NIS2 · BANKING

NIS2 compliance for banks without duplicating your DORA program.

Banks are essential entities under NIS2 once they meet the size criteria. But DORA is lex specialis for financial-sector ICT risk. Matproof maps the overlap so a single control investment satisfies both, with a clean division for the areas NIS2 covers and DORA does not.

Why this matters now

NIS2 enforcement in Germany is now directly linked to BaFin supervision for financial entities. Institutions that invested only in DORA are finding gaps in NIS2-specific obligations (supply chain, physical security, incident notifications to public authorities).

  • DORA and NIS2 have roughly 70% control overlap and roughly 30% distinct requirements; teams without a mapping duplicate effort on the former and miss the latter
  • Board-level accountability structures differ under each regulation
  • Incident-notification flows to BaFin (DORA) vs BSI (NIS2) create dual reporting for the same incident
  • Supply chain obligations under NIS2 Art. 21(2)(d) are stricter than DORA Art. 28 in some dimensions

How Matproof covers NIS2 for Banking

Dual mapping of DORA Art. 5–27 and NIS2 Art. 21

Matproof's control library tags each evidence item with both DORA article and NIS2 measure. One control produces evidence for both audits.

Dual incident reporting

A single incident record auto-populates both the BaFin (DORA Art. 17–19) and BSI (NIS2 Art. 23) notification forms with the right timelines: DORA's tiered initial/intermediate/final reports, NIS2's 24h early warning, 72h notification and 1-month final report.

Supply chain differentiation

NIS2 supply chain obligations extend to suppliers outside the DORA ICT third-party register. Matproof flags which vendors are DORA-critical, NIS2-relevant, or both.

Executive-accountability register

NIS2 as transposed in § 38 BSIG-neu and DORA Art. 5(2) both make the management body personally responsible for cyber and ICT risk. Matproof maintains training records, approval trails, and escalation logs according to each regulator's expectations.

In scope

  • Credit institutions under EU CRR Art. 4(1)(1)
  • Banks with >250 FTE or >EUR 50M annual turnover: essential entity under NIS2
  • BaFin-supervised institutions subject to DORA since Jan 2025
  • Branches of third-country banks operating in the EU

Frequently asked questions

Do banks need both DORA and NIS2 compliance?

Yes. DORA is lex specialis for financial-sector ICT risk management, meaning DORA rules supersede NIS2 where they overlap. But NIS2 covers areas DORA doesn't — physical security, broader supply chain, training obligations extending beyond ICT. Both apply. BaFin and BSI will each supervise their respective scopes.

Which incident do I report to whom?

Major ICT-related incidents under DORA Art. 17–19 → BaFin (for significant institutions, also the ECB). Significant cybersecurity incidents under NIS2 Art. 23 → BSI. Many incidents trigger both. Matproof auto-populates both forms from one incident record and tracks both sets of deadlines in parallel.

What's the practical overlap between DORA Art. 28 and NIS2 Art. 21(2)(d)?

DORA Art. 28 focuses on ICT third parties providing services to financial entities, with a register of information, due diligence, mandatory contractual clauses, and exit strategies. NIS2 Art. 21(2)(d) is broader: any supplier or service provider whose security posture could affect the entity. For banks, the practical answer is DORA-level management for everything in the DORA register and NIS2-level screening for the broader vendor base.

How does NIS2 affect banks outside DORA's scope?

DORA applies to credit institutions regardless of size, so a bank is only outside DORA if it is excluded from its scope (DORA Art. 2(3), which carries over the CRD Art. 2(5) exemptions). Such an institution still falls under NIS2 as an essential entity if it meets the general NIS2 size criteria (>250 FTE or >EUR 50M annual turnover). In practice, nearly all banks are in both. For the rare exceptions, NIS2 applies without the DORA overlay.

Ready to start with NIS2?

30-minute demo tailored to Banking. We show you exactly how Matproof covers NIS2 for your sector.