NIS2 vs DORA: what financial entities need to know
If you're a financial entity, you're likely caught by both NIS2 and DORA. Here's how they fit together, and why you shouldn't run two evidence trails.
Two regulations, one estate
NIS2 (Directive (EU) 2022/2555) is the EU's general cybersecurity law across many sectors. DORA (the Digital Operational Resilience Act, Regulation (EU) 2022/2554) is the financial sector's dedicated ICT-risk regime, applicable from 17 January 2025. Most banks, insurers, investment firms and many FinTechs are in scope for both.
Which one wins? Lex specialis
Where DORA's requirements are at least equivalent to NIS2's, DORA takes precedence for financial entities as the more specific law (lex specialis). In practice that means financial entities follow DORA for ICT risk management and incident reporting, but NIS2 still matters for the broader context and for any group entities outside DORA's perimeter.
Where they rhyme
- Risk management: NIS2 Article 21 measures map closely to DORA's ICT risk-management framework.
- Incident reporting: both require prompt notification of major incidents on tight timelines.
- Governance: both push accountability up to the management body.
- Third-party risk: NIS2 supply-chain security parallels DORA's ICT third-party risk rules.
Where DORA goes further
DORA adds requirements NIS2 doesn't, notably digital operational resilience testing (including threat-led penetration testing for significant entities) and detailed oversight of critical ICT third-party providers. If you're in scope for DORA, treat it as your primary financial-sector framework.
Run one evidence layer, not two
Because the underlying systems are the same, maintaining separate evidence trails for NIS2 and DORA doubles the work and invites contradictions. Alexus captures operational evidence once and maps it to both frameworks: continuous readiness, incident reports in the required formats, and a hash-chained audit trail. This article is general guidance, not legal advice.