NIS2 and DORA are separate but overlapping pieces of recent European Union (EU) legislation, both of which seek to further improve cybersecurity and digital resilience across organizations deemed vital to the EU’s economy and society. NIS2 is an EU directive, transposed into national law by each member state with some local variation, that applies to a broad range of critical-infrastructure sectors, while DORA is an EU-wide regulation specific to financial services.
The two laws complement one another but have different intentions. NIS2 seeks to bolster the EU’s overall cybersecurity, while DORA targets digital resilience across the EU’s financial infrastructure.
As a US-based entity, how might NIS2 and DORA compliance concern you? Read on to learn how these EU guidelines could impact your operations and considerations for responding to them.
Key takeaways
- NIS2 and DORA are complementary EU regulations. NIS2 has a broad focus on overall critical infrastructure cybersecurity, while DORA covers digital resilience in the financial sector.
- For businesses subject to both NIS2 and DORA, DORA takes precedence where the two overlap, as the sector-specific rule for financial entities.
- US firms subject to NIS2 could include CSPs, SaaS providers, and other vendors serving “important” or “essential” EU markets, as well as US-based organizations with operations in the EU.
- US firms subject to DORA could include US-based financial entities with EU operations, as well as US-based digital service providers with EU customers.
- Both NIS2 and DORA provide for significant financial and operational sanctions and make senior management accountable for compliance; NIS2 in particular allows management bodies to be held personally liable for infringements of the risk-management obligations.
- Compliance with trusted, holistic cybersecurity frameworks like ISO 27001, SOC 2, and HITRUST can go a long way towards NIS2/DORA compliance. But even orgs with robust security postures will likely face gaps in specific areas.
- As a vector for increased cybersecurity awareness and scrutiny worldwide, alignment or compliance with NIS2 and/or DORA will likely become important for more and more US organizations going forward.
What is NIS2?
The Network and Information Security 2 (NIS2) directive (Directive (EU) 2022/2555) sets requirements that each EU member state enacts through its own national law. Germany, for example, is implementing it through the NIS2 Implementation Act (NIS2UmsuCG; the Referentenentwurf is the ministry’s draft bill). NIS2 replaces the original NIS directive, which was adopted in 2016.
Member states were required to transpose NIS2 into national law by October 17, 2024, but several missed that deadline, so the date from which obligations apply varies by country. Obligations bind a covered company once the relevant national law is in force; some national implementations phase in specific requirements over a transition period, so check the law of each member state in which you operate.
NIS2’s objective is to improve the EU’s overall cybersecurity posture by specifying minimum capabilities for organizations in critical sectors. The directive lists covered sectors in two annexes and classifies each covered organization as an “essential” or “important” entity based on both its sector and its size: in general, large entities in Annex I sectors are essential, while medium-sized entities and entities in Annex II sectors are important, with exceptions such as certain digital infrastructure providers that are essential regardless of size.
- Annex I “sectors of high criticality” include energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure (DNS, cloud, data centre, CDN and similar providers), B2B ICT service management (MSPs and MSSPs), public administration, and space.
- Annex II “other critical sectors” include postal and courier services, waste management, chemicals, food production and distribution, manufacturing (for example medical devices, electronics, machinery, and vehicles), digital providers (online marketplaces, search engines, social networks), and research organizations.
NIS2 includes requirements for risk assessment, incident response and reporting, vendor/supply chain risk management, vulnerability management, and use of essential controls like encryption and multi-factor authentication, among other areas.
What is DORA?
The Digital Operational Resilience Act (DORA; Regulation (EU) 2022/2554) is an EU regulation for the financial sector, covering banks, insurers, investment firms, payment and crypto-asset firms, and the ICT third-party service providers that serve them. Like the General Data Protection Regulation (GDPR), DORA applies directly and uniformly in every EU member state without national transposition, and for financial entities it is the sector-specific rule that takes precedence over national NIS2 laws where the two intersect.
DORA entered into force on January 16, 2023, and has applied since January 17, 2025. Its goal is to ensure that financial entities can survive and recover from cyberattacks and other severe operational disruptions so that critical financial services remain available and trustworthy.
