NIS2 vs DORA: What to know?

Published On: March 21, 2025

Introduction

Two recent EU cybersecurity and regulatory compliance frameworks have emerged: the Network and Information Security Directive 2 (NIS2) and the Digital Operational Resilience Act (DORA). Both aim to bolster the EU's defenses against cyber threats, yet they differ in type of legislation, scope, applicability, supervision, and specific requirements. Let's look at how NIS2 and DORA differ, which organizations are affected, and what happens when an organization falls under both.

Overview of the NIS2 Directive

NIS2 (Directive (EU) 2022/2555) replaces the original NIS Directive of 2016 and is designed to raise the level of cybersecurity of essential and important entities across the EU, in both the public and private sectors. The directive covers a wide array of sectors, including energy, transport, health, digital infrastructure, and more, and it expands the scope of the 2016 directive considerably. Read more about NIS2 here (https://risksight.io/resources/nis2-directive-what-is-it-and-how-to-get-prepared/).

Overview of Digital Operational Resilience Act (DORA)

DORA (Regulation (EU) 2022/2554), on the other hand, is a regulation specifically targeting the financial sector. Its goal is to ensure that financial entities can withstand, respond to, and recover from all types of Information and Communication Technology (ICT)-related disruptions and threats. DORA harmonizes ICT risk-management, incident reporting, resilience testing, and third-party risk requirements across the EU financial sector, covering entities such as banks, insurance companies, investment firms, and the ICT third-party service providers they rely on. Read more about DORA here (https://risksight.io/resources/digital-operational-resilience-act-dora/).

Key Differences Between NIS2 and DORA

Legislative Types and Deadlines

NIS2 Directive: NIS2 is a directive, meaning it sets goals that EU member states must achieve through their own national laws. Each member state has some flexibility in how it transposes the directive into its legal framework, which is why the exact obligations, registration procedures, and supervisory authorities vary from country to country. The deadline for transposing NIS2 into national law was 17 October 2024, and the directive applies from 18 October 2024; the directive itself grants companies no additional grace period, so an entity's obligations start when the national transposing law applies to it. Several member states missed the transposition deadline, so organizations should check the status of the national law in each country where they operate.

DORA: DORA is a regulation, which means it is directly applicable in all EU member states without the need for national implementation. It entered into force on 16 January 2023 and has applied since 17 January 2025, 24 months after entry into force. Financial entities must comply with DORA's requirements from that date onwards.

Scope and Applicability

NIS2: Applies to a broad range of sectors deemed essential or important, including energy, transport, banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, and space. The directive introduces a size-cap rule, meaning all medium and large entities in these sectors fall under its scope; certain entities (for example, providers of public electronic communications networks, DNS and TLD registries, and trust service providers) are in scope regardless of size. Read more about the specific thresholds here (https://risksight.io/resources/nis2-compliance-checklist/#:~:text=Is%20My%20Organization%20Affected%20by%20NIS2%3F).

DORA: Specifically targets the financial sector, including entities such as credit institutions, payment institutions, electronic money institutions, investment firms, crypto-asset service providers, insurance and reinsurance undertakings, and the ICT third-party service providers that serve them. ICT providers designated as critical by the ESAs are subject to direct EU-level oversight under DORA.

Supervisory Framework

NIS2: Supervision is conducted by national competent authorities designated by each member state. These authorities are responsible for monitoring compliance, conducting audits and inspections, and enforcing the directive within their jurisdictions. Essential entities are subject to proactive (ex ante) supervision, while important entities are supervised reactively (ex post), typically after an incident or evidence of non-compliance.

DORA: While national financial supervisors oversee compliance by the financial entities they already supervise, there is significant involvement from the European Supervisory Authorities (ESAs): the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA), and the European Insurance and Occupational Pensions Authority (EIOPA). The ESAs draft the technical standards that fill in DORA's requirements and act as Lead Overseer for critical ICT third-party service providers. This layered approach is meant to ensure consistent supervision across the EU financial sector.

Incident Reporting Requirements

NIS2: Entities must report significant incidents to their national competent authority or CSIRT in stages: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours that updates the early warning with an initial assessment of severity, impact, and any indicators of compromise, and a final report within one month. Intermediate status updates may be requested in between.

DORA: Financial entities are required to report major ICT-related incidents to their competent authority in three stages as well: an initial notification, an intermediate report, and a final report. The regulatory technical standards set the timelines: the initial notification is due within 4 hours of classifying the incident as major and no later than 24 hours after becoming aware of it, the intermediate report within 72 hours of the initial notification, and the final report within one month of the intermediate report. The emphasis is on timely communication to mitigate potential systemic risk in the financial system.

Penalties for Non-Compliance

NIS2: Non-compliance with NIS2 can result in significant fines. Essential entities, such as those in the energy and transport sectors, can face fines of up to €10 million or 2% of their total worldwide annual turnover, whichever is higher. Important entities, such as many digital providers, may be fined up to €7 million or 1.4% of their total worldwide annual turnover, whichever is higher.

DORA: DORA does not specify fixed fines for financial entities; it leaves it to member states to lay down penalties that are effective, proportionate, and dissuasive, which can include administrative fines and public notices. For critical ICT third-party service providers, the Lead Overseer can impose periodic penalty payments of up to 1% of the provider's average daily worldwide turnover in the preceding business year, applied for each day of non-compliance for up to six months.

Both NIS2 and DORA also place accountability on the management body. Under NIS2, management must approve and oversee the cybersecurity risk-management measures, attend training, and can be held liable for infringements; supervisors can even temporarily prohibit individuals from exercising managerial functions at essential entities. Under DORA, the management body bears ultimate responsibility for managing the entity's ICT risk.

Conclusion

While NIS2 and DORA have distinct focuses, they complement each other in strengthening the EU's cybersecurity framework. NIS2 aims to raise overall cybersecurity across a broad set of critical sectors, while DORA ensures the operational resilience of the financial sector. For organizations subject to both, DORA acts as the sector-specific law (lex specialis): NIS2 provides that where a sector-specific EU act imposes cybersecurity risk-management or incident-reporting requirements at least equivalent to its own, those provisions apply instead, and NIS2 explicitly names DORA as such an act. In practice, a financial entity covered by DORA follows DORA's risk-management and incident-reporting rules, while any NIS2 obligations not covered by DORA still apply.