NIS2 Guide
NIS2 vs DORA: how they differ, where they overlap, and which one applies to you
NIS2 and DORA are the two EU cybersecurity regimes most likely to land on the same desk in 2026 — and they are routinely confused. They share a goal (operational and cyber resilience) and many of the same controls, but they target different organisations and one takes precedence over the other for the financial sector. This guide explains the difference, the overlap, and how to tell which applies to you — with a clear answer for supply-chain and third-party teams who serve customers under either.
What each one is
Both came out of the same 2022 EU resilience package, but they are different instruments aimed at different populations.
NIS2 — broad, cross-sector
A directive (transposed into national law, deadline 17 Oct 2024) covering essential and important entities across energy, transport, health, water, digital infrastructure, public administration, manufacturing and more. Sets baseline risk-management measures (Art. 21) and incident reporting (Art. 23).
DORA — financial sector, ICT-focused
A regulation (directly applicable, applies from 17 January 2025) for the EU financial sector — banks, insurers, investment firms, crypto-asset providers and more — plus oversight of their critical ICT third-party providers. Sets detailed ICT risk-management, resilience-testing and third-party rules.
Where they overlap
If you have implemented one well, much of the other will feel familiar. Both require:
- Management accountability — leadership must own and oversee cyber/ICT risk, and can be held responsible.
- Risk-management measures — documented, proportionate controls across the security lifecycle.
- Incident reporting — structured notification to authorities on defined timelines.
- Third-party and supply-chain risk — you are responsible for the cyber risk your providers introduce.
- Testing and continuous improvement — resilience is assessed over time, not certified once.
The key rule: DORA is lex specialis for financial entities
The two regimes are designed not to double-regulate. For financial entities, DORA is lex specialis — the more specific law that takes precedence. Where DORA and NIS2 would both cover the same ICT risk-management or incident-reporting ground for a financial entity, DORA's requirements apply and the equivalent NIS2 provisions do not stack on top.
In practice that means a bank does not run two parallel cyber programmes. It follows DORA for ICT risk, testing, incident reporting and third-party oversight. NIS2 still matters to the wider ecosystem around it — including many of its suppliers — but the financial entity itself is governed by DORA on the overlapping topics.
Lex specialis applies where the sector-specific act imposes requirements at least equivalent to NIS2. The boundary can be nuanced for mixed groups; confirm your status with your competent authority.
Which applies to you?
A quick decision aid follows. The honest answer for many organisations is 'one directly, the other through your customers.'
A financial entity (bank, insurer, investment firm, crypto-asset provider…)
DORA applies as lex specialis for your ICT risk; NIS2's equivalent provisions do not apply on top.
A critical-sector entity outside finance (energy, health, transport, water, digital infrastructure, public administration…)
NIS2 applies. Check the Annex I/II sectors and the size thresholds to confirm your tier.
An ICT provider to financial entities
You face DORA's third-party regime through your clients' contracts; the largest providers can be designated critical and overseen directly by the ESAs. If you are also an Annex I ICT/managed-service provider, you may be in NIS2 scope too.
A supplier to a NIS2 entity
NIS2's supply-chain duty (Art. 21(2)(d)) reaches you via your customers' due diligence — questionnaires, evidence requests and continuous monitoring — even if you are not directly designated.
The bottom line for supply-chain teams
Whether your customer is governed by DORA or NIS2, the demand on you converges: both regimes make organisations responsible for the cyber risk of their providers, and both treat resilience as something assessed continuously rather than attested once a year. So the question for a supplier is rarely 'NIS2 or DORA?' — it is 'can I demonstrate, on demand, that my security holds up?'
That is why third-party assurance is becoming continuous on both sides of the line. A bank's DORA third-party register and a manufacturer's NIS2 supplier programme are asking suppliers for the same thing: current, evidence-backed proof of security posture, not a stale spreadsheet.
Sources: Regulation (EU) 2022/2554 (DORA) and Directive (EU) 2022/2555 (NIS2). Confirm the overlap boundary with your national competent authority and the relevant ESA guidance.
How norppa.io helps
norppa.io gives you continuous, evidence-backed assurance over your suppliers and ICT providers — the thing both NIS2 and DORA now expect. Every monitored domain is checked across 100+ control points daily, critical events every six hours, with findings available for export to your DORA register of information or your NIS2 supplier file.
Self-assessment questionnaires (SAQ) capture process and contractual controls, and each answer is cross-validated against the live technical profile — so whether your customer's auditor cites DORA or NIS2, you can show current, corroborated evidence rather than assertions.