DORA vs NIS2: Which Regulation Applies and When

DORA vs NIS2 comparison: lex specialis, overlap, exclusive obligations and practical cases for the financial sector and mixed groups.

Secra · May 2, 2026 · 11 min read

DORA and NIS2 are the two big European cybersecurity frameworks. The practical rule: if you're a financial entity in DORA article 2, DORA prevails over NIS2 by virtue of lex specialis (NIS2 article 1.2). The rest of the NIS2 universe (energy, transport, health, water, digital infrastructure, public administration, manufacturing, food…) remains subject to NIS2. DORA is a Regulation (directly applicable since 17 January 2025) and NIS2 is a Directive (requires national transposition). They overlap on governance, ICT risk management and incident notification; they diverge on mandatory TLPT (only DORA), direct oversight of critical ICT providers (CTPP, only DORA) and sanctioning regime.

Executive summary: which one applies to my company?

Step 1: Are you a financial entity in DORA article 2 (bank, insurer, fund, fintech under MiCA, CASP, payment institution, asset manager, etc.)?

  • Yes → DORA applies. NIS2 doesn't apply directly because of lex specialis (see next section).
  • No → continue to Step 2.

Step 2: Are you in Annex I or Annex II of NIS2 with ≥50 employees or > €10M turnover?

  • Yes → NIS2 applies. If you're also a public administration, it coexists with ENS.
  • No → NIS2 doesn't apply directly. But if you're a provider to a regulated entity under NIS2 or DORA, you'll receive contractual clauses that impose equivalent measures on you.

Note: a financial entity may have non-financial subsidiaries (e.g., a group real estate management company) that fall under NIS2 directly.

DORA vs NIS2 comparison table

| Dimension | DORA | NIS2 |
| --- | --- | --- |
| Type of rule | EU Regulation | EU Directive |
| Application | Direct, no transposition | Requires transposition (partial in Spain via RD-ley 7/2025) |
| Date of application | 17 January 2025 | 18 October 2024 (transposition); progressive national application |
| Scope | Financial sector (21 categories + CTPP) | 11 essential sectors + 7 important sectors |
| Minimum size | No general threshold; proportionality | ≥50 employees or >€10M turnover (specific exceptions) |
| Categorisation | No formal categories; single proportional regime | Essential / Important |
| Governance | Management body directly responsible; trained board | Management body responsible; trained board |
| ICT risk management | Full framework (articles 5-15 + RTS) | Minimum areas of article 21 |
| Incident notification | Deadlines defined by RTS (initial / intermediate / final) | 24h early alert / 72h notification / 1-month final report |
| Technical testing | Structured programme + mandatory TLPT every 3 years for designated entities | Pentesting recommended, not formally mandatory |
| Supply chain | Information register of providers + article 30 clauses + exit strategy | Supply chain risk management (article 21 letter d) |
| Critical ICT providers | CTPP designation by ESAs with direct European oversight | No equivalent figure |
| Sanctioning regime | Up to 1% of average daily global turnover; coercive fines on CTPPs | Up to €10M or 2% turnover (essential) / €7M or 1.4% (important) |
| Lex specialis | Over NIS2 for financial entities | - |

Lex specialis: why DORA prevails for financial entities

Article 1.2 of NIS2 literally establishes that when specific sectoral legislation imposes at least equivalent requirements, that legislation prevails. For financial entities, that legislation is DORA.

In practice this means:

  1. DORA applies in full and is mandatory for every financial entity in article 2.
  2. NIS2 doesn't apply directly to that financial entity (it doesn't notify the CSIRT under NIS2, but the sectoral authority under DORA; it doesn't get an essential/important categorisation).
  3. Exception: if part of the financial group provides services outside the financial scope (public administration, telecommunications, independent digital infrastructure), that part can fall under NIS2.

Watch out: the lex specialis clause doesn't exempt from Directive (EU) 2022/2557 (CER) on resilience of critical entities, which applies in a complementary way to certain critical financial entities.

