NIS2 vs DORA: what differences and which legislation prevails?

DORA and NIS2 are two major pieces of European cybersecurity legislation. Find out which one is most important for your organization, and why.

If you’re a CISO, DPO or cybersecurity legal expert, you can’t escape NIS2 and DORA, two major pieces of European Union cybersecurity legislation. But what are the differences between them and, more importantly, which one has priority for your company?

Read also: DORA: Understanding the Digital Operational Resilience Act

NIS2 is a directive, DORA is a regulation

It’s important to stress that the Network and Information Security 2 is a directive, whereas the Digital Operational Resilience Act is a regulation. You may think that this is trivial legal lingo, but there’s a real difference!

• A directive sets a course, and cannot be applied as it stands in every EU Member State. It must first be transposed into the national law of each country.
• A regulation, on the other hand, applies unchanged in all Member States as soon as it comes into force. It is a binding legislative act, and must be enforced in its entirety.

The same logic applies to our two stars of the hour, NIS2 and DORA.

NIS2: a transposition into Member States’ national law before October 2024

The NIS2 Directive must be transposed into the national law of every EU country; it cannot be applied as such. It was published in the EU’s Official Journal on December 27, 2022, and Member States have 21 months from that date to transpose it into national law – i.e. by October 2024. In France for example, this is the deadline announced by ANSSI, the competent national authority.

However, it should be noted that this is the deadline for transposition into national law for Member States, not the compliance date for entities subject to NIS2. They will most probably have an additional period of time to comply with the directive as soon as it is applied in their respective countries.

If you are affected by NIS2, the transposition of the text into your country’s national law will probably bring its share of nuances. Wait & see then.

DORA: enforceable in all Member States on January 17, 2025

The DORA regulation will be applicable as it stands in all EU countries from its entry into force, scheduled for January 17, 2025 (24 months after its publication in the Official Journal of the EU). This date is clearly stated in Article 64 of DORA.

If you are affected by DORA, don’t expect any major changes in the obligations brought about by the legislation. They will be applied as is. That being said, some application details have yet to be specified. Draft technical standards are expected by January 17, 2024 at the latest, under joint development by the European Supervisory Authorities (ESA) and the European Union Agency for Cybersecurity (ENISA).

DORA is the primary legislation for these 21 types of entity:

To put it another way, DORA is primarily relevant to you if your organization is one of the 21 types of entity referred to in its Article 2, i.e. :

• credit institutions;
• payment institutions, including payment institutions exempted pursuant to Directive (EU) 2015/2366;
• account information service providers;
• electronic money institutions, including electronic money institutions exempted pursuant to Directive 2009/110/EC;
• investment firms;
• crypto-asset service providers and issuers of asset-referenced tokens;
• central securities depositories;
• central counterparties;
• trading venues;
• trade repositories;
• managers of alternative investment funds;
• management companies;
• data reporting service providers;
• insurance and reinsurance undertakings;
• insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries;
• institutions for occupational retirement provision;
• credit rating agencies;
• administrators of critical benchmarks;
• crowdfunding service providers;
• securitisation repositories;
• ICT third-party service providers.

If your organization doesn’t fall into any of the above categories, DORA doesn’t apply to you at all. Period.

Entities covered by NIS2

Even if you are not affected by DORA, you may be subject to the obligations of the NIS2 Directive. It applies to:

• Essential Entities (EE), detailed in Annex I of the NIS2 text
• Important Entities (IE), detailed in Annex II of the NIS2 text

If this is the case, we can only recommend a thorough reading of our NIS2 complete guide to compliance.

NIS2 vs. DORA in a nutshell:

• NIS2 and DORA don’t share the same objectives. NIS2 aims to strengthen the global level of cybersecurity within the EU, whereas DORA aims to ensure the integrity and availability of the financial sector.
• As NIS2 is a European directive, it must be transposed into the national law of each Member State before it can be applied. Each country must transpose the directive by October 2024.
• DORA is a European regulation. It will be applicable as it stands in all EU countries from January 17, 2025.
• NIS2 and DORA do not target the same entities. NIS2 concerns Essential Entities (EE) and Important Entities (IE). DORA covers the financial sector, through 21 specific types of entities.
• DORA is “lex specialis” of NIS2 for the financial sector – a principle which holds that a specific law takes precedence over a general law. For entities subject to DORA, this text therefore prevails over NIS2. However, this does not mean that NIS2 obligations are no longer applicable to entities affected by both texts.

If your business is dealing with NIS2 or DORA compliance (or both), we recommend that you read:

• DORA: A Complete Guide to Compliance for the Financial Sector
• DORA: A Guide to Security Testing for Regulated Entities
• NIS2 Directive: Step-by-Step Guide to Compliance

And feel free to contact us directly for any needs related to NIS2 or DORA, such as vulnerability management or security testing.