§ NIS2 · DORA COMPARISON

NIS2 vs DORA: which one applies to financial entities

DORA is lex specialis. NIS2 Article 4 carves financial entities out of NIS2 cybersecurity controls — but the carve-out is narrower than people think.

Summary

DORA is lex specialis for financial-entity cybersecurity. NIS2 Article 4 explicitly carves financial entities out of the NIS2 substantive cybersecurity and incident-reporting obligations where DORA covers the same ground. But the carve-out is narrower than commonly understood — DORA does not displace NIS2 entirely; it displaces NIS2 only on the matters it actually addresses.

In practice, this means a regulated financial entity follows DORA Article 6 ICT risk management instead of NIS2 Article 21, DORA Article 19 incident reporting instead of NIS2 Article 23, and DORA Article 28 third-party risk instead of NIS2's supply-chain article. But where NIS2 addresses something DORA does not — for example, certain incidents not classified as 'major ICT-related' under DORA — NIS2 may still bite.

This distinction matters because national NIS2 authorities and financial supervisors are still aligning on which entity reports what to whom. The conservative approach: treat DORA as the primary regime, document the Article 4 lex specialis position in writing, and keep a watching brief on national-level guidance about edge-case incidents.

Who this applies to
Banks, investment firms, insurers, payment institutions, e-money institutions, CCPs, crypto-asset service providers, ICT third-party providers serving them, EBA, ESMA, EIOPA, national NIS2 authorities.
Compliance deadline
DORA: in force since 17 January 2025. NIS2: transposition deadline 17 October 2024; enforcement live in most Member States.
§ Key articles

What the law says

NIS2 Article 4
Sectoral acts — DORA prevails as lex specialis for financial-entity cybersecurity controls.
DORA Article 1
Subject matter — operational resilience for financial entities.
DORA Article 6
ICT risk-management framework.
DORA Article 19
Major ICT-related incident reporting.
DORA Article 28
ICT third-party risk management.
NIS2 Article 21
Cybersecurity risk-management measures (does not apply to scope-overlapping financial-entity controls).
NIS2 Article 23
Incident reporting — 24h early warning, 72h notification.
§ Detail

In depth

How NIS2 Article 4 actually works

NIS2 Article 4 is the lex specialis clause: where a sector-specific act imposes "at least equivalent" cybersecurity obligations, the sector act prevails. For financial entities, DORA is that sector act. The Commission has confirmed (in the explanatory memoranda and in EBA/ESMA/EIOPA joint guidance) that the DORA Articles 5–15 ICT risk-management framework, Article 19 incident reporting and Article 28 third-party risk provisions are the equivalent provisions that displace NIS2 Articles 21 and 23.

What does not get displaced:

Side-by-side

Dimension | NIS2 | DORA
Substantive controls | Article 21 cybersecurity risk-management measures. | Article 6 ICT risk-management framework + Articles 24–26 testing.
Incident reporting | 24h early warning, 72h notification, 1-month final. | 4h initial after classification as major, 72h intermediate, 1-month final (per RTS).
Third-party risk | Article 21(2)(d) supply-chain controls. | Article 28 + Article 30 contractual minima + Article 31 CTPP designation.
Maximum fine | EUR 10M / 2% (essential entities); EUR 7M / 1.4% (important). | National administrative penalties + ESA periodic penalty payments for CTPPs.
Lex specialis | Yields to DORA where the same matter is regulated. | Prevails on covered matters per NIS2 Art 4.

What financial entities should report where

The CTPP and NIS2 question

An ICT third-party provider designated as a CTPP under DORA Article 31 is supervised at EU level by one of the ESAs. If that CTPP is also in scope of NIS2 (most major cloud and AI providers are), it remains an NIS2 entity for everything outside the DORA-covered scope. For example, a cloud provider's own corporate IT may be NIS2-governed while its services to financial entities are DORA-governed.

Practical compliance


Cross-regulatory data update

Auto-merged from the Fontvera archetype dataset on 2026-05-12. The sections below are extracted verbatim from the `obligations` and `obligation_crossrefs` tables; the page itself was last reviewed manually before this update.

Summary statistics

Overlaps: 6 · Conflicts: 2 · Gaps: 2

10 article-level crossrefs catalogued between DORA and NIS2 Directive from the Fontvera EU regulatory corpus. Article numbers are verbatim from the underlying obligation_crossrefs table; descriptions are extracted, not paraphrased.

All crossrefs between these regulations

Article (A) | Article (B) | Type | Severity | Description
DORA Art 10 | NIS2 Directive Art 21 | overlap | high | [entity affected: Financial entities / Essential and important entities] Both regulations require entities to implement mechanisms for detecting anomalous activities, cyber threats, and ICT-related in
DORA Art 17 | NIS2 Directive Art 23 | overlap | high | [entity affected: Financial entities / Essential and important entities] Both regulations mandate the establishment of incident management processes, including recording, categorizing, and classifying
DORA Art 11 | NIS2 Directive Art 21 | overlap | high | [entity affected: Financial entities / Essential and important entities] Both regulations require the implementation of business continuity plans, disaster recovery procedures, and regular testing of
DORA Art 13 | NIS2 Directive Art 21 | overlap | medium | [entity affected: Financial entities / Essential and important entities] Both regulations require entities to conduct post-incident reviews, incorporate lessons learned, and maintain awareness of the
DORA Art 13 | NIS2 Directive Art 20 | overlap | medium | [entity affected: Financial entities / Essential and important entities] Both regulations mandate cybersecurity training for staff and require management bodies to have sufficient knowledge to oversee
DORA Art 14 | NIS2 Directive Art 23 | overlap | medium | [entity affected: Financial entities / Essential and important entities] Both regulations require entities to have communication plans and policies for notifying stakeholders and authorities during si
DORA Art 19 | NIS2 Directive Art 23 | conflict | high | [entity affected: Financial entities classified as essential/important] DORA imposes specific, strict timelines for incident reporting to competent authorities, while NIS2 allows Member States to defi
DORA Art 18 | NIS2 Directive Art 23 | conflict | high | [entity affected: Financial entities classified as essential/important] DORA defines specific criteria for classifying 'major' ICT incidents, whereas NIS2 relies on Member State definitions for 'signi
DORA Art ? | NIS2 Directive Art ? | gap | medium | [entity affected: ICT Third-Party Service Providers] While DORA regulates financial entities' oversight of third parties and NIS2 covers essential/important entities, there is a gap in direct regulato
DORA Art ? | NIS2 Directive Art ? | gap | low | [entity affected: Micro-enterprises in financial sector] DORA explicitly exempts micro-enterprises from several testing and reporting requirements, while NIS2 may still apply depending on national tra

Conflicts explained

The 2 article-level conflicts between DORA and NIS2 Directive mean a control that satisfies one can pull the wrong way on the other:

Which regulation takes precedence

EU law does not lay down a universal precedence rule between DORA and NIS2 Directive. In practice three resolution approaches apply: lex specialis (the more specific provision wins when both purport to govern the same conduct); regulator guidance (EDPB, EBA, ESMA and the AI Office have all issued joint readings on overlapping articles — check the most recent applicable opinion); and document the choice (when the regulations leave the call to the controller, the audit defence is your written reasoning, not the regulator's silence). Where the corpus surfaces a conflict rather than an overlap, treat that as an escalation path to legal — not a control-design question.

§ Action items

Practical steps

01
Document the NIS2 Article 4 lex specialis position in writing for the entity's covered functions.
02
Maintain NIS2 registration even where DORA displaces the substantive controls.
03
Build an incident-classification matrix: event → regime → authority → clock.
04
Track national NIS2 authority guidance — the practical scope of the lex specialis differs in Member-State transposition.
05
Run parallel DORA Article 28 register and NIS2 supply-chain documentation for ICT third parties.
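The incident-classification matrix from step 03 (event → regime → authority → clock), worked through in code. This is an added example, not Fontvera's own tooling: it encodes the reporting clocks stated in the side-by-side table above and the page's central point that DORA displaces NIS2 Article 23 only for incidents it actually covers, so a financial entity's incident that is not 'major' under DORA Article 18 falls back to the NIS2 clocks. The entity flags, the sample timestamps and the approximation of "1 month" as 30 days are assumptions made here; the authority names are descriptive labels, not a register of actual competent authorities.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Reporting clocks as stated on the page. The 1-month final report is
# approximated as 30 days (assumption; the RTS counts calendar months).
DORA_CLOCKS = {
    "initial": timedelta(hours=4),        # after classification as major
    "intermediate": timedelta(hours=72),
    "final": timedelta(days=30),
}
NIS2_CLOCKS = {
    "early_warning": timedelta(hours=24),  # after becoming aware
    "notification": timedelta(hours=72),
    "final": timedelta(days=30),
}


@dataclass(frozen=True)
class Incident:
    detected_at: datetime       # when the entity became aware of the event
    classified_at: datetime     # when it was classified under DORA Art 18
    financial_entity: bool      # in DORA scope
    nis2_entity: bool           # essential/important entity under NIS2
    dora_major: bool            # meets the DORA 'major ICT-related incident' criteria
    nis2_significant: bool      # meets the national NIS2 'significant incident' threshold


@dataclass(frozen=True)
class Obligation:
    regime: str
    authority: str
    deadlines: dict             # clock name -> absolute deadline


def route_incident(inc: Incident) -> list:
    """Map one event to the regime(s), authority and clocks that apply."""
    obligations = []
    # DORA displaces NIS2 only where it actually covers the incident: a
    # financial entity with an incident classified as major under Art 18.
    dora_covers = inc.financial_entity and inc.dora_major
    if dora_covers:
        t0 = inc.classified_at  # DORA clocks start at classification
        obligations.append(Obligation(
            regime="DORA Art 19",
            authority="DORA competent authority (financial supervisor)",
            deadlines={name: t0 + delta for name, delta in DORA_CLOCKS.items()},
        ))
    # Outside DORA's coverage a NIS2 entity still owes the Art 23 notifications,
    # even if it is a financial entity (the carve-out is narrower than assumed).
    if inc.nis2_entity and inc.nis2_significant and not dora_covers:
        t0 = inc.detected_at    # assumption: NIS2 clocks run from awareness
        obligations.append(Obligation(
            regime="NIS2 Art 23",
            authority="national NIS2 competent authority / CSIRT",
            deadlines={name: t0 + delta for name, delta in NIS2_CLOCKS.items()},
        ))
    return obligations


def next_deadline(obligations: list):
    """Earliest clock across all applicable regimes, or None if nothing is owed."""
    clocks = [t for ob in obligations for t in ob.deadlines.values()]
    return min(clocks) if clocks else None


# Constructed sample timestamps: outage detected 09:00 UTC, classified 11:00 UTC.
SAMPLE_DETECTED = datetime(2026, 5, 12, 9, 0, tzinfo=timezone.utc)
SAMPLE_CLASSIFIED = datetime(2026, 5, 12, 11, 0, tzinfo=timezone.utc)


def sample_incident(financial_entity, nis2_entity, dora_major, nis2_significant):
    """Build an Incident on the constructed sample timestamps."""
    return Incident(SAMPLE_DETECTED, SAMPLE_CLASSIFIED,
                    financial_entity, nis2_entity, dora_major, nis2_significant)


if __name__ == "__main__":
    # A bank with a DORA-major incident: DORA only, 4h initial clock from 11:00.
    for ob in route_incident(sample_incident(True, True, True, True)):
        print(ob.regime, "->", ob.authority, ob.deadlines)
    # Same bank, incident below the DORA 'major' threshold but significant
    # under national NIS2 rules: NIS2 Art 23 still bites.
    for ob in route_incident(sample_incident(True, True, False, True)):
        print(ob.regime, "->", ob.authority, ob.deadlines)
```

The two flags that decide routing (`dora_major`, `nis2_significant`) are exactly the ones the crossref table flags as a conflict (DORA Art 18 criteria versus Member-State definitions of 'significant'), so in practice both classifications have to be recorded per event, with the national threshold maintained per Member State rather than hard-coded.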
§ What Fontvera found

Documents in our corpus

ai_office EU Fetched 2026-06