NIS 2 vs DORA: which EU regime binds you
Broad cross-sector cybersecurity directive versus financial-sector lex specialis.
NIS 2 vs DORA at a glance
| Feature | NIS 2 | DORA |
|---|---|---|
| Instrument | EU Directive (transposed into national law by each member state) | EU Regulation (directly applicable, harmonised across the EU) |
| Scope | Essential and important entities across many sectors (energy, transport, health, digital infrastructure, public administration and more) | Financial entities (banks, insurers, investment firms, payment institutions) and their critical ICT third-party providers |
| Precedence | General regime; yields to sector-specific EU acts | Lex specialis — prevails over NIS 2 for financial entities on the matters it covers |
| Core risk-management duty | Cybersecurity risk-management measures and reporting under the directive's Article 21-style obligations | ICT risk-management framework under DORA Article 6 |
| Governance accountability | Management bodies must approve and oversee cybersecurity measures and can be held liable | Management body holds ultimate responsibility for ICT risk management under DORA Article 5 |
| Incident reporting | Early warning and notification to the national CSIRT / competent authority | Harmonised major ICT-related incident classification and reporting to the relevant financial supervisor |
| Third-party / supply chain | Supply-chain security as part of risk-management measures | Detailed ICT third-party risk rules, including oversight of critical ICT providers |
If you are a fintech: which one actually binds you
If you are a financial entity in scope of DORA, DORA is lex specialis and prevails over NIS 2 for the ICT risk-management, incident-reporting and third-party matters it covers — you build to DORA, not NIS 2, on those topics. NIS 2 may still be relevant if part of your group sits in a non-financial in-scope sector, or for matters DORA does not address. The practical test is entity classification, not product type: confirm whether you meet the definition of a financial entity under DORA and whether your ICT providers are designated critical. Document that determination. Article 6 (ICT risk-management framework) and Article 5 (management-body responsibility) are the anchor obligations to design against; treat NIS 2 as the fallback regime, not a parallel one.
DORA implementation guidance
How ISMS Copilot helps with both
- Runs a scope assessment to determine whether DORA, NIS 2, or both apply
- Drafts a DORA Article 6 ICT risk-management framework and incident classification
- Cross-maps shared controls to ISO 27001 so you implement once
Use the free checkers as a first pass before legal review
Since the answer to "which binds you" is a scoping question first, the free NIS 2 Applicability Checker walks the Article 2/3 essential-versus-important test (with national-transposition data) as a structured first pass — a starting point for the lex specialis reasoning above, not a definitive legal determination. A scope conclusion that drives controls and registration should still be confirmed with legal review of edge cases (group structure, sectoral coverage, national transposition specifics).
Open the free NIS 2 Applicability Checker
And the matching free DORA scope test
The DORA Applicability Checker walks the Regulation 2022/2554 scope test (financial-entity categories — banks, insurers, investment firms, payment institutions and more; no transposition layer — DORA applied EU-wide from 17 January 2025) — again a structured first pass, not a final legal determination. Where both first-pass results indicate scope, the lex specialis effect on ICT risk-management, incident reporting and third-party rules is the practical consequence, but the conclusion still needs to be signed off by counsel.
Open the free DORA Applicability Checker
Frequently Asked Questions
Does DORA replace NIS 2 for banks?
For financial entities, DORA acts as lex specialis and prevails over NIS 2 on the ICT risk-management, incident-reporting and third-party matters it governs. NIS 2 can still apply to non-financial parts of a group or topics DORA does not cover.
Is NIS 2 a regulation or a directive?
NIS 2 is a directive, so each EU member state transposes it into national law with some variation. DORA is a regulation and applies directly and uniformly across the EU.
We are a payment provider — which framework do we design to?
Confirm whether you are a financial entity under DORA. If so, design your ICT risk-management framework to DORA Article 6 and management-body responsibility to Article 5; DORA takes precedence over NIS 2 for those obligations.
