Financial sector
DORA vs NIS2: Practical Guide for Banks, Insurers and Fintechs (2026)



Alexandre Durand

Editorial Director — Cybersecurity Expert

Monday morning, 9 a.m. The CISO of a European bank receives two letters. The first, from the national financial regulator, reminds her that DORA (Regulation (EU) 2022/2554) has applied in full since 17 January 2025. The second, from the cybersecurity authority, notes that NIS2 transposition now covers her activities. A simple question with a complex answer: do both texts apply, or does one prevail?

This confusion is widespread. According to joint guidance from ENISA and the three European Supervisory Authorities (EBA, EIOPA, ESMA), the answer hinges on a precise legal principle: *lex specialis*. Here is how to navigate both regimes concretely for a bank, insurer or fintech operating in Europe.

DORA and NIS2: two texts, two philosophies

DORA (Digital Operational Resilience Act, Regulation (EU) 2022/2554) is an EU regulation, directly applicable in every Member State without national transposition. Adopted in December 2022, in force since 16 January 2023 and applicable since 17 January 2025, it specifically targets the financial sector: banks, insurers, asset managers, payment service providers, crypto-asset service providers, central counterparties and, in total, 21 categories of financial entities listed in Article 2(1).

NIS2 (Directive (EU) 2022/2555) is a directive: it must be transposed by each Member State. Its scope covers 18 sectors (11 "highly critical" sectors in Annex I, 7 "other critical" sectors in Annex II), including banking and financial market infrastructure. Transposition was due by 17 October 2024; as of May 2026, several countries are still behind.

The angle of attack differs: DORA addresses end-to-end digital operational resilience (ICT risk management, testing, incidents, third-party providers, information sharing). NIS2 sets a general cybersecurity framework applicable to all critical sectors.

Real-time operational risk monitoring dashboard

Lex specialis: DORA prevails over NIS2 for financial entities

The legal basis is explicit. Article 1(2) of DORA states that, for financial entities, DORA is a sector-specific Union legal act for the purposes of Article 4 of NIS2, and Recital 28 of NIS2 says the same. Article 4 of NIS2 then provides that where a sector-specific act imposes cybersecurity risk-management measures or incident-notification obligations at least equivalent in effect, those provisions apply instead of the NIS2 ones. For financial entities within DORA's scope, DORA's obligations on ICT risk management, incident reporting and third-party oversight therefore apply, not those of NIS2.

In practice, a bank covered by DORA does not need to duplicate its processes to comply with NIS2 on these topics. The financial regulator is the competent authority on these matters; the cybersecurity authority steps back.

But beware: NIS2 remains relevant for ancillary activities not covered by DORA. An insurer that runs a shared data centre serving non-financial entities, or a bank that publishes commercial software for third parties, retains NIS2 obligations on those specific perimeters, provided the activity itself falls within a NIS2 sector (for example ICT service management or digital infrastructure) and the entity meets the relevant size thresholds.

The 6 key differences to know

1. Entities covered

DORA explicitly targets 21 categories of financial entities, from credit institutions to alternative investment fund managers, central counterparties and critical benchmark administrators. There is no general size threshold: microenterprises are not excluded as such, but benefit from proportionality (for instance a simplified ICT risk-management framework under Article 16 for certain small entities), and Article 2(3) carves out only a short list of cases such as microenterprise insurance intermediaries and very small occupational pension institutions.

NIS2 covers 18 sectors with size thresholds (50 employees, €10M turnover). "Essential" entities are large organisations in highly critical sectors; "important" entities cover the rest.

2. Incident reporting: 4 hours vs 24 hours

This is the most striking operational difference.

Under DORA (Article 19 and the RTS on incident reporting adopted under Article 20), a major ICT-related incident must be notified to the competent authority within 4 hours of its classification as major, and in any case no later than 24 hours after the entity becomes aware of it. The intermediate report is due within 72 hours of submitting the initial notification, and the final report within one month of submitting the intermediate report.

Under NIS2 (Article 23 of Directive (EU) 2022/2555), the early warning is due within 24 hours of becoming aware of a significant incident, the incident notification within 72 hours of becoming aware, and the final report within one month of submitting the incident notification.

DORA is therefore significantly stricter on the initial deadline: a SOC that classifies an incident as major within the first hours must notify in 4 hours, and even a slow classification cannot push the first notification past 24 hours from awareness. For operational details on the NIS2 circuit, see our [72-hour incident notification practical guide](/en/blog/nis2-incident-notification-72h-practical-guide).

