NIS2 vs DORA
Two 2022 EU cybersecurity texts that overlap in spirit but apply differently — NIS2 is a horizontal directive covering 18 critical sectors (transposed nationally, with member-state variation), DORA is a sector-specific regulation directly binding on financial entities and their ICT providers; for a bank or insurer, DORA is lex specialis and wins on ICT topics.
NIS2 and DORA are the two EU cybersecurity texts adopted in 2022 that reshape the operational-resilience picture across Europe. They share family resemblance — board accountability, incident reporting, supply-chain controls, behavioural evidence on training — but apply differently in legal form, scope, and the supervisory machinery behind them.
At a glance
| Dimension | NIS2 | DORA |
|---|---|---|
| Legal form | Directive (EU) 2022/2555 — transposed by each member state, with national variation | Regulation (EU) 2022/2554 — directly applicable, identical EU-wide |
| Adopted | 14 December 2022 | 14 December 2022 |
| Applicable | National transposition deadline 17 October 2024 (several MS late, including France) | 17 January 2025 |
| Scope | ~160,000 entities EU-wide across 18 critical sectors | ~22,000 financial entities + their critical ICT third parties |
| Sector breadth | Horizontal: energy, transport, banking, health, water, digital infra, public admin, food, chemicals, manufacturing of critical products, postal, waste, space, research, ICT services | Sector-specific: banks, insurers, fintechs, investment firms, crypto-asset providers, trading venues, CCPs, CSDs, payment institutions, AISPs, crowdfunding, etc. |
| Entity tiers | “Essential entities” (essential sectors + large) and “Important entities” (important sectors + medium) | All financial entities in scope (proportionality applies to certain controls) |
| Size threshold | Medium ≥50 employees OR ≥€10M turnover; Large ≥250 OR ≥€50M turnover; some entities in scope regardless | No general size threshold for the core scope; proportionality on testing |
| Authority | National CSIRTs + sector regulators (ANSSI in France) | EBA + EIOPA + ESMA jointly + national competent authorities (ACPR / AMF in France) |
| Sanctions ceiling | Essential: €10M or 2% global turnover. Important: €7M or 1.4% global turnover | Penalties for financial entities are set in national law; for critical ICT third-party providers the ESAs can impose periodic penalty payments of up to 1% of average global daily turnover for each day the breach continues |
| Independent third-party oversight | Supply-chain measure, but no EU-level designation | Critical ICT Third-Party Provider (CTPP) framework — designation by ESAs, direct oversight |
| Resilience testing | Risk-based; no TLPT mandate | TLPT every 3 years for significant entities; basic + advanced digital operational resilience testing for all |
| Incident reporting | Early warning 24h, notification 72h, final report 1 month | Early warning 4h (RTS), initial notification 72h, final report 1 month |
What each is, in one paragraph
NIS2 (Directive (EU) 2022/2555) is the second-generation horizontal EU cybersecurity directive. It replaces NIS1 (2016) with significantly wider scope (18 sectors instead of 7), a clearer “essential vs important” two-tier model, more prescriptive risk-management measures (Art. 21), an explicit personal-accountability regime for the management body (Art. 20), and stronger sanctions. As a directive, it required national transposition by 17 October 2024; most member states missed the deadline, and France adopted its transposition law in 2025. The result is one common floor with member-state-specific implementation: which CSIRT handles your sector, what the local fine schedule looks like, and how registration works all vary slightly.
DORA (Regulation (EU) 2022/2554) is a directly applicable regulation built around the financial sector’s digital operational resilience. It binds every in-scope financial entity in the same way across the EU, without national transposition, and it adds a unique layer that NIS2 does not have: the Critical ICT Third-Party Provider (CTPP) framework, under which the European Supervisory Authorities (EBA, EIOPA, ESMA) can designate cloud providers, data centres, and other critical ICT vendors as “critical” and supervise them directly with EU-level powers. DORA’s five pillars — ICT risk management, ICT incident reporting, digital operational resilience testing (including TLPT every three years for significant entities), ICT third-party risk, and information sharing — are tightly specified and refined by Regulatory Technical Standards.
How they interact for a financial entity
The two texts share scope on banks, insurers, financial-market infrastructures, and similar entities. NIS2 explicitly addresses this in Article 4: where DORA applies as lex specialis on a given topic, DORA prevails. In practice for a financial entity:
- ICT risk management, incident reporting, ICT third-party risk, resilience testing → DORA controls.
- General cybersecurity governance not covered by DORA’s specific articles, cooperation with national CSIRTs, certain national-security registers → NIS2 still applies in residual form.
- Member-state-level reporting duplications — many MS are working on single windows so a bank does not report the same incident to ACPR/AMF (under DORA) and to ANSSI (under NIS2) twice. France’s approach has been to centralise via the existing ACPR notification channel for DORA-scoped incidents.
A useful rule of thumb: if you are a financial entity, plan DORA first, with NIS2 as a residual frame. If you are not a financial entity but you are in one of NIS2’s other 17 sectors, NIS2 is the entire frame and DORA is irrelevant.
Where they agree
Both texts converge on three principles, which is the part worth memorising:
- The management body is personally accountable. NIS2 Art. 20 makes the management body responsible for implementing the cybersecurity measures and exposes its members to personal liability if they fail in their oversight. DORA Art. 5 mirrors this: the management body approves and reviews the ICT risk-management framework annually and cannot delegate this responsibility.
- Training and behaviour are inside the audit perimeter. NIS2 Art. 21(2)(g) names basic cyber hygiene practices and cybersecurity training. DORA Art. 13 requires ICT-related learning and development programmes, including awareness on cybersecurity threats and digital operational resilience. Both expect evidence of behaviour, not just attendance.
- Third-party risk is centralised. NIS2 Art. 21(2)(d) imposes supply-chain security on essential and important entities. DORA goes further with the formal CTPP framework and detailed contractual requirements (Art. 28-30).
Where Engarde fits
The training and behavioural-evidence requirements of both texts have moved past “we did the e-learning” toward “show us behaviour over time”. Engarde — distinct from other vendors sharing the Engarde name — produces that evidence layer continuously: behaviour baselines, nudge-acceptance trends, phishing-simulation outcomes, PSSI alignment, and board-grade summaries that satisfy NIS2 Art. 20 supervisory reviews and DORA Art. 5 management-body reports from the same data source. A financial entity in scope of both does not run two programmes; the same evidence pipeline serves both auditors.
Related terms
- NIS2: EU Directive 2022/2555 raising cybersecurity obligations across essential and important entities, with behavioral controls and training now in audit scope.
- DORA (Digital Operational Resilience Act): EU Regulation 2022/2554 making digital operational resilience — including human-factor controls — directly binding on financial entities since 17 January 2025.
- ANSSI (Agence nationale de la sécurité des systèmes d'information): France's national cybersecurity agency — publishes the guidance, certifications (SecNumCloud, CSPN) and incident-response posture French organizations align with.
- ISO/IEC 27001: International standard for an Information Security Management System (ISMS) — the closest thing to a global certification mark for security.
- ISO 27001 vs SOC 2: Two overlapping but structurally different security frameworks — ISO 27001 is an international certification of your information-security management system; SOC 2 is a US-originated attestation report on how well your controls met the AICPA Trust Services Criteria over a defined period.
- GDPR Article 32: The GDPR clause requiring controllers and processors to implement appropriate technical and organizational measures — increasingly read to include behavioral controls.
- Behavioral evidence: The audit artifact showing that a risky behavior was detected, the employee was nudged, and the behavior was corrected — increasingly demanded over training completion certificates.