Two forest roads diverging between tall trees — a visual metaphor for the two regulatory paths European companies face under NIS2 and DORA
Photo: Jens Lelie on Unsplash
← All posts NIS2 11 min read

NIS2 vs DORA: Key Differences for European Companies in 2026

A side-by-side comparison of NIS2 and DORA: scope, legal mechanism, risk management, incident reporting, third-party rules, and penalties. Plus: when both apply to you and which one wins.

A fintech compliance lead Googling "do I need to comply with both NIS2 and DORA?" gets a long list of vendor blog posts that pile up but leads to nothing but empty wallets.

This article gives a direct and most importantly free answer.

By the end you'll know which regulation applies to your company, where they overlap, which one takes precedence, and where your compliance work is actually duplicated versus distinct.

If you're new to either regulation, start with the complete NIS2 and DORA compliance guide first.

TL;DR — the comparison at a glance

Dimension NIS2 DORA
Legal instrument Directive (EU) 2022/2555 Regulation (EU) 2022/2554
Mechanism Transposed into national law in each member state Directly applicable, identical text across the EU
In effect since Transposition deadline: 17 October 2024 Application date: 17 January 2025
Sectoral scope 18 sectors, essential and important entities Financial sector + critical ICT third-party providers
Size threshold Medium-sized enterprises and above by default All financial entities, with proportionality for microenterprises
Risk management 10 measures (Article 21) 5 pillars across Articles 5–14 — substantially more prescriptive
Incident reporting 24h early warning → 72h notification → 30-day final report 4h initial notification → intermediate → 30-day final report
Third-party rules One paragraph in Article 21(2)(d) Detailed regime: Articles 28–30 + mandatory Register of Information
Mandatory testing Periodic effectiveness assessment (Article 21(2)(f)) Annual basic + TLPT every 3 years for significant entities
Penalty cap €10M or 2% (essential); €7M or 1.4% (important) National discretion + 1%/day for critical ICT third-party providers
Overlap rule DORA wins for financial entities — Article 4 NIS2 (lex specialis)

If you're a financial entity, DORA dominates and the rest of this article tells you what you still owe under NIS2.

If you're not a financial entity, NIS2 is your reality and DORA is reference reading.

Different legal instruments — why that matters in practice

Directive vs Regulation: a 60-second primer

A regulation is directly applicable in all member states. The text is identical across the Union and no national legislation is required for it to take effect. DORA reads the same in Athens and Amsterdam.

By contrast, a directive sets objectives and leaves member states to write their own laws to achieve them. Each member state has its own NIS2 transposition with substantive differences in penalties, registration mechanics, sector specifics, and even the treatment of management body liability.

What this means for multinational SMEs

A 200-person company operating in Germany, France, and the Netherlands faces one DORA regime but three NIS2 regimes. NIS2 compliance work scales with country count; DORA compliance does not.

A concrete example: incident reporting portals. DORA points to a single ESA-coordinated mechanism for the worst incidents. NIS2 routes you to BSI in Germany, ANSSI in France, and NCSC-NL in the Netherlands — each with its own portal, its own form fields, and its own clarification expectations.

For country-by-country variance see NIS2 Penalties by Country: A Complete 2026 Guide.

Who's in scope — two very different tests

NIS2 scope: sector + size

Bottom line: NIS2 applies if you fall into one of the 18 sectors (Annexes I and II) and meet the size threshold.

The default size threshold is the EU's medium-enterprise definition: 50 or more staff, or annual turnover above €10 million.

Several entity types are in scope regardless of size:

  • Qualified trust service providers
  • Top-level domain name registries
  • DNS service providers
  • Providers of public electronic communications networks or services
  • Public administration entities (member state choice)
  • Sole providers of a critical service in a member state

Detailed treatment of the boundary cases in NIS2 Essential vs Important Entities: Which Are You?.

DORA scope: financial entities + critical ICT third-party providers

DORA applies to roughly 22,000 financial entities under Article 2:

  • Credit institutions
  • Payment institutions
  • Electronic money institutions
  • Investment firms
  • Crypto-asset service providers (under MiCA)
  • Central counterparties
  • Central securities depositories
  • Trade repositories
  • Alternative investment fund managers
  • UCITS management companies
  • Insurance and reinsurance undertakings
  • Insurance intermediaries
  • Institutions for occupational retirement provision
  • Credit rating agencies
  • Securitisation repositories
  • Administrators of critical benchmarks
  • Crowdfunding service providers.

There is no size floor under DORA — even microenterprise financial entities are in scope. Proportionality scales the depth of obligations rather than excluding entities entirely.

