NIS2 vs DORA: the definitive comparison for European organizations

TL;DR

Both are EU cybersecurity regulations effective 2024-2025. NIS2 applies broadly across 18+ sectors. DORA applies specifically to financial entities. Where they overlap (financial sector), DORA is lex specialis — its rules take precedence. NIS2 covers gaps DORA doesn't address (physical security, broader supply chain, training depth).

Side-by-side

| Dimension | NIS2 | DORA |
| --- | --- | --- |
| Type | Directive (EU) 2022/2555 — transposed into national law | Regulation (EU) 2022/2554 — directly applicable |
| Scope | 18+ sectors: energy, transport, banking, healthcare, digital infra, water, etc. | Financial sector only: banks, insurance, investment firms, crypto, MSPs serving finance |
| Affected entities | ~180k in EU, ~29k in Germany | ~22k financial entities across EU |
| Entity classification | Essential vs Important (by sector + size) | Financial entities + Critical ICT third-party providers (CTPP) |
| Key measures | 10 measures (Art. 21): risk analysis, incident handling, BCM, supply chain, SDLC, effectiveness testing, hygiene + training, crypto, personnel + access, MFA | 5 pillars: ICT risk mgmt, incident mgmt + reporting, resilience testing (incl. TLPT), third-party risk, info sharing |
| Incident reporting | 24h early warning → 72h update → 1 month final report to BSI/national CSIRT | Tiered: initial → intermediate → final to BaFin/national authority |
| Penetration testing | Implicit (effectiveness testing) | Explicit: TLPT (Threat-Led Penetration Testing) for significant entities, Art. 26-27 |
| Supervisory authority | BSI (DE); national CSIRT per MS | BaFin (DE), ECB (significant), EIOPA/ESMA |
| Penalties | Essential: €10M or 2% turnover; Important: €7M or 1.4% | Up to 1% of average daily worldwide turnover per day of infringement |
| In force since | Entered force 18 Oct 2024; DE NIS2UmsuCG pending | Applicable since 17 January 2025 |
| Management accountability | § 38 BSIG-neu: personal liability + training obligation | Art. 5(2): management body explicitly responsible |

When to choose which

NIS2

You're outside the financial sector — manufacturing, healthcare, energy, transport, digital infrastructure. NIS2 is your primary cybersecurity regulation.

DORA

You're a financial entity (bank, insurer, investment firm, crypto service, payment institution). DORA applies directly and takes precedence over NIS2 where they overlap.

Both

You're a financial entity — both apply. DORA is lex specialis for ICT matters. NIS2 still covers areas DORA doesn't (physical security, broader supply chain, training scope). Many banks run parallel programs.

The overlap

ICT risk management, incident handling, supply-chain security, effectiveness testing, board accountability — these appear in both. Roughly 75% of controls are similar. The differences are sector-specific emphases: DORA is deeper on financial-sector third-party management; NIS2 is broader on non-ICT security measures.

Key differences

  • NIS2 is a Directive (requires national transposition). DORA is a Regulation (directly applicable).
  • NIS2 has size thresholds (generally 50+ FTE or €10M revenue). DORA applies regardless of size to named financial-entity categories.
  • DORA explicitly mandates TLPT (Threat-Led Penetration Testing) for significant financial entities. NIS2 leaves the specifics of testing to its general effectiveness-testing measure.
  • DORA has a Critical ICT Third-Party Provider (CTPP) designation with separate oversight — no NIS2 equivalent.
  • DORA incident reporting flows to financial regulators (BaFin, EBA, ESMA, EIOPA). NIS2 incidents are reported to BSI/the national CSIRT.
  • NIS2 covers the broadest set of critical entities — 18+ sectors in Annex I + II. DORA is sector-specific.

Frequently asked questions

If my bank is subject to DORA, does NIS2 still apply?

Yes — both apply, but DORA is lex specialis for ICT risk management and incident reporting. Where DORA has specific rules (5 pillars), DORA wins. NIS2 still applies for areas DORA doesn't cover (physical security, personnel beyond ICT, broader supply-chain scope). Most banks run a unified program that satisfies both via shared controls.

What is lex specialis and how does it work here?

Lex specialis is the legal principle that a more specific law takes precedence over a more general one. DORA is more specific (financial sector) than NIS2 (cross-sector), so DORA wins where they conflict. Practical effect: for financial entities, DORA's 5 pillars define ICT resilience — NIS2 Art. 21 measures that aren't already covered by DORA still apply.

Can one compliance program satisfy both NIS2 and DORA?

For financial entities: yes, with careful mapping. ~75% of controls overlap. The approach: build DORA-compliant controls first (required anyway), then map them against NIS2 Art. 21 to identify gaps (supply-chain beyond CTPP, physical security, training scope). Platforms like Matproof automate this cross-mapping so evidence satisfies both in one audit cycle.

Which has stricter penalties?

DORA penalties are structured as up to 1% of average daily worldwide turnover per day of infringement — potentially unbounded depending on duration. NIS2 has fixed ceilings (€10M or 2% for essential entities, €7M or 1.4% for important). Both include personal accountability for management. For a sustained DORA violation, the financial exposure can exceed NIS2. For a discrete NIS2 violation, the exposure is capped.

Matproof covers all major EU frameworks.

One platform, 11 frameworks, EU-hosted. 30-minute demo tailored to your framework mix.