NIS2 vs DORA: The Financial Sector Overlap Explained
Two Cybersecurity Frameworks, One Compliance Team
If you work in compliance at a bank, payment institution, or CASP, you are now subject to two distinct EU cybersecurity frameworks: DORA (Digital Operational Resilience Act, Regulation EU 2022/2554) and NIS2 (Network and Information Security Directive 2, Directive EU 2022/2555).
Both entered application in January 2025. Both impose incident reporting obligations. Both require ICT risk management. Both regulate third-party ICT providers.
Yet they are not duplicates. They have different legal instruments (regulation vs. directive), different supervisory authorities, different scope, and — critically — different incident reporting timelines. Getting this wrong means either over-reporting (wasting resources) or under-reporting (regulatory breach).
This guide resolves the confusion.
---
The Fundamental Legal Difference
DORA is an EU Regulation. It applies directly and uniformly across all 27 EU member states. No national transposition is required or permitted. Every bank, investment firm, insurance company, payment institution, crypto-asset service provider, and credit rating agency subject to DORA faces identical obligations regardless of which member state they operate in.
NIS2 is an EU Directive. It sets minimum standards that each member state must implement through national law. This means NIS2 obligations vary — sometimes significantly — between Germany, France, Ireland, and the Netherlands. A financial firm operating across multiple EU jurisdictions faces NIS2 obligations in multiple different national legal frameworks simultaneously.
This distinction is not academic. It means your DORA compliance programme can be standardised globally across your EU operations. Your NIS2 compliance programme must be jurisdiction-specific.
---
Who Does Each Framework Cover?
DORA Scope (Article 2)
DORA applies to a defined list of financial entities:
- Credit institutions (banks)
- Payment institutions (including e-money institutions)
- Investment firms
- Crypto-asset service providers (CASPs under MiCA)
- Central securities depositories (CSDs)
- Central counterparties (CCPs)
- Trading venues
- Insurance and reinsurance undertakings
- Insurance intermediaries
- UCITS management companies and AIFMs
- Credit rating agencies
- Data reporting service providers
- ICT third-party service providers designated as "critical" by ESMA/EBA/EIOPA
DORA explicitly excludes microenterprises (fewer than 10 employees, under €2M turnover). Proportionality applies to small financial entities.
NIS2 Scope (Annex I and II)
NIS2 covers "essential entities" (Annex I) and "important entities" (Annex II). Financial firms appear in Annex I as essential entities — meaning the strictest NIS2 obligations apply.
NIS2 Annex I financial sector includes:
- Credit institutions
- Operators of trading venues
- Central counterparties
NIS2 Annex II includes:
- Digital providers (cloud, data centres, CDNs)
- Postal services, digital infrastructure
The critical point: NIS2 uses size thresholds — firms with 50+ employees OR €10M+ annual turnover are covered. Very large firms (250+ employees, €50M+ turnover) are "essential entities" subject to the stricter regime.
The Scope Overlap
Most regulated financial firms are subject to both DORA and NIS2. Banks, payment institutions, and investment firms appear in both regimes. The practical question is not "which applies" but "how do the obligations interact."
---
Incident Reporting: The Critical Difference
This is where firms make the most costly mistakes. The incident reporting timelines are different under DORA and NIS2.
DORA Incident Reporting (Articles 17–23)
DORA establishes a three-stage reporting process for "major ICT-related incidents":
Stage 1 — Early notification: Within 4 hours of classifying an incident as major, and in any case within 24 hours of becoming aware of it if classification is delayed.
Stage 2 — Intermediate report: Within 72 hours of the early notification. Must include initial assessment, estimated impact, preliminary containment measures.
Stage 3 — Final report: Within 1 month of the intermediate report. Full root cause analysis, total financial impact, cross-border effects.
DORA also requires reporting of "significant cyber threats" — threats that have not yet materialised into incidents but could have significant impact. This is a voluntary notification under DORA Article 19.
Reporting recipient: Your national competent authority (NCA) under DORA — the same regulator that supervises your licence (BaFin for German banks, AMF for French investment firms, etc.).
NIS2 Incident Reporting (Article 23)
NIS2 has a two-stage reporting process:
Stage 1 — Early warning: Within 24 hours of becoming aware of a significant incident. This is a brief notification — just the basic facts.
Stage 2 — Incident notification: Within 72 hours of awareness. Must include initial assessment, severity indicator, indicators of compromise.
There is a voluntary update mechanism and a final report within 1 month.
Reporting recipient: The national CSIRT (Computer Security Incident Response Team) — a different authority from your financial supervisor. In Germany, this is BSI; in France, ANSSI; in Ireland, the National Cyber Security Centre (NCSC).
The Overlap Problem in Practice
A cyberattack on a bank's payment processing system may trigger both DORA and NIS2 reporting simultaneously — to two different authorities, on different timelines, using different templates.
| Obligation | DORA | NIS2 |
|---|---|---|
| Early notification | 4 hours | 24 hours |
| Full notification | 72 hours | 72 hours |
| Final report | 1 month | 1 month |
| Recipient | Financial NCA | National CSIRT |
| Template | DORA ITS (ESMA/EBA) | National NIS2 template |
| Voluntary threat reporting | Yes (Art. 19) | Yes (Art. 30) |
Practical implication: Your incident response plan must include parallel notification workflows to two different authorities. The 4-hour DORA early notification is the binding constraint — if you meet DORA's timeline, you automatically meet NIS2's 24-hour requirement.
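To make the two parallel clocks concrete, here is an added example (not code from the original post or from any regulator's tooling) that builds the merged DORA and NIS2 filing schedule from an awareness time and a classification time, as described in this section and in priority 1 under "Compliance Priorities" below. The authority names passed in and the sample timestamps are constructed, and "1 month" is taken as one calendar month.

```python
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta

def add_one_month(t: datetime) -> datetime:
    """Calendar-month arithmetic: same day next month, clamped to that month's length."""
    year, month = (t.year + 1, 1) if t.month == 12 else (t.year, t.month + 1)
    return t.replace(year=year, month=month, day=min(t.day, calendar.monthrange(year, month)[1]))

@dataclass(frozen=True)
class Deadline:
    framework: str   # "DORA" or "NIS2"
    stage: str       # reporting stage name used in the article
    recipient: str   # authority the filing goes to (constructed names in the sample below)
    due: datetime    # latest permissible submission time

def dora_deadlines(aware: datetime, classified_major: datetime, nca: str) -> list[Deadline]:
    """Three-stage DORA clock: early notification within 4h of classification as major,
    but no later than 24h after awareness; intermediate report 72h after the early
    notification; final report one month after the intermediate report."""
    early = min(classified_major + timedelta(hours=4), aware + timedelta(hours=24))
    intermediate = early + timedelta(hours=72)
    return [
        Deadline("DORA", "early notification", nca, early),
        Deadline("DORA", "intermediate report", nca, intermediate),
        Deadline("DORA", "final report", nca, add_one_month(intermediate)),
    ]

def nis2_deadlines(aware: datetime, csirt: str) -> list[Deadline]:
    """Two-stage NIS2 clock: the 24h early warning and the 72h incident notification
    both count from awareness, not classification; final report one month later."""
    notification = aware + timedelta(hours=72)
    return [
        Deadline("NIS2", "early warning", csirt, aware + timedelta(hours=24)),
        Deadline("NIS2", "incident notification", csirt, notification),
        Deadline("NIS2", "final report", csirt, add_one_month(notification)),
    ]

def notification_schedule(aware: datetime, classified_major: datetime,
                          nca: str, csirt: str) -> list[Deadline]:
    """Merged, time-ordered list of every filing owed to either authority."""
    both = dora_deadlines(aware, classified_major, nca) + nis2_deadlines(aware, csirt)
    return sorted(both, key=lambda d: d.due)

if __name__ == "__main__":
    # Constructed sample: awareness at 09:00, classified as major four hours later.
    aware = datetime(2026, 3, 2, 9, 0)
    for d in notification_schedule(aware, aware + timedelta(hours=4), "BaFin", "BSI"):
        print(f"{d.due:%Y-%m-%d %H:%M}  {d.framework:<4} {d.stage:<22} -> {d.recipient}")
```

Because NIS2's 72-hour notification counts from awareness while DORA's intermediate report counts from the early notification, the two "72 hours" rows in the table above are not the same point in time, and the schedule makes that visible.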
---
ICT Risk Management: Where the Frameworks Align
Both DORA and NIS2 require a risk management framework for ICT systems. The requirements are broadly similar but use different terminology.
DORA ICT Risk Management (Articles 5–14): Requires a governance framework, risk identification, protection measures, detection capabilities, response and recovery plans, learning and evolving processes, and communication plans. The DORA RTS on ICT Risk Management (published by EBA/ESMA/EIOPA in 2024) provides detailed technical requirements.
NIS2 Security Measures (Article 21): Requires risk analysis and information systems security policies, incident handling, business continuity and crisis management, supply chain security, network and information systems security, policies and procedures to assess ICT risk management measures, use of cryptography and encryption, HR security, access control, and multi-factor authentication.
The practical overlap is high. A compliant DORA ICT risk management framework will satisfy most NIS2 Article 21 requirements. The main gaps are:
- NIS2 explicitly requires multi-factor authentication policies (Article 21(2)(j)) — confirm your DORA programme covers this explicitly
- NIS2's supply chain security requirements (Article 21(2)(d)) extend to your ICT vendors' own suppliers — DORA's third-party provisions (Articles 28–44) are more detailed but may not capture indirect supply chain risks
---
Third-Party ICT Risk: DORA Goes Further
Both frameworks regulate third-party ICT providers. DORA goes significantly further.
DORA (Articles 28–44): Establishes a comprehensive third-party ICT risk management regime including mandatory contractual provisions (Article 30), pre-contractual due diligence, ongoing monitoring, termination rights, and a Supervision Framework for Critical ICT Third-Party Providers (CTPPs). The CTPP designation by ESMA/EBA/EIOPA subjects major cloud providers and data vendors to direct EU regulatory oversight.
NIS2 (Article 21(2)(d)): Requires supply chain security policies addressing "relationships with direct suppliers or service providers." The scope is broader than DORA (covers all supply chain, not just ICT) but the depth of requirements is less prescriptive.
For financial firms, the DORA third-party regime is the lex specialis — it provides a more detailed framework. Satisfying DORA's Article 30 contractual requirements will generally satisfy NIS2's supply chain security obligation for ICT vendors.
---
The Lex Specialis Rule: When DORA Overrides NIS2
NIS2 Recital 16 and Article 4 establish that sector-specific EU legislation that achieves "at least equivalent" cybersecurity requirements takes precedence over NIS2 for entities covered by that legislation.
DORA is explicitly recognised as equivalent to NIS2 for the financial entities it covers. This means:
- Banks, investment firms, and payment institutions supervised under DORA are **exempt from NIS2 supervision** in member states where national law has implemented this carve-out correctly
- However, the **incident reporting to the national CSIRT** (NIS2 Article 23) may still be required even where DORA applies — this varies by member state implementation
- The **lex specialis carve-out does not eliminate NIS2** — it reduces duplication of supervisory oversight, not reporting obligations
The practical consequence: check your member state's NIS2 transposition law. Germany's BSIG reform (NIS2UmsuCG), France's transposition, and Ireland's NIS2 legislation handle this carve-out differently.
---
Supervisory Authority Map
Understanding who supervises you under each framework is essential for incident reporting and enforcement.
| Entity Type | DORA Supervisor | NIS2 Supervisor |
|---|---|---|
| Banks | National banking supervisor (BaFin, AMF, etc.) | National CSIRT (BSI, ANSSI, NCSC) |
| Payment institutions | National payment supervisor | National CSIRT |
| Investment firms | National securities supervisor | National CSIRT |
| CASPs | National CASP supervisor (post-MiCA) | National CSIRT |
| Cloud providers (CTPP) | ESMA/EBA/EIOPA directly | National NIS2 authority |
---
Compliance Priorities for 2026
Both frameworks are now in application. Enforcement activity is expected to accelerate through 2026. The following are the highest-priority gaps most financial firms still have:
1. Dual incident response procedures: Most firms have a single incident response playbook. It needs parallel tracks for DORA (4h/72h/1m → financial NCA) and NIS2 (24h/72h/1m → national CSIRT). The 4-hour DORA clock starts at classification of "major" — define your classification criteria precisely.
2. CTPP register: Maintain a register of all ICT third-party providers. Identify which are DORA "critical" (systemic importance) vs. general ICT vendors. Apply DORA Article 30 contractual requirements to critical providers.
3. NIS2 jurisdiction mapping: For every EU country you operate in, identify the national NIS2 transposition law and the relevant CSIRT. Confirm whether the lex specialis DORA carve-out eliminates or merely reduces NIS2 obligations locally.
4. TLPT programme: DORA's Threat-Led Penetration Testing (Articles 26–27) applies to significant financial entities. If your firm is in scope, you need a TLPT programme using TIBER-EU methodology — this cannot be substituted with standard pen testing.
---
Frequently Asked Questions
Do financial firms have to comply with both DORA and NIS2?
Yes, in most cases. Most regulated financial entities fall within scope of both frameworks. The lex specialis rule reduces supervisory duplication but does not eliminate all NIS2 obligations.
Which incident reporting deadline is binding — DORA's 4 hours or NIS2's 24 hours?
DORA's 4-hour early notification is more demanding and is the binding constraint. Meeting DORA's timeline automatically satisfies NIS2's 24-hour requirement. However, the notification goes to different authorities — your financial supervisor for DORA and your national CSIRT for NIS2.
Does NIS2 apply to CASPs?
CASPs are not explicitly listed in NIS2 Annex I or II. However, if a CASP exceeds NIS2's size thresholds (50+ employees or €10M+ turnover), it may fall under NIS2 as a "digital provider" depending on member state implementation. DORA explicitly covers CASPs, which provides the primary cybersecurity framework.
What is the CTPP designation and does it affect my firm?
Critical ICT Third-Party Provider designation is made by the Joint Oversight Network (ESMA, EBA, EIOPA). It applies to major cloud, data, and technology vendors serving the financial sector — not to financial firms themselves. However, if your firm relies on a CTPP-designated vendor, you must update your contractual arrangements to meet DORA Article 30 requirements.
---
*Sources: DORA Regulation (EU) 2022/2554; NIS2 Directive (EU) 2022/2555; DORA RTS on ICT Risk Management (EBA/ESMA/EIOPA, 2024); DORA ITS on Incident Reporting (2024); NIS2 Recital 16 (lex specialis); ENISA NIS2 Implementation Guidance (2025).*