The DORA regulation and the NIS2 Directive are both important parts of the EU’s cyber security strategy. They complement each other: DORA aims to ensure the functioning of the financial system, even in the event of a cyberattack, while NIS2 aims to strengthen the overall level of cyber security in the EU. DORA entered into force 16 January 2023 and applies from 17 January 2025.
DORA’s main objective is to ensure that the financial sector remains intact when facing cyber disruptions. It requires financial institutions, and the critical ICT service providers they rely on, to implement robust risk management frameworks, quickly detect and report incidents, and regularly test their operational resilience. This comprehensive approach is designed to maintain continuous service and protect the overall stability of the financial system even during cyberattacks or ICT failures.
DORA covers a broad range of financial entities regulated under EU financial law. They include:
Additionally, DORA extends to Information and Communication Technology (ICT) third‐party service providers that are critical for the operation of these financial institutions.
Under DORA, ICT encompasses all the digital systems and services that financial institutions use to support their operations, such as hardware, software, networks, data centers, and cloud services. DORA requires these organizations to manage the risks associated with their ICT environment, ensuring that both internal systems and third-party ICT services are resilient against cyber threats and disruptions.
All affected financial institutions and ICT service providers are required to:
Both frameworks aim to strengthen cyber defense and resilience. DORA’s stringent, sector-specific rules target the financial industry’s unique needs, whereas NIS2 provides a broader cyber security baseline for many critical sectors across the EU.
DORA is an EU regulation, so it applies uniformly and directly in all member states without having to be transposed into national law.
NIS2 is an EU directive and each member state must implement its provisions into national law, which can lead to some variations in application across member states. Read more about the NIS2 Directive.
DORA is tailored specifically to the financial sector and the ICT service providers supporting them. It sets out detailed requirements for ICT risk management, incident reporting, resilience testing (including threat-led tests), and oversight of critical third-party providers.
NIS2 has a broader scope, establishing general risk management, incident notification, and supply chain security measures to protect vital networks and information systems across multiple industries. NIS2 applies to a wide range of essential and important entities across sectors such as energy, healthcare, transport, and more, and through its supply chain security requirements it indirectly reaches the suppliers serving those entities. Read more about the NIS2 sectors.
DORA has a fixed implementation date (fully applicable from 17 January 2025) due to its nature as a regulation.
NIS2 had to be transposed into national law by 17 October 2024, but many member states adopted their national laws later than that, so the date from which the obligations actually apply varies by country and in practice gives some organizations a longer lead time for compliance.
DORA is supervised by national financial authorities, with the EU-level supervisory authorities (the European Banking Authority, ESMA, and EIOPA) acting as Lead Overseers for critical ICT third-party providers. It places ultimate responsibility for ICT risk management on the management body, and member states may apply administrative penalties to individual managers.
NIS2 is enforced by national (member state) cyber security authorities, which can impose fines of up to EUR 10 million or 2% of global annual turnover for essential entities and up to EUR 7 million or 1.4% for important entities, whichever is higher. Its enforcement is less centralized than DORA's, since each member state runs its own supervision.
DORA requires relevant institutions to carry out continuous and proactive risk assessments. Holm Security provides a market-leading platform for a proactive cyber defense. We have helped hundreds of organizations comply with DORA and NIS2. Reach out to learn more.