Separately, DORA creates a regime of direct EU-level supervision over critical ICT third-party providers (CTPPs). The first list of designated CTPPs was published in November 2025 and includes 19 providers, among them AWS, Microsoft, Google Cloud, IBM, and Bloomberg. CTPPs face Lead Overseer supervision from the European Supervisory Authorities — the first time non-financial firms face direct EU-level supervision.

Edge cases worth flagging

  • Crypto-asset service providers — in scope of DORA, may also be in NIS2 depending on activity profile
  • Cloud and SaaS providers serving banks — indirect scope via DORA's third-party regime, plus likely direct scope under NIS2 as digital infrastructure
  • Insurance brokers — DORA applies; NIS2 generally does not, unless designated as a sole provider of a critical service

Risk management — same goal, different specificity

NIS2 Article 21 — the 10 measures

Article 21 NIS2 sets out ten high-level requirements:

  • Risk policies
  • Incident handling
  • Business continuity
  • Supply chain security
  • Secure development and vulnerability management
  • Effectiveness assessment
  • Cyber hygiene and training
  • Cryptography,
  • HR security
  • Access control
  • Multifactor Authentication
  • Secured communications.

The directive deliberately avoids prescribing technical detail — it leaves implementation flexibility to entities and member states.

Each measure is broken down in NIS2 Article 21: All 10 Risk Management Measures Explained.

DORA Pillar 1 — the ICT risk management framework

DORA is significantly more prescriptive.

Articles 5–14 require a complete ICT risk management framework approved by the management body, with specified components:

  • Governance arrangements
  • An explicit framework structure
  • Identified functions covering identification
  • Protection and prevention
  • Detection, response and recovery
  • Learning and evolving.

ICT business continuity policy and recovery plans are mandatory.

Where NIS2 says "policies for risk analysis," DORA specifies the lifecycle, governance roles, review frequency, and management body sign-off.

The practical compliance overlap

A solid ISO 27001 ISMS plus the controls in Annex A covers most of NIS2 Article 21 and a substantial portion of DORA Pillar 1.

Where DORA goes beyond ISO 27001:

  • Governance specifics
  • Mandatory ICT-related incident classification
  • Prescribed business continuity testing.

Where NIS2 goes beyond ISO 27001:

  • Supply chain due diligence specifically targeting direct suppliers and service providers
  • Management body training under Article 20.

Incident reporting — two timelines, two authorities

NIS2 timeline (24/72/30)

Article 23 NIS2 sets a three-stage timeline for significant incidents:

  1. Within 24 hours of awareness — early warning to the national CSIRT
  2. Within 72 hours of awareness — incident notification with initial impact assessment
  3. Within one month — final report covering root cause and mitigation

National CSIRTs differ — CFCS in Denmark, BSI in Germany, ANSSI in France, NCSC-NL in the Netherlands. Cross-border incidents trigger CSIRT cooperation duties.

For further information see our article NIS2 Incident Reporting: The 24-72-30 Day Timeline.

DORA timeline (4-hour initial / intermediate / final)

DORA reporting triggers when an ICT-related incident is classified as major using the criteria in the Commission Delegated Regulation on incident classification (significant client impact, data losses, geographic spread, reputational damage, and others).

  1. Initial notification within four hours of classification as a major incident
  2. Intermediate report when status changes or new information becomes available
  3. Final report within one month of incident handling completion

Reports go to the national competent authority for the financial entity, which routes onward to the European Supervisory Authorities.

Significant cyber threats may also be reported voluntarily under Article 19(2) DORA.

When both regimes apply to one incident

A bank suffering a cyber-attack on its payment infrastructure may face DORA reporting because it is a major ICT-related incident — and may also have NIS2 obligations if it operates in another in-scope sector (rare but possible).

The practical advice: build one incident response runbook calibrated to the stricter timeline. Meeting DORA's four-hour initial notification will, by definition, satisfy NIS2's 24-hour early warning.

Third-party and supply chain rules

NIS2's lighter regime

NIS2 article 21(2)(d) requires entities to address security in their relationships with direct suppliers and service providers.

Member states may issue sector-specific guidance.

There is no mandatory register, no enumerated contractual provisions, and no centralised oversight of suppliers — flexibility, but also less guidance for SMEs trying to do this well.

DORA's prescriptive third-party regime

DORA's third-party regime is in a different league. Three components stand out:

  • Article 28 — pre-contractual phase requirements including risk assessment, due diligence, and concentration risk analysis
  • Article 28(3) — mandatory Register of Information documenting every contract with an ICT third-party provider, structured per the template prescribed by Commission Implementing Regulation (EU) 2024/2956
  • Article 30 — mandatory contractual provisions covering service descriptions, data location, security incident notification, audit rights, and exit strategies
  • Article 31 — designation of critical ICT third-party providers (CTPPs) subject to direct EU-level oversight

For implementation detail, see our article DORA Third-Party Oversight and DORA Register of Information: Template and Requirements.

