Two frameworks — one sector
The financial sector is in a unique position: it is covered by DORA (Digital Operational Resilience Act), an EU regulation specific to financial services. At the same time, NIS2 addresses critical infrastructure more broadly.
How do these connect? And what must financial organisations do?
Short version: Financial entities are primarily covered by DORA, not NIS2. But ICT suppliers to the financial sector may be covered by both.
DORA in brief
What is DORA? Digital Operational Resilience Act — EU regulation for digital resilience in the financial sector. Applies from 17 January 2025.
Who is covered?
- Banks and credit institutions
- Payment institutions
- Insurance and reinsurance companies
- Securities firms
- Investment firms
- Critical ICT third-party suppliers
Five pillars:
- ICT risk management
- Incident reporting
- Digital resilience testing
- ICT third-party risk
- Information sharing
DORA vs NIS2 — Comparison
| Aspect | DORA | NIS2 |
|---|---|---|
| Type | Regulation (directly applicable) | Directive (requires national law) |
| Sector | Financial sector | 18 critical sectors |
| Focus | Digital operational resilience | Cybersecurity broadly |
| Incident reporting | 4 h / 24 h / 72 h / 1 month | 24 h / 72 h / 1 month |
| Testing | Explicit, including TLPT | Implicit |
| Third-party risk | Very detailed | Requirements exist |
| Sanctions | Via financial supervision | Up to €10M or 2% |
NIS2 Article 4 — The exemption
NIS2 exempts financial entities from the directive:
“This Regulation shall be without prejudice to the application of [DORA] to financial entities covered by that Regulation.”
In practice:
- Banks, insurance companies etc. follow DORA
- NIS2 does not apply in parallel to the same entity
- ICT suppliers to finance may be covered by NIS2 (and DORA’s third-party requirements)
Overlapping requirements
Both require systematic ICT/cybersecurity risk management. DORA is more detailed, with explicit requirements for risk appetite and a risk management framework.
Both require incident reporting. DORA: initial notification within 4 hours. NIS2: within 24 hours. DORA also has more specific criteria for classifying incidents.
Both require business continuity plans. DORA adds explicit requirements for recovery time objectives and for testing the plans.
Both address supplier risk. DORA is significantly more detailed, with requirements for concentration risk and exit strategies.
Where DORA goes further
Testing
DORA’s testing requirements:
- Basic tests: Vulnerability assessments, network security, gap analyses, physical security, source code reviews
- Advanced tests (TLPT): Threat-Led Penetration Testing for critical functions, every three years for larger financial institutions
- Third-party tests: ICT suppliers must be included in test programmes
NIS2 has no equivalent explicit testing requirements.
ICT third-party risk
| DORA requirement | Description |
|---|---|
| Concentration risk | Avoid excessive dependence on a single supplier |
| Exit strategy | Plan for changing critical suppliers |
| Supervision of critical suppliers | Critical ICT suppliers are under EU supervision |
| Contract content | Specific requirements for what contracts must contain |
| Register | Updated register of all ICT suppliers |
Incident reporting
| Step | DORA | NIS2 |
|---|---|---|
| Initial | 4 hours | 24 hours |
| Interim report | 72 hours | 72 hours |
| Final report | 1 month | 1 month |
| To whom | Financial supervisory authority | CSIRT/sectoral authority |
Strategic approach
- Clarify which frameworks apply: financial entity? DORA primarily. ICT supplier to finance? Potentially both. Other critical sector? NIS2.
- Build on ISO 27001: ISO 27001 provides a structure that supports both DORA and NIS2. Add the framework-specific requirements on top.
- Strengthen testing (DORA): DORA requires more rigorous testing. Plan for regular tests, and for TLPT if applicable.
- Develop third-party management: DORA's requirements are detailed. Create a robust process for supplier assessment, contract management and exit planning.
- Integrate reporting: one incident process covering both frameworks' time requirements. Start from the shortest deadline (DORA, 4 hours).
Practical tips
For financial institutions
- Focus on DORA — it’s your primary framework
- Include NIS2 requirements in supplier contracts (your suppliers may be covered)
- Collaborate with ICT suppliers on joint compliance
For ICT suppliers to finance
- You may be covered by both DORA (third-party requirements) and NIS2
- Prepare for DORA’s contractual and audit requirements
- Critical suppliers are under EU supervision
ICT supplier? Check if you are covered by NIS2 and read more about NIS2’s specific requirements.
How Securapilot can help
Securapilot supports compliance for both DORA and NIS2:
- Risk management — ICT risk management according to both frameworks
- Incident management — Reporting meeting shortest time requirements
- Supplier management — DORA’s requirements for ICT third-party risk
- Test tracking — Document tests and results
- Compliance dashboard — Overview of status
Book a demo and see how we can support your financial sector compliance.
Frequently asked questions
Do both DORA and NIS2 apply to banks?
No. NIS2 exempts financial entities covered by DORA (Article 4). Banks, insurance companies and other financial institutions primarily follow DORA. However, NIS2 may apply to ICT suppliers to the financial sector.
What is the difference between DORA and NIS2?
DORA is sector-specific for finance and more detailed, with explicit requirements for testing and third-party management. NIS2 is broader and applies to many sectors. DORA has higher requirements in certain areas.
What sanctions apply for DORA violations?
Financial supervisory authorities can impose sanctions according to national implementation. Critical ICT third-party suppliers may face fines up to 1% of average daily global turnover.
Can ISO 27001 be used as a basis for both?
Yes, ISO 27001 provides a good foundation covering large parts of both DORA and NIS2. Both require specific additions though — DORA is more detailed on testing and third-party management.