NIS2 vs. DORA: Which obligations apply to your organisation?
Financial entities face two EU regimes simultaneously. The lex-specialis principle, the Register of Information, BaFin vs. BSI supervision, and different reporting deadlines – here is the complete comparison with a decision tree.
Overview
The NIS 2 Directive (EU) 2022/2555 and the DORA Regulation (EU) 2022/2554 pursue the same goal – digital resilience in Europe – but from different angles. NIS2 is a minimum-harmonisation directive covering 18 critical and important sectors. In Germany it was transposed via the NIS2UmsuCG into the new BSIG (in force from 6 December 2025). DORA is an EU regulation with direct effect, applicable since 17 January 2025, and addresses exclusively financial entities such as banks, insurers, payment institutions and crypto-asset providers.
For financial companies the key question is: am I subject to both? The lex-specialis relationship rests on two provisions: Art. 4 NIS2 Directive gives way to sector-specific Union legal acts that impose at least equivalent risk-management and incident-reporting obligations, and Art. 1(2) DORA declares DORA to be such an act for financial entities. For the matters DORA regulates, it therefore displaces the corresponding NIS2 provisions. However, the German transposition in the NIS2UmsuCG (new BSIG) does not provide a blanket exemption. For certain BSIG obligations, particularly where critical infrastructure (KRITIS) designations overlap, dual compliance may still be required. What matters is the specific classification by the competent authority: BaFin for DORA, BSI for NIS2.
SaaS and IT service providers that are not themselves financial entities are not directly subject to DORA, but are indirectly captured through contractual requirements: under Arts. 28 and 30 DORA their financial customers must embed the key contractual provisions (security standards, audit and access rights, incident support, exit strategies) in the service agreement.
NIS2 vs. DORA compared
| Kriterium | NIS2 | DORA |
|---|---|---|
| Legal form | Directive (minimum harmonisation) – national law required | Regulation (full harmonisation) – direct effect since 17 Jan 2025 |
| Entry into force (Germany) | 18 Oct 2024 (EU); Germany: 6 Dec 2025 (NIS2UmsuCG / new BSIG) | 17 Jan 2025 (directly applicable EU-wide) |
| Supervisory authority (Germany) | BSI (Federal Office for Information Security) | BaFin (Federal Financial Supervisory Authority); CTPP: ESAs (EU level) |
| Scope | 18 critical and important sectors; 50+ employees or EUR 10m turnover | 20+ types of financial entities (banks, insurers, payment institutions, crypto, etc.) |
| Initial notification (major incidents) | Early warning within 24 hours of becoming aware (§ 32 new BSIG) | Within 4 hours of classifying the incident as major, and no later than 24 hours after becoming aware (Art. 19 DORA with the RTS on major incident reporting) |
| Intermediate report | 72 hours after becoming aware (§ 32 new BSIG) | 72 hours after submission of the initial notification (Art. 19 DORA) |
| Final report | 1 month after the intermediate report (§ 32 new BSIG) | 1 month after submission of the intermediate report (Art. 19 DORA) |
| Register of ICT contractual arrangements | No legal obligation | Mandatory under Art. 28(3) DORA; annual submission to BaFin and available on request, using the ESA templates of Implementing Regulation (EU) 2024/2956 |
| Critical third-party oversight | No comparable mechanism | CTPP designation by ESAs (Art. 31 DORA), direct EU oversight, sanctions possible |
| Threat Led Penetration Tests (TLPT) | Not mandatory (voluntary best practice) | Mandatory at least every 3 years for financial entities identified by the competent authority under Art. 26(8) DORA; TIBER-EU-based |
| Governance: management body | § 38 new BSIG: training obligation, personal liability of management | Art. 5 DORA: management body responsible for ICT risk management framework |
| Maximum fines | EUR 10 million or 2% of global annual turnover for essential entities; EUR 7 million or 1.4% for important entities (§ 65 new BSIG) | Penalties are set by Member States (Art. 50 DORA); in Germany via the sectoral financial supervisory laws (MiFID II / CRD / Solvency II transpositions); BaFin may ban activities |
| Lex-specialis relationship | Art. 4 NIS2 Directive: NIS2 gives way to sector-specific Union acts with at least equivalent obligations | Art. 1(2) DORA: DORA is such an act, so it displaces NIS2 for financial entities, but there is no blanket BSIG opt-out in Germany |
| Information sharing / ISAC | Art. 29 NIS2 Directive: voluntary information-sharing arrangements | Art. 45 DORA: voluntary exchange of cyber threat information and intelligence; participation or withdrawal must be notified to the competent authority (Art. 45(3)) |
Similarities
Risk Management
Both frameworks require documented ICT risk management. NIS2 mandates measures under Art. 21 NIS2 Directive (§ 30 new BSIG), DORA a full ICT Risk Management Framework under Arts. 5-15 DORA. A joint risk register covers a large share of both sets of requirements; what remains DORA-specific is mainly the formal framework documentation, the register of information and the testing programme.
Incident Reporting
Both regimes require multi-stage reporting of significant incidents: early warning, intermediate report and final report. The concrete timelines differ. NIS2 sets 24h / 72h / 1 month, all counted from becoming aware (the final report from the intermediate report). DORA sets 4 hours from classification as major (at the latest 24 hours after becoming aware), 72 hours after the initial notification and 1 month after the intermediate report, so each later DORA stage is anchored on the previous submission rather than on awareness.
Third-Party Risk
Supply chain security is a focus in both frameworks. DORA regulates ICT Third-Party Service Providers (TPSP) in detail under Arts. 28-44, including a register obligation. NIS2 addresses supply chain risks via Art. 21(2)(d) NIS2 Directive and § 30 new BSIG.
Governance and Leadership Accountability
Management and board members bear personal liability for compliance failures. NIS2 addresses this in § 38 new BSIG (training obligation, personal liability), DORA in Art. 5 DORA (tasks of the management body for ICT risk management).
Business Continuity and Resilience
NIS2 (§ 30 new BSIG) and DORA (Art. 11 DORA) both require business continuity planning (BCP) and recovery plans. Joint BCP documentation and failover scenarios can cover both requirements.
Security Testing and Audits
Both frameworks require regular testing. NIS2 mandates security audits and vulnerability scans. DORA goes further for larger financial entities: mandatory Threat Led Penetration Tests (TLPT) under Art. 26 DORA at least every three years.
Key differences
Supervisory Authority in Germany
NIS2/BSIG: Primary supervision by BSI (Federal Office for Information Security). DORA: BaFin (Federal Financial Supervisory Authority) is the national competent authority; Critical Third-Party Providers (CTPP) are supervised directly by the ESAs (EBA, ESMA, EIOPA) at EU level.
Initial Reporting Deadline
NIS2 (§ 32 new BSIG): Early warning within 24 hours of becoming aware. DORA (Art. 19 DORA with the RTS on major incident reporting): initial notification within 4 hours of classifying the incident as major, and in any case no later than 24 hours after becoming aware. In practice this means a financial entity needs a classification decision and a notification ready far sooner than the NIS2 early warning alone would require.
Register of Information (DORA-exclusive)
DORA Art. 28(3) requires financial entities to maintain a complete register of all contractual arrangements with ICT third-party providers, distinguishing those that support critical or important functions. The register is reported to BaFin using the ESA templates of Implementing Regulation (EU) 2024/2956 and must be made available to the authority on request. NIS2 has no comparable registration requirement.
Critical Third-Party Provider Designation (CTPP)
DORA Art. 31 enables the designation of Critical Third-Party Providers (CTPP) by the ESAs at EU level – with a direct oversight mechanism, investigation powers and sanction authority. NIS2 has no comparable mechanism for suppliers.
Legal Form: Directive vs. Regulation
NIS2 is a minimum-harmonisation directive – it had to be transposed into national law (Germany: NIS2UmsuCG, in force from 6 December 2025), allowing national variations. DORA is an EU regulation with direct effect and full harmonisation – applicable directly since 17 January 2025 in all member states.
Fines and Sanctions
NIS2/BSIG: Up to EUR 10 million or 2% of global annual turnover for essential entities and EUR 7 million or 1.4% for important entities, plus personal liability for management (§ 65 new BSIG). DORA: Administrative penalties are left to Member States (Art. 50 DORA) and in Germany follow the sector-specific financial supervisory laws (MiFID II, CRD, Solvency II transpositions); BaFin may impose fines, activity bans and public disclosure.
Scope and Sectors
NIS2 covers 18 critical and important sectors (energy, transport, health, water, digital infrastructure, etc.) and all companies above 50 employees or EUR 10 million turnover in those sectors. DORA addresses more than 20 types of financial entities and is broadly mandatory regardless of company size.
Threat Intelligence and TLPT
NIS2 recommends threat intelligence and information sharing but does not mandate TLPT. DORA Art. 26 requires the financial entities identified under Art. 26(8) to conduct Threat Led Penetration Tests (TLPT) at least every three years, based on the TIBER-EU framework and coordinated by BaFin.
Which standard to choose?
The question 'NIS2 or DORA?' can be answered with a straightforward decision tree.
Step 1: Are you a regulated financial entity listed in Art. 2 DORA? This includes: banks, credit institutions, insurers, reinsurers, investment firms, trading venues, payment institutions, e-money institutions, crypto-asset service providers, credit rating agencies, fund managers and others. If YES: DORA applies to you. Under the lex-specialis rule (Art. 4 NIS2 Directive together with Art. 1(2) DORA) DORA displaces NIS2 for most core obligations. But check: are you simultaneously designated as a KRITIS operator or essential entity? If so, additional BSIG obligations may still apply.
Step 2: Are you an IT or SaaS provider serving financial companies, but not yourself a financial entity? Then DORA does not apply to you directly. However, your financial customers must contractually require DORA compliance from you under Arts. 28 and 30 DORA (security standards, exit rights, audit and access rights, incident notification and support obligations). Additionally, NIS2/BSIG may apply directly if you operate in one of the 18 NIS2 sectors.
Step 3: Are you neither a financial entity nor a supplier to financial companies? Then DORA is not relevant. NIS2/BSIG applies if your company operates in one of the 18 critical or important sectors and meets the size thresholds (50+ employees or EUR 10m turnover).
Summary: Financial entity = primarily DORA + possible residual BSIG obligations. IT supplier to banks = NIS2 + DORA contractual requirements. All other relevant sectors = NIS2/BSIG only.
Synergies: implementing both standards efficiently
For companies subject to both regimes or preparing for the transition, a dual-compliance strategy with shared building blocks pays off.
Shared ISMS foundation: ISO 27001 as a technical backbone covers the bulk of both requirements. A unified information security management system significantly reduces duplicated documentation. Risk registers, asset inventories and security policies only need to be created and maintained once.
One risk register for NIS2 and DORA: DORA Art. 6 and NIS2 § 30 new BSIG use similar risk categories. A consolidated ICT risk register – mapped to both frameworks – saves considerable effort. Kopexa's Framework Builder supports this cross-mapping directly in the platform.
Shared incident response plan: A single, well-structured IRP with clearly defined escalation paths can cover both reporting obligations. The key is to account for the different clocks in the alert chain: the DORA 4-hour window starts when the incident is classified as major (with a 24-hour backstop from awareness), the NIS2 24-hour window starts when the entity becomes aware, and DORA's intermediate and final stages run from the previous submission rather than from awareness. A unified trigger that fires an initial notification no later than 4 hours after awareness automatically satisfies the NIS2 24-hour obligation; the later stages should be scheduled against whichever regime's deadline comes first.
DORA Register of Information as NIS2 asset inventory: The register of all ICT contractual arrangements required by Art. 28(3) DORA can simultaneously serve as a comprehensive third-party inventory under NIS2.
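The alert chain described under "Shared incident response plan" above is easier to reason about when the two timelines are written down as code. The following is an added example, not Kopexa's code and not part of the original article. It encodes a simplified planning model of the two timelines (NIS2: 24h and 72h after awareness, final report 1 month after the intermediate report; DORA: 4h after classification as major but at most 24h after awareness, 72h after the initial notification, 1 month after the intermediate report), approximates "1 month" as 30 days, and computes, for each stage, which regime sets the binding deadline for a dual-regulated entity. The sample incident timestamps are constructed; the function and constant names are this example's own.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Planning model of the two reporting timelines (simplified, not legal advice):
#   NIS2 / § 32 new BSIG: early warning 24h and intermediate report 72h after
#   becoming aware; final report 1 month after the intermediate report.
#   DORA Art. 19 with its RTS: initial notification 4h after classifying the
#   incident as major but no later than 24h after becoming aware; intermediate
#   report 72h after the initial notification; final report 1 month after the
#   intermediate report.
MONTH = timedelta(days=30)  # assumption: planning approximation of "1 month"


def hours(h):
    return timedelta(hours=h)


@dataclass(frozen=True)
class Deadline:
    regime: str
    stage: str
    due: datetime


def regime_deadlines(aware_at, classified_at=None, initial_sent_at=None,
                     intermediate_sent_at=None):
    """All six deadlines. A stage whose anchor report has not been sent yet is
    planned from that anchor's own deadline, so the result is always a safe bound."""
    classified_at = classified_at or aware_at
    nis2_initial = aware_at + hours(24)
    nis2_inter = aware_at + hours(72)
    # DORA: 4h from classification, capped by the 24h-from-awareness backstop.
    dora_initial = min(classified_at + hours(4), aware_at + hours(24))
    dora_inter = (initial_sent_at or dora_initial) + hours(72)
    # Final reports hang off the intermediate report under both regimes, but each
    # regime falls back to its *own* intermediate deadline while nothing is sent.
    nis2_final = (intermediate_sent_at or nis2_inter) + MONTH
    dora_final = (intermediate_sent_at or dora_inter) + MONTH
    return [Deadline("NIS2", "initial", nis2_initial),
            Deadline("NIS2", "intermediate", nis2_inter),
            Deadline("NIS2", "final", nis2_final),
            Deadline("DORA", "initial", dora_initial),
            Deadline("DORA", "intermediate", dora_inter),
            Deadline("DORA", "final", dora_final)]


def binding_deadlines(aware_at, **timestamps):
    """Per stage, the earliest deadline across both regimes and who sets it.
    This is the schedule a single alert chain for a dual-regulated entity must meet."""
    binding = {}
    for d in regime_deadlines(aware_at, **timestamps):
        if d.stage not in binding or d.due < binding[d.stage].due:
            binding[d.stage] = d
    return binding


def unified_trigger_ok(trigger_after_awareness):
    """True if one initial-notification trigger (a timedelta measured from becoming
    aware) satisfies both regimes even when the incident is classified as major
    immediately, i.e. when the DORA 4h clock starts together with the NIS2 clock."""
    return trigger_after_awareness <= hours(4)


# Constructed sample incident: the SOC becomes aware at 09:00 UTC on 1 March 2025.
AWARE_EXAMPLE = datetime(2025, 3, 1, 9, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for stage, d in binding_deadlines(AWARE_EXAMPLE).items():
        print(f"{stage:12s} due {d.due:%Y-%m-%d %H:%M}Z  (set by {d.regime})")
    # Late classification as major (22h in): the 24h backstop caps the 4h window.
    late = binding_deadlines(AWARE_EXAMPLE, classified_at=AWARE_EXAMPLE + hours(22))
    print("initial with late classification:", late["initial"].due, late["initial"].regime)
```

Running the sample shows the practical point: DORA sets the initial deadline (4 hours), but NIS2 sets the intermediate and final deadlines, because its 72-hour clock runs from awareness while DORA's runs from whenever the initial notification actually went out. Passing the real submission timestamps re-anchors DORA's later stages, which is what the alert chain should do at runtime.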
Frequently asked questions
Am I affected?
Use our industry-specific calculator to find out in minutes whether NIS2, DORA or both apply to your organisation.
To the NIS2 applicability calculator
Multi-standard compliance?
Kopexa shows you where NIS2 and DORA overlap and saves you duplicate work.
Request a demo