Similar to NIS2, DORA emphasizes vendor risk management, incident response/reporting, and resilience testing (e.g., penetration testing). For financial organizations subject to both NIS2 and DORA, DORA’s requirements take precedence. For example, if a financial firm suffers a data breach, they should report it in accordance with DORA’s incident reporting requirements.
DORA’s Article 2(1) lists 21 types of covered entity:
- ICT third-party service providers
- Insurance and reinsurance firms
- Insurance and reinsurance intermediaries
- Investment firms
- Managers of alternative investment funds
- Management companies
- Institutions for occupational retirement provision
- Credit institutions
- Credit rating agencies
- Data reporting service providers
- Administrators of critical benchmarks
- Trading venues
- Trade repositories
- Central securities depositories
- Central counterparties
- Securitization repositories
- Payment institutions
- Electronic money institutions
- Account information service providers
- Crypto-asset services providers
- Crowdfunding service providers
How do NIS2 and DORA compare?
NIS2 and DORA share many commonalities but differ most significantly in these areas:
- They have different objectives. DORA focuses on ensuring the availability and integrity of financial infrastructure, while NIS2 focuses on elevating the EU’s overall cybersecurity posture.
- They target different sectors. DORA is specific to financial services while NIS2 applies to “Essential Entities” and “Important Entities,” including many financial services businesses.
- Within the financial sector, DORA takes precedence over NIS2 where they overlap. Otherwise, NIS2 requirements still apply.
- NIS2 is a directive, so each member state has enacted its own law to uphold the directive. Therefore, covered US firms may face country-level compliance concerns like additional requirements and different procedural particulars.
- DORA is a regulation like GDPR. It has been applicable identically across all EU nations since January 17, 2025.
The table below compares NIS2 and DORA in summary form across key parameters.
| | NIS2 | DORA |
|---|---|---|
| Primary Goal | Improve overall EU cybersecurity and risk management in critical sectors. | Strengthen operational resilience in the EU financial sector. |
| Scope | Broad: Covers critical and important entities across many sectors. | Narrow: Focused on financial entities and their ICT third parties. |
| Applies To | Energy, health, transport, water, digital infrastructure, SaaS, etc. | Banks, insurers, investment firms, crypto-asset providers, etc. |
| Third-Party Oversight | Emphasizes supply chain security and vendor risk management. | Imposes strict rules on ICT third-party risk and critical providers. |
| Security Requirements | General cybersecurity controls, incident response, governance. | Detailed resilience testing, incident response, and risk assessments. |
| Regulatory Approach | Directive: Member states must transpose into national laws. | Regulation: Directly applicable across the EU. |
| Non-compliance sanctions | Essential entities: up to €10 million or 2% of total worldwide annual turnover, whichever is higher; important entities: up to €7 million or 1.4%. | Administrative penalties set by each member state’s competent authority; critical ICT third-party providers face periodic penalty payments of up to 1% of average daily worldwide turnover. |
| Incident Reporting | Significant incidents: early warning within 24 hours, incident notification within 72 hours, final report within one month. | Major ICT-related incidents: initial notification, intermediate report, and final report on fixed timelines (initial within 4 hours of classifying the incident as major and no later than 24 hours after becoming aware of it); significant cyber threats may be reported voluntarily. |
| Implementation Deadline | October 17, 2024 for transposition into national law (several member states transposed later). | Applies from January 17, 2025 across the EU. |
What US entities may be subject to NIS2 and/or DORA?
NIS2 and DORA are EU legislation, so a US business is not automatically subject to either. A US company may nonetheless need to comply, or align its program, if it has covered operations, customers, or partners within the EU.
How might US firms be impacted by NIS2 and/or DORA? Here are some key considerations:
- US financial entities with EU-authorized subsidiaries or branches fall under DORA directly. US ICT providers serving EU financial entities (for example, SaaS providers supporting banks or investment firms) are reached mainly through the contractual terms DORA requires financial entities to flow down to their ICT providers, and directly if the ESAs designate the provider as a critical ICT third-party provider.
- NIS2 applies to US-based organizations in covered sectors that have EU establishments, and to certain digital providers (such as cloud, data centre, DNS, managed service, and online marketplace providers) that are not established in the EU but offer services there; NIS2 Article 26 requires such providers to designate a representative in a member state. US vendors serving essential or important entities will also encounter NIS2 through their customers’ supply chain security requirements.
