Cybersecurity is taking centre stage for the EU, with two pieces of legislation coming into place. 

The NIS2 directive and Digital Operational Resilience Act (DORA regulation) both focus on cybersecurity. But the audiences and goals are different.

The NIS2 directive ensures a high cybersecurity standard across all EU member states. It targets organizations in sectors with a high impact on our daily lives – ‘essential entities’ such as energy, transport, and finance, and ‘important entities’ like postal services, manufacturing, and food production.

The DORA regulation has a narrow focus on financial services. It aims to increase resilience and cybersecurity for 21 types of financial entities and ICT third-party service providers. 

If you’ve already put two and two together, you’ll have spotted the overlap between these two pieces of legislation. So, do certain financial services firms need to maintain compliance with both?

In this guide, we provide a top-level overview of NIS2 and DORA, including who they apply to and how they overlap. We also share pointers on maintaining NIS2 and DORA compliance and keeping your business cybersecure.

Key differences between the NIS2 directive and DORA regulation

Cybersecurity is at the centre of both the NIS2 directive and DORA regulation. But there are several differences between the two.

Look deeper into DORA's requirements and you'll see it focuses on key areas such as ICT and third-party risk management, ICT incidents, digital operational resilience testing, information sharing and third-party provider oversight.

NIS2 requirements include 10 key elements all companies need to address. These include incident handling, supply chain security, and vulnerability handling and disclosure. 

Resilience testing looks different under the two pieces of legislation: DORA demands annual resilience testing programs and a threat-led penetration test every three years. NIS2 only requires security audits every two years.

Directive vs regulation

The biggest difference between NIS2 and DORA is their legal structures. NIS2 is a directive and DORA is a regulation, which means they’re enforced differently.  

Directives give you the direction of travel. But it’s down to member states to translate these into national law before they can be applied. In the case of NIS2, EU member states have 24 months from its publication in December 2022 to introduce national laws, giving a deadline of October 2024. 

This could mean mandated businesses based in two separate EU member states follow different standards for the same directive.

As a regulation, DORA needs to be applied uniformly across all EU states when it comes into force on 17 January 2025.

Where do NIS2 and DORA overlap?

Both the NIS2 directive and DORA regulation demand clear policies, processes and tools for handling cybersecurity risk.

Financial penalties

Fines are heavy for NIS2 and DORA non-compliance – up to 2% of total annual turnover.

Incident reporting

Reporting requirements for NIS2 and DORA are the same: initial incident reports are due within 24 hours, detailed reports within 72 hours and final reports within one month for both. Business continuity, disaster recovery and backup requirements are also included in both.

Data backup and business continuity

Finding secure ways to back up and manage your business data will help you maintain DORA and NIS2 compliance.

Leadership and risk management

Both pieces of legislation require strong leadership. Start by assigning someone to lead on compliance, enforcing policies, procedures and behaviours, and reviewing cybersecurity gaps in your operations.


NIS2 or DORA – which legislation applies to me? 

The DORA regulation is ‘lex specialis’, meaning more specific rules (like those laid out in DORA) take precedence over more general rules (like those in NIS2). If your organisation falls under both NIS2 and DORA rules, prioritise DORA.

For 21 types of financial entities – including credit institutions, banks, payment institutions and investment firms – DORA is the primary legislation. Check whether your organisation is one of these 21 types so you know which rules to follow.

Ensure compliance with CloudM Backup

A reliable backup tool can help keep your business running smoothly and buffer the effects of a cybersecurity threat. 

CloudM Backup stores your vital business data reliably and securely. We’re industry leaders for data backups, with secure encryption in transit and at rest, and compliance with ISO 27001. You always get a clear view of important information – with access to a dashboard containing key stats and notifications about your data. 

Choose from broad or granular restoration options that enable you to mass restore an entire dataset, or single folders and items. Flexible, reliable data backups and recovery to fit you.