Penalties

NIS2 penalty caps

Article 34 NIS2 sets the maxima:

  • Essential entities: up to €10 million or 2% of total worldwide annual turnover, whichever is higher
  • Important entities: up to €7 million or 1.4% of total worldwide annual turnover, whichever is higher

Member states may set higher national caps; several have. Non-monetary sanctions include compliance orders, public reprimands, and in some transpositions, temporary management body certification suspensions.

DORA penalty mechanics

Articles 50–52 DORA leave administrative penalty levels to member state discretion under the directive's "effective, proportionate, dissuasive" standard.

National variance is significant — Germany, for example, has set fines under FinmadiG up to €5 million as an administrative offence and up to €1 million for senior management personally.

Article 35 DORA introduces a uniquely aggressive EU-level mechanism for CTPPs: periodic penalty payments of up to 1% of average daily worldwide turnover, per day, for up to six months. No other EU regulation applies a comparable daily-accrual mechanism to non-financial firms.

Practical note: as of mid-2026, public NIS2 enforcement actions remain rare — early-cycle regulatory behaviour favours remediation over fines. Commercial pressure from in-scope customers is the bigger near-term cost driver.

When you're subject to both — the lex specialis rule

Article 4 NIS2 — the displacement clause

NIS2 article 4 contains the displacement clause that resolves the dual-coverage question. Where sector-specific Union legal acts impose at least equivalent cybersecurity risk management or incident notification requirements, those acts apply instead of NIS2's corresponding provisions for the entities they cover.

DORA is the canonical sector-specific act for financial entities. Recital 28 of DORA confirms the position explicitly, stating that DORA constitutes lex specialis with regard to NIS2 for the financial sector.

The result: a financial entity in DORA scope should not run two parallel regimes. It runs one DORA-compliant programme. DORA wins on the dimensions DORA covers.

But not everything is displaced

The lex specialis rule only displaces equivalent provisions — not the entirety of NIS2. A financial entity can still face NIS2 obligations for:

  1. Activities in non-financial sectors (a bank that also provides critical infrastructure services)
  2. Areas where DORA is silent and NIS2 is not (some cross-sector cooperation duties, certain registration requirements)
  3. Specific national-level NIS2 obligations not covered by DORA

Germany's NIS2UmsuCG addresses this nuance directly in Section 28(6) BSIG-E: the lex specialis carve-out covers ICT risk management and incident reporting only — not all NIS2 obligations.

Frequently asked questions

If I'm a fintech, do I need to comply with both NIS2 and DORA? Primarily DORA. NIS2 may still apply for activities not covered by DORA, but DORA's substantive ICT risk management and incident reporting obligations displace the equivalent NIS2 provisions for entities in DORA scope.

Does DORA apply to my company if we have only 5 employees? Yes if you're a financial entity within Article 2 DORA. There is no scope exemption based on size, but proportionality (Article 4 DORA) reduces the burden for microenterprises in specific areas.

Which incident reporting timeline applies if both could apply? Build to the stricter timeline — DORA's four-hour initial notification beats NIS2's 24-hour early warning. Meeting DORA satisfies NIS2 by definition.

Is ISO 27001 enough for either NIS2 or DORA? No, but it gets you most of the way. Main difference is in supply chain due diligence (NIS2 Article 21(2)(d)), management body training (NIS2 Article 20), the prescribed Register of Information (DORA Article 28(3)), and TLPT (DORA Article 26).

Can I use the same Register of Information for both regulations? DORA mandates a specific template per Commission Implementing Regulation (EU) 2024/2956. You can extend it to cover NIS2 supply chain documentation, but the DORA structure is non-negotiable.

Are there any exemptions for SMEs? Under NIS2, yes — primarily via the size threshold. Under DORA, no scope exemption, but proportionality in obligations.

The bottom line for European companies

Three takeaways:

  1. Different mechanism, different geography. DORA is one law across the EU; NIS2 is 27 national laws.
  2. Where they overlap, DORA wins. But not entirely, and not on every dimension. The Article 4 NIS2 displacement is real but bounded.
  3. Build one programme, two evidence packs. Most controls satisfy both regimes. The documentation is what differs.

If you're working out which regime applies and where to start, the complete NIS2 and DORA compliance guide for SMEs walks through the 10-step roadmap.


Sources & further reading

#nis2#dora#comparison#guide