NIS2 and DORA both raise cybersecurity obligations across the EU, and they overlap enough to cause confusion. The short answer: NIS2 is the broad baseline across many sectors, DORA is the detailed rulebook for finance, and if you are a financial entity, DORA usually takes precedence. Here is the longer version.
NIS2, Directive (EU) 2022/2555, sets cybersecurity risk-management and incident-reporting duties across 18 sectors, from energy to health to digital infrastructure. It is a directive, so each member state transposes it into national law. We cover it fully in NIS2 explained.
DORA, Regulation (EU) 2022/2554, governs digital operational resilience for the financial sector and its critical ICT providers. It has applied since January 2025. Because it is a regulation, it applies directly across the EU without national transposition, so the text is the same in every member state.
If you are a bank, insurer, investment firm, or another financial entity, DORA is your primary regime. The principle at work is that the specialist rule governs over the general one, and NIS2 says so itself: where a sector-specific EU act imposes cybersecurity and incident-reporting obligations at least equivalent to its own, that act applies instead, and DORA is the sector-specific act for finance. You should still understand NIS2, because partners and suppliers outside finance will be bound by it, and your contracts will need to reflect that.
Whichever applies, the engineering work rhymes: manage ICT risk, test your defenses, report incidents on a clock, and prove your suppliers are secure. The clocks and thresholds differ (NIS2 wants an early warning within 24 hours and a fuller notification within 72 hours of becoming aware of a significant incident, with a final report within a month; DORA sets its own, tighter schedule for major ICT-related incidents and adds threat-led penetration testing for the entities it designates), so the capability has to be tuned to the regime that governs you. But it is one capability: build it once and most of both regimes is satisfied. We map your obligations under NIS2 and DORA and turn them into the same body of work.
Pick the regime that governs you, then build security that would satisfy either. The work overlaps more than the lawyers do.
Book a scoping call and we will confirm which regime applies and what it means for you.