NIS2 vs DORA: Differences and similarities


With the Digital Operational Resilience Act (DORA) and the Network and Information Security Directive (NIS2), the European Union has adopted two important sets of regulations that require companies and organisations to improve their cybersecurity and digital resilience. While both sets of regulations pursue the same goal, there are significant differences in their applicability, the sectors affected and the respective implementation requirements. Nevertheless, many companies are uncertain about which regulation is relevant to them and which specific measures need to be implemented.

We have already published two blog posts on the NIS-2 Directive. They can be found here:

What is NIS2

NIS2 vs ISO27001

The following section highlights the key differences between NIS2 and DORA, explains their scope of application and clarifies common misconceptions.


Type of legislation


A key difference between NIS2 and DORA lies in the legal nature of the two sets of regulations.

NIS-2: The NIS-2 Directive is a legal framework that must be transposed into national law. Each EU Member State is obliged to enact its own laws to implement the objectives of the Directive. This may lead to slight differences in implementation. So far, Germany and Austria have only published draft laws on the NIS 2 Directive. In other countries, such as Belgium and Italy, the law has already come into force.

DORA: In contrast, DORA is an EU regulation. This means that it applies directly and uniformly in all EU Member States without the need for national implementation. Companies must therefore comply immediately after it comes into force.


Implementation deadlines

As NIS2 and DORA are structured differently, there are also differences in the deadlines for implementation:

  • NIS-2: The directive came into force on 17 January 2023 and should have been transposed into national law by 17 October 2024. Companies then have until October 2026 at the latest to comply with the requirements.
  • DORA: The regulation is directly applicable and binding as of 17 January 2025. This gives companies a significantly shorter period of time to implement it.


Scope and sectors covered


NIS2: Critical sectors

NIS-2 covers a total of 18 sectors that are critical to the economy and society. In Germany, some of these sectors are already fully regulated by existing laws:

  • Energy
  • Transport
  • Banks
  • Financial markets
  • Healthcare
  • Water
  • Wastewater
  • Digital infrastructure
  • Waste management
  • Food
  • Research


These sectors were already partially regulated:

  • Aerospace
  • Postal and courier services
  • Chemical industry
  • Manufacturing and industry
  • Digital services


New sectors:

  • ICT service management
  • Public administration

In addition, Member States may include smaller facilities with a high security profile within the scope of the Directive.


DORA: Financial sector

The scope of DORA is precisely defined in Article 2 of the Regulation. The following companies and organisations are covered by the regulation:

  • Credit institutions
  • Payment institutions (including those exempted under Directive (EU) 2015/2366)
  • Account information service providers
  • Electronic money institutions (including those exempted under Directive 2009/110/EC)
  • Investment firms
  • Crypto-asset service providers and issuers of asset-referenced tokens
  • Central securities depositories
  • Central counterparties
  • Trading venues
  • Trade repositories
  • Managers of alternative investment funds
  • Management companies
  • Data reporting service providers
  • Insurance and reinsurance undertakings
  • Insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries
  • Institutions for occupational retirement provision (company pension schemes)
  • Credit rating agencies
  • Administrators of critical benchmarks
  • Crowdfunding service providers
  • Securitisation repositories
  • ICT third-party service providers


Priority rule: NIS2 or DORA?


An interesting question arises for companies in the financial sector that could potentially fall under both sets of regulations: Which set of regulations takes precedence?

The answer is clear: DORA takes precedence. DORA is considered a ‘lex specialis’ for the financial sector and, as the more specific regulation, therefore takes precedence over the more general NIS-2 Directive. This is explicitly stated in DORA:

This Regulation constitutes a lex specialis to Directive (EU) 2022/2555. At the same time, it is crucial to maintain a strong link between the financial sector and the Union’s horizontal cybersecurity framework as set out in Directive (EU) 2022/2555.

(Directive (EU) 2022/2555 is the official name for NIS-2.)


Supervisory structure


While NIS2 relies on national supervisory authorities, DORA introduces direct EU supervision for critical ICT service providers:

  • NIS2: Supervision is carried out exclusively by national authorities such as the Federal Office for Information Security (BSI) or the Federal Network Agency (BNetzA).
  • DORA: While financial supervisory authorities such as BaFin or the European Central Bank (ECB) are responsible for financial institutions, critical ICT third-party service providers are subject to EU-wide supervision by the European Supervisory Authorities (ESAs).


Penalties for violations


Failure to comply with NIS2 or DORA can have serious consequences:

NIS2:

  • Up to €10 million or 2% of global annual turnover for essential entities
  • Up to €7 million or 1.4% of global annual turnover for important entities

DORA:

  • No fixed fines for financial companies, but national sanctions are possible
  • ICT service providers may be subject to penalties of up to 1% of their global daily turnover.


Frequently asked questions about NIS2 and DORA


Do both sets of regulations have identical reporting requirements?

There are indeed significant differences between the reporting requirements. Companies that have already submitted a report under DORA are often exempt from the NIS-2 reporting obligation. This is expressly regulated in the German NIS-2 Implementation Act.


Can NIS2 be disregarded if one falls under DORA?

Although DORA takes precedence for financial companies as lex specialis, there are areas that DORA does not fully cover. Companies should therefore check whether additional security measures are required in accordance with NIS-2.


Are NIS2 and DORA completely independent of each other?

Although they address different sectors, there is some overlap. Financial institutions, which are also considered critical infrastructure, must pursue a holistic strategy to comply with both regulations.


Summary


While NIS-2 addresses a broader target group with a focus on critical infrastructures, DORA focuses on strengthening digital resilience in the financial sector. Companies should address the question of whether they are affected by NIS-2 or DORA at an early stage in order to familiarise themselves with the respective requirements in good time and avoid fines and liability risks. A well-defined compliance strategy can strengthen cybersecurity and resilience to cyber threats in the long term.

Christian Herbst

Chief Executive Officer