DORA vs NIS2 — Scope, Requirements, and Overlap Explained
DORA (Regulation 2022/2554) and NIS2 (Directive 2022/2555) both address ICT and cybersecurity resilience in the EU, but they target different sectors with different approaches. DORA is lex specialis for the financial sector — meaning it takes precedence over NIS2 for financial entities. NIS2 applies broadly across essential and important entities in other sectors. If you are a financial entity, DORA is your primary framework. If you are a non-financial critical entity, NIS2 applies. If you are an ICT provider serving both, you may face obligations under both.
The Problem
Both regulations deal with ICT risk management, incident reporting, and third-party risk. Organizations operating across sectors — or ICT providers serving both financial and non-financial clients — need to understand where they overlap, where they differ, and which takes precedence. The answer is not always obvious, especially for cloud providers, managed service providers, and other ICT third parties that sit at the intersection.
Side-by-Side Comparison
| Aspect | DORA | NIS2 |
|--------|------|------|
| Legal instrument | Regulation (directly applicable) | Directive (requires national transposition) |
| CELEX | 32022R2554 | 32022L2555 |
| Scope | 21 types of financial entities | Essential and important entities across 18 sectors |
| Applicable since | January 17, 2025 | October 17, 2024 (transposition deadline) |
| ICT risk management | Detailed framework (Articles 5-16) with RTS | Risk management measures (Article 21) |
| Incident reporting | 4h initial / 72h intermediate / 1mo final | 24h early warning / 72h notification / 1mo final |
| Penalties | Administrative measures per national financial supervisory law | Up to 10M EUR or 2% of global turnover |
| Third-party risk | Detailed contractual requirements (Article 30) + oversight framework for critical providers | Supply chain security measures (Article 21(2)(d)) |
| Testing | TLPT for significant entities (Articles 26-27) | No mandatory penetration testing |
| Delegated acts | 12 RTS/ITS with detailed technical standards | Implementing acts for reporting and technical measures |
| Oversight | ESA oversight of critical ICT third-party providers | National competent authorities |
The Lex Specialis Principle
DORA Article 1(2) and NIS2 Article 4(2) establish that DORA takes precedence for financial entities where both regulations could apply. DORA is the sector-specific rule (lex specialis) that overrides the general rule (NIS2) for the financial sector. In practice this means:
- Financial entities follow DORA for ICT risk management, not NIS2 Article 21
- NIS2 incident reporting requirements do not apply where DORA incident reporting is already followed
- Financial entities do not need to duplicate compliance efforts across both frameworks
- ICT third-party providers serving financial entities may need to meet DORA contractual requirements (Article 30) AND NIS2 obligations independently — these are not duplicative but address different relationships
Key Differences in Incident Reporting
Incident reporting is where the practical difference is most visible.
| Timeline | DORA | NIS2 |
|----------|------|------|
| First notification | 4 hours (initial notification) | 24 hours (early warning) |
| Detailed report | 72 hours (intermediate report) | 72 hours (incident notification) |
| Final report | 1 month | 1 month |
| Report to | Competent financial authority | National CSIRT or competent authority |
| Classification criteria | Defined in RTS 2024/1772 | Defined by implementing acts |
DORA's 4-hour initial timeline is significantly more aggressive than NIS2's 24-hour early warning. Financial entities classified under DORA must be able to detect, classify, and notify within 4 hours of determining an ICT incident is major — a requirement that demands mature detection and escalation processes.
Who Needs What
| Entity type | Primary framework | Notes |
|------------|------------------|-------|
| Banks, insurers, investment firms | DORA | Lex specialis applies |
| Payment institutions, e-money institutions | DORA | Including account information and payment initiation service providers |
| Crypto-asset service providers | DORA | Covered under DORA Article 2(1) |
| ICT providers to financial sector | DORA (contractual) + potentially NIS2 | Dual obligations possible if designated essential/important under NIS2 |
| Energy, transport, health entities | NIS2 | DORA does not apply |
| Cloud and managed service providers | NIS2 + DORA contractual clauses | If serving financial clients, must meet Article 30 contractual requirements |
| Digital infrastructure (DNS, TLDs, data centers) | NIS2 | Essential entities under NIS2 Annex I |
| Public administration | NIS2 | Essential entities under NIS2 |
The ICT Provider Overlap
The most complex scenario is ICT third-party service providers. A cloud provider that is designated as an essential entity under NIS2 and also serves banks subject to DORA faces two distinct sets of obligations:
- NIS2 obligations as an essential entity: Article 21 risk management measures, Article 23 incident reporting to their national CSIRT, and potential penalties under Article 34.
- DORA contractual obligations from financial clients: Article 30 requires financial entities to include specific clauses in ICT contracts covering service levels, audit rights, exit strategies, and incident notification. The ICT provider must accept these clauses to serve financial clients.
Additionally, if an ICT provider is designated as a critical ICT third-party service provider under DORA Article 31, it falls under direct ESA oversight (Articles 31-44) — a separate supervisory regime from NIS2's national authority oversight.
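The applicability logic from the sections above (lex specialis for financial entities, dual obligations for designated ICT providers serving financial clients) and the two reporting clocks from the incident reporting comparison can be captured in a small incident-response helper. The code below is an added example written for this article; it is not part of DORA, NIS2, or any Gibs product. The `EntityProfile` fields, the function names, the use of one calendar month for "1 month", and the choice to start both clocks at the same timestamp passed in (the page describes DORA's 4-hour clock as running from the moment an incident is classified as major; NIS2's start point is not specified on the page) are assumptions.

```python
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Reporting milestones as stated on the page: (label, offset from clock start).
# None stands for "1 month", computed below as one calendar month (an assumption).
DORA_MILESTONES = [
    ("initial notification", timedelta(hours=4)),
    ("intermediate report", timedelta(hours=72)),
    ("final report", None),
]
NIS2_MILESTONES = [
    ("early warning", timedelta(hours=24)),
    ("incident notification", timedelta(hours=72)),
    ("final report", None),
]


@dataclass
class EntityProfile:
    """Hypothetical profile of an organization (field names are assumptions)."""
    financial_entity: bool            # in scope of DORA Article 2(1)
    nis2_designated: bool             # essential or important entity under NIS2
    serves_financial_clients: bool    # ICT provider with DORA-covered clients
    dora_critical_provider: bool = False  # designated under DORA Article 31


def reporting_framework(p: EntityProfile):
    """Which incident reporting regime applies: DORA overrides NIS2 for financial entities."""
    if p.financial_entity:
        return "DORA"
    if p.nis2_designated:
        return "NIS2"
    return None


def applicable_obligations(p: EntityProfile):
    """List the obligation sets described on the page for this profile."""
    obligations = []
    if p.financial_entity:
        obligations.append("DORA ICT risk management and incident reporting (lex specialis; NIS2 Article 21 does not apply)")
    elif p.nis2_designated:
        obligations.append("NIS2 Article 21 measures and Article 23 reporting to the national CSIRT")
    if not p.financial_entity and p.serves_financial_clients:
        # Contractual, not supervisory: imposed by financial clients under DORA Article 30.
        obligations.append("DORA Article 30 contractual clauses required by financial clients")
    if p.dora_critical_provider:
        obligations.append("Direct ESA oversight under DORA Articles 31-44")
    return obligations


def add_one_month(t: datetime) -> datetime:
    """Advance by one calendar month, clamping the day to the target month's length."""
    year, month = (t.year + 1, 1) if t.month == 12 else (t.year, t.month + 1)
    day = min(t.day, calendar.monthrange(year, month)[1])
    return t.replace(year=year, month=month, day=day)


def reporting_deadlines(framework: str, clock_start: datetime) -> dict:
    """Absolute deadlines for each milestone of the given framework."""
    milestones = DORA_MILESTONES if framework == "DORA" else NIS2_MILESTONES
    return {
        label: (add_one_month(clock_start) if delta is None else clock_start + delta)
        for label, delta in milestones
    }


if __name__ == "__main__":
    # Constructed scenario: a cloud provider designated essential under NIS2 that serves banks.
    provider = EntityProfile(financial_entity=False, nis2_designated=True,
                             serves_financial_clients=True)
    classified_at = datetime(2025, 3, 10, 9, 30, tzinfo=timezone.utc)  # constructed timestamp
    fw = reporting_framework(provider)
    print("Reporting regime:", fw)
    for o in applicable_obligations(provider):
        print(" -", o)
    for label, due in reporting_deadlines(fw, classified_at).items():
        print(f"  {label:22s} due {due.isoformat()}")
```

Running the script for the constructed cloud-provider scenario prints NIS2 as the reporting regime, two obligation sets (NIS2 supervisory obligations plus DORA Article 30 contractual clauses), and the 24h/72h/1-month NIS2 deadlines; swapping in a bank profile switches the regime to DORA and the first deadline to 4 hours after classification.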
Check DORA Requirements With Gibs
```python
import gibs

client = gibs.Client(api_key="sk-gibs-...")

result = client.check(
    question="What contractual clauses must a financial entity include in ICT provider agreements under DORA?",
    regulations=["dora"],
)

print(result.answer)
# Returns Article 30 requirements with specific clause references
# and citations to RTS 2024/1773 on contractual arrangements

print(result.sources)
# ["Article 30(2)", "Article 30(3)", "RTS 2024/1773 Article 2", ...]
```
Gibs currently covers DORA with full article and delegated act coverage — 64 articles and 12 RTS/ITS, totaling 641 indexed chunks at 90% accuracy on an expert-curated evaluation dataset. NIS2 is on the roadmap for indexing. Check the docs for the latest regulation coverage.
Try It Now
Free tier: 50 requests per month, no credit card required.
```bash
curl -X POST https://api.gibs.dev/v1/check \
  -H "Authorization: Bearer sk-gibs-..." \
  -H "Content-Type: application/json" \
  -d '{"question": "How does the lex specialis principle apply between DORA and NIS2?", "regulations": ["dora"]}'
```
Get your API key | Read the docs | Try the MCP server
FAQ
Does DORA replace NIS2 for financial entities?
Yes, for ICT-related matters. DORA is lex specialis — it takes precedence over NIS2 for financial entities where both regulations address the same subject matter. This is established in DORA Article 1(2) and NIS2 Article 4(2). Financial entities follow DORA for ICT risk management and incident reporting, not NIS2.
Can an organization be subject to both DORA and NIS2?
Yes. An ICT third-party service provider designated as an essential entity under NIS2 that also serves financial clients must comply with NIS2 obligations to its national competent authority AND meet DORA contractual requirements imposed by its financial entity clients under Article 30. These address different relationships and are not duplicative.
Which has stricter incident reporting?
DORA has a faster initial timeline: 4 hours for the first notification versus NIS2's 24-hour early warning. Both require detailed reports within 72 hours and final reports within one month. DORA also has specific classification criteria defined in delegated acts (RTS 2024/1772) that determine when an ICT incident qualifies as major and triggers reporting.
Is NIS2 already applicable?
NIS2's transposition deadline was October 17, 2024. Implementation varies by EU member state — some have transposed it into national law, others are still in progress. Check your national competent authority for local implementation status and specific requirements.
Does Gibs cover NIS2?
Not yet. NIS2 is on the Gibs roadmap for indexing. Currently, Gibs covers DORA (64 articles + 12 delegated acts), the EU AI Act (113 articles + annexes), and GDPR (99 articles). Follow docs.gibs.dev for updates on NIS2 coverage.
What is the difference between a regulation and a directive?
DORA is a regulation — it applies directly and uniformly across all EU member states without requiring national transposition. NIS2 is a directive — it sets objectives that member states must achieve but allows each country to implement through its own national legislation. This means NIS2 requirements may vary slightly between member states, while DORA requirements are identical everywhere.