3. Third-party ICT oversight

DORA introduces a regime with no equivalent: a mandatory register of information on all contractual arrangements with ICT third-party providers (Article 28(3)), which competent authorities can request at any time. "Critical" ICT third-party providers, typically cloud hyperscalers and major outsourcers, are designated by the ESAs and overseen directly at European level through the Oversight Framework (Articles 31 to 44), with one of EBA, EIOPA or ESMA acting as Lead Overseer for each provider.

NIS2 (Article 21(2)(d)) imposes supplier risk assessment and contractual clauses, but without a centralised register or direct European supervision. For NIS2 contractual best practices, see our [supply chain article](/en/blog/nis2-supply-chain-supplier-requirements).

4. TLPT penetration testing

DORA (Article 26) requires TLPT (Threat-Led Penetration Testing) at least every 3 years for financial entities identified by their competent authority on the basis of systemic importance and ICT risk profile, primarily large banks and market infrastructures. These tests are aligned with the ECB's TIBER-EU framework: they simulate real adversary tactics against live production systems, with a red team working from threat intelligence rather than from a predefined scope.

NIS2 mentions security testing only indirectly, through the Article 21 requirement to assess the effectiveness of risk-management measures, without prescribing depth or frequency.

Audit committee meeting reviewing the operational resilience framework

5. Information sharing (threat intelligence)

DORA formally encourages cyber-threat information sharing between financial entities (Article 45) through sectoral arrangements like FS-ISAC or national financial CERTs. NIS2 also provides for voluntary sharing arrangements (Article 29) but without a dedicated financial-sector framework.

6. Sanctions

DORA does not harmonise sanctions at EU level: Article 50 leaves it to each Member State to define administrative penalties and remedial measures. Depending on the national regime, financial regulators can impose fines that in some jurisdictions reach 10% of annual turnover for serious breaches.

NIS2 (Article 34) caps fines at €10 million or 2% of worldwide turnover for essential entities, €7 million or 1.4% for important entities. For details on sanctions and personal director liability, see our [NIS2 sanctions analysis](/en/blog/nis2-sanctions-director-liability).

How to operate both regimes in practice

For a bank or insurer within DORA's scope, the pragmatic approach is to build a unified compliance programme, with DORA as the main backbone and NIS2 handled as an exception on residual perimeters.

*Step 1 — Map activities.* Core financial activities (lending, asset management, payments, trading) fall under DORA. Ancillary activities (commercial software publishing, cloud services to non-financial third parties, internal telecoms infrastructure) may remain under NIS2.

*Step 2 — Align deadlines on the strictest.* If DORA requires 4 hours and NIS2 requires 24 hours, your response capability must operate at 4 hours. The final reports nearly coincide (one month under both texts), but the clocks start at different points: from the intermediate report under DORA, from the 72-hour notification under NIS2. A single incident playbook should therefore compute both sets of deadlines from the moment of awareness and track the earliest of each pair.

*Step 3 — A single third-party register.* Create an ICT third-party register that meets DORA requirements (Article 28) — that level of detail comfortably covers what NIS2 demands.

*Step 4 — Shared governance.* Board responsibilities are nearly identical in both texts. See our [Article 20 NIS2 analysis](/en/blog/nis2-article-20-board-responsibilities-directors); under DORA, Article 5 makes the management body directly responsible for defining, approving and overseeing the ICT risk-management framework, and requires its members to maintain sufficient ICT-risk knowledge.

*Step 5 — Testing and resilience.* Set up a testing programme that satisfies DORA's TLPT (the strictest) — it will mechanically cover NIS2 requirements.

2026 calendar and non-compliance risks

DORA has been applicable since 17 January 2025. There is no longer a transitional period. European authorities started their first inspections in Q1 2025, and major incident reports must be filed within the statutory deadlines from the first day.

For NIS2, several Member States remain behind on transposition. The European Commission opened infringement proceedings against 23 Member States in late 2024 and escalated them during 2025; regulatory pressure is increasing.

The most underestimated risk for the financial sector is not the fine itself. It is the incident reported late, becoming an additional signal to the supervisor, or the third-party failure that exposes the absence of a continuity plan. The first DORA sanctions cases, expected by late 2026, will likely turn on these aspects.

To start an internal audit, our [free NIS2 checklist](/en/checklist) covers the fundamentals. For DORA-specific obligations — third-party register, TLPT, incident taxonomy — refer to the joint guidance from ENISA + EBA + EIOPA + ESMA.


*This article is for informational purposes only and does not constitute legal advice. For situation-specific advice, consult a lawyer specialised in European financial regulation.*
