NIS2 vs. DORA: differences and common misconceptions

With DORA (Digital Operational Resilience Act) and NIS2 (Network and Information Security Directive), the European Union has adopted two important pieces of legislation to strengthen digital resilience and cyber security within a short space of time. Both sets of regulations aim to significantly increase information security at companies that are of crucial importance to the economy and society.

Nevertheless, many companies are still unclear about the exact distinction between DORA and NIS2. There is often confusion about which policy applies to which type of company and what specific measures are required. These uncertainties often lead to inadequate implementation of the required security standards.

In this article, we clarify the main differences and misconceptions about the two policies.

Main differences between DORA and NIS2

DORA and NIS2 are two key European Union regulations aimed at strengthening cybersecurity and digital resilience. However, despite their similar objectives, they have significant differences.

Type of legislation

NIS2 and DORA differ fundamentally in that they are two different legal instruments of the European Union.

NIS2

NIS2 is a directive. A directive is a legal act that sets out an objective to be achieved by EU countries. However, it is up to the individual Member States to enact their own legislation to realise this objective. This means that each Member State must embed the necessary measures to achieve the objectives of the Directive into national law, taking into account its own legal and operational framework.

The NIS2 Directive is therefore not directly applicable to the companies concerned, but must first be transposed into national law. In Germany, for example, this is done through the NIS2 Implementation Act (NIS2UmsuCG).

DORA

DORA (Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector), on the other hand, is a regulation (as is the EU General Data Protection Regulation – GDPR). Regulations are directly applicable law in all member states of the European Union and do not require national implementation. They have immediate legal effect and apply directly in all Member States from the time they enter into force. They also take precedence over national law.

The immediate application of DORA ensures that companies do not have to wait for transitional periods due to national legislative procedures, but must act in a legally compliant manner as soon as the regulation is applicable.

Implementation deadlines

The type of legislation influences the timeframe for fulfilling the requirements. Although both NIS2 and DORA came into force on 17 January 2023, the implementation deadlines vary due to their different nature.

NIS2

The deadline for the transposition of the NIS2 Directive into national law is 17 October 2024. After the transposition into national law, the companies concerned have up to two years to implement the requirements of the Directive. This means that companies must be fully compliant by October 2026 at the latest.

DORA

In contrast, DORA as an EU regulation does not have to be transposed into national law first and will therefore be fully enforceable on 17 January 2025 – two years after it comes into force. Companies therefore have less time to prepare for the new requirements. While NIS2 offers some leeway due to the longer implementation period, DORA requires faster adaptation.

Sectors affected

Another difference lies in the scope of application, which clearly emphasises the specific focal points of the NIS2 Directive and the DORA Regulation.

NIS2

The NIS2 Directive is aimed specifically at companies and organisations in critical sectors that are essential to the functioning of society and the economy. The scope of NIS2 covers a total of 18 sectors. These include energy, transport, healthcare, water supply and digital infrastructures.

The scope covers those areas that can have a significant impact on public safety, order and economic stability in the event of security incidents. This targeted application is intended to ensure that cyber security is strengthened in the most vulnerable and important sectors.

DORA

In contrast, the DORA Regulation focuses exclusively on the financial sector. It applies to banks, insurance companies, investment firms and other financial service providers. The scope of DORA covers all financial organisations that offer or use digital services. This is intended to ensure operational resilience to digital risks and threats in the financial sector. This specific focus reflects the particular importance of the financial sector for economic stability and protection against systemic risks.

The scope of DORA includes, with a few exceptions (Art. 2 para. 1 DORA):

  • credit institutions;
  • payment institutions;
  • account information service providers;
  • electronic money institutions;
  • investment firms;
  • crypto-asset service providers as authorised under a Regulation of the European Parliament and of the Council on markets in crypto-assets and issuers of asset-referenced tokens;
  • central securities depositories;
  • central counterparties;
  • trading venues;
  • trade repositories;
  • managers of alternative investment funds;
  • management companies;
  • data reporting service providers;
  • insurance and reinsurance undertakings;
  • insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries;
  • institutions for occupational retirement provision;
  • credit rating agencies;
  • administrators of critical benchmarks;
  • crowdfunding service providers;
  • securitisation repositories;
  • ICT third-party service providers.

Regulatory and supervisory framework

Another difference between NIS2 and DORA lies in the supervisory structure.

NIS2

Under the NIS2 Directive, monitoring is carried out entirely by national authorities. In Germany, for example, the Federal Office for Information Security (BSI) and the Federal Network Agency (BNetzA) are responsible for this, while BaFin supervises credit institutions and other financial service providers under NIS2. There is no direct supervision by EU authorities for the organisations concerned under NIS2; supervision is therefore exclusively at national level.

DORA

Under DORA, by contrast, financial companies are likewise primarily supervised by national supervisory authorities such as BaFin and the German Bundesbank, together with the European Central Bank, but these authorities work closely with the EU authorities. For example, the European Securities and Markets Authority (ESMA), the European Banking Authority (EBA) and the European Insurance and Occupational Pensions Authority (EIOPA) play a central role in monitoring and enforcing the DORA Regulation at European level. These authorities coordinate supervisory activities and support the national authorities in ensuring digital resilience in the financial sector.

