
DORA vs NIS2: Which Applies to Your Company?

4 min read · Updated 24 June 2026

DORA and NIS2 both impose cybersecurity requirements on companies operating in the EU. They overlap significantly in their security requirements but differ in scope, enforcement, and the specific obligations they impose. Many fintech and financial services companies face both.

This article clarifies which applies to your company and what the combined obligations look like.


The Fundamental Difference: Sector vs Horizontal

NIS2 is a horizontal regulation — it applies across multiple sectors (energy, transport, healthcare, banking, digital infrastructure) and is implemented by national competent authorities in each member state.

DORA is a sector-specific regulation — it applies only to financial entities and their ICT service providers. It is enforced by financial regulators (EBA, ESMA, EIOPA, national financial supervisory authorities).

The lex specialis principle: For financial entities in NIS2 scope, DORA takes precedence as the more specific law. Article 4 of NIS2 explicitly states that when sector-specific legislation (like DORA) imposes cybersecurity requirements at least equivalent to NIS2, entities are considered to comply with NIS2 through DORA compliance.

This means most financial entities supervised by financial regulators satisfy NIS2 through DORA compliance — they are not subject to NIS2 on top of DORA.


Which Entities Face DORA Only

Entities supervised by financial regulators under DORA:

  • Credit institutions (banks)
  • Payment institutions
  • E-money institutions
  • Investment firms and fund managers
  • Insurance and reinsurance undertakings
  • Crypto-asset service providers
  • Trading venues, CCPs, and financial market infrastructure
  • Data reporting service providers

These entities comply with NIS2 through DORA. They have a single primary cybersecurity regulatory framework.


Which Entities Face NIS2 Only

Entities in non-financial sectors:

  • Healthcare organisations
  • Energy companies
  • Transport operators
  • General SaaS companies not in financial services
  • Managed service providers not serving financial entities exclusively
  • Data centres not designated as DORA critical ICT providers

Which Entities Face Both

The overlap zone:

  • Managed service providers (MSPs) providing services to financial entities: The MSP is in NIS2 scope as an essential entity (ICT service management sector). When the MSP provides services to a financial entity, the financial entity's DORA third-party obligations apply to the commercial relationship. The MSP itself is not directly DORA-regulated — but DORA requirements flow through to the MSP via customer contracts.

  • Cloud providers serving financial entities: Direct cloud providers are NIS2 essential entities. Their financial entity customers are DORA-regulated. DORA imposes requirements on the commercial relationship; NIS2 imposes requirements on the cloud provider directly.

  • SaaS companies with financial services and non-financial customers: If a SaaS company has both bank and non-bank customers, banks' DORA contractual requirements apply to the relationship; NIS2 may apply directly to the SaaS company.


Comparing the Requirements

Requirement                NIS2                               DORA
Applies to                 Multiple sectors                   Financial entities only
Enforcement by             National competent authorities     Financial supervisory authorities (EBA, ESMA, EIOPA)
ICT risk framework         Yes (Article 21)                   Yes, more detailed (Articles 5–10)
Incident reporting         24h / 72h / 30 days to CSIRT       4h / 72h / 1 month to financial authority
Third-party risk           Supply chain requirements          Full Register of Information + contractual requirements
Resilience testing         Yes                                Yes, plus TLPT for significant entities
Management accountability  Yes (Article 20)                   Yes (Article 5)
Penalties                  €10M or 2%                         Sector-specific (can exceed DORA values)

DORA incident reporting is stricter: 4 hours vs NIS2's 24 hours for the first notification.

DORA third-party requirements are more detailed: The Register of Information and Article 30 contract provisions are more prescriptive than NIS2's supply chain provisions.

NIS2 is broader in scope: it covers more sectors and more entities than DORA.


For SaaS Vendors Selling to Banks

You are not a financial entity under DORA; your bank customers are. But DORA reaches into your organisation through the contractual obligations it places on your customers:

Your bank customer must:

  • Include you in their Register of Information (if you provide ICT services)
  • Assess whether you are a critical ICT provider
  • Include DORA Article 30 minimum provisions in their contract with you
  • Conduct due diligence on your security practices
  • Potentially exercise audit rights

You should:

  • Be prepared for detailed security questionnaires aligned to DORA
  • Have incident notification commitments that allow bank customers to meet their 4-hour DORA reporting obligation
  • Be ready to accept DORA-compliant contract provisions
  • Maintain SOC 2 Type II or ISO 27001 to demonstrate security maturity

ComplyOne maps your DORA obligations, tracks your readiness across all five pillars, and maintains your audit evidence.
