Comparisons Between DORA and NIS2
DORA and the NIS2 Directive are both part of the EU’s efforts to enhance cybersecurity across critical sectors. However, they differ in scope, focus, and the industries they regulate. Article 1(2) of DORA provides that, in relation to financial entities covered by the NIS 2 Directive and the corresponding rules, DORA shall be considered sector-specific. This statement is mirrored in recital (28) of the preamble to the NIS 2 Directive, which states that DORA should be considered a sector-specific Union legal act in relation to the NIS Directive with regard to financial entities.
For financial entities, DORA will apply instead of NIS 2 in most cases. When dealing with ICT risk management (Article 6), management of ICT-related incidents and major ICT-related incident reporting (Article 17), digital resilience testing (Article 24), information sharing (Article 25), and ICT third-party risk (Article 28), the DORA provisions apply to financial entities instead of those of the NIS 2 Directive. Understanding how DORA and NIS 2 compare is an important step towards compliance.
Here is a comparison of the two.
First, what is the difference between a Directive and a Regulation?
Directives, such as NIS 2, are legislative acts that set out a goal that EU countries must achieve. Implementation of those standards is left to the member states, whether by law, regulation or other initiative. The EU merely sets the deadlines for implementation.
Regulations, such as DORA, are binding legislative acts. These must be applied in their entirety across the EU, as if they were local law. Member states may pass their own laws for implementation, but the regulation applies regardless.
Scope
DORA: Focus is exclusively on the financial sector.
NIS2: Focus is broader, covering essential and important entities in multiple sectors beyond just financial services (energy, transport, healthcare, and more).
Focus and Purpose
DORA: Specific focus within the financial sector is on managing ICT risks, such as cyberattacks, IT system failures, and third-party dependencies. DORA ensures that financial entities have frameworks in place to prevent, respond to, and recover from disruptions. Specific reporting requirements for ICT-related incidents are defined. Stress testing and third-party risk management are also included.
NIS2: Specific focus is on enhancing cybersecurity and the security of network and information systems across all critical sectors in the EU. NIS2 strives to improve the overall resilience of essential services, making sectors less vulnerable to cybersecurity threats and improving cybersecurity and cross-border collaboration between member states. NIS2 also establishes reporting obligations for entities that suffer significant cybersecurity incidents affecting the confidentiality, integrity, or availability of networks and systems.
Third-Party Risk Management
DORA: Introduces requirements for financial entities to manage risks arising from their third-party ICT service providers (cloud computing, software vendors).
NIS2: Similar requirements for third-party providers to meet security standards, but on a broader scale, aimed at protecting entities in a variety of critical sectors, not just financial services.
Supervision and Enforcement
DORA: Financial entities and their ICT providers will be supervised by both national financial authorities and the European Supervisory Authorities (ESAs), namely the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA) and the European Securities and Markets Authority (ESMA). Financial regulators will monitor compliance and impose sanctions on entities that fail to meet the operational resilience standards set out in DORA.
NIS2: Supervision and enforcement are conducted by national authorities in each EU member state, who are responsible for monitoring compliance across sectors. NIS2 penalties and sanctions for non-compliance are more stringent.
Summary of Key Differences
DORA is tailored to the financial industry's unique needs. The NIS2 Directive is a more general framework applicable across multiple critical sectors, strengthening the role of the EU Agency for Cybersecurity (ENISA). DORA, while specific to the financial sector, emphasises operational resilience, ICT risk management, and third-party dependencies within financial services. NIS2 is much broader, focusing on a range of critical industries with an emphasis on network and information security. Both strengthen resilience to cyber threats.