collaborate with critical infrastructure authorities following NIS2 to handle incidents fully. As such, coordinating reporting channels between DORA and NIS2 reduces duplication and bolsters the unified response major threats require.
Finally, authorities supervising DORA and NIS2 must interact to address overlapping risks, particularly those that cross borders to affect multiple sectors. Because both rules cover the entire EU, understanding NIS2 vs DORA will be fundamental to furthering joint efforts to manage far-reaching cyber risks.
Take a unified approach to NIS2 compliance
NIS2 won’t exist in a vacuum. Its interconnected nature with DORA shows that the future of risk mitigation is collaborating across sectors and borders. This new reality demands a unified approach to governance, risk and compliance.
Organisations that effectively balance NIS2 vs. DORA will be those with visibility across cybersecurity risk and third-party risk, able to deliver the right assurance to the appropriate management bodies. The right policies and practices come first, and the Diligent One Platform can help deliver that assurance.
Download our NIS2 Checklist today to learn how to streamline your organisation's efforts to meet the Directive's requirements, and how our NIS2 Compliance Toolkit (available through the Diligent One Platform) provides tools and insights to help essential and important entities align with EU cybersecurity mandates.