NIS2 vs. DORA comparison — what applies to your organization
Compare NIS2 and DORA scopes, sectors, and reporting rules. Learn which applies to your organization, how lex specialis avoids overlap, and why both demand human risk management.

If the acronyms NIS2 and DORA are increasingly resonating in your meetings, you're not alone. Cybersecurity has transcended the technical field. Today it is a critical regulatory obligation, which directly impacts business continuity and demands legal responsibility from senior management.
In this new scenario, two regulations stand as the axes of the new European cybersecurity strategy. However, their arrival raises key questions in management committees and security teams: which one applies to my organization? Do they overlap? Where do we start?
Understanding the NIS2 vs. DORA comparison is critical to designing an effective compliance roadmap, a process you can begin to structure with our NIS2, DORA, and ISO 27001 Compliance Manual. Throughout this article, we'll clearly break down their differences in scope, sectors, and reporting obligations. And most importantly: we will show you how both, in their own way, focus on a common point that you cannot ignore: the proactive management of digital human risk as the axis of real resilience.
What is the NIS2 Directive? An Extended Shield for EU Critical Sectors
Think of the NIS2 Directive (Directive (EU) 2022/2555) not as an entirely new regulation, but as a necessary evolution of its predecessor, NIS1.
Its objective, a key point in the NIS2 vs. DORA comparison, is clear: to raise and harmonize the level of cybersecurity throughout the European Union, correcting the ambiguities of the first version and strengthening overall organizational resilience.
Sectors and entities covered
The directive drops the term "operators of essential services" and instead classifies organizations into two main categories, which differ mainly in the level of supervision and the sanctions regime:
- Essential Entities (Annex I): Includes organizations in highly critical sectors such as energy, transport, banking, financial market infrastructures, health, drinking water and public administration, among others.
- Important Entities (Annex II): Covers other critical sectors such as postal services, waste management, manufacturing of key products (e.g. pharmaceuticals or chemicals) and digital suppliers such as online marketplaces, search engines or social media platforms.
Main obligations for management
This is where NIS2 is a game-changer. The directive goes beyond technical teams and puts the responsibility directly on senior management. The items you should know are:
- Article 20 (Management Responsibility): This is the most far-reaching point. It obliges management bodies not only to approve and supervise cybersecurity measures, but also to receive specific training to be able to assess risks. Ignorance is no longer a valid defense, and the law may hold management legally liable in the event of non-compliance.
- Article 21 (Risk Management): Requires implementing a minimum set of proactive measures. This includes access control policies, supply chain security and, crucially, ongoing training of all staff to reduce human risk.
- Article 23 (Incident Reporting): Establishes very strict deadlines for reporting significant incidents, with mandatory early warning within the first 24 hours to the national CSIRT.
What is the DORA Regulation? The Strength for Financial Sector Operational Resilience
If in the NIS2 vs. DORA comparison, the former is the EU's great horizontal shield, the DORA Regulation (Regulation (EU) 2022/2554) is the specific armor of the financial sector.
Rather than addressing cybersecurity in general, it focuses on one specific aspect: digital operational resilience. Its purpose is to ensure that the financial system can withstand, respond to and recover from any type of disruption or threat related to Information and Communication Technologies (ICT).
Scope: Financial institutions and their critical suppliers
DORA applies to virtually the entire European financial sector, including banks, insurers, investment firms, fund managers, and crypto-asset service providers.
But its great novelty is that it extends its reach to technology providers that are critical for these entities. We are talking about providers of cloud services, software, data centres or analysis platforms that, for the first time, will be under a framework of direct supervision at European level.
The 5 pillars of DORA
To achieve this resilience, and as a central point in the NIS2 vs. DORA comparison, the latter is articulated in five lines of action that every affected organization must implement:
- ICT Risk Management. It requires a robust governance and control framework to identify, protect, detect, respond to, and recover from all technology-related risks.
- Incident Notification. It establishes a harmonised process for classifying and reporting serious ICT-related incidents to competent authorities.
- Digital Resilience Testing. It requires a comprehensive testing program, including advanced threat-led penetration testing (TLPT) for the most critical entities.
- Third-Party Risk Management. It imposes very strict contractual and supervisory requirements on ICT service providers, one of the most demanding areas of regulation.
- Information Exchange. It encourages entities to share information and cyber intelligence on threats and vulnerabilities with each other to strengthen the ecosystem.
NIS2 vs. DORA: The Ultimate Roadmap Comparison
Now that we know the two regulations separately, let's delve into their key differences: the NIS2 vs. DORA comparison. Although both seek to strengthen cybersecurity in Europe, their approaches, scope and demands are very different. To leave you in no doubt, we discuss the four key differences you need to master in your compliance strategy.
1: Horizontal Reach vs. Vertical Reach
The main difference between NIS2 and DORA is their playing field. If you visualize the regulatory landscape, the distinction is very clear:
- NIS2: It has a horizontal scope, as it covers a wide range of sectors considered critical or important for the economy and society (energy, health, transport, digital suppliers, etc.). It aims to raise the baseline level of cybersecurity across the EU.
- DORA: It has a vertical reach, focusing exclusively on the financial sector and the critical ICT providers that serve it. Its objective is the specific, hardened resilience of this sector.
2: Legal Nature (Directive vs. Regulation)
Their legal nature is not the same, and this directly affects how each one is complied with.
- NIS2 (Directive): Each member country had to transpose this directive into its national legislation by 18 October 2024. This means that you must already operate under the national law that implements it, which may introduce slight variations between countries, although the objectives are common.
- DORA (Regulation): It is directly and uniformly applicable throughout the EU from 17 January 2025. It did not require national laws to enter into force; its rules are the same for all financial institutions in the Union, without exception.
3: Depth in Risk Management
Both require managing risks, but the level of detail is very different.
- NIS2: Establishes a general cybersecurity risk management framework. It forces management to approve and oversee measures, including supply chain security and staff training, but is less prescriptive on the technical "how."
- DORA: It is extremely prescriptive in ICT risk management. It details what the governance framework and asset management should look like and, above all, requires the implementation of awareness programs and advanced resilience testing, such as Threat-Led Penetration Testing (TLPT), for the most significant institutions.
4: Incident Reporting
The manner and timelines for reporting an incident also vary significantly.
- NIS2: Requires an early warning to the national CSIRT or competent authority within 24 hours of becoming aware of a significant incident. Subsequently, a more detailed report should be submitted.
- DORA: It establishes its own system for classifying and reporting major ICT-related incidents to the designated competent authority. This is a key point: that authority is the entity's usual financial supervisor (e.g. ECB, Bank of Spain, CNMV), not a cybersecurity agency as in NIS2. The regulation itself defines the deadlines and the content of these reports in a very specific way.
For an expert view on the convergence of the different European regulatory frameworks, you can consult the reports of the European Union Agency for Cybersecurity (ENISA).
Overlap or Coexistence? How to Act if Both Regulations Affect You
We come to the central question for the financial sector: if my company is an essential entity under NIS2 and is also subject to DORA, do I have to comply with everything in duplicate?
The answer is a resounding no, and the key lies in a legal principle called lex specialis derogat legi generali.
This principle, key in the NIS2 vs. DORA comparison, simply means that the special law (DORA) prevails over the general law (NIS2). DORA's own text confirms this to avoid any doubt. In practice, this means that for a financial institution, all DORA requirements on ICT risk management, resilience testing and incident reporting replace the equivalent requirements of the NIS2 Directive. The goal is efficiency and avoiding a double regulatory burden.
A case study: a large bank
Imagine a large bank. As a credit institution, it is an essential entity under NIS2. But as a financial institution, it is fully under the umbrella of DORA.
- For everything related to the security of its systems, the management of its technology providers and penetration testing, the bank must follow DORA's prescriptive rules, which require specific awareness and resilience programs.
- However, this does not mean that the bank can ignore NIS2 entirely. Those provisions of NIS2 that DORA does not cover (e.g. aspects not directly related to ICT) may still be applicable according to the national transposition.
Therefore, the conclusion of the NIS2 vs. DORA comparison is not an overlap, but a perfectly regulated coexistence where DORA is the reference standard for digital risk in the financial sector. To deepen the analysis of this interaction, you can consult articles by experts such as the one offered by Telefónica's blog on DORA and NIS2.
Drive Your Compliance: The Human Factor at the Center in NIS2 and DORA
Beyond the obvious differences in the NIS2 vs. DORA comparison, both regulations share a crucial diagnosis: human risk is a central axis of cybersecurity. With industry reports attributing between 70% and 90% of incidents to people, both regulations require action. NIS2 does so in its Article 21 with continuous training, and DORA in its Article 13 with awareness programs.
But complying is not about teaching an annual course. To satisfy the regulator and effectively protect the business, you need to move from generic awareness to actual risk management. This implies a continuous improvement approach that allows measuring and quantifying human risk (Probability x Impact) to focus resources where the danger is truly strategic.
This is where a Human Risk Management (HRM) strategy becomes an indispensable tool. It allows you to create a centralized system that not only responds to these regulations, but also helps you unify your regulatory compliance from human risk to other standards such as ENS or ISO 27001.
FAQ
What is the main difference between NIS2 and DORA?
The main difference is the scope. NIS2 is a horizontal directive that applies to multiple critical sectors to elevate overall cybersecurity, while DORA is a vertical regulation focused exclusively on the digital operational resilience of the financial sector.
If my bank is DORA compliant, should I ignore NIS2?
No. DORA prevails over NIS2 in terms of ICT risk due to the principle of lex specialis. However, provisions of NIS2 that DORA does not specifically cover (e.g., in non-technology areas) may still apply to your organization.
When did NIS2 and DORA come into force?
The DORA Regulation has been directly applicable since 17 January 2025. Each member country had to transpose the NIS2 Directive into its national law by 18 October 2024, so its obligations are already in force through local laws.
Do both regulations impose liability on senior management?
Yes, and in a very serious way. Both require management involvement, but Article 20 of NIS2 is particularly disruptive: it makes managers directly responsible for non-compliance, even requiring them to undergo training.