NIS2 vs DORA: Which EU Digital Resilience Rule Applies to You in 2026?

NIS2 and DORA are both EU cybersecurity rules that became applicable in 2024-2025. They overlap, they differ in the details, and depending on what you sell, both can apply to you at once. Here's how to tell them apart.

April 24, 2026 · 11 min read · Standardful Team

Two massive EU cybersecurity regimes landed in the same 12-month window. NIS2's transposition deadline passed on 17 October 2024, so the directive is now applied through national law. DORA became fully applicable on 17 January 2025. Both target IT resilience. Both cover incident reporting. Both come with eye-watering fines. And confusingly, depending on what your business does, one, the other, or both can apply to you at the same time.

I've had the same conversation with roughly a dozen SaaS founders in the last six months. It usually starts with "so we got an email from our German customer about NIS2, but our payment partner keeps talking about DORA — which one is the real thing?" The honest answer: they're both real, they're both enforceable, and they mostly don't overlap in who they apply to. But when they do overlap, things get messy.

Let's sort it out.

The Short Version

NIS2 applies to organizations operating "essential" or "important" services across 18 sectors — energy, transport, healthcare, digital infrastructure, public admin, manufacturing of critical products, and more. If you're not in finance and your business touches one of these sectors (or you provide IT services to someone who does), NIS2 is probably your concern.

DORA applies to the EU financial sector — banks, insurers, investment firms, crypto asset service providers, payment institutions — plus their critical ICT third-party providers. If you're a fintech, a payments SaaS, or you power financial services in any way, DORA is your concern.

The single biggest source of confusion: if you're a cloud or SaaS provider serving both sectors, you may need to comply with both, and the requirements are not identical.

What NIS2 Actually Requires

The NIS2 Directive (Directive (EU) 2022/2555) replaces the original NIS Directive (Directive (EU) 2016/1148) and dramatically expands its scope. Estimates put it at around 160,000 organizations across the EU, compared to maybe 20,000 under the original.

The core obligations fall into a few buckets:

Risk management measures. Organizations must implement "appropriate and proportionate" technical, operational, and organizational measures. Article 21(2) lists ten minimum measure categories: policies on risk analysis and information system security; incident handling; business continuity, backups and crisis management; supply chain security; security in acquiring, developing and maintaining systems, including vulnerability handling and disclosure; procedures to assess how effective the measures are; basic cyber hygiene and security training; policies on cryptography and encryption; human resources security, access control and asset management; and multi-factor or continuous authentication with secured communications.

Incident reporting with a tight timeline. Significant incidents must be reported to the national CSIRT or competent authority in three stages: an early warning within 24 hours of becoming aware, an incident notification within 72 hours of becoming aware, and a final report within one month of submitting that notification. The authority can request intermediate status updates in between. This is aggressive, aggressive enough that the Commission has issued an implementing regulation (Commission Implementing Regulation (EU) 2024/2690) spelling out when an incident counts as "significant" for cloud, DNS, managed service and other digital providers, and several national authorities have published their own guidance on top of it.

Management accountability. Under Article 20, management bodies must approve the cybersecurity risk management measures, oversee their implementation, and follow training themselves. Members of management bodies can be held liable for non-compliance. This isn't theoretical: Germany's BSI has already flagged board-level cybersecurity governance as an inspection focus.

Supply chain security. Essential and important entities must address supply chain security in their risk management. In practice, this means auditing your vendors — which is why so many SaaS companies are fielding NIS2 questionnaires from their customers.

Fines go up to €10 million or 2% of global turnover for essential entities, and €7 million or 1.4% for important entities, whichever is higher.

What DORA Actually Requires

DORA (Regulation (EU) 2022/2554) is a regulation, not a directive — which means it applies directly across the EU without needing national transposition. It covers about 22,000 financial entities and their critical ICT suppliers.

The five pillars:

ICT risk management. Financial entities must implement a comprehensive ICT risk management framework covering identification, protection, detection, response, and recovery. The requirements are more prescriptive than NIS2 — there are detailed RTS (regulatory technical standards) from the European Supervisory Authorities specifying exactly what's expected.

Incident reporting. Similar to NIS2 in concept but with different thresholds and a different recipient: your financial supervisor, not a CSIRT. A major ICT-related incident gets an initial notification within four hours of being classified as major, and in any case within 24 hours of becoming aware of it; an intermediate report within 72 hours of the initial notification; and a final report within one month of the intermediate report. Classifying slowly does not buy time, because the 24-hour cap from awareness still applies.

Digital operational resilience testing. Financial entities must regularly test their ICT systems. Entities their authorities identify as significant enough must additionally run Threat-Led Penetration Testing (TLPT) at least every three years: an intelligence-driven red team exercise against live production systems, built on the TIBER-EU framework.

ICT third-party risk management. This is the part that drags non-financial companies into DORA's scope. Any financial entity must maintain a detailed register of its ICT third-party arrangements, conduct due diligence before contracting, and include specific contractual provisions (on audit rights, termination, data access, etc.).

Oversight of critical ICT third-party providers. The European Supervisory Authorities designate some cloud and ICT providers as "critical." Those providers fall under direct EU oversight — with inspection powers, binding recommendations, and potential fines.

DORA itself does not set a fine schedule for financial entities. Article 50 leaves administrative penalties and remedial measures to member states and their financial supervisors, so the numbers vary by country. The headline figure you may have seen belongs to the oversight regime: a critical ICT third-party provider that fails to comply with the Lead Overseer can face periodic penalty payments of up to 1% of its average daily worldwide turnover for each day of non-compliance, for up to six months.

Where They Overlap — And How They Differ

On paper, NIS2 explicitly defers to DORA for the EU financial sector. Article 4 of NIS2 is the lex specialis clause: where a sector-specific EU act imposes risk management or incident notification obligations of at least equivalent effect, those apply instead, and Article 1(2) of DORA declares itself exactly such an act for financial entities. So on risk management and incident reporting, financial entities aren't double-regulated.

But it's not that clean in practice. Here's where things get awkward:

SaaS and cloud providers serving financial customers. You're probably in-scope for NIS2 as a "digital infrastructure" or "ICT service management" entity. At the same time, your financial-sector customers are pulling you into DORA's third-party risk regime via contractual requirements. You end up implementing NIS2 controls for your overall operation and DORA-aligned controls for your financial customers specifically.

Incident reporting. If a single incident affects both financial and non-financial customers across the EU, you may need to notify under both regimes: under NIS2 as an in-scope provider in your own right, and under DORA indirectly, because each affected financial customer has its own four-hour/24-hour clock and its contract with you will require you to tell it fast enough to meet that clock. Different recipients, different timelines, different formats. Major incident response runbooks need to account for this.
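The two sets of clocks above are easy to get wrong in a runbook, so here is an added example (not code from the original article) that computes the notification deadlines of both regimes from one incident timeline, including the DORA rule that the initial notification is due four hours after classification but never more than 24 hours after awareness. It takes the timelines from NIS2 Article 23(4) and DORA Article 19 with its reporting RTS/ITS, assumes UTC timestamps, and approximates "one month" as 30 days; the `utc`, `Deadline`, `combined_timeline` and `next_due` names are the example's own.

```python
"""Deadline calculator for an incident that starts NIS2 and DORA reporting clocks.

Added illustration, not code from the Standardful article. Timelines:
NIS2 runs 24h (early warning) and 72h (incident notification) from awareness,
with the final report one month after the notification is submitted.
DORA's initial notification is due 4h after the incident is classified as
major but never later than 24h after awareness; the intermediate report is
due 72h after the initial notification and the final report one month after
the intermediate report. Assumptions: UTC everywhere, "one month" = 30 days.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

ONE_MONTH = timedelta(days=30)  # assumption: "one month" approximated as 30 days


@dataclass(frozen=True, order=True)
class Deadline:
    due: datetime   # latest submission time; first field so sorting is by time
    regime: str     # "NIS2" or "DORA"
    report: str     # which report this deadline belongs to
    clock: str      # what the clock runs from


def utc(year, month, day, hour=0, minute=0):
    """Build a timezone-aware UTC timestamp (helper for callers and tests)."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def nis2_deadlines(aware_at, notification_sent_at=None):
    """NIS2 Art. 23(4). The final-report clock starts when the 72h notification
    is actually sent; if it has not gone out yet, assume the legal limit, which
    yields the latest possible final-report date."""
    early = aware_at + timedelta(hours=24)
    notification = aware_at + timedelta(hours=72)
    sent = notification_sent_at or notification
    return [
        Deadline(early, "NIS2", "early warning", "24h after awareness"),
        Deadline(notification, "NIS2", "incident notification", "72h after awareness"),
        Deadline(sent + ONE_MONTH, "NIS2", "final report",
                 "1 month after the notification was submitted"),
    ]


def dora_deadlines(aware_at, classified_at, initial_sent_at=None, intermediate_sent_at=None):
    """DORA Art. 19 with its reporting RTS/ITS. The initial notification has two
    clocks and the earlier one binds, so slow classification buys no extra time."""
    if classified_at < aware_at:
        raise ValueError("an incident cannot be classified before you are aware of it")
    initial = min(classified_at + timedelta(hours=4), aware_at + timedelta(hours=24))
    initial_sent = initial_sent_at or initial
    intermediate = initial_sent + timedelta(hours=72)
    intermediate_sent = intermediate_sent_at or intermediate
    return [
        Deadline(initial, "DORA", "initial notification",
                 "4h after classification as major, capped at 24h after awareness"),
        Deadline(intermediate, "DORA", "intermediate report", "72h after initial notification"),
        Deadline(intermediate_sent + ONE_MONTH, "DORA", "final report",
                 "1 month after intermediate report"),
    ]


def combined_timeline(aware_at, classified_at, regimes=("NIS2", "DORA")):
    """Merged, time-ordered runbook view for an incident that hits both regimes."""
    items = []
    if "NIS2" in regimes:
        items += nis2_deadlines(aware_at)
    if "DORA" in regimes:
        items += dora_deadlines(aware_at, classified_at)
    return sorted(items)


def next_due(timeline, now):
    """The first deadline still ahead of `now`, or None when none remain."""
    return next((d for d in timeline if d.due > now), None)


if __name__ == "__main__":
    # Constructed scenario: outage noticed at 08:00 UTC, declared major 11 hours later.
    aware = utc(2026, 3, 2, 8)
    for d in combined_timeline(aware, utc(2026, 3, 2, 19)):
        print(f"{d.due:%Y-%m-%d %H:%M}  {d.regime:<4} {d.report:<22} ({d.clock})")
```

Feed `combined_timeline` the moment you became aware and the moment you declared the incident major, and hand the sorted list to the on-call lead; `next_due` answers "what do we owe next, and to whom". The DORA rows are the deadlines your financial customers are subject to, which is what determines how fast your contract obliges you to tell them; treat the output as a planning aid, not legal advice, and check the national transposition for the NIS2 side.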

Supply chain due diligence. NIS2's supply chain security and DORA's ICT third-party risk management overlap but are not identical. DORA is more prescriptive (register, contractual clauses, exit strategies). NIS2 leaves more to "appropriate and proportionate" judgment. If you implement DORA-level controls, you're generally exceeding NIS2 requirements — but the reverse is not true.

ISO 27001 as the connector. Both regulations explicitly encourage using international standards. A mature ISO 27001 ISMS gives you most of what NIS2 requires in terms of controls, and a big chunk of DORA's ICT risk management framework. It's not sufficient on its own for either regulation (you still need the incident reporting processes, the supply chain register, the testing regime), but it's the single best foundation to build from.

How to Figure Out What Applies to You

Start with three questions.

1. Are you a financial entity as defined in DORA? This includes banks, insurers, investment firms, crypto asset service providers (CASPs), payment institutions, e-money institutions, and about a dozen other categories. If yes: DORA applies, full stop. NIS2 defers to DORA for you.

2. Are you an ICT service provider to financial entities? If yes, you're not directly regulated by DORA, unless the ESAs designate you as a critical ICT third-party provider, in which case you fall under the Lead Overseer regime described above. Otherwise your financial customers will flow DORA requirements to you contractually. You may also be separately in scope for NIS2 depending on your sector.

3. Do you operate in any of the 18 NIS2 sectors? The full list is in Annexes I and II of the directive. Key ones that catch SaaS and tech companies: digital infrastructure, ICT service management, digital providers (online marketplaces, search engines, social networks), manufacturing of computers and electronics, and research. Size thresholds matter — generally medium-sized entities (50+ employees or €10M+ turnover) and above, with some exceptions.

If the answer to (2) is yes and the answer to (3) is yes, you're managing both regimes. That's the position a lot of mid-sized SaaS companies find themselves in.

Practical Steps for 2026

If you're just getting started, here's what actually moves the needle:

Build your asset inventory first. Both regulations assume you know what systems you have, who owns them, and how critical they are. If you don't have this, everything else is theoretical.

Set up incident classification and reporting now. The timelines are aggressive. You don't want to be figuring out who to call and what format to use at hour 22 of a breach. Tabletop exercises help surface the gaps.

Map your third-party dependencies. Know your critical vendors, have their contracts on file, and understand what happens if one goes down. For DORA specifically, maintain the register of information in the standard templates set out in the ESAs' implementing technical standards (Commission Implementing Regulation (EU) 2024/2956), because supervisors collect it in that format.

Get leadership involved. Both NIS2 and DORA attach personal accountability to senior management. Board training on cyber risk is no longer optional, and neither is executive sign-off on your security posture. The SOC 2 compliance and governance practices most SaaS companies already have are a decent starting point, but they don't cover the incident reporting timelines these EU rules demand.

Plan for audits. Both regimes assume they'll be checked. NIS2 inspections have started in Germany, France, and the Netherlands. DORA oversight begins this year for designated critical ICT providers. If you're relying on "nobody will come looking," that's a bet with a bad risk/reward.

The Bottom Line

NIS2 and DORA aren't competing frameworks — they're complementary pieces of the EU's push to make critical services resilient. NIS2 sets a cybersecurity baseline across sectors that matter to everyday life. DORA layers stricter, more prescriptive requirements on top of the financial sector specifically.

If both apply to you, treat DORA as the higher bar and build once. If only NIS2 applies, focus on the ten minimum measures and your incident reporting capability. If you're a DORA financial entity, the five DORA pillars are your rulebook, since NIS2's risk management and reporting chapters don't apply to you. Just confirm you actually meet DORA's definition of a financial entity before setting NIS2 aside, because the carve-out only covers entities DORA regulates.

And if you're genuinely unsure whether either applies? You probably haven't audited your customer base recently. That's where the answer usually lives — in the contracts your customers are starting to send you.

References

  1. Directive (EU) 2022/2555 (NIS2) — Official Journal of the EU
  2. Regulation (EU) 2022/2554 (DORA) — Official Journal of the EU
  3. ENISA NIS2 Resources — European Union Agency for Cybersecurity
  4. DORA Regulatory Technical Standards — European Banking Authority
