October 28, 2025

Last Updated on October 28, 2025

With cyber risk always increasing, it makes sense to focus on overall business resilience versus strictly cybersecurity. In the EU, economic and political interdependence among diverse member nations heightens the need to make cybersecurity, risk management, and resilience practices more uniformly mature—especially for companies delivering essential services in the economic, health, safety, environmental, and legal sectors.

The Network and Information Systems 2 directive (NIS2) and the Digital Operational Resilience Act (DORA) both provide guidance to critical EU businesses aimed at reducing the potential fallout from cybercrime-related service outages. The two laws cover areas like business continuity, risk management, incident reporting, supply chain security, internal testing/evaluation, peer data sharing, and more.

How do NIS2 and DORA relate and how are they relevant to your business? This article compares the two pieces of legislation with a focus on new requirements and considerations for companies globally.

Key takeaways

  • NIS2 covers essential, critical, and important entities in many areas, while DORA is specific to financial services. A business may be subject to either or both.
  • As an EU-wide regulation, DORA is much more prescriptive and specific than NIS2, which is a directive implemented and enforced through national laws.
  • NIS2 and DORA are EU legislation but have a range of potential impacts for companies worldwide—especially for service providers working with EU-based entities that are covered by NIS2 and/or DORA.
  • Both frameworks can levy stiff noncompliance penalties along with associated reputational and legal consequences.

What are DORA and NIS2 in a nutshell?

NIS2 seeks to fortify the cybersecurity postures of “essential” and “important” organizations that operate in vital sectors within the EU, including banking, financial infrastructure, energy/utilities, healthcare, transportation, telecommunications, and IT infrastructure. NIS2 replaces its predecessor NIS1, which went into effect in May 2018 but proved difficult to enforce and ultimately had little impact.

NIS2 adds new and elevated responsibilities for covered entities, including stronger cybersecurity, expanded managerial oversight, and strict reporting obligations for “incidents” and “cyber threats.”

While NIS2 is a directive that is implemented through country-specific laws, DORA is a regulation that is enforced across the EU by overarching EU supervisory authorities.

DORA focuses on ensuring that financial services firms (banks, insurers, payment providers, brokerages, fintechs) operating in the EU can weather cybersecurity attacks. With its comprehensive emphasis on digital resilience, DORA has become the new global standard for how financial businesses and their regulators can most effectively combat current, emerging, and unforeseen cybercrime threats to business continuity.

How do NIS2 and DORA compare?

The table below compares DORA and NIS2 in key areas:

| | DORA | NIS2 |
| --- | --- | --- |
| Covered businesses | Financial services businesses like banks, insurance companies, investment firms, brokerages, and fintechs | Essential and important entities across 18 sectors, including utilities, healthcare, energy, transportation, food production, and telecommunications |
| Purpose | Enhance and harmonize cyber resilience capabilities for EU financial firms | Improve cybersecurity maturity for “critical infrastructure” businesses EU-wide |
| Key elements | Incident reporting, resilience testing, third-party risk management | Cybersecurity governance, risk management, incident reporting, cross-border collaboration |
| Enacted into law | January 2025 | By October 2024 |
| Implementation | An EU-wide regulation that is the same in every EU country | A directive that serves as a baseline for nation-specific laws |
| Enforcement | Enforced by “national competent authorities” (NCAs) with oversight by the three European Supervisory Authorities (ESAs) | Enforced by “competent authorities” designated by each EU member state |
| Level of detail | Highly detailed and prescriptive for operational resilience in financial services | More general cybersecurity and governance guidance applicable to diverse businesses |

The sections that follow add comparative details for DORA and NIS2 in several important areas.

DORA is much more detailed and prescriptive than NIS2

According to Dejan Kosutic, CEO at Advisera, DORA is far and away the most detailed cybersecurity regulation out there, in terms of specific guidance on controls. It is more prescriptive than ISO 27001, SOC 2, NIST 800-171, NIST 800-53, or even HITRUST.

“Nothing compares to it, really,” Dejan emphasizes.

NIS2 is likewise more detailed and comprehensive than its predecessor, NIS1. But its focus is on clearly defining how it is to be established and enforced at the national level. Its implementation guidance is more general because NIS2 applies to 18 different verticals, while DORA only covers financial services.

“NIS2 precisely defines the roles of government bodies that are in charge of enforcing it,” explains Dejan. “NIS1 was not very enforceable because it was not very precise.”

DORA takes precedence over NIS2 in financial services

Two of the sectors NIS2 covers—banking and financial intermediaries—are also covered by DORA. However, NIS2 states that sector-specific regulations like DORA take precedence in terms of enforcement wherever requirements overlap.

What about DORA versus the EU’s Payment Services Directive (PSD2) regulation? PSD2 is much more narrowly focused on the electronic payments industry and payment security versus overall resilience for the financial services sector. Many financial businesses will be subject to both DORA and PSD2.

DORA emphasizes resilience, NIS2 concentrates on cybersecurity

NIS2 and DORA both concern cybersecurity, but their emphasis is different:

  • NIS2 seeks to elevate the general cybersecurity posture of critical infrastructure companies against external cyber threats.
  • DORA addresses operational resilience, seeking to ensure that financial services businesses can continue to function even when critical systems are disrupted by a cyber attack.

