
DORA vs NIS2: Which EU Directive Applies to You? The Complete 2026 Guide

DORA and NIS2 compared: scope, requirements, penalties, overlaps. How to build a compliance strategy that covers both EU regulations efficiently.

21 March 2026 · 11 min read · ConformScan

DORA and NIS2 are the two most significant EU cybersecurity regulations of the decade — and both are now in force. NIS2 became enforceable in October 2024. DORA has applied since January 2025. If your organisation operates in the financial sector or manages critical infrastructure in Europe, you may be subject to one or both. This guide breaks down the differences, the overlaps, and how to build a compliance strategy that covers both efficiently.

DORA in 60 seconds

The Digital Operational Resilience Act (EU 2022/2554) is a sector-specific regulation targeting financial entities. It mandates ICT risk management, incident reporting, digital operational resilience testing, and third-party risk management. DORA applies to banks, insurers, investment firms, payment institutions, crypto-asset service providers, and critical ICT third-party providers.

Key characteristic: DORA applies by sector, not by size. A two-person fintech is in scope just as a large bank is.

NIS2 in 60 seconds

The Network and Information Security Directive 2 (EU 2022/2555) is a cross-sector directive covering essential and important entities across 18 sectors. It requires risk management measures, incident reporting, supply chain security, and management accountability. NIS2 applies based on sector AND size: typically 50+ employees or €10M+ revenue in a covered sector.

Key characteristic: NIS2 is a directive — member states must transpose it into national law. Implementation varies by country. DORA is a regulation — it applies directly and uniformly across all EU member states.

Scope: who is affected?

DORA scope

  • Credit institutions (banks)
  • Payment institutions and e-money institutions
  • Investment firms and fund managers
  • Insurance and reinsurance undertakings
  • Credit rating agencies
  • Crypto-asset service providers (CASPs)
  • Central securities depositories
  • Trade repositories
  • Critical ICT third-party service providers (designated by ESAs)

No size threshold. Sector membership determines applicability.

NIS2 scope

  • Essential entities (large): Energy, transport, banking, health, water, digital infrastructure, ICT service management, public administration, space
  • Important entities (medium): Postal services, waste management, chemicals, food, manufacturing, digital providers, research

Size thresholds apply: generally 50+ employees or €10M+ revenue for important entities; 250+ employees or €50M+ revenue for essential entities. Member states can extend scope to smaller entities in critical areas.

The overlap zone

Financial entities (banks, insurers, payment providers) fall under both DORA and NIS2. Article 4 of NIS2 explicitly addresses this: where sector-specific EU law (like DORA) imposes cybersecurity requirements at least equivalent to NIS2, DORA takes precedence. In practice, this means financial entities should focus primarily on DORA compliance — it is more specific and more demanding than NIS2 in most areas.
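The scope rules above (DORA by sector only, NIS2 by sector and size, Article 4 precedence) as an added decision helper; this is example code written for this guide, not ConformScan's scanner. The sector tokens, the Entity dataclass and the treatment of a medium-sized entity in an essential sector as an important entity are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Sector labels and thresholds follow the article. The labels are simplified
# tokens chosen for this example, not legal category names.
DORA_SECTORS = {"banking", "insurance", "investment", "payments", "crypto-assets"}
NIS2_ESSENTIAL_SECTORS = {
    "energy", "transport", "banking", "health", "water", "digital infrastructure",
    "ict service management", "public administration", "space",
}
NIS2_IMPORTANT_SECTORS = {
    "postal", "waste", "chemicals", "food", "manufacturing", "digital providers",
    "research",
}


@dataclass
class Entity:
    name: str
    sector: str
    employees: int
    revenue_eur: float


def nis2_category(e: Entity) -> Optional[str]:
    """NIS2 applies by sector AND size, using the thresholds from the article."""
    large = e.employees >= 250 or e.revenue_eur >= 50_000_000
    medium = e.employees >= 50 or e.revenue_eur >= 10_000_000
    if e.sector in NIS2_ESSENTIAL_SECTORS and large:
        return "essential"
    # Assumption: a medium-sized entity in an essential sector is treated as an
    # important entity (the article does not spell this case out).
    if e.sector in NIS2_ESSENTIAL_SECTORS and medium:
        return "important"
    if e.sector in NIS2_IMPORTANT_SECTORS and medium:
        return "important"
    return None  # below threshold: out of scope unless a member state extends it


def applicable_frameworks(e: Entity) -> dict:
    """DORA applies by sector with no size threshold; where both apply,
    DORA takes precedence (NIS2 Article 4), so it becomes the lead framework."""
    in_dora = e.sector in DORA_SECTORS
    nis2 = nis2_category(e)
    lead = "DORA" if in_dora else ("NIS2" if nis2 else None)
    return {"dora": in_dora, "nis2": nis2, "lead_framework": lead}


if __name__ == "__main__":
    # Constructed sample entities to exercise each branch of the rules.
    for ent in [Entity("two-person fintech", "payments", 2, 400_000),
                Entity("retail bank", "banking", 3_000, 900_000_000),
                Entity("food manufacturer", "food", 120, 30_000_000),
                Entity("small lab", "research", 12, 1_000_000)]:
        print(ent.name, applicable_frameworks(ent))
```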

Requirements comparison

Risk management

  • DORA (Art. 5–16): Comprehensive ICT risk management framework. Requires identification of all ICT assets, data classification, protection measures (encryption, access control, network security), detection capabilities, response and recovery plans, and learning processes. Specific technical requirements for each domain.
  • NIS2 (Art. 21): Risk-based approach to cybersecurity. 10 minimum measures including risk analysis, incident handling, business continuity, supply chain security, network security, vulnerability management, cryptography, access control, MFA, and cyber hygiene. Less prescriptive than DORA on implementation details.

Incident reporting

  • DORA: Three-stage reporting for major ICT incidents: initial notification within 4 hours of classification (or 24h of awareness), intermediate report within 72 hours, final report within 1 month. Specific classification criteria for "major" incidents defined in regulatory technical standards.
  • NIS2: Two-stage reporting: early warning within 24 hours of becoming aware of a significant incident, full incident notification within 72 hours. Final report within 1 month. Classification of "significant" incidents is broader than DORA's "major" classification.

Third-party / supply chain risk

  • DORA (Art. 28–44): Extensive requirements. Written contracts with all ICT providers. Register of third-party dependencies. Exit strategies for critical providers. Annual concentration risk assessment. Critical ICT providers subject to direct EU oversight framework.
  • NIS2 (Art. 21(2)(d)): Supply chain security is one of the 10 minimum measures, but requirements are far less detailed than DORA. No equivalent to DORA's third-party oversight framework.

Testing

  • DORA (Art. 24–27): Mandates annual ICT testing programme. Significant financial entities must conduct Threat-Led Penetration Testing (TLPT) at least every 3 years, following the TIBER-EU framework.
  • NIS2: Requires "policies and procedures to assess the effectiveness of cybersecurity risk-management measures" (Art. 21(2)(f)) but does not mandate specific testing methodologies like TLPT.

Governance and accountability

  • DORA (Art. 5): Management body must approve and oversee the ICT risk management framework. Members must maintain sufficient knowledge of ICT risks. Regular training required.
  • NIS2 (Art. 20): Management bodies must approve cybersecurity measures and oversee implementation. Members can be held personally liable. Must undergo cybersecurity training.

Penalties comparison

  • DORA: Up to 1% of average daily worldwide turnover per day of non-compliance. Periodic penalty payments for up to 6 months. Public naming. For critical ICT providers: up to €5M or 1% of global turnover.
  • NIS2: Essential entities: up to €10M or 2% of global turnover. Important entities: up to €7M or 1.4% of global turnover. Personal liability for management. Temporary management bans possible.

Infrastructure controls overlap: ~40%

At the technical infrastructure level, DORA and NIS2 share approximately 40% of their controls. Both require:

  • Encryption at rest and in transit for sensitive data
  • MFA and least-privilege access controls
  • Comprehensive logging and monitoring (CloudTrail, GuardDuty, etc.)
  • Backup and recovery capabilities with tested procedures
  • Network security and segmentation
  • Vulnerability management and patching
  • Incident detection and response capabilities

This means fixing these common controls satisfies requirements in both regulations simultaneously. A single infrastructure scan can identify gaps affecting both DORA and NIS2.

How to be compliant with both: a practical strategy

  1. Start with infrastructure controls: Run a cross-framework scan against your AWS or Azure environment. Fix encryption, IAM, logging, and network issues — these satisfy both DORA and NIS2.
  2. Layer DORA-specific requirements: If you are in financial services, add the DORA-specific items: ICT asset register, third-party contracts review, incident classification process (4h timeline), and TLPT programme.
  3. Address NIS2 governance: Ensure management board training, supply chain risk assessments, and reporting procedures are in place.
  4. Automate evidence collection: Both regulations require continuous monitoring, not point-in-time audits. Scheduled scanning provides the evidence trail for both.

Cross-framework scanning with ConformScan

ConformScan runs DORA, NIS2, BSI C5, GDPR, and ISO 27001 checks in a single scan. For every finding, you see which regulations are affected — so you can prioritize fixes that satisfy the most requirements at once. One scan, multiple frameworks, unified remediation.
