DORA – what it’s about & how it relates to NIS2

The DORA regulation and the NIS2 Directive are both important parts of the EU’s cyber security strategy. They complement each other: DORA aims to ensure the functioning of the financial system, even in the event of a cyberattack, while NIS2 aims to strengthen the overall level of cyber security in the EU. DORA entered into force 16 January 2023 and applies from 17 January 2025. 

The main objective of DORA 

DORA’s main objective is to ensure that the financial sector remains intact when facing cyber disruptions. It requires financial institutions, and the critical ICT service providers they rely on, to implement robust risk management frameworks, quickly detect and report incidents, and regularly test their operational resilience. This comprehensive approach is designed to maintain continuous service and protect the overall stability of the financial system even during cyberattacks or ICT failures. 

Financial sector organizations that must comply 

DORA covers a broad range of financial entities regulated under EU financial law. They include:

  • Banks and credit institutions 
    This includes traditional banks and other institutions offering deposit and lending services. 
  • Payment and electronic money institutions 
    Organizations handling payment services and digital money operations. 
  • Investment firms and crypto-asset service providers 
    Firms that manage investments and, where applicable, providers of crypto-asset services under relevant EU regulations. 
  • Insurance and reinsurance undertakings 
    Companies offering insurance products, along with their intermediaries. 
  • Financial market infrastructures 
    This covers entities such as central securities depositories, central counterparties, trading venues, and trade repositories. 
  • Asset and fund managers 
    Managers of alternative investment funds and their management companies. 
  • Other financial service providers 
    This can include credit rating agencies, administrators of critical benchmarks, crowdfunding service providers, securitization repositories, and other entities within the financial sector.

Additionally, DORA extends to Information and Communication Technology (ICT) third-party service providers that are critical for the operation of these financial institutions. 

What is ICT under DORA? 

Under DORA, ICT encompasses all the digital systems and services that financial institutions use to support their operations, such as hardware, software, networks, data centers, and cloud services. DORA requires these organizations to manage the risks associated with their ICT environment, ensuring that both internal systems and third-party ICT services are resilient against cyber threats and disruptions. 

What is required under DORA? 

All affected financial institutions and ICT service providers are required to: 

  • Resilient ICT systems  
    Set up and maintain resilient ICT systems and tools that minimize the impact of ICT risk. 
  • Proactively identify risks 
    Identify all sources of ICT risks to set up protection and take proactive measures. 
  • Detect anomalous activities  
    Promptly detect irregular activities.  
  • Business continuity policies  
    Set in place dedicated and comprehensive business continuity policies and disaster recovery plans, ensuring prompt recovery after an ICT-related incident. 
  • Learn and evolve  
    Establish mechanisms to learn and evolve, both from external events as well as the entity’s own ICT incidents. 

What’s the difference between DORA & NIS2? 

Both frameworks aim to strengthen cyber defense and resilience. DORA’s stringent, sector-specific rules target the financial industry’s unique needs, whereas NIS2 provides a broader cyber security baseline for many critical sectors across the EU. 

Legal nature 

DORA is an EU regulation that applies uniformly and directly across all member states without needing ratification on the national level. 

NIS2 is an EU directive, and each member state must implement its provisions into national law, which can lead to some variations in application across member states. Read more about the NIS2 Directive.

Scope & target sectors 

DORA is tailored specifically to the financial sector and the ICT service providers supporting them. It sets out detailed requirements for ICT risk management, incident reporting, resilience testing (including threat-led tests), and oversight of critical third-party providers. 

NIS2 has a broader scope, establishing general risk management, incident notification, and supply chain security measures to protect vital networks and information systems across multiple industries. NIS2 applies to a wide range of essential and important entities across sectors such as energy, healthcare, transport, and more, including suppliers serving those entities. Read more about the NIS2 sectors.

Implementation timelines 

DORA has a fixed implementation date (fully applicable from 17 January 2025) due to its nature as a regulation. 

NIS2 must be transposed into national law, with deadlines that can vary among member states, potentially providing a longer lead time for compliance. 

Supervisory framework & enforcement 

DORA is supervised by both national financial authorities and EU-level bodies (such as the European Banking Authority, ESMA, and EIOPA) and includes strict measures — sometimes even holding management personally liable. 

NIS2 is enforced by national (member state) cyber security authorities, which impose fines (up to several million euros or a percentage of annual turnover) for non-compliance, though its enforcement tends to be less centralized than DORA's. 

How Holm Security supports DORA compliance 

DORA requires relevant institutions to carry out continuous and proactive risk assessments. Holm Security provides a market-leading platform for proactive cyber defense. We have helped hundreds of organizations comply with DORA and NIS2. Reach out to learn more.