Overlapping obligations

Each obligation below is required by both DORA and NIS2; the right-hand column gives the single implementation that satisfies both.

| Obligation (DORA and NIS2) | Common implementation |
| --- | --- |
| ICT governance framework approved by management | Single policy, approved and reviewed by the board |
| Periodic risk analysis | Single methodology ISO 27005 / NIST RMF |
| Business continuity and disaster recovery | Single BCP/DRP with RTO/RPO per service |
| MFA on privileged and remote access | Single IAM + MFA system |
| Cryptography and key management policy | Single corporate cryptography standard |
| Mandatory training for staff and board | Single training plan with role-differentiated content |
| Notification of serious incidents to competent authority | Integrated procedure: first detection triggers both channels where applicable |
| Identity and access management | Single IAM/PAM |
| Configuration hardening | Single secure configuration standard |

Operational conclusion: if a financial entity already complies with DORA correctly, it covers ~95% of NIS2 with no extra effort. Coordinated management allows a single ISMS, a single risk analysis, a single incident procedure with two notification channels, a single provider policy.

DORA-exclusive obligations

TLPT: Threat-Led Penetration Testing

DORA requires designated financial entities to run TLPT tests at least every 3 years, following the TIBER-EU framework, executed by accredited independent external providers (TI provider + RT provider).

NIS2 doesn't formally require TLPT. Its article 21 letter f requires "assessing effectiveness" but leaves methodological freedom.

See the dedicated analysis in TIBER-EU and TLPT.

ICT provider information register

DORA requires a structured and up-to-date register of all ICT contractual agreements, reportable to the competent authority in a format defined by the ESAs. NIS2 doesn't require a formal register in that format.

Direct oversight of CTPPs by the ESAs

Critical ICT providers designated by the European Supervisory Authorities are subject to direct European oversight and daily coercive fines for non-compliance. NIS2 doesn't contemplate direct cross-border provider oversight.

Documented exit strategy

DORA requires a documented exit strategy for every provider that performs a critical or important function. NIS2 recommends it as good practice but doesn't formally require it.

Notification of significant cyber threats

DORA allows (and promotes) voluntary notification of significant cyber threats detected, not only materialised incidents. NIS2 only requires reporting on actual incidents.

NIS2-exclusive obligations

Coverage of non-financial sectors

NIS2 covers 18 sectors not in DORA: energy, transport, health, water, waste management, manufacturing, food, public administration, space, etc.

Essential / important categorisation

NIS2 distinguishes between essential entities (stricter sanctioning and oversight regime) and important entities. DORA doesn't use this distinction.

24h/72h/1 month notification deadlines in the directive

NIS2 sets deadlines directly in the directive's text. DORA delegates exact deadlines to the RTS published by the ESAs.

Fines as a percentage of global annual turnover

NIS2 sets fines up to 2% of total global annual turnover (essential entities). DORA sets fines up to 1% of average daily global turnover during the non-compliance period.

Practical case 1: Mid-sized bank operating in several EU countries

Context: mid-sized Spanish bank, with branches in Portugal and France, offers digital banking services and has contracts with AWS, Microsoft 365 and Salesforce. The group's real estate management subsidiary bills €15M and has 60 employees.

Analysis:

  • Bank: credit institution → DORA. NIS2 doesn't apply directly because of lex specialis.
  • Real estate management subsidiary: not a financial entity; review NIS2 Annexes I/II. If it qualifies, NIS2 applies to the subsidiary.
  • AWS, Microsoft, Salesforce: candidates for CTPP under DORA.
  • Incident notification: the bank notifies under DORA to the sectoral supervisor (Banco de España); the real estate subsidiary, if it has a significant incident in its own perimeter, would notify the competent CSIRT under NIS2.

Operational conclusion: main DORA framework at the bank; simplified NIS2 framework at the subsidiary; single group ISMS serving both.