For example, DORA mandates penetration testing, simulations, and other forms of resilience testing. NIS2 does not specifically call for cybersecurity testing but does require various risk management and associated governance practices.

DORA mandates vendor risk management

As a comprehensive EU-wide statute for financial services, DORA acknowledges the central importance of service providers and the digital risks they present. DORA mandates that contracts and service level agreements (SLAs) with vendors and other third parties directly address resilience and spell out cyber-risk-related responsibilities.

DORA’s specific requirements around vendor risk include:

  • Defining a process to securely recover and return data to the customer if the service provider goes out of business or is replaced by a competitor.
  • Defining how a service provider delivers availability, security, integrity, accessibility, and data protection in accordance with their services.
  • Specifying how a vendor will assist a customer should a cyber incident occur that involves their services or cybersecurity processes.
  • Creating and regularly reviewing a vendor risk strategy for “critical or important” third-party services, such as cloud services.

NIS2 does not directly address third-party or supply chain risk. But these risks have a major impact on a critical infrastructure company’s cybersecurity posture so they may be covered in country-specific legislation.

DORA and NIS2 add new but different audit requirements

NIS2 and DORA both define new audit requirements for many covered entities, but the objectives are completely different:

  • NIS2 requires essential and important entities to undergo regular, targeted, and ad hoc audits conducted by an independent body or competent authority. The results must be shared with the applicable competent authority.
  • DORA explicitly empowers covered financial entities and competent authorities to audit third-party service providers. This underscores DORA’s emphasis on supply chain risk management and overall financial sector resilience. Microenterprises may be exempt from DORA’s internal audit requirements.

Besides addressing audit-related compliance requirements within the respective laws, some organizations might choose to pursue independent NIS2 and/or DORA compliance attestations. This could be a compelling way to demonstrate compliance to customers, partners, boards, and other stakeholders.

Is my business subject to DORA and/or NIS2?

DORA is EU legislation, but its impact is worldwide. Financial markets are globally connected, which means that many financial services firms, fintechs, and various IT service providers outside the EU will need to comply with DORA if they have customers in the EU.

For example:

  • If a US-based financial services company has business units in Germany and France, those business units would be subject to DORA.
  • If a US-based SaaS provider offers IT services to EU financial services firms, they will likely need to comply with DORA to fulfill customer contractual obligations and/or to support their customers’ DORA compliance.

DORA focuses on driving resilience within the critical operational functions that allow EU financial services entities to deliver core services. Does your business directly support critical operational functions for EU financial firms? If so, you may well need to uphold a level of resilience and cybersecurity that aligns with DORA even if you are not directly subject to DORA compliance audits. Otherwise, you could threaten your EU customers’ DORA compliance.

Many critical infrastructure companies outside the EU will likewise be subject to NIS2 if they have a business unit, subsidiary, and/or customers in the EU. NIS2’s global importance stems from its goal of “raising the bar” for cybersecurity not just for vital EU businesses but for their suppliers and supply chain partners wherever they are located. This makes NIS2 compliance a strategic necessity for thousands of businesses all over the world.

How might NIS2 and/or DORA compliance impact my business?

Especially because it reaches beyond cybersecurity to address operational resilience best practices, DORA compliance may require significant technology investments and process changes. This could increase operational costs for businesses in the financial services supply chain.

Increasing compliance demands will also require organizations to find “win-win” approaches that support compliance without hindering digital innovation. Agility remains hyper-critical as the pace of change relentlessly accelerates across the financial services digital landscape.

NIS2 and DORA also up the ante for senior leadership in terms of accountability. C-suites and boards now face censure if they fail to demonstrably take charge of their organization’s resilience and cybersecurity.

What are common NIS2 and DORA “gotchas” to avoid?

Misconceptions can lead to missteps with DORA or NIS2 alignment, implementation, or compliance. Here are some common “gotchas” and inaccurate beliefs to avoid:

  • NIS2 is not just for IT service providers. It applies to a wide range of verticals that are considered critical for society and the economy.
  • For covered financial firms, parts of both statutes are relevant. It is true that DORA takes precedence over NIS2 for “critical/important” financial services firms anywhere the two statutes overlap. But the overarching NIS2 requirements still apply. For example, NIS2 mandates cooperative information sharing on threats and attacks, an obligation that is outside DORA’s scope but still applies to financial firms.
  • The two laws have different reporting obligations. Both DORA and NIS2 have strict requirements for reporting cybersecurity incidents, but the specifics differ. NIS2 reporting guidelines are more detailed and time-sensitive (e.g., reporting relevant incidents within 24 hours) while DORA requirements home in on operational resilience threats, impacts, and responses.
  • NIS2 and DORA should be approached holistically. While their aims differ, NIS2 and DORA overlap significantly. Covered financial firms need a holistic compliance strategy that covers both regulations.
  • Businesses outside financial services can still benefit from DORA. It is true that non-financial entities are not directly subject to DORA. But as perhaps the most detailed cybersecurity guidance on the planet, DORA can be useful as a reference standard to evaluate and advance a leading organization’s cybersecurity and resiliency postures.

What’s next?

For more guidance on this topic, listen to Episode 154 of The Virtual CISO Podcast with guest Dejan Kosutic, CEO at Advisera.