Table of Contents
DORA and NIS2 are two major pieces of European cybersecurity legislation. Find out which one is most important for your organization, and why.
If you’re a CISO, DPO or cybersecurity legal expert, you can’t escape NIS2 and DORA, two major pieces of European Union cybersecurity legislation. But what are the differences between them and, more importantly, which one has priority for your company?
NIS2 is a directive, DORA is a regulation
It’s important to stress that the Network and Information Security 2 is a directive, whereas the Digital Operational Resilience Act is a regulation. You may think that this is trivial legal lingo, but there’s a real difference!
- A directive sets a course, and cannot be applied as it stands in every EU Member State. It must first be transposed into the national law of each country.
- A regulation, on the other hand, applies unchanged in all Member States as soon as it comes into force. It is a binding legislative act, and must be enforced in its entirety.
The same logic applies to our two stars of the hour, NIS2 and DORA.
NIS2: a transposition into Member States’ national law before October 2024
The NIS2 Directive must be transposed into the national law of every EU country; it cannot be applied as such. It was published in the EU’s Official Journal on December 27, 2022, and Member States have 21 months from that date to transpose it into national law – i.e. by October 2024. In France for example, this is the deadline announced by ANSSI, the competent national authority.
However, it should be noted that this is the deadline for transposition into national law for Member States, not the compliance date for entities subject to NIS2. They will most probably have an additional period of time to comply with the directive as soon as it is applied in their respective countries.
If you are affected by NIS2, the transposition of the text into your country’s national law will probably bring its share of nuances. Wait & see then.
DORA: enforceable in all Member States on January 17, 2025
The DORA regulation will be applicable as it stands in all EU countries from its entry into force, scheduled for January 17, 2025 (24 months after its publication in the Official Journal of the EU). This date is clearly stated in Article 64 of DORA.
If you are affected by DORA, don’t expect any major changes in the obligations brought about by the legislation. They will be applied as is. That being said, some application details have yet to be specified. Draft technical standards are expected by January 17, 2024 at the latest, under joint development by the European Supervisory Authorities (ESA) and the European Union Agency for Cybersecurity (ENISA).
DORA: A Complete Guide to Compliance for the Financial Sector
A 50-page guide to walk CISOs, DPOs and legal departments through the EU regulation. No mumbo jumbo, only useful and actionable insights.
NIS2 and DORA: two distinct objectives
It is essential to understand that NIS2 and DORA do not have the same objectives.
The NIS2 Directive harmonizes the global level of cybersecurity across the EU. Its goal is to ensure that the companies and organizations most important to the smooth running of our society achieve a high level of digital security.
The DORA regulation aims to strengthen the digital operational resilience of the financial sector. Its role is to ensure that financial entities are able to withstand and operate even in the event of a cyber attack. The availability and integrity of financial services are at the very core of the regulation.
In practice, the two texts complement rather than compete with each other. NIS2 aims to strengthen the overall level of cybersecurity in the EU, while DORA ensures that the financial system remains functional even in the event of a cyberattack.
Two pieces of legislation with very different contents
Once we understand that the two texts don’t pursue the same objectives, it becomes clear that their content cannot be the same.
For instance, NIS2 emphasizes supply chain security, whereas DORA focuses on third-party risk management. Similarly, financial penalties are heavy and quantified for NIS2 – up to 2% of worldwide annual turnover! – while DORA prefers to leave the assessment of sanctions to Member States and their competent authorities. On the other hand, DORA is far more demanding when it comes to security testing: a resilience testing program at least once a year, and a threat-led penetration test at least every 3 years.
These are just a handful of examples, and the differences are far more numerous. ( To learn more about each topic, links to our compliance guides are at the end of this page). The bottom line is that there’s no point in comparing the contents of DORA and NIS2, as each piece of legislation is unique. After all, if the content were the same, there would only be one law. It’s only logical.
The real question here is: for my organization, which text prevails between NIS2 and DORA?
DORA and NIS2: so, which law has priority?
It’s the question on everyone’s lips: which EU text takes precedence over NIS2 and DORA? The answer is simple: if your organization is targeted by DORA – and only if so – then it prevails over NIS2. That’s the short answer, but it deserves an explanation.
DORA is “lex specialis” of NIS2 for the financial sector
DORA is “lex specialis” of NIS2, a principle which states that a specific law takes precedence over a general one. This is written right there in the official text:
“This Regulation constitutes lex specialis with regard to Directive (EU) 2022/2555. At the same time, it is crucial to maintain a strong relationship between the financial sector and the Union horizontal cybersecurity framework as currently laid out in Directive (EU) 2022/2555” – DORA, Recital 16
To avoid any ambiguity: Directive (EU) 2022/2555 is the official name of NIS2 – poetic, isn’t it? As for DORA, its official name is Regulation (EU) 2022/2554.
DORA: A Guide to Security Testing for Regulated Entities
A 60-page compliance guide to walk security managers of DORA-regulated entities through the regulation's security testing obligations: the resilience testing program, and Threat-Led Penetration Testing (TLPT).
DORA is the primary legislation for these 21 types of entity:
To put it another way, DORA is primarily relevant to you if your organization is one of the 21 types of entity referred to in its Article 2, i.e. :
- credit institutions;
- payment institutions, including payment institutions exempted pursuant to Directive (EU) 2015/2366;
- account information service providers;
- electronic money institutions, including electronic money institutions exempted pursuant to Directive 2009/110/EC;
- investment firms;
- crypto-asset service providers and issuers of asset-referenced tokens;
- central securities depositories;
- central counterparties;
- trading venues;
- trade repositories;
- managers of alternative investment funds;
- management companies;
- data reporting service providers;
- insurance and reinsurance undertakings;
- insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries;
- institutions for occupational retirement provision;
- credit rating agencies;
- administrators of critical benchmarks;
- crowdfunding service providers;
- securitisation repositories;
- ICT third-party service providers.
If your organization doesn’t fall into any of the above categories, DORA doesn’t apply to you at all. Period.
Entities covered by NIS2
Even if you are not affected by DORA, you may be subject to the obligations of the NIS2 Directive. It applies to:
- Essential Entities (EE), detailed in Annex I of the NIS2 text
- Important Entities (IE), detailed in Annex II of the NIS2 text
If this is the case, we can only recommend a thorough reading of our NIS2 complete guide to compliance.
NIS2 vs. DORA in a nutshell:
- NIS2 and DORA don’t share the same objectives. NIS2 aims to strengthen the global level of cybersecurity within the EU, whereas DORA aims to ensure the integrity and availability of the financial sector.
- As NIS2 is a European directive, it must be transposed into the national law of each Member State before it can be applied. Each country must transpose the directive by October 2024.
- DORA is a European regulation. It will be applicable as it stands in all EU countries from January 17, 2025.
- NIS2 and DORA do not target the same entities. NIS2 concerns Essential Entities (EE) and Important Entities (IE). DORA covers the financial sector, through 21 specific types of entities.
- DORA is “lex specialis” of NIS2 for the financial sector – a principle which holds that a specific law takes precedence over a general law. For entities subject to DORA, this text therefore prevails over NIS2. However, this does not mean that NIS2 obligations are no longer applicable to entities affected by both texts.
If your business is dealing with NIS2 or DORA compliance (or both), we recommend that you read:
- DORA: A Complete Guide to Compliance for the Financial Sector
- DORA: A Guide to Security Testing for Regulated Entities
- NIS2 Directive: Step-by-Step Guide to Compliance
And feel free to contact us directly for any needs related to NIS2 or DORA, such as vulnerability management or security testing.