NIS2 vs DORA – The Similarities and Differences


In the last few years the EU has raised the bar on cyber resilience with two heavyweight pieces of legislation: the NIS2 Directive and the Digital Operational Resilience Act (DORA). Both are designed to reduce the impact of cyber incidents and technology failures, but they do so in different ways, and with differing sectors in mind.  

For security and risk leaders, understanding where these compliance requirements overlap, and where they diverge, is essential for planning investment, building critical governance structures, and avoiding regulatory blind spots.  

What is NIS2? A Quick Refresher

NIS2 replaces the original NIS directive and aims to create a “high common level of cybersecurity” across the European Union. 

EU Member States were required to transpose NIS2 into national law by 17th October 2024. From that point onwards, thousands of organisations across numerous “essential” and “important” sectors, including energy, transport, banking, health, manufacturing, and digital infrastructure, fell within its scope.

NIS2 focuses on wide-ranging cyber risk management and governance. It sets expectations around areas such as: 

  • Policies for risk analysis and information system security 
  • Incident handling and reporting 
  • Business continuity and crisis management 
  • Supply chain security 
  • Encryption, access control, and vulnerability handling 

Crucially, NIS2 also introduces tougher enforcement. Essential entities can face penalties of up to €10 million or 2% of global annual turnover (whichever is higher), and important entities up to €7 million or 1.4%. Senior management can also be held personally liable for serious failures.  

The Basics of DORA

DORA is a directly applicable EU regulation rather than a directive. It came into force in January 2023 and has been applied in full across the EU financial sector since 17th January 2025.  

Where NIS2 is cross-sector, DORA is deliberately narrow and deep. It targets financial entities such as banks, insurers, and investment firms, as well as certain critical ICT services providers that support them. 

DORA’s aim is to ensure these organisations can withstand, respond to, and recover from ICT-related incidents, whether caused by cyber attack, system failure, or third-party disruption. It does this through a tightly defined framework built around ICT risk management, incident reporting, resilience testing, and ICT third-party risk and information sharing.   


What Are The Similarities Between NIS2 and DORA?

Although they operate in different spaces, NIS2 and DORA do overlap in key areas.  

1. A focus on resilience, not just prevention 

Both frameworks recognise that cyber incidents are inevitable. They place as much emphasis on response and recovery as on stopping attacks in the first place. NIS2 expects continuity planning, crisis management, and demonstrable learnings from incidents, while DORA sets detailed requirements for continuity, back-up, and post-incident reviews in the financial sector.

2. Stronger governance and board accountability 

Under NIS2, management bodies must approve cyber risk management measures and can be held liable for failings. DORA similarly requires boards of financial entities to take responsibility for ICT risk and to integrate digital operational resilience into overall risk governance.  

In both cases, cyber resilience is explicitly positioned as a board-level concern, not something entirely delegated to IT teams.  

3. Formalised incident reporting  

Both frameworks tighten the rules on reporting incidents to the relevant authorities. NIS2 shortens timelines and introduces staged notifications for “significant” incidents, while DORA standardises how financial entities classify and report ICT-related incidents across Member States. This is intended to give regulators better situational awareness and enable more coordinated responses.  

The Crucial Differences Between DORA and NIS2

Despite their shared direction of travel towards greater cyber resilience, there are important distinctions between DORA and NIS2 that organisations should understand.  

1. Legal form and enforcement 

NIS2 is a directive. It sets common goals but leaves Member States to transpose the detail into national law. That means there can be variations in supervision, guidance, and penalties between countries, even though the high-level framework is harmonised.  

DORA, on the other hand, is a regulation. Its requirements apply directly and uniformly across the EU financial sector, supported by EU-level oversight from the European Banking Authority, ESMA and EIOPA, particularly for critical ICT third-party providers. This makes DORA more prescriptive by design.

2. Sectoral scope 

NIS2 casts a wide net across essential and important sectors that underpin the economy and society more generally, from power grids and hospitals to cloud providers and public administrations.  

DORA is firmly rooted in financial services. Its requirements apply to a substantial list of regulated financial entities and, in some cases, the IT providers they rely on, but it does not extend beyond that ecosystem.  

3. Level of technical prescription  

NIS2 defines outcome-based obligations around cyber risk management but leaves more room for national interpretation and sector-specific guidance.  

DORA, by contrast, goes further into the mechanics of ICT risk, incident classification, testing (including threat-led penetration tests), and third-party risk. It sets detailed expectations that financial entities must build into their frameworks and contracts.


What This Means in Practice for Security Leaders

For most organisations, the question isn’t “NIS2 or DORA?” but rather which of these applies, and where the crossover is with everything else we already must comply with. In practice, organisations should keep in mind:

  • If you are in a non-financial critical sector, NIS2 will be your primary EU cyber regime. You will need to build a risk-based security programme that meets NIS2’s governance, technical, and reporting expectations, and is defensible to national regulators.  
  • If you are a financial entity or a critical ICT provider to that sector, DORA is your dominant framework. You may also sit under NIS2 in some respects, but regulators are likely to look first at whether your ICT risk and resilience framework meets DORA’s detailed requirements.
  • If you are in the supply chain, including technology or cloud providers, expect more demanding security and resilience clauses in contracts, even if you are not directly regulated. Both NIS2 and DORA push larger organisations to scrutinise third-party risk much more closely.  

Whichever of the above groups aligns most closely with your organisation, it makes sense to treat NIS2 and DORA not as tick-box exercises, but as catalysts to modernise security operations with continuous monitoring, stronger identity and access controls, tested incident response, and mature, evidenced governance. 

Where Threatscape Fits In

Threatscape has been working with organisations across NIS2-impacted sectors to map their obligations, prioritise minimum measures and build 24/7 monitoring and response through managed security services. The same principles are just as relevant for DORA’s requirements.  

Whether your organisation sits squarely under NIS2, falls into the scope of DORA, or needs to navigate both, the foundations are the same: know your assets, understand your risks, and ensure security is embedded into operations, contracts, and board-level decision making.  