ICT third-party service providers that are designated as “critical” at EU level are additionally overseen directly by lead overseers drawn from the ESAs (European Supervisory Authorities). This provides for centralised EU supervision of these critical service providers. Through this direct EU oversight, DORA adds a further level of supervision, whereas NIS2, as a directive, leaves supervision exclusively to the national authorities.

Sanctions for non-compliance

Non-compliance with the NIS2 Directive and the DORA Regulation can result in significant sanctions. However, the sanction mechanisms of the two policies take different approaches.

NIS2

In the NIS2 Directive, the fines are specifically defined:

Essential entities, such as those in the energy, transport and healthcare sectors, can be fined up to EUR 10 million or 2% of their global annual turnover (whichever is higher).

For important entities, such as digital service providers and chemical companies, the maximum fine is EUR 7 million or 1.4% of the global annual turnover of the previous financial year (whichever is higher).

DORA

In contrast, the DORA Regulation does not set fixed fines for general non-compliance by financial entities; sanctioning these is left to the national supervisory authorities. However, there are specific rules for critical ICT third-party service providers. DORA allows the lead overseer to impose periodic penalty payments on such providers of 1% of the provider’s average daily worldwide turnover in the previous financial year. These payments can be imposed daily for up to six months until the provider complies with the overseer’s requirements.

However, a common aspect of the sanction mechanisms of both regulations is the personal liability of management. Both NIS2 and DORA provide that members of management can be held liable for gross negligence or wilful misconduct. This means that managers are not only responsible for the implementation of cybersecurity requirements, but can also face personal consequences for non-compliance.

Common misconceptions about DORA and NIS2

In the course of implementing DORA and NIS2, various misunderstandings repeatedly arise that can lead to uncertainties and misinterpretations. The following clarifications aim to support entrepreneurs and compliance officers in correctly complying with the regulations.

Reporting obligations are identical in both policies

Although both policies provide for reporting obligations for security incidents, the specific requirements differ:

DORA requires financial institutions to provide detailed reports on incidents that could affect operational resilience. These reports must be made in a timely manner and contain detailed information on the nature of the incident and the measures taken.

NIS2, on the other hand, sets strict deadlines for reporting security incidents (an early warning is typically due within 24 hours) and prescribes sector-specific reporting formats. The reporting obligations under NIS2 are therefore often more extensive and time-critical.

NIS2 only affects the IT sector

NIS2 is aimed at a variety of sectors that are considered critical to society and the economy. These include not only the IT sector, but also energy, transport, healthcare, water supply and digital services. Companies in these sectors must therefore fulfil the comprehensive security requirements of NIS2, regardless of whether they are directly active in the IT sector or not.

If you are affected by both NIS2 and DORA, it is sufficient to only consider DORA

This is only partially true. DORA provides specific and detailed policies for the financial sector and, as a lex specialis, takes precedence over NIS2, which is a general law. This is also enshrined in the text of DORA:

“Consequently, this Regulation constitutes lex specialis with regard to Directive (EU) 2022/2555. At the same time, it is crucial to maintain a strong relationship between the financial sector and the Union horizontal cybersecurity framework as currently laid out in Directive (EU) 2022/2555.”

It is therefore a widespread misconception that companies affected by both DORA and NIS2 only have to fulfil the requirements of DORA.

Although DORA sets out specific requirements for the financial sector, the general requirements of NIS2 must not be ignored. In areas not fully covered by DORA, the provisions of NIS2 must still be observed. For example, NIS2 requires cross-sector co-operation and information sharing applicable to all critical infrastructure, including financial institutions. These general requirements remain relevant and must be met in addition to the specific requirements of DORA.

Organisations must therefore ensure that they meet both the specific requirements of DORA and the general requirements of NIS2 to ensure full compliance.

If you are only affected by NIS2, you do not need to consider DORA

It is true that companies that fall exclusively under the NIS2 Directive are not obliged to fulfil the requirements of DORA, as DORA was designed specifically for the financial industry. However, it may still be useful to refer to the detailed and specific requirements of DORA for guidance.

The DORA regulation defines many security and resilience requirements much more precisely than the NIS2 directive. Organisations can benefit from these detailed requirements by using them to evaluate and improve their own security measures. This can be particularly useful in identifying areas where no or insufficient measures have been taken to meet the requirements of NIS2.

Financial institutions only have to comply with DORA

Financial institutions can fall under both DORA and NIS2. While DORA sets specific requirements for the digital operational resilience of financial institutions, NIS2 addresses general security requirements for critical infrastructures. Financial institutions that are categorised as critical infrastructure must therefore comply with both the specific regulations of DORA and the general security requirements of NIS2. This requires a comprehensive compliance strategy that integrates both sets of regulations.

DORA and NIS2 must be considered independently of each other

Despite their different focuses, the requirements of DORA and NIS2 can overlap, especially for financial institutions, which are also considered critical infrastructures. It is therefore essential that organisations develop an integrated compliance strategy that takes both sets of regulations into account. This includes the implementation of security measures that meet both the specific requirements of DORA and the general security standards of NIS2.

Conclusion

Both the DORA Regulation and the NIS2 Directive pursue the same overarching goal: to increase cybersecurity and digital resilience within the EU. Despite this common objective, there are significant differences in their approach, application and enforcement.

Due to these differences, it is essential that companies familiarise themselves thoroughly with both policies in order to avoid misunderstandings and ensure that all requirements are met. Errors should be recognised and eliminated at an early stage. If there are any unanswered questions or uncertainties, it is advisable to consult the information security officer.