- Cloud service providers (CSPs) with EU customers in financial services may face both regimes, since each emphasizes vendor risk management. At a minimum, many US firms serving EU clients will need to show that their cybersecurity programs align with NIS2 and/or DORA requirements to satisfy those clients’ compliance obligations.
- Growing global scrutiny around cybersecurity and digital resilience will increasingly influence stakeholder expectations, effectively calling for NIS2/DORA alignment if not outright compliance for a wide range of US-based organizations.
How are NIS2 and DORA enforced on US companies?
DORA is enforced by each member state’s financial supervisory authorities (the competent authorities for banks, insurers, investment firms, and so on), with the European Supervisory Authorities (ESAs) acting as Lead Overseer for designated critical ICT third-party providers. NIS2 is enforced by the national cybersecurity authorities of each member state. Either law can expose a covered US organization to significant noncompliance sanctions, including fines.
NIS2 sets the following maximum fines, which each member state must empower its authorities to impose:
- Essential entities: up to €10 million or 2% of total worldwide annual turnover in the preceding financial year, whichever is higher.
- Important entities: up to €7 million or 1.4% of total worldwide annual turnover in the preceding financial year, whichever is higher.
DORA itself sets a specific monetary sanction only for ICT third-party providers designated as critical: the Lead Overseer may impose periodic penalty payments of up to 1% of the provider’s average daily worldwide turnover in the preceding business year, charged daily for up to six months until the provider demonstrates compliance. For financial entities, DORA requires each member state to establish administrative penalties and remedial measures under national law, so the amounts vary by country.
In addition, both laws make senior leadership accountable. NIS2 requires management bodies to approve and oversee the cybersecurity risk-management measures, allows them to be held liable for infringements, and lets authorities temporarily bar individuals from management roles at essential entities. DORA places responsibility for managing ICT risk on the management body of each financial entity, and the administrative penalties adopted under national law can be applied to members of the management body and other responsible individuals. In neither law does personal liability attach to a data breach as such; it attaches to failures in the required governance and risk-management obligations, including those arising from deliberate misconduct or gross negligence.
How do NIS2 and DORA compare with voluntary cyber frameworks like ISO 27001, SOC 2, or HITRUST?
Achieving “provable security and compliance” through an ISO 27001 certification, a HITRUST i1 or r2 certification, or a strong SOC 2 report positions a business well for NIS2 and/or DORA compliance. There is significant overlap across these holistic requirement sets, reflecting recognized best practices in core areas like access control, configuration management, cybersecurity governance, risk assessment, and user training.
However, NIS2 and DORA both include highly specific requirements in areas like incident reporting, operational resilience, and vendor risk management that most businesses will need to explicitly address through gap assessment and remediation.
US entities that are concerned about NIS2 and/or DORA compliance may benefit from a third-party compliance assessment to bolster client trust and stakeholder confidence.
How should US businesses prepare for NIS2 and/or DORA?
As with other new regulations, businesses concerned about NIS2 and/or DORA compliance need to take basic steps like:
- Accurately assessing their current cybersecurity posture and cyber risks
- Identifying compliance gaps and vulnerabilities and prioritizing remediation steps
- Developing a roadmap for remediating gaps and making changes
- Ensuring the incident response process can meet the new reporting obligations (for NIS2, an early warning within 24 hours of becoming aware of a significant incident; for DORA, the initial notification timeline for major ICT-related incidents)
- Informing and gaining buy-in from senior leaders
- Creating or enhancing a comprehensive governance framework to ensure ongoing compliance
- Training employees
Challenges may include:
- Interpreting and applying these new requirements within your unique situation
- Integrating new controls into your current cybersecurity program/model (e.g., ISO 27001 certification)
- Allocating the necessary resources to attain compliance
- In the case of NIS2, dealing with variations from the directive within national laws
Financial services companies subject to both DORA and NIS2 should consider them independently for compliance purposes, while developing a unified strategy to optimize control coverage for their overlapping areas.
What’s next?
To speak with a cybersecurity compliance expert about your organization’s response to NIS2 and DORA requirements, including assessing your current compliance scenario, contact CBIZ Pivot Point Security.

