Cybersecurity is taking centre stage for the EU, with two pieces of legislation coming into force.
The NIS2 directive and Digital Operational Resilience Act (DORA regulation) both focus on cybersecurity. But the audiences and goals are different.
The NIS2 directive ensures a high cybersecurity standard across all EU member states. It targets organisations in sectors with a high impact on our daily lives – ‘essential entities’ such as energy, transport, and finance, and ‘important entities’ like postal services, manufacturing, and food production.
The DORA regulation has a narrow focus on financial services. It aims to increase resilience and cybersecurity for 21 types of financial entities and ICT third-party service providers.
If you’ve already put two and two together, you’ll have spotted the overlap between these two pieces of legislation. So, do certain financial services firms need to maintain compliance with both?
In this guide, we provide a top-level overview of NIS2 and DORA, including who they apply to and how they overlap. We also share pointers on maintaining NIS2 and DORA compliance and keeping your business cybersecure.
Key differences between the NIS2 directive and DORA regulation
Cybersecurity is at the centre of both the NIS2 directive and DORA regulation. But there are several differences between the two.
Look deeper into DORA requirements, and you’ll see it focuses on key areas such as ICT and third-party risk management, ICT incidents, digital operational resilience testing, information sharing and third-party provider oversight.
NIS2 requirements include 10 key elements all companies need to address. These include incident handling, supply chain security, and vulnerability handling and disclosure.
Resilience testing looks different under the two pieces of legislation – DORA demands annual resilience testing programs and a threat-led penetration test every three years. NIS2 only requires security audits every two years.
Directive vs regulation
The biggest difference between NIS2 and DORA is their legal structures. NIS2 is a directive and DORA is a regulation, which means they’re enforced differently.
Directives give you the direction of travel. But it’s down to member states to translate these into national law before they can be applied. In the case of NIS2, EU member states have 24 months from its publication in December 2022 to introduce national laws, giving a deadline of October 2024.
This could mean mandated businesses based in two separate EU member states follow different standards for the same directive.
As a regulation, DORA needs to be applied uniformly across all EU states when it comes into force on 17 January 2025.
Where do NIS2 and DORA overlap?
Both the NIS2 directive and DORA regulation demand clear policies, processes and tools for handling cybersecurity risk.
NIS2 or DORA – which legislation applies to me?
The DORA regulation is ‘lex specialis’ – meaning more specific rules (like those laid out in DORA) take precedence over more general rules (like those in NIS2). If your organisation falls under both NIS2 and DORA rules, prioritise DORA.
For 21 types of financial entities – including credit institutions, banks, payment institutions and investment firms – DORA is the primary legislation. Check whether your organisation is one of these 21 types so you know which rules to follow.
Ensure compliance with CloudM Backup
A reliable backup tool can help keep your business running smoothly and buffer the effects of a cybersecurity threat.
CloudM Backup stores your vital business data reliably and securely. We’re industry leaders for data backups, with secure encryption in transit and at rest, and compliance with ISO 27001. You always get a clear view of important information – with access to a dashboard containing key stats and notifications about your data.
Choose from broad or granular restoration options that enable you to mass restore an entire dataset, or single folders and items. Flexible, reliable data backups and recovery to fit you.