How NIS2 Article 4 actually works
NIS2 Article 4 is the lex specialis clause: where a sector-specific act imposes "at least equivalent" cybersecurity obligations, the sector act prevails. For financial entities, DORA is that sector act. The Commission has confirmed (in the explanatory memoranda and in EBA/ESMA/EIOPA joint guidance) that the DORA Articles 5–15 ICT risk-management framework, Article 19 incident reporting, and Article 28 third-party risk provisions are the equivalent provisions that displace NIS2 Articles 21 and 23.
What does not get displaced:
- Identification and registration as an NIS2 essential entity — the financial entity is still on the NIS2 register where applicable, even if its substantive obligations come from DORA.
- Cooperation duties with national CSIRTs and CSIRT-related information sharing under NIS2 Articles 13–17.
- Coordinated risk assessments at EU level under NIS2 Article 22.
- Member-State-level provisions that go beyond DORA's scope.
Side-by-side
| Dimension | NIS2 | DORA |
|---|---|---|
| Substantive controls | Article 21 cybersecurity risk-management measures. | Article 6 ICT risk-management framework + Articles 24–26 resilience testing. |
| Incident reporting | 24h early warning, 72h notification, 1-month final. | 4h initial after classification as major, 72h intermediate, 1-month final (per RTS). |
| Third-party risk | Article 21(2)(d) supply-chain controls. | Article 28 + Article 30 contractual minima + Article 31 CTPP designation. |
| Maximum fine | EUR 10M / 2% (essential entities); EUR 7M / 1.4% (important). | National administrative penalties + ESA periodic penalty payments for CTPPs. |
| Lex specialis | Yields to DORA where the same matter is regulated. | Prevails on covered matters per NIS2 Article 4. |
What financial entities should report where
- Major ICT-related incident under DORA Article 19. Report through DORA channels only; NIS2 Article 23 is displaced for that incident.
- Significant cybersecurity event that does not meet the DORA major-incident threshold. Some Member States expect a NIS2 Article 23 report; others treat DORA's broader operational-resilience reporting as sufficient. Ask the national NIS2 authority for written guidance.
- Cyber-threat information not tied to an incident. NIS2 Article 17 voluntary information sharing remains available.
- Major incident at a CTPP. The CTPP reports under DORA; the financial entity files a DORA Article 19 report; NIS2 may apply to the CTPP itself if it is also an NIS2 entity.
The CTPP and NIS2 question
An ICT third-party provider designated as a CTPP under DORA Article 31 is supervised at EU level by one of the ESAs. If that CTPP is also in scope of NIS2 (most major cloud and AI providers are), it remains an NIS2 entity for everything outside the DORA-covered scope. For example, a cloud provider's own corporate IT may be NIS2-governed while its services to financial entities are DORA-governed.
Practical compliance
- Document the lex specialis position: a one-page memo confirming that, under NIS2 Article 4, DORA displaces NIS2 Articles 21 and 23 for the entity's covered functions.
- Maintain the NIS2 registration even when DORA covers the substantive controls.
- Build the incident-reporting matrix: each event type → which regime → which authority → which clock.
- Track Member-State-level guidance from national NIS2 authorities; the practical scope of the lex specialis clause varies in transposition.
- For ICT third parties: maintain the DORA Article 28 register and the NIS2 supply-chain documentation in parallel.