Practical case 2: Insurer with critical cloud provider

Context: insurer headquartered in Spain, 800 employees, outsources 100% of its insurance core system to a cloud SaaS provider that serves 30 European insurers.

Analysis:

  • Insurer: insurance entity under DORA article 2 → DORA applies.
  • SaaS provider: provides a critical function to the European financial sector → very likely CTPP candidate.
  • If designated as CTPP, the ESAs supervise it directly.
  • The insurer must have a documented exit strategy for the provider (DORA article 28.2 letter j).
  • The contract must include the minimum clauses from article 30 of DORA: data location, audit rights, cooperation plan with authority, subcontracting conditions.
  • If the provider suffers an incident affecting the insurer, the insurer must notify under DORA.

Practical case 3: Industrial manufacturer with a banking client

Context: Spanish industrial company, 300 employees, €80M turnover, manufactures electronic components. Its main client is a European bank.

Analysis:

  • The industrial company isn't a financial entity → DORA doesn't apply directly.
  • It sits in the "Manufacturing" sector of NIS2 Annex II (important entities) if it manufactures medical devices, computers, electrical equipment, vehicles or machinery. If it fits, NIS2 applies.
  • Its banking client, under DORA pillar 4, will require DORA article 30 contractual clauses and include it in its information register as an ICT provider.
  • In practice, the industrial company complies with NIS2 and simultaneously signs a contractual annex with obligations equivalent to those in DORA article 30 at the client's request.

How to manage both frameworks without duplicating work

  1. A single ISMS covering the most demanding requirements (DORA if you're financial, NIS2 in the gaps).
  2. A single risk analysis with common methodology and marking of obligations per rule.
  3. A single provider policy with contractual annexes including DORA article 30 clauses + NIS2 letter d clauses.
  4. A single incident procedure with a decision tree about which authorities to notify (CSIRT, DORA sectoral supervisor, AEPD if personal data are involved).
  5. Integrated audit mapping evidence against both frameworks.
  6. Single security committee with board representation, reporting joint compliance.

Frequently asked questions

Does a financial entity have to notify incidents under DORA and NIS2?

No. By lex specialis, DORA prevails and notification happens through the DORA channel to the sectoral supervisor (Banco de España, CNMV, DGSFP in Spain). NIS2 doesn't impose any additional obligation.

Is a fintech under MiCA covered by DORA or NIS2?

Under DORA, because crypto-asset service providers (CASP) are in DORA article 2. NIS2 doesn't apply directly because of lex specialis.

If I'm a provider to a bank, am I under DORA?

Not directly. But if you provide a critical or important function to the bank, it will include you in its DORA register and require article 30 contractual clauses, prior evaluation, audit rights and a possible cooperation plan. If the ESAs designate you a CTPP, you do enter direct European oversight.

Does NIS2 apply to small financial entities below the DORA threshold?

DORA has no general threshold but applies proportionality. A very small financial entity remains under DORA with a simplified regime, not under NIS2.

What if NIS2 and DORA require different notification deadlines?

For entities under DORA lex specialis, DORA is the only reference. For NIS2 entities, the 24h/72h/1 month deadlines are the reference. If you have mixed subsidiaries, define a decision tree in the procedure that activates the right channel based on the incident's origin.

Can the audit be joint DORA + NIS2?

Yes, and it's the recommendation when there's a mixed group. The audit is designed from DORA (more demanding) and the few NIS2-specific gaps are mapped (non-financial sectors, specific training).

Align your organisation with DORA and NIS2 at Secra

At Secra we run integrated gap analyses, technical audits aligned with both frameworks, TLPT/TIBER exercises and review of DORA article 30 contractual clauses.


About the author

Secra Solutions team

Ethical hackers with OSCP, OSEP, OSWE, CRTO, CRTL and CARTE certifications, 7+ years of experience in offensive cybersecurity, and authors of CVE-2025-40652 and CVE-2023-3512.
