NIS2 vs DORA: which EU cybersecurity regime applies to you?
DORA: the financial-sector regime
The Digital Operational Resilience Act applies to some 22,000 financial entities and, distinctively, reaches their ICT suppliers: critical third-party providers can be designated for direct EU-level oversight, and every financial entity must maintain a register of ICT contracts with mandatory contractual clauses.
Core obligations: an ICT risk-management framework owned by the management body, major-incident reporting on fixed clocks, digital operational resilience testing (threat-led penetration testing for the largest entities), and third-party risk management. If your customers are EU banks or insurers, DORA arrives in your contracts even though the law never names you.
NIS2: everything else critical
NIS2 divides covered organisations into essential and important entities across 18 sectors, generally catching companies from 50 employees or €10M turnover upward. Obligations are risk-based: governance accountability (management can be personally liable), security measures across supply chain and incident handling, and a 24-hour early-warning / 72-hour notification / one-month final-report incident cadence.
Because it is a directive, your actual obligations live in national transposition laws — Germany's, France's, and others' implementations differ in registration duties and enforcement details, and several member states transposed late, so the compliance date in a given country is that country's law, not October 2024. Penalties reach €10M or 2% of worldwide turnover for essential entities.
Deciding, and what to do first
The decision tree is short: financial entity → DORA. Critical-sector non-financial entity at qualifying size → NIS2 in each member state of operation. ICT vendor → check both exposure paths: direct NIS2 coverage as a digital provider, and contractual DORA flow-down from financial clients.
Either way the first deliverables look similar: an incident-response process that can hit the notification clocks, a supplier register, and management-level ownership of cyber risk. Our /api/comply/cyber endpoint ($0.12) maps the mandates for any jurisdiction and sector; /api/comply/scan ($1.50) places NIS2 and DORA alongside everything else that binds your specific profile, with deadlines and sources.
GET https://compliancepulse.theaslangroupllc.com/api/comply/cyber — x402 pay-per-query, no API key. See llms.txt.FAQ
Can both NIS2 and DORA apply to the same company?
Yes — most commonly to ICT vendors: NIS2 directly as a digital/cloud provider, DORA indirectly through mandatory contract clauses from financial-entity clients. For financial entities themselves, DORA takes precedence as lex specialis.
Is DORA already enforceable?
Yes — it has applied in full since January 17, 2025, including incident reporting and the ICT third-party register.
Does NIS2 apply directly like a regulation?
No — it is a directive, effective through national transposition laws, which arrived unevenly through 2025-2026. Check the specific member state's implementation.
What size company does NIS2 catch?
Generally medium-sized and up (50+ employees or €10M+ turnover) in covered sectors, with some entities covered regardless of size (e.g. sole providers of critical services).