DORA (Digital Operational Resilience Act, Regulation (EU) 2022/2554) is the financial-sector regulation that became fully applicable on 17 January 2025. NIS2 is the horizontal cyber directive. For financial entities they overlap heavily — but DORA is lex specialis under Article 4 of NIS2: when both could apply, DORA wins. This page is the complete crosswalk plus a clear decision rule on which clock you actually answer to.
Under Article 4 of NIS2, where a sector-specific Union legal act (here, DORA) imposes equivalent or more stringent obligations, the sector-specific act prevails. For credit institutions, payment institutions, e-money institutions, investment firms, crypto-asset service providers, insurance and reinsurance undertakings, and many other financial entities listed in DORA Article 2: DORA is your primary clock. NIS2 still applies to specific points where DORA is silent (e.g. some staff-training language).
NIS2
Type: EU directive (transposed into national law in each member state)
In force: EU member states had to transpose by 17 October 2024
Who: Essential / Important entities in ~18 sectors
Sanctions: Up to €10M or 2% of global turnover for Essential entities
Reports go to: National CSIRT (ANSSI / BSI / ACN / CNCS …)
Governance: Article 20 — management body accountability and training

DORA
Type: EU regulation (directly applicable — no transposition needed)
In force: Fully applicable since 17 January 2025
Who: Financial entities listed in Art. 2 + their critical ICT third-party service providers
Sanctions: Up to 1% of average daily worldwide turnover; per-day periodic penalties; criminal sanctions in some MS
Reports go to: Competent financial authority (ACPR / BaFin / Banca d'Italia / CSSF / CONSOB …) — NOT the national CSIRT
Governance: Art. 5 — management body has full ownership of the ICT risk management framework
This crosswalk is currently undergoing an independent review by an external DORA / EU financial-services GRC practitioner. The mapping reflects Reglyze's own technical analysis; the reviewed-and-signed badge will appear here once the engagement closes.
Each NIS2 minimum measure has an equivalent or more demanding obligation in DORA. The rows marked « DORA wins (lex specialis) » are the ones where you should NOT build a NIS2-only programme if you are a financial entity — DORA supersedes and the auditor walks the DORA register, not the NIS2 register.
Overlap rating reflects how completely the NIS2 article's substance is covered by the listed DORA articles. « DORA wins (lex specialis) » badge marks the rows where DORA supersedes NIS2 for financial entities under Article 4 of NIS2.
NIS2: Risk analysis and information system security policies
DORA: Art. 5–6, Art. 8–9 — ICT risk management framework + governance and organization + identification of ICT-supported business functions

NIS2: Incident handling
DORA: Art. 17–22 — ICT-related incident management, classification, reporting to competent authorities, RTS 2024/1772

NIS2: Business continuity and crisis management
DORA: Art. 11–13 — Response & recovery policy, backup policies, learning and evolving

NIS2: Supply chain security
DORA: Art. 28–30 — ICT third-party risk management — contractual provisions, register of information, exit strategies

NIS2: Security in acquisition, development and maintenance
DORA: Art. 8(7), Art. 9(4) — ICT systems acquisition and maintenance + ICT change management

NIS2: Policies and procedures to assess effectiveness
DORA: Art. 6(5), Art. 24–27 — Periodic review of the ICT risk management framework + digital operational resilience testing (TLPT for the largest entities)

NIS2: Basic cyber hygiene and training
DORA: Art. 13 — Learning and evolving — staff training on ICT risk management

NIS2: Cryptography and encryption
DORA: Art. 9(2), Art. 9(4)(c) — Protection of ICT assets — confidentiality, integrity, authenticity

NIS2: HR security, access control, asset management
DORA: Art. 8(1)–(4), Art. 9(4)(b) — Identification and classification of ICT-supported business functions and information assets + access management

NIS2: MFA, secure communications, secure emergency comms
DORA: Art. 9(4)(d), Art. 9(4)(e) — Strong authentication mechanisms + secure network communications

NIS2: Board oversight and accountability
DORA: Art. 5 — Management body — full ownership of ICT risk management framework, approves strategy, allocates resources

NIS2: Management body training
DORA: Art. 5(4) — Management body members shall actively keep up-to-date sufficient knowledge and skills to understand and assess ICT risk
DORA is your primary obligation. You report ICT-related incidents to your financial competent authority (not the national CSIRT). You maintain the DORA Register of Information for ICT third-party arrangements (Art. 28(3)). Your management body owns the ICT risk management framework (Art. 5). NIS2 still applies for the narrow gaps DORA does not address — most operators will be told by their competent authority which parts they still need to satisfy under the national NIS2 transposition.
What you actually need to do:
If you are a critical ICT third-party service provider (cloud, software, MSP, payment processor, etc.) supplying a DORA-regulated firm, DORA Articles 28–30 will reach you through your contracts even though you are not a financial entity yourself. NIS2 remains your primary regulatory obligation, but you should expect DORA-flavoured contractual requirements (incident notification deadlines, audit rights, exit clauses).
What financial-entity customers will require from you: