NIS2 vs DORA: what applies to the financial sector

For financial institutions, the regulatory picture is complex: NIS2 and DORA (Digital Operational Resilience Act) partially overlap. Understanding the differences is essential for compliance.

Adrian Voicu
Advisory Services at BetterQA
7 min read

What is DORA?

DORA (EU Regulation 2022/2554) is the European framework for digital operational resilience in the financial sector. Unlike NIS2, which is a directive and must be transposed into national law, DORA is a regulation: it applies directly in every member state, without national transposition.

Entities covered by DORA:

  • Credit institutions (banks)
  • Payment institutions
  • Electronic money institutions
  • Investment firms
  • Central securities depositories
  • Central counterparties
  • Trading platforms
  • Alternative investment fund managers
  • Management companies
  • Providers of reporting services
  • Credit rating agencies
  • Crowdfunding service providers
  • Critical ICT service providers for the financial sector

How do NIS2 and DORA interact?

The "lex specialis" principle

DORA is considered special legislation for the financial sector. According to the principle "lex specialis derogat legi generali":

  • For financial entities, DORA takes priority over NIS2
  • However, certain NIS2 provisions still apply

What applies from NIS2 for financial entities?

Under Romanian OUG 155/2024, entities regulated by DORA must still comply with the following NIS2 provisions:

  1. Registration obligation with DNSC (Romanian National Cybersecurity Directorate)
  2. Provisions on cooperation between authorities
  3. Risk identification at national level
  4. Information sharing about threats

What does NOT apply from NIS2?

  • Requirements for risk management measures (Chapter IV NIS2)
  • Incident reporting obligations (DORA provisions apply)
  • Supervision and enforcement (DORA provisions apply)

Practical comparison: NIS2 vs DORA

Aspect                  | NIS2                      | DORA
------------------------|---------------------------|--------------------------------------------
Type                    | Directive                 | Regulation
Sector                  | 18 sectors                | Financial only
Incident reporting      | 24h / 72h / 30 days       | Similar, with sector-specific details
Critical ICT providers  | General requirements      | Registry and direct EU supervision
Testing                 | General requirements      | Mandatory advanced testing (TLPT)
Competent authority     | DNSC                      | ASF / BNR (Romanian financial supervisors)

DORA-specific requirements

1. ICT risk management

  • Comprehensive risk management framework
  • Documented policies and procedures
  • Allocation of responsibilities at management level
  • Audit of ICT risk function

2. ICT incidents and reporting

  • Classification of incidents according to specific criteria
  • Reporting to the competent financial authority
  • Similar deadlines to NIS2 but with sector-specific details

3. Digital operational resilience testing

  • Vulnerability and penetration testing
  • Advanced threat-led penetration testing (TLPT) for large entities
  • Defined frequency and methodology

4. Third-party ICT provider risk

  • ICT provider registry
  • Risk assessment before contracting
  • Mandatory contractual provisions
  • Exit strategy

5. Information sharing

  • Participation in information sharing mechanisms
  • Notification of authorities about threats

What must financial entities do?

In relation to DNSC (NIS2):

  1. Mandatory registration, even if you're regulated by DORA
  2. Provide information for the national risk map
  3. Cooperate in case of incidents with cross-sectoral impact

In relation to ASF/BNR (DORA):

  1. Implement the full set of DORA requirements
  2. Report incidents to the financial authority
  3. Carry out resilience testing according to the DORA methodology
  4. Manage ICT providers in line with the DORA registry requirements

Critical ICT providers - EU supervision

A unique aspect of DORA: critical ICT service providers for the financial sector will be supervised directly at European level.

Who is considered a critical provider:

  • Providers designated by European Supervisory Authorities
  • Those providing services to a large number of financial entities
  • Those for which no viable alternatives exist

Implications:

  • Audits and inspections from EU level
  • Direct sanctions for non-compliance
  • Specific reporting requirements

Recommendations for financial entities

1. Don't completely ignore NIS2

Even though DORA is the main framework, registration with DNSC remains mandatory. Use NIS2 Manager to understand your classification.

2. Coordinate compliance efforts

  • Many requirements overlap (e.g., incident management)
  • Use the same processes and documentation where possible
  • Avoid duplication of efforts

3. Watch for DORA deadlines

  • DORA applies from January 17, 2025
  • Some requirements have transition periods
  • TLPT testing has specific gradual implementation requirements

4. Manage providers proactively

  • If you're an ICT provider for financial entities, prepare for the DORA obligations
  • The DORA registry will increase transparency
  • Contractual requirements will be stricter

Conclusion

For the financial sector, DORA is the main compliance framework for cybersecurity, but NIS2 remains relevant for registration and cooperation. An integrated approach covering both frameworks will ensure complete compliance and optimize resources.

Financial entities should work with legal and compliance teams to understand exactly which obligations apply in their specific situation.
