August 11, 2025

NIS2 Directive vs. DORA: Understanding Overlaps and Compliance

Introduction

The European Union has introduced two key legislative instruments to strengthen cybersecurity across different sectors: the NIS2 Directive and the Digital Operational Resilience Act (DORA). While both aim to raise resilience against digital threats, they apply in distinct ways, target different entities and establish varied compliance requirements. This article outlines their scope, identifies reasons for DORA’s addition to the regulatory framework, clarifies scenarios where both apply, and presents practical steps for compliance and enforcement.

Scope and Applicability

NIS2 Directive

  • Applies to a wide range of critical and important sectors, including energy, public administration, manufacturing, digital services and the financial system.
  • Member states must transpose the Directive into national law; entities receive a notification of categorization (“essential” or “important”) and then have one year to meet requirements.

DORA

  • Functions as an EU regulation specifically for financial-sector organizations (e.g., banks, stock exchanges, insurance companies, crypto exchanges, payment institutions, pension funds).
  • Directly binding across member states from 17 January 2025 without further national adoption.
  • Extends to ICT service providers designated as “critical” by EU authorities (ECB, ESMA or EIOPA) based on systemic importance to financial stability.

Why Introduce DORA alongside NIS2?

The EU identified several reasons for adding DORA to the existing NIS2 framework:

  1. Broader Financial Coverage
       DORA incorporates additional financial entities not explicitly named under NIS2 (e.g., insurance firms, electronic money institutions, pension funds).
  2. Clear Entity Definition
       Unlike NIS2, where entities await a notification, DORA sets out by name which organizations must comply, eliminating uncertainty.
  3. Supervision of ICT Providers
       Establishes oversight for third-party ICT service suppliers deemed “critical.” EU authorities assess their risk management, adopt supervision plans and may impose fines up to 1% of average daily worldwide turnover per day of non-compliance (maximum six months).
  4. Uniform Application
       As a regulation, DORA ensures consistent implementation across member states, whereas directives like NIS2 allow for national discretion in transposition.
  5. Stricter Contractual Requirements
       Mandates specific clauses in agreements between financial entities and ICT providers, reflecting more rigorous obligations than those under NIS2.

Interplay Between NIS2 and DORA

When an organization falls under both frameworks (for example, a bank):

  • DORA governs areas where it imposes stricter or more detailed requirements.
  • NIS2 applies to aspects not covered by DORA or where its requirements remain more stringent.

Steps Toward Compliance

For NIS2 Directive

  • Await official notification of categorization as “essential” or “important.”
  • Align core cybersecurity measures with the implementing national regulations once published.
  • Consider leveraging ISO 27001, which covers many NIS2 controls, to accelerate adoption.

For DORA

  • Begin mapping current processes, reviewing documentation and conducting a gap analysis well before the 17 January 2025 deadline.
  • Monitor draft Regulatory and Implementing Technical Standards (RTS/ITS) and relevant guidelines issued by EU bodies.
  • Prioritize DORA’s requirements and related technical standards, especially if also subject to NIS2.
Enforcement and Sanctions

NIS2 Directive Enforcement

  • National competent authorities (e.g., cybersecurity agencies, sector regulators) may inspect documentation, interview responsible staff and impose corrective orders or activity suspensions.
  • Financial penalties reach up to EUR 10 million or 2% of annual global turnover for essential entities (EUR 7 million or 1.7% for important entities), depending on which is greater.

DORA Enforcement

  • National financial regulators carry out supervision, investigations and sanctions under DORA.
  • Specific procedures and penalty amounts are to be defined in each member state’s implementing acts.
  • For designated “critical” ICT providers, fines may total up to 1% of average daily worldwide turnover per day, capped at six months.

Conclusion

Both the NIS2 Directive and DORA represent vital components of the EU’s cybersecurity and operational resilience architecture. Entities in scope must carefully assess obligations under each framework, prioritizing DORA where it is more prescriptive and ensuring all gaps are addressed through structured gap analyses, process updates and contract reviews. ADVsec advisers recommend early preparation and alignment with ISO 27001 and forthcoming technical standards to meet deadlines and avoid enforcement actions.