
NIS2 vs. DORA: Understanding the Overlap and Differences

May 20, 2025
NIS2 and DORA both serve as cybersecurity enforcement mechanisms within the EU. The fact that one is a directive, while the other is a regulation, already hints that certain differences will be present. Although they share a common goal, the scopes, applications, and implications tell two different stories. So, which one should you focus on?

Directive vs. Regulation

One of the main differences is their legal format.

  • NIS2, being a directive, outlines goals that EU countries must implement through national laws. This means that the directive allows for flexibility in application across member states.
  • DORA, being a regulation, brings a stricter approach that encompasses all EU member states and does not allow local adaptations. Also, it is immediately enforceable across all EU member states.

Implementation Timelines

  • NIS2: The directive was published in December 2022, and EU countries had to transpose it into national law by October 2024. Organizations then received additional time to meet their compliance obligations once the local laws were published.
  • DORA: This regulation took effect January 17, 2025, uniformly across the EU. While it's fully binding, technical specifications are still being finalized by the European Supervisory Authorities (ESA) and ENISA.

Different Objectives

  • NIS2 encompasses a wide range of sectors, classified as either Essential or Important entities. The goal is to improve the resilience of critical infrastructures and services.
  • DORA focuses specifically on the financial sector. The main objective is that financial institutions withstand cyberattacks and digital disruptions, all while continuing operations.

The two laws are in fact complementary rather than being in conflict – NIS2 covers broader cybersecurity issues through various sectors, while DORA highlights the importance of cybersecurity resilience within the financial sector.

Content Differences

These laws differ not just in purpose but in content:

  • NIS2 emphasizes supply chain security and sets heavy penalties (up to 2% of global turnover).
  • DORA places stricter emphasis on third-party risk management and security testing—requiring annual resilience assessments and threat-based penetration testing every three years. Sanctions under DORA are determined by national authorities.

Which Law Takes Priority?

In case your organization falls under both NIS2 and DORA, DORA prevails. This follows from the lex specialis principle: when multiple pieces of legislation apply, the most specific one takes precedence. In simpler terms, specific legislation holds more power than general legislation. The DORA regulation explicitly states that it overrides NIS2 for the financial institutions it covers.

Entities Under DORA

DORA applies to 21 categories of financial and ICT-related organizations, including:

  • Banks and credit institutions
  • Payment and electronic money services
  • Crypto-asset providers
  • Investment firms and insurance companies
  • Trading platforms, benchmark administrators, and ICT service providers

A complete list of entities falling under the DORA scope is available in Article 2 of the regulation.

Entities Under NIS2

Organizations not listed under DORA may still fall under NIS2 if they qualify as:

  • Essential Entities (EE) – digital infrastructure, water supply, space, health, public administration, finance, transport, and energy.
  • Important Entities (IE) – digital providers, manufacturing, food, research, chemicals, waste management, postal services.

Detailed explanations are available in Article 3 of the NIS2 Directive.

NIS2 vs. DORA Summary

  • Goals: NIS2 strengthens EU-wide cybersecurity; DORA ensures the financial sector’s operational resilience.
  • Legal Form: NIS2 is a directive (requires national adoption); DORA is a regulation (applies automatically).
  • Scope: NIS2 applies to a wide range of critical sectors; DORA is focused on finance and ICT providers.
  • Priority: For financial institutions, DORA takes precedence over NIS2 (lex specialis).

Download NIS2 Checklist

Feeling lost about where to start when it comes to the NIS2 Directive? That is why we decided to equip you with actionable steps on how to kick off your compliance journey and reach full compliance with ASEE.

Don’t wait for a breach or a compliance deadline. Start today. Contact us for solution-specific support.
