NIS 2 Directive Compliance in the Age of DORA

Navigate the EU's NIS 2 Directive & DORA for the financial sector. This guide details NIS2 compliance, DORA's ICT risk rules, TPRM, incident reporting & testing. Understand their interplay, enforcement, challenges & strategies for robust digital operational resilience and cybersecurity.

The Evolving Cyber Threat Landscape and the EU's Strategic Response


The European Union's financial sector faces an increasingly sophisticated and perilous digital environment. Cyber threats have surged in frequency, complexity, and potential impact, posing a substantial risk not only to individual financial institutions but also to the systemic stability of the highly interconnected financial system. Statistics highlight this escalating danger: global reported cyberattacks were approximately three times higher in 2021 than in 2015, with a further 45% increase noted between 2021 and 2022.


The financial sector consistently remains a prime target, accounting for nearly one-fifth of all reported cyber incidents over the past two decades and accumulating direct reported losses of almost $12 billion since 2004 ($2.5 billion since 2020). Analysis by the European Union Agency for Cybersecurity (ENISA) between January 2023 and June 2024 identified 488 publicly reported incidents affecting the European finance sector. Credit institutions (banks) were the most frequent targets, involved in 46% of these incidents. Notably, Distributed Denial-of-Service (DDoS) attacks, often linked to geopolitical events, heavily impacted banks (58% of DDoS incidents) and governmental financial services (21%), while data breaches and social engineering campaigns also persist as prominent threats.


Recognising the inadequacies of the previous fragmented regulatory landscape, particularly the original Network and Information Systems Directive (NIS 1 - Directive (EU) 2016/1148), the EU initiated a significant overhaul of its cybersecurity and operational resilience framework. NIS 1, though a foundational measure, was hampered by the wide discretion it granted Member States in implementation, leading to inconsistencies. Furthermore, its distinction between Operators of Essential Services (OES) and Digital Service Providers (DSP) proved insufficient for the evolving digital reality.


In response to these challenges and to bolster cybersecurity across the Union, the EU has introduced pivotal legislation. This includes the revised NIS 2 Directive (Directive (EU) 2022/2555) and the Digital Operational Resilience Act (DORA). These directives are central to the EU's broader Digital Finance Package, which aims to establish a harmonised, robust, and comprehensive regulatory environment capable of addressing modern digital threats.


The imperative for entities to achieve NIS2 Compliance is underscored by the transposition deadline of October 17, 2024, for Member States to incorporate the NIS 2 Directive into national law. This, along with DORA's application from January 2025, reflects a deliberate and urgent EU strategy. This coordinated timing signals a planned architectural shift, moving beyond traditional capital adequacy requirements to directly tackle operational vulnerabilities. This approach particularly acknowledges the systemic importance and heightened cyber risk exposure of the financial sector, emphasizing the critical need for robust NIS2 Compliance and overall cyber resilience.




Introducing the NIS 2 Directive (Directive (EU) 2022/2555)


The NIS 2 Directive, officially Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union, signifies a major enhancement and broadening of the EU's general cybersecurity framework. Its primary objective is to achieve a uniformly high level of cybersecurity throughout the Union. By replacing and strengthening the original NIS 1 Directive, the NIS 2 Directive aims to improve the resilience and incident response capabilities of both public and private entities, thereby enhancing the overall functioning of the internal market and laying the groundwork for comprehensive NIS2 Compliance.


The NIS 2 Directive is structured around three key pillars designed to achieve these goals:


  • Strengthening National Capabilities: This mandates Member States to adopt comprehensive national cybersecurity strategies, designate competent authorities with adequate resources, establish well-equipped Computer Security Incident Response Teams (CSIRTs), and identify the essential and important entities within their jurisdictions that must adhere to NIS2 Compliance requirements.
  • Enhancing Cross-Border Cooperation: Formal mechanisms are established to foster collaboration. These include the NIS Cooperation Group for strategic cooperation and information exchange, the CSIRTs Network for operational teamwork, and the European Cyber Crises Liaison Organisation Network (EU-CyCLONe) for the coordinated management of large-scale cybersecurity incidents.
  • Harmonising Security and Reporting Obligations: The NIS 2 Directive imposes stricter, more harmonised cybersecurity risk management measures and incident reporting obligations on a significantly wider range of entities across numerous critical sectors, forming the core of NIS2 Compliance duties.

The Critical Role of DORA (Regulation (EU) 2022/2554) for Financial Entities Alongside the NIS 2 Directive


While the NIS 2 Directive establishes a foundational cybersecurity baseline across many critical sectors, the European Union recognized the unique systemic importance, specific digital dependencies, and heightened risk profile of the financial sector. This recognition led to the development of the Digital Operational Resilience Act (DORA), officially Regulation (EU) 2022/2554, which works in concert with the NIS 2 Directive.


DORA's specific purpose is to create uniform requirements for the security of network and information systems that underpin the business processes of financial entities. It explicitly targets Information and Communication Technology (ICT) risks by introducing detailed rules for ICT risk management, comprehensive incident reporting, rigorous operational resilience testing, and the diligent management and oversight of ICT third-party risks. DORA addresses a crucial gap identified in previous financial regulations, which primarily focused on mitigating operational risks by allocating capital.


This traditional approach was deemed insufficient to cover all facets of operational resilience, particularly those concerning ICT. DORA acknowledges that ICT incidents can threaten the stability of the entire financial system, thus necessitating a dedicated and harmonised framework focused on the ability of financial entities to withstand, respond to, and recover from ICT disruptions, complementing the broader cybersecurity enhancements driven by the NIS 2 Directive.




Purpose and Structure of this Report: A Guide to NIS 2 Directive and DORA Compliance for Financial Institutions


This report provides a detailed, regulatory-focused analysis of the NIS 2 Directive's implications for financial institutions operating within the European Union, with a significant focus on achieving NIS2 Compliance. It places particular emphasis on clarifying the crucial interplay between the NIS 2 Directive and the DORA Regulation, outlining the specific obligations applicable to financial entities under this dual framework. The objective is to furnish financial services professionals, particularly those in compliance, risk management, legal, and IT security functions, with a definitive guide to navigating these complex regulations and establishing effective pathways for both NIS2 Compliance and DORA adherence.


The report is structured as follows to facilitate understanding and action:


  1. Section II: Foundational Overview of the NIS 2 Directive: Delves into its objectives, expanded scope, entity classification (essential and important entities), key definitions crucial for NIS2 Compliance, and current implementation status.
  2. Section III: Interplay Between NIS 2 Directive and DORA: Examines the critical relationship, explaining the lex specialis principle and delineating which obligations fall under which regulation for financial entities.
  3. Section IV: Deep Dive into DORA's Core Requirements: Offers a comprehensive look at the mandates by DORA, covering its five key pillars: ICT Risk Management and Governance, Incident Reporting, Resilience Testing, Third-Party Risk Management, and Information Sharing.
  4. Section V: Supervisory and Enforcement Landscape: Details the roles of various EU and national bodies (ESAs, Commission, ENISA, NCAs, CSIRTs) and the penalty regimes under both the NIS 2 Directive and DORA.
  5. Section VI: Financial Sector Compliance Status and Strategies: Analyzes the current state of readiness for the NIS 2 Directive and DORA within the financial sector, highlighting common challenges based on industry reports and surveys, and outlining recommended strategies for achieving and maintaining compliance.
  6. Section VII: Conclusion and Future Outlook: Summarizes the combined impact of the NIS 2 Directive and DORA, underscoring the strategic importance of proactive NIS2 Compliance and DORA adherence, and offering a perspective on the future of digital resilience regulation in the EU financial sector.

II. The NIS 2 Directive: A Foundational Overview


This section will delve into the core components of the NIS 2 Directive, outlining its objectives, the entities it covers, key definitions essential for understanding its requirements, and its current implementation status. Achieving NIS2 Compliance begins with a thorough understanding of these foundational elements.




A. Core Objectives and Scope of the NIS 2 Directive


Directive (EU) 2022/2555, the NIS 2 Directive, fundamentally aims to establish a high common level of cybersecurity across the European Union, thereby strengthening the functioning of the internal market. It formally repeals and significantly enhances its predecessor, the NIS 1 Directive, by addressing previously identified shortcomings and adapting to the continuously evolving cyber threat landscape. A primary goal is to ensure entities are prepared for and capable of managing cyber risks, a cornerstone of NIS2 Compliance.


A key transformation introduced by the NIS 2 Directive is its considerably expanded scope. The directive moves beyond the NIS 1 distinction between Operators of Essential Services (OES) and Digital Service Providers (DSP). Instead, it extends its reach to a broader array of sectors, now classified based on their criticality to the EU's economy and society. The NIS 2 Directive principally applies to medium-sized and large entities operating within these designated sectors.


The sectors covered under the NIS 2 Directive are detailed in two Annexes:


  • Annex I (Sectors of High Criticality): This includes:
    • Energy (electricity, oil, gas, hydrogen, district heating/cooling)
    • Transport (air, rail, water, road)
    • Banking
    • Financial market infrastructures (including credit institutions, trading venues, Central Counterparties - CCPs)
    • Health (healthcare providers, pharmaceutical and medical device manufacturers, EU reference laboratories)
    • Drinking water
    • Waste water
    • Digital infrastructure (Internet Exchange Points - IXPs, Domain Name System - DNS services, Top-Level Domain - TLD name registries, cloud computing service providers, data centre service providers, Content Delivery Networks - CDNs, public electronic communications networks and services)
    • ICT service management (business-to-business)
    • Public administration (central and regional government entities, excluding judiciary, parliaments, and central banks)
    • Space

  • Annex II (Other Critical Sectors): This encompasses:
    • Postal and courier services
    • Waste management
    • Manufacturing, production, and distribution of chemicals
    • Food production, processing, and distribution
    • Manufacturing (medical devices, computers and electronics, machinery and equipment, motor vehicles, other transport equipment)
    • Digital providers (online marketplaces, online search engines, social networking service platforms)
    • Research organizations

Furthermore, the NIS 2 Directive mandates an "all-hazards" approach to risk management. This requires in-scope entities to prepare for, respond to, and mitigate risks arising from a wide spectrum of threats, encompassing not only malicious cyberattacks but also physical disruptions and natural hazards, as part of their NIS2 Compliance efforts.




B. Essential vs. Important Entities under the NIS 2 Directive: Classification Criteria for NIS2 Compliance


The NIS 2 Directive introduces a refined classification system, categorizing in-scope entities as either "essential" or "important." This new framework replaces the former OES/DSP distinction from NIS 1 and is designed to ensure greater consistency in how entities are identified across Member States, which is crucial for coherent NIS2 Compliance. The classification primarily depends on the entity's sector (as listed in Annex I or II) and its size:


  • Essential Entities typically include:
    • Large entities (defined as having 250 or more employees, or an annual turnover exceeding €50 million and an annual balance sheet total exceeding €43 million) operating in the highly critical sectors listed in Annex I of the NIS 2 Directive.
    • Entities designated as critical under the Critical Entities Resilience Directive (CER - Directive (EU) 2022/2557), irrespective of their size.
    • Regardless of size: Qualified trust service providers, top-level domain (TLD) name registries, and DNS service providers (excluding operators of root name servers).
    • Specific public administration entities as designated by individual Member States.

  • Important Entities generally include:
    • Medium-sized entities (50-249 employees and an annual turnover of €10 million to €50 million, or an annual balance sheet total of €10 million to €43 million) operating in Annex I sectors.
    • Both medium-sized and large entities operating in the "other critical sectors" listed in Annex II of the NIS 2 Directive.
    • Any entities operating in sectors covered by Annex I or Annex II that do not meet the criteria to be classified as essential entities.

Member States were tasked with establishing and submitting to the European Commission and the NIS Cooperation Group a list of identified essential and important entities, along with entities providing domain name registration services, by April 17, 2025. With this deadline now passed, these lists are expected to be established and will require review and updates at least every two years thereafter to ensure ongoing accuracy for NIS2 Compliance oversight.


The transition from NIS 1's approach, where Member States had considerable discretion in identifying OES, to the NIS 2 Directive's more prescriptive criteria based on size and sector, aims to achieve greater harmonisation across the EU. However, this introduces complexities, particularly for entities operating across multiple borders or whose services might span various sector definitions. For financial institutions, the application of the lex specialis principle by the DORA Regulation adds another critical layer.


This means that while the NIS 2 Directive's 'essential' or 'important' classification provides a baseline, it becomes less determinant for their core cybersecurity and reporting duties (which primarily fall under DORA). Nevertheless, the NIS 2 classification may retain relevance for aspects like inclusion in national cybersecurity strategies or interactions with national CSIRTs.




C. Key Definitions under the NIS 2 Directive for Effective NIS2 Compliance


A clear understanding of key terminology is paramount for correctly interpreting the obligations set forth by the NIS 2 Directive and for achieving effective NIS2 Compliance. Article 6 of the Directive provides several pertinent definitions that shape its application:


  • Network and information system: Broadly defined to encompass (a) an electronic communications network within the meaning of Directive (EU) 2018/1972; (b) any device or group of interconnected or related devices, one or more of which, pursuant to a program, performs automatic processing of digital data; or (c) digital data stored, processed, retrieved or transmitted by elements covered under points (a) and (b) for the purposes of their operation, use, protection and maintenance.
  • Security of network and information systems: The ability of network and information systems to resist, at a given level of confidence, any action that compromises the availability, authenticity, integrity, or confidentiality of stored, transmitted, or processed data or the related services offered by, or accessible via, those network and information systems.
  • Cybersecurity: Defined by referencing Regulation (EU) 2019/881 (the Cybersecurity Act) as the activities necessary to protect network and information systems, the users of such systems, and other persons affected by cyber threats.
  • Incident: Any event compromising the availability, authenticity, integrity, or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems.
  • Significant Incident: An incident which causes, or is capable of causing, severe operational disruption of the services or financial loss for the entity concerned; or has affected, or is capable of affecting, other natural or legal persons by causing considerable material or non-material damage. This definition is critical as it triggers specific reporting obligations under the NIS 2 Directive.
  • Cyber Threat: As defined in Regulation (EU) 2019/881, means any potential circumstance, event or action that could damage, disrupt or otherwise adversely impact network and information systems, the users of such systems and other persons.
  • Significant Cyber Threat: A cyber threat which, based on its technical characteristics, can be assumed to have the potential to severely impact network and information systems, the users of such systems or other persons, by causing considerable material or non-material damage.
  • Essential Entity: An entity falling within the scope of Article 2(1) of the NIS 2 Directive that operates in a sector listed in Annex I and meets the specified size thresholds, or is explicitly named regardless of size (e.g., qualified trust service providers, TLD name registries, DNS service providers, certain public administration bodies), or is designated as critical under the CER Directive.
  • Important Entity: An entity operating in a sector listed in Annex I or Annex II of the NIS 2 Directive that does not qualify as an essential entity.

The NIS 2 Directive also specifically defines various types of digital infrastructure providers (e.g., cloud computing services, data centre services, CDNs) and ICT service management providers (e.g., managed service providers, managed security service providers) that fall squarely within its scope, underscoring the breadth of entities needing to consider NIS2 Compliance.




D. NIS 2 Directive: Transposition Status and Timeline for Compliance (as of May 2025)


The NIS 2 Directive officially entered into force on January 16, 2023. European Union Member States were mandated to adopt and publish the national measures necessary to transpose the NIS 2 Directive into their respective legal systems by October 17, 2024. Consequently, the rules stipulated by the Directive became applicable from October 18, 2024, the same date on which the original NIS 1 Directive was formally repealed.


To support the implementation of the NIS 2 Directive, on October 17, 2024, the European Commission adopted Implementing Regulation (EU) 2024/2690. This regulation lays down specific technical and methodological requirements for cybersecurity risk-management measures applicable to certain entities in the digital infrastructure sector, ICT service management (B2B), and digital provider sectors (specifically DNS service providers, TLD name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, and managed security service providers).


However, the transposition of the NIS 2 Directive into national law has encountered significant delays across many Member States. By the October 17, 2024 deadline, a substantial number of countries had not completed this process. In late 2024, the European Commission initiated infringement procedures against 23 Member States for their failure to fully transpose the NIS 2 Directive.


As of May 2025, while some Member States (such as Belgium, Croatia, Italy, and Lithuania) reportedly met or were close to the original deadline, many others, including major economies like Germany and the Netherlands, had projected their implementation timelines to extend well into 2025. The situation remains dynamic, with ongoing efforts in several countries to finalize their national legislation. This widespread delay in transposition continues to create a period of legal ambiguity and a fragmented compliance landscape for achieving full NIS2 Compliance.


Although the provisions of the NIS 2 Directive are technically applicable since October 18, 2024, the practical enforcement relies heavily on national laws and designated authorities. The principle of direct effect (which, under certain conditions, might allow some directive provisions to apply even without full national transposition if they are clear, precise, unconditional, and grant rights to individuals) is likely to have limited scope for the complex set of obligations outlined in the NIS 2 Directive.


Consequently, financial institutions and other multi-national entities face significant challenges. The specific national rules, the operational status of designated competent authorities, and the practical enforcement mechanisms may still not be fully established or harmonised in many jurisdictions. This situation poses practical hurdles for businesses striving to achieve and demonstrate consistent NIS2 Compliance across their EU operations until national transposition is uniformly completed and clarified. Entities are advised to closely monitor the transposition status in each Member State where they operate.


III. The Interplay Between the NIS 2 Directive and DORA in the Financial Sector: Navigating Compliance


Navigating the intricate regulatory landscape for cybersecurity and operational resilience necessitates that financial institutions clearly understand the precise relationship between the general framework established by the NIS 2 Directive and the sector-specific rules mandated by the Digital Operational Resilience Act (DORA). Achieving robust NIS2 Compliance and DORA adherence hinges on this clarity.


A. Financial Entities Under the NIS 2 Directive's Initial Scope


The NIS 2 Directive explicitly incorporates key segments of the financial sector within its scope, categorizing them under Annex I as "sectors of high criticality." Specifically, Article 2 of the NIS 2 Directive brings the following into its purview:


  • Banking: Defined as 'credit institutions' according to Article 4, point (1), of Regulation (EU) No 575/2013 (Capital Requirements Regulation - CRR).
  • Financial Market Infrastructures (FMIs): This category encompasses:
    • Operators of 'trading venues' as defined in Article 4, point (24), of Directive 2014/65/EU (Markets in Financial Instruments Directive II - MiFID II).
    • 'Central counterparties' (CCPs) as defined in Article 2, point (1), of Regulation (EU) No 648/2012 (European Market Infrastructure Regulation - EMIR).



B. DORA as Lex Specialis: Determining Applicable Rules for Financial Sector Compliance


A cornerstone principle of EU law, lex specialis derogat legi generali, dictates that a specific law (lex specialis) takes precedence over a general law (lex generalis) when both pertain to the same subject matter. In the context of digital operational resilience and core cybersecurity requirements for the EU financial sector, the Digital Operational Resilience Act (DORA - Regulation (EU) 2022/2554) is explicitly designated as the lex specialis relative to the NIS 2 Directive. This hierarchical relationship is affirmed in both the NIS 2 Directive itself (Recital 28, Article 4) and the DORA Regulation (Article 1(2)).


The critical consequence for financial entities covered by DORA is that DORA's specific and more detailed provisions concerning key operational resilience aspects replace the corresponding general obligations found within the NIS 2 Directive. Member States are explicitly instructed not to apply the NIS 2 Directive's provisions in these specific areas to DORA-covered entities, as DORA provides a more tailored compliance framework. The areas where DORA takes precedence over the NIS 2 Directive include:


  • ICT Risk Management (equivalent to the requirements in Article 21 of the NIS 2 Directive)
  • ICT-related Incident Management and Reporting (equivalent to the requirements in Article 23 of the NIS 2 Directive)
  • Digital Operational Resilience Testing
  • Information-Sharing Arrangements (within the specific scope defined by DORA)
  • ICT Third-Party Risk Management
  • Supervision and Enforcement activities pertaining to the above obligations.

The European Commission further elucidated this relationship in its Communication (2023/C 328/02), "Guidelines on the application of Article 4(1) and (2) of Directive (EU) 2022/2555 (NIS 2 Directive) concerning the relationship between that Directive and Regulation (EU) 2022/2554 (DORA Regulation) and between that Directive and other sector-specific Union legal acts," published in September 2023.


These guidelines confirm that sector-specific Union legal acts imposing cybersecurity risk management and incident reporting obligations that are "at least equivalent in effect" to those in the NIS 2 Directive take precedence. Crucially, the Commission concluded that, currently, DORA is the only sector-specific Union legal act considered to meet this equivalence standard for the specified cybersecurity risk management and incident reporting obligations. The guidance also helpfully notes that where NIS 2 Directive risk management and reporting obligations do not apply due to DORA's precedence, other linked obligations, such as certain registration requirements that might otherwise arise under the NIS 2 Directive, should also not apply to those financial entities for those specific aspects.


This lex specialis status signifies that financial institutions must prioritize a deep understanding and diligent implementation of DORA's detailed requirements for their core digital operational resilience and cybersecurity risk management frameworks. Attempting to achieve compliance by relying solely on the potentially less granular provisions of the NIS 2 Directive for these critical functions would constitute a significant regulatory misstep, as the sector-specific regulation (DORA) holds legal primacy. However, this does not entirely extricate financial institutions from the broader landscape shaped by the NIS 2 Directive, as certain interactions and residual obligations persist.




C. Remaining NIS 2 Directive Obligations and Interactions for Financial Entities


Despite DORA's precedence in core operational and compliance areas, financial entities remain embedded within the broader EU cybersecurity ecosystem significantly shaped by the NIS 2 Directive. Several provisions and mechanisms from the Directive continue to be relevant:


  • Inclusion in National Cybersecurity Strategies: Under the NIS 2 Directive, Member States are obligated to adopt national cybersecurity strategies covering their essential and important entities. Financial entities, being part of a highly critical sector, are expected to be considered within these national strategies, influencing national priorities, potential support measures, and the overall national approach to NIS2 Compliance objectives.
  • Interaction with National CSIRTs: The NIS 2 Directive mandates the establishment or designation of national Computer Security Incident Response Teams (CSIRTs) responsible for incident monitoring, issuing early warnings, facilitating incident response, and coordinating vulnerability disclosure. While DORA dictates that financial entities report major ICT-related incidents to their competent financial authorities, these entities may still receive valuable alerts, warnings, and potentially technical assistance from their national CSIRT. Furthermore, DORA (Article 20(4)) requires competent authorities under DORA to transmit details of major ICT-related incidents received from financial entities to the relevant single point of contact or CSIRT designated under the NIS 2 Directive.
  • Cooperation Mechanisms: Financial authorities operating under DORA (National Competent Authorities - NCAs and European Supervisory Authorities - ESAs) are expected to cooperate and exchange information with the bodies established under the NIS 2 Directive. DORA explicitly allows for the participation of DORA authorities in the NIS Cooperation Group and mandates information exchange with NIS 2 single points of contact, CSIRTs, and competent authorities. A formal Memorandum of Understanding (MoU) exists between the ESAs (EBA, ESMA, EIOPA) and ENISA (the EU Agency for Cybersecurity) to facilitate this cooperation, aiming for a harmonised implementation and understanding of the NIS 2 Directive and DORA provisions, particularly concerning incident reporting taxonomies and timelines.
  • EU-CyCLONe Participation: The European Cyber Crises Liaison Organisation Network (EU-CyCLONe), formally established by the NIS 2 Directive, supports the coordinated management of large-scale cybersecurity incidents and crises across the EU. Financial institutions, or the financial sector as a whole, could be involved in or affected by incidents requiring coordination through this network, making awareness of its functions under the NIS 2 Directive important.
  • General Cybersecurity Obligations & Broader Scope: While DORA provides comprehensive coverage for ICT risk and operational resilience, financial institutions might still need to consider the NIS 2 Directive's baseline security measures (Article 21) in areas not explicitly or exhaustively detailed by DORA, ensuring a comprehensive and holistic security posture. Some analyses suggest that general requirements of the NIS 2 Directive, particularly those related to fostering a culture of cybersecurity, supply chain security aspects beyond ICT third-party risk (if any prove distinct), and broader information sharing applicable to all critical infrastructure, may remain relevant alongside DORA's specific mandates.
  • Non-DORA Covered Group Entities: If a financial group includes entities operating in other sectors covered by the NIS 2 Directive (e.g., an energy trading subsidiary or a tech service company not qualifying as an ICT third-party service provider under DORA's scope) that are not themselves financial entities directly subject to DORA, those specific entities would be directly subject to the full scope of NIS 2 Directive requirements. Their path to NIS2 Compliance would be determined by their own classification as 'essential' or 'important' under the NIS 2 Directive.

Therefore, financial institutions must adopt a dual awareness for their compliance strategies. DORA dictates their primary and detailed path for digital operational resilience, ICT risk management, incident reporting, resilience testing, and ICT third-party risk management (TPRM). Simultaneously, the NIS 2 Directive defines the broader national and EU cybersecurity environment, influencing national strategies, support structures like CSIRTs, cross-sector cooperation frameworks, and large-scale incident management mechanisms like EU-CyCLONe, all of which remain pertinent to the financial sector's overall security ecosystem and resilience.


Table 1: High-Level Overview of NIS 2 Directive vs. DORA Applicability for Financial Entities


Obligation Area Primarily Governed By Notes on NIS 2 Directive Relevance for Financial Entities
ICT Risk Management DORA (Article 6-16) NIS 2 (Art. 21) provisions are superseded by DORA's more specific requirements.
ICT-Related Incident Management & Reporting DORA (Article 17-23) NIS 2 (Art. 23) provisions are superseded. However, DORA authorities report to NIS 2 CSIRTs/SPOCs.
Digital Operational Resilience Testing DORA (Article 24-27) DORA provides a detailed testing framework, including TLPT for significant entities.
ICT Third-Party Risk Management (TPRM) DORA (Article 28-44) DORA establishes a comprehensive framework, including oversight of Critical ICT Third-Party Providers. NIS 2 addresses supply chain security more generally for other sectors.
Information-Sharing Arrangements DORA (Article 45) DORA provides for voluntary exchange of cyber threat information among financial entities. NIS 2 (Art. 29) also provides for information-sharing arrangements, but DORA's are specific to the financial sector.
Supervision & Penalties (for above areas) DORA (Article 46-56) Financial supervisors (NCAs, ESAs) enforce DORA.
National Cybersecurity Strategies NIS 2 Directive (Article 7) Financial sector considered within these strategies; influences national priorities.
Role of National CSIRTs NIS 2 Directive (Article 10-12) Financial entities may receive alerts/support from CSIRTs; DORA authorities share incident information with them.
Cooperation Mechanisms (Cooperation Group etc.) NIS 2 Directive (Article 14-16) & DORA (Art. 47) DORA authorities participate in NIS Cooperation Group; MoU between ESAs and ENISA.
EU-CyCLONe (Large-scale incident mgt.) NIS 2 Directive (Article 16) Relevant for coordination during major cross-border incidents affecting the financial sector.
Governance & Organisational Requirements Primarily DORA (Article 5) DORA has specific rules for management body responsibility in financial entities. NIS 2 (Art. 20) has general governance rules for other sectors.
Identification & Registration (as essential/important) Primarily NIS 2 Directive (Article 3, 2(2)(e)-(g)) & Member State lists Less directly impactful for core DORA obligations due to lex specialis, but relevant for inclusion in national CSIRT lists and national strategies. Commission guidelines suggest some NIS 2 registration aspects may not apply if DORA covers the equivalent.

IV. DORA Deep Dive: Core Requirements for Financial Institutions


The Digital Operational Resilience Act (DORA) is the primary EU regulation for the digital operational resilience and core cybersecurity obligations of financial institutions. Achieving DORA compliance means adhering to the Regulation and its detailed Regulatory/Implementing Technical Standards (RTS/ITS) from the European Supervisory Authorities (ESAs). This section outlines DORA's five main pillars.


A. Pillar 1: ICT Risk Management and Governance (DORA Articles 5-16)

This pillar mandates robust governance and a comprehensive ICT risk management framework.


  • Management Body Responsibility (Art. 5): The institution's management body (e.g., Board) is ultimately responsible for ICT risk. This includes approving the digital operational resilience strategy, ICT risk tolerance, relevant policies (data security, business continuity, third-party risk), allocating budget (including for awareness and training), and ensuring they possess sufficient ICT risk knowledge through regular training.
  • ICT Risk Management Framework (Art. 6): Entities must establish, document, and regularly review a comprehensive ICT risk management framework integrated into overall risk management. This includes a digital operational resilience strategy detailing risk tolerance, security objectives, ICT architecture, and detection/prevention mechanisms. Simplified requirements apply to certain smaller entities (Art. 16).

  • Key Processes:
    • Identification (Art. 8): Continuously identify and document ICT-supported functions, information assets, ICT assets, and their interdependencies, conducting regular risk assessments.
    • Protection and Prevention (Art. 9): Implement policies and controls for data security, network management, access control (MFA), cryptography, change and patch management.
    • Detection (Art. 10): Establish mechanisms for prompt detection of anomalous activities and incidents.
    • Response and Recovery (Art. 11): Develop and test (at least annually) an ICT business continuity policy and response/recovery plans, including crisis management and communication. Conduct Business Impact Analyses (BIA).
    • Backup, Restoration, Recovery (Art. 12): Implement backup policies with physically/logically segregated systems, regular testing, and defined Recovery Time/Point Objectives (RTOs/RPOs).
    • Learning and Evolving (Art. 13): Gather threat intelligence, conduct post-incident reviews, and ensure continuous improvement. Mandatory ICT security awareness and resilience training for all staff and management.
    • Communication (Art. 14): Implement crisis communication plans for disclosing major incidents or vulnerabilities.



B. Pillar 2: ICT-Related Incident Management, Classification and Reporting (DORA Articles 17-23)

This pillar focuses on managing, classifying and reporting ICT-related incidents.


  • Incident Management Process (Art. 17): Establish a process to detect, manage, record, and notify ICT-related incidents, including root cause analysis and early warning indicators.
  • Classification Criteria (Art. 18): Classify incidents based on criteria like affected clients, duration, geographical spread, data losses, and economic impact. "Major" incidents are determined by thresholds in RTS (e.g., Commission Delegated Regulation (EU) 2024/1772).
  • Reporting Obligations (Art. 19): Report major ICT-related incidents to the competent authority using the standardised templates set out in the ITS (Commission Implementing Regulation (EU) 2025/302) via a multi-stage process:
    • Initial Notification: Within 4 hours of classifying the incident as major, and no later than 24 hours after the entity became aware of it.
    • Intermediate Report: Within 72 hours of the initial notification.
    • Final Report: Within one month of the intermediate report.
    Entities must also inform clients without undue delay where a major incident affects their financial interests. Competent authorities share the reports with the ESAs, the ECB and the NIS 2 Directive bodies (CSIRTs and single points of contact).
  • Centralisation and Feedback (Art. 21-22): ESAs have explored a single EU Hub for incident reporting. Authorities provide feedback to entities.
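The multi-stage deadlines above are easy to get wrong in practice because the initial notification has two clocks (4 hours from classification, capped at 24 hours from awareness) and the later clocks start from the moment the previous report was actually sent. The following Python is an added example, not code from the page or from any regulator: it computes the three deadlines from the page's own time limits, flags when the 24-hour awareness ceiling bites, and lists stages that are overdue at a given moment. It assumes the strictest reading (no weekend or bank-holiday relaxations, which the RTS may grant) and a simple "same day next month, clamped to month end" reading of "one month".

```python
"""Compute DORA Art. 19 major-incident reporting deadlines (added example).

Time limits used (from the page): initial notification within 4 hours of
classification as major and no later than 24 hours after awareness;
intermediate report within 72 hours of the initial notification; final
report within one month of the intermediate report.
Assumption: no weekend/bank-holiday relaxation is applied (strictest reading).
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable


def add_one_month(moment: datetime) -> datetime:
    """Same day next month, clamped to that month's last day (31 Jan -> 28/29 Feb).

    Assumed interpretation of "one month"; a supervisor may read it differently.
    """
    year = moment.year + moment.month // 12
    month = moment.month % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return moment.replace(year=year, month=month, day=min(moment.day, last_day))


@dataclass(frozen=True)
class ReportingSchedule:
    initial_due: datetime
    intermediate_due: datetime
    final_due: datetime
    capped_by_awareness: bool  # True when the 24h-from-awareness ceiling was the binding limit


def reporting_schedule(
    aware_at: datetime,
    classified_major_at: datetime,
    initial_sent_at: datetime | None = None,
    intermediate_sent_at: datetime | None = None,
) -> ReportingSchedule:
    """Derive the three deadlines; later clocks start from actual submission when known."""
    if classified_major_at < aware_at:
        raise ValueError("classification as major cannot precede awareness")
    from_classification = classified_major_at + timedelta(hours=4)
    from_awareness = aware_at + timedelta(hours=24)
    initial_due = min(from_classification, from_awareness)

    # Until a report is sent, plan against its deadline (worst case).
    initial_ref = initial_sent_at or initial_due
    intermediate_due = initial_ref + timedelta(hours=72)
    intermediate_ref = intermediate_sent_at or intermediate_due
    final_due = add_one_month(intermediate_ref)

    return ReportingSchedule(
        initial_due, intermediate_due, final_due, from_awareness < from_classification
    )


def overdue_stages(
    schedule: ReportingSchedule, now: datetime, sent: Iterable[str] = ()
) -> list[str]:
    """Names of stages whose deadline has passed without a submission being recorded."""
    deadlines = {
        "initial": schedule.initial_due,
        "intermediate": schedule.intermediate_due,
        "final": schedule.final_due,
    }
    done = set(sent)
    return [stage for stage, due in deadlines.items() if stage not in done and now > due]


if __name__ == "__main__":
    # Constructed scenario: SOC becomes aware at 09:00 UTC, classifies as major 22 hours later,
    # so the 24h awareness ceiling, not the 4h classification clock, sets the initial deadline.
    aware = datetime(2025, 1, 31, 9, 0, tzinfo=timezone.utc)
    classified = datetime(2025, 2, 1, 7, 0, tzinfo=timezone.utc)
    plan = reporting_schedule(aware, classified)
    print(f"initial due      : {plan.initial_due}  (capped by awareness: {plan.capped_by_awareness})")
    print(f"intermediate due : {plan.intermediate_due}")
    print(f"final due        : {plan.final_due}")
    print("overdue at 2025-02-02 00:00:", overdue_stages(plan, datetime(2025, 2, 2, tzinfo=timezone.utc)))
```

The `capped_by_awareness` flag is the one to alert on: a slow classification step silently eats the 4-hour window, so an incident classified more than 20 hours after awareness leaves less than 4 hours to file.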



C. Pillar 3: Digital Operational Resilience Testing (DORA Articles 24-27)

DORA mandates a rigorous testing program.


  • General Requirements (Art. 24 & 25): Implement an annual testing program (vulnerability scans, penetration tests, etc.) for critical ICT systems, conducted by independent testers, with identified weaknesses remediated.
  • Threat-Led Penetration Testing (TLPT) (Art. 26): Significant financial entities (identified by authorities) must conduct advanced TLPT at least every three years, covering critical functions and involving supporting ICT third-party providers. The TIBER-EU framework provides guidance. Pooled testing for TPPs is an option.



D. Pillar 4: ICT Third-Party Risk Management (TPRM) (DORA Articles 28-44)

This pillar addresses risks from reliance on external ICT providers, crucial for DORA compliance.


  • General Principles & Strategy (Art. 28): Entities retain full responsibility. Adopt a strategy on ICT third-party risk, including a policy for services supporting critical/important functions. Maintain a detailed Register of Information (RoI) of all ICT service contracts.
  • Pre-Contracting & Due Diligence (Art. 28): Assess criticality, risks, and provider suitability before contracting.
  • Contractual Arrangements (Art. 30): Mandate specific clauses in all ICT service contracts. For critical/important functions, additional stringent clauses are required, including full SLAs, provider cooperation in TLPT, unrestricted audit/access rights for the entity and authorities, and dedicated exit strategies. This often necessitates contract renegotiation.
  • Oversight Framework for Critical ICT Third-Party Providers (CTPPs) (Art. 31-44): Establishes an EU-level oversight framework where ESAs designate CTPPs. A Lead Overseer (EBA, ESMA, or EIOPA) for each CTPP directly monitors its risk management, with powers to request information, conduct investigations, issue recommendations, and impose penalties.



E. Pillar 5: Information Sharing Arrangements (DORA Article 45)

DORA encourages voluntary sharing of cyber threat information and intelligence among financial entities within trusted communities. This must protect confidentiality, personal data (GDPR), and adhere to competition law. Participating entities notify their competent authority.




Table 2: DORA Pillar Summary and Key Requirements


Pillar Key Focus Core Requirements for Financial Institutions
1. ICT Risk Mgt. & Governance (Art. 5-16) Foundational ICT risk control & management body oversight Management body responsible for strategy/policies/training; comprehensive, documented & audited ICT risk framework; processes for ID, protect, detect, respond, recover, learn.
2. ICT Incident Mgt. & Reporting (Art. 17-23) Handling and notifying authorities of ICT incidents Incident management process; classify incidents (major vs. others per RTS); multi-stage reporting of major incidents to authorities (per ITS); client notification.
3. Digital Resilience Testing (Art. 24-27) Verifying resilience capabilities Annual comprehensive testing program (pen tests, vulnerability scans); mandatory triennial TLPT for significant entities, involving key TPPs.
4. ICT Third-Party Risk Mgt. (TPRM) (Art. 28-44) Managing risks from external ICT service providers Strategy & policy; Register of Information; due diligence; mandatory contractual clauses (audit/access rights, exit strategies); EU oversight framework for Critical TPPs.
5. Information Sharing (Art. 45) Enhancing collective resilience through intelligence exchange Voluntary sharing of threat intelligence within trusted communities; protect confidentiality/data; notify authorities of participation.

V. Supervision, Enforcement, and Guidance for NIS 2 and DORA Compliance


Achieving NIS2 Compliance and DORA adherence requires financial institutions to navigate a multi-layered supervisory ecosystem. This section outlines the key EU and national authorities, technical standards, and enforcement mechanisms.


A. The EU Supervisory Ecosystem for the NIS 2 Directive and DORA


Several EU bodies and national authorities oversee the NIS 2 Directive and DORA:


  • European Supervisory Authorities (ESAs - EBA, ESMA, EIOPA): Central to DORA, the ESAs develop binding Regulatory and Implementing Technical Standards (RTS/ITS) detailing requirements across its five pillars and issue guidelines. Critically, under DORA, ESAs also act as Lead Overseers for designated Critical ICT Third-Party Providers (CTPPs), giving them direct supervisory powers.
  • European Commission: The Commission adopts the RTS/ITS developed by the ESAs. It also provides guidance (e.g., on the NIS 2 Directive/DORA lex specialis relationship) and ensures Member States transpose directives like the NIS 2 Directive, initiating infringement procedures if needed.
  • ENISA (EU Agency for Cybersecurity): Key to the NIS 2 Directive framework, ENISA supports the NIS Cooperation Group and CSIRTs Network, produces reports on EU cybersecurity, and issues guidance. Under DORA, ENISA collaborates closely with the ESAs (formalised by an MoU), contributing to threat analysis and potentially supporting oversight.
  • National Competent Authorities (NCAs): These are the primary day-to-day supervisors for financial entities under DORA (e.g., BaFin, CSSF). They monitor compliance, enforce DORA (and relevant NIS 2 Directive aspects), receive incident reports, and cooperate with ESAs and other national bodies. They are also key for overseeing NIS2 Compliance in their jurisdictions.
  • CSIRTs (Computer Security Incident Response Teams): Designated under the NIS 2 Directive, national CSIRTs handle incidents, issue warnings, and coordinate vulnerability disclosure. Financial entities interact with them, often via DORA NCAs sharing incident information.

For financial institutions, the NCA is the primary supervisor for core DORA compliance. The relevant ESA Lead Overseer is critical for CTPP interactions. Broader EU cybersecurity coordination and national support often involve NIS 2 Directive structures (NCAs, CSIRTs, ENISA).




B. Technical Standards (RTS/ITS) and Guidelines for NIS 2 and DORA


Detailed technical specifications are crucial for implementing the NIS 2 Directive and DORA:


  • DORA Level 2 & 3: DORA mandates numerous RTS (binding details) and ITS (uniform formats/procedures) from the ESAs. These cover ICT risk management, incident classification/reporting, TPRM policy, RoI templates, CTPP designation/oversight, and TLPT. ESAs also issue non-binding Guidelines. Financial institutions must monitor these for detailed DORA compliance obligations.
  • NIS 2 Implementing Acts & Guidance: The NIS 2 Directive also uses implementing acts (e.g., Commission Implementing Regulation (EU) 2024/2690 on risk management for certain digital entities). ENISA provides supporting technical guidance. While DORA takes precedence for financial entities' core duties, this NIS 2 Directive guidance can inform best practices.



C. Enforcement Mechanisms and Penalties under the NIS 2 Directive and DORA


Both frameworks include significant penalties to ensure compliance:


  • NIS 2 Directive Penalties: Member States must set effective, proportionate, and dissuasive penalties. The NIS 2 Directive specifies minimums for maximum administrative fines:

    • Essential Entities: At least up to €10 million or 2% of total worldwide annual turnover, whichever is higher.
    • Important Entities: At least up to €7 million or 1.4% of total worldwide annual turnover, whichever is higher. Non-monetary remedies (compliance orders, audits) and potential personal liability for management (including temporary bans) are also key to ensuring NIS2 Compliance.
  • DORA Penalties: DORA (Article 50) requires Member States to lay down rules on administrative penalties and remedial measures for financial entities, ensuring they are effective, proportionate, and dissuasive. Unlike the NIS 2 Directive, DORA does not set EU-level minimums for maximum fines for financial entities; amounts depend on national law (although commentators often expect levels comparable to the NIS 2 Directive). Article 52 lets Member States rely on criminal penalties instead of administrative ones for certain infringements, and the management body's responsibilities under Article 5 imply management accountability. For Critical ICT Third-Party Providers (CTPPs), DORA (Article 35) grants the Lead Overseer (ESA) direct power to impose periodic penalty payments of 1% of the CTPP's average daily worldwide turnover, applied daily for up to six months, to compel compliance with its requests and recommendations.

While NIS 2 Directive sets an EU baseline for fines for its in-scope entities, fines for financial entities under DORA are nationally determined. The direct EU-level fining power over CTPPs under DORA is a notable feature.




Table 3: NIS 2 Directive vs. DORA Penalties for Non-Compliance Overview


Feature NIS 2 Directive DORA (for Financial Entities) DORA (for Critical ICT Third-Party Providers - CTPPs)
Authority for Penalties National Competent Authorities (NCAs) National Competent Authorities (NCAs) Lead Overseer (ESA: EBA, ESMA, or EIOPA)
Basis for Fines EU-level minimums for maximum fines set in Directive National law (no EU-level minimums for maximums set in DORA for financial entities) EU-level (periodic penalty payments set in DORA)
Max Admin Fines (Typical) Essential: at least €10M or 2% of worldwide turnover; Important: at least €7M or 1.4% of worldwide turnover (whichever is higher) Determined by national law; potentially similar to NIS 2 but not mandated at EU level by DORA. Periodic penalty payment of 1% of average daily worldwide turnover, applied daily for up to six months
Management Liability Explicitly foreseen (incl. temporary bans) Implied via management body responsibilities; depends on national transposition for specifics. N/A (targets CTPP entity)
Other Remedies Compliance orders, binding instructions, audits, threat notifications. Remedial measures as per national law. Recommendations, orders to take action or cease conduct.
Primary Goal Ensure NIS2 Compliance across a broad range of critical sectors. Ensure DORA compliance and financial stability. Ensure CTPPs manage risks to financial entities.



VI. Financial Sector Compliance with DORA: Status, Challenges, and Strategies


Achieving compliance with the Digital Operational Resilience Act (DORA), situated within the broader EU cybersecurity framework influenced by the NIS 2 Directive, presents notable challenges and requires strategic planning by financial institutions. This section reviews industry readiness around DORA's January 17, 2025 application, common hurdles, effective strategies, and economic impacts.


A. Industry Readiness and Preparedness (as of early 2025)

Surveys leading up to and shortly after DORA's application painted a mixed picture:


  • High Engagement, Variable Readiness: While most financial institutions (FIs) actively engaged with DORA requirements—with surveys (e.g., McKinsey, CSSF) showing high percentages conducting gap analyses (~90%) and dedicating board-level attention—actual readiness varied.
  • Significant Gaps Persisted: Many FIs (e.g., 71% in a CSSF survey) classified themselves as only "partially ready" by late 2024, with few claiming full DORA compliance. Some (e.g., 43% of UK FIs in an Orange Cyberdefense survey) anticipated missing the January 2025 deadline.
  • Sectoral Differences: Readiness levels differed, with credit institutions often more advanced than some investment firms or payment institutions. Banking and FMIs generally showed higher maturity compared to some other sectors initially assessed under NIS 2 Directive contexts.

This indicates that despite significant preparatory efforts, achieving full DORA compliance was an ongoing process for many financial institutions into 2025, with potential disparities in resilience, especially for smaller entities.




B. Common DORA Compliance Hurdles

Financial institutions consistently reported several key challenges in their DORA compliance journey:


  • Complexity and Scope: Understanding and integrating DORA's detailed requirements with existing frameworks, including identifying Critical or Important Functions (CIFs) and mapping dependencies.
  • Third-Party Risk Management (TPRM): Conducting due diligence, maintaining the Register of Information (RoI), assessing concentration risk, and remediating numerous ICT third-party contracts with DORA's mandatory clauses.
  • Resilience Testing: Implementing rigorous testing programs, especially advanced Threat-Led Penetration Testing (TLPT) for significant entities, which demands specialized expertise and complex coordination with third parties.
  • Resource Constraints (Budget and Skills): Securing sufficient budget and skilled personnel (cybersecurity, risk, legal) for DORA implementation and ongoing maintenance.
  • Governance and Board Engagement: Ensuring active management body understanding, oversight, and integration of ICT risk into overall governance, moving beyond seeing cybersecurity as solely an IT function.
  • Incident Reporting: Meeting strict classification and multi-stage reporting timelines efficiently.
  • Short Timelines: The perceived brief period for implementing comprehensive changes, alongside delays in some technical standards finalisation.




C. Effective DORA Compliance Strategies

A structured approach is vital for effective DORA compliance:


  1. Gap Analysis: Assess current practices against DORA and its associated RTS/ITS.
  2. Roadmap & Prioritization: Develop a detailed implementation plan with clear actions, timelines, and responsibilities, prioritizing by risk.
  3. Board Engagement & Governance: Ensure management body understanding, approval of strategy/policies, regular training, and clear roles across functions.
  4. Strengthen ICT Risk Management: Enhance the ICT risk framework per DORA Articles 6-14 (asset ID, risk assessments, security policies, BCP/DR plans).
  5. Implement Robust TPRM: Develop a TPRM strategy, conduct due diligence, remediate contracts, maintain the RoI, and monitor third-party risk.
  6. Operationalize Incident Reporting: Establish clear processes for incident detection, classification, internal escalation, and timely external reporting using mandated templates.
  7. Establish Resilience Testing Program: Plan and execute regular testing (vulnerability assessments, pen tests); prepare for TLPT if designated significant.
  8. Leverage Technology & Automation: Utilize GRC tools and security solutions to streamline compliance processes.
  9. Foster a Resilience Culture: Implement mandatory training and awareness programs for all staff and management.
  10. Continuous Improvement: Regularly review and update frameworks based on tests, incidents, threat intelligence, and regulatory changes.
  11. Seek External Expertise: Engage specialists for tasks like TLPT, contract remediation, or independent assurance where needed.



D. Economic Impact and Costs of DORA Compliance

DORA implementation represents a significant financial investment for the sector.


  • Substantial Costs: Surveys (e.g., Rubrik, McKinsey) indicated many FIs spent over €1 million, with initial budgets potentially reaching €5-15 million and total costs much higher (one large FI planned nearly €100 million). Some estimates suggest an average industry spend of over €15 million per institution.
  • Permanently Higher Run Costs: A majority of institutions (e.g., 70% in a McKinsey survey, 66% in an Orange Cyberdefense survey) anticipate permanently higher operational costs for technology and controls due to ongoing DORA compliance.

These costs must be weighed against the severe economic impacts of non-compliance, including administrative fines (potentially substantial under national laws implementing DORA), remedial actions, operational disruption, reputational damage, and direct losses from cyber incidents (IMF reported $12 billion since 2004 for the sector). While DORA includes proportionality, the investment required remains a concern for smaller FIs and fintechs, potentially impacting market dynamics.




VII. Conclusion: Advancing Digital Resilience in EU Finance


The NIS 2 Directive and the DORA Regulation together significantly elevate the standards for cybersecurity and operational resilience within the EU's financial sector, establishing a more demanding and harmonised framework against escalating digital threats. Achieving NIS2 Compliance and DORA adherence is now a critical focus.


A. NIS 2 and DORA: Combined Impact on Financial Sector Compliance


The NIS 2 Directive provides a broader EU baseline for cybersecurity, enhancing national capabilities and cross-border cooperation. For the financial sector, DORA acts as lex specialis, setting detailed and specific rules for digital operational resilience. This means financial institutions' primary compliance for ICT risk management, incident reporting, resilience testing, and third-party risk management is governed by DORA. The NIS 2 Directive offers context through national strategies, CSIRT roles, and EU cooperation bodies (NIS Cooperation Group, EU-CyCLONe). Understanding this hierarchy is crucial for effective compliance.


B. Proactive Compliance: A Strategic Imperative


Adhering to DORA, within the NIS 2 Directive's overarching framework, is a fundamental strategic imperative for financial institutions, not merely a regulatory cost. Digital resilience is now inextricably linked to financial stability, operational continuity, and customer trust. Proactive DORA implementation enhances an institution's ability to withstand disruptions, protect data, manage supply chain risks, and maintain a competitive edge, bolstering stakeholder confidence.


C. Future Outlook: A Dynamic Regulatory Landscape


The regulatory environment for cybersecurity and digital compliance remains dynamic. Financial institutions must continually monitor:


  • Finalisation and interpretation of DORA's technical standards (RTS/ITS) and guidelines.
  • Ongoing national transposition and enforcement of DORA's penalty frameworks and the (often delayed) NIS 2 Directive.
  • Periodic reviews of legislation like the NIS 2 Directive.
  • The broader ecosystem of EU digital regulations (e.g., Cyber Resilience Act, Cyber Solidarity Act, AI Act).
