CompliancePulse / Guides / NIS2 vs DORA: which EU cybersecurity regime applies to you?

NIS2 vs DORA: which EU cybersecurity regime applies to you?

If you are a regulated financial entity in the EU — bank, insurer, investment firm, payment institution, or crypto-asset service provider — DORA is your regime: it has applied in full since January 17, 2025, and as lex specialis it takes precedence over NIS2 for your ICT risk obligations. If you are not a financial entity but operate in one of NIS2's 18 sectors (energy, transport, health, water, digital infrastructure, cloud and managed services, manufacturing of critical products, digital providers, and more) at medium size or above, NIS2 is your regime — via the national law of each member state where you operate, since NIS2 is a directive and transposition landed unevenly through 2025 and 2026. Technology vendors regularly face both: DORA indirectly as a critical ICT third-party provider to financial clients, NIS2 directly as a cloud or managed service provider.

DORA: the financial-sector regime

The Digital Operational Resilience Act applies to some 22,000 financial entities and, distinctively, reaches their ICT suppliers: critical third-party providers can be designated for direct EU-level oversight, and every financial entity must maintain a register of ICT contracts with mandatory contractual clauses.

Core obligations: an ICT risk-management framework owned by the management body, major-incident reporting on fixed clocks, digital operational resilience testing (threat-led penetration testing for the largest entities), and third-party risk management. If your customers are EU banks or insurers, DORA arrives in your contracts even though the law never names you.

NIS2: everything else critical

NIS2 divides covered organisations into essential and important entities across 18 sectors, generally catching companies from 50 employees or €10M turnover upward. Obligations are risk-based: governance accountability (management can be personally liable), security measures across supply chain and incident handling, and a 24-hour early-warning / 72-hour notification / one-month final-report incident cadence.

Because it is a directive, your actual obligations live in national transposition laws — Germany's, France's, and others' implementations differ in registration duties and enforcement details, and several member states transposed late, so the compliance date in a given country is that country's law, not October 2024. Penalties reach €10M or 2% of worldwide turnover for essential entities.

Deciding, and what to do first

The decision tree is short: financial entity → DORA. Critical-sector non-financial entity at qualifying size → NIS2 in each member state of operation. ICT vendor → check both exposure paths: direct NIS2 coverage as a digital provider, and contractual DORA flow-down from financial clients.

Either way the first deliverables look similar: an incident-response process that can hit the notification clocks, a supplier register, and management-level ownership of cyber risk. Our /api/comply/cyber endpoint ($0.12) maps the mandates for any jurisdiction and sector; /api/comply/scan ($1.50) places NIS2 and DORA alongside everything else that binds your specific profile, with deadlines and sources.

🤖 AI agents can pull this data live: GET https://compliancepulse.theaslangroupllc.com/api/comply/cyber — x402 pay-per-query, no API key. See llms.txt.

FAQ

Can both NIS2 and DORA apply to the same company?

Yes — most commonly to ICT vendors: NIS2 directly as a digital/cloud provider, DORA indirectly through mandatory contract clauses from financial-entity clients. For financial entities themselves, DORA takes precedence as lex specialis.

Is DORA already enforceable?

Yes — it has applied in full since January 17, 2025, including incident reporting and the ICT third-party register.

Does NIS2 apply directly like a regulation?

No — it is a directive, effective through national transposition laws, which arrived unevenly through 2025-2026. Check the specific member state's implementation.

What size company does NIS2 catch?

Generally medium-sized and up (50+ employees or €10M+ turnover) in covered sectors, with some entities covered regardless of size (e.g. sole providers of critical services).

Sources

Related guides

EU AI Act deadline: does August 2, 2026 still apply?Which privacy laws apply to my company in 2026?