As digitalization advances, companies and organizations are increasingly confronted with complex challenges around IT security and digital operational resilience. Within a few months, the European Union has adopted two important pieces of legislation to strengthen IT and cybersecurity, which will now come into force in the near future: the “Directive on measures for a high common level of cybersecurity across the Union” (NIS2) and the Digital Operational Resilience Act (DORA).
Both pieces of legislation are designed to strengthen companies and organizations that are important for the economy and society against cyber attacks. NIS2 and DORA are currently receiving a lot of attention because the corresponding implementation deadlines are approaching, but implementing the new IT security requirements is sometimes very challenging for the companies concerned. The IT security requirements of NIS2 and DORA are diverse, complex and often necessitate a complete renewal of IT processes within companies.
Even though the EU’s intention for NIS2 and DORA may appear similar at first glance, the two regulations differ in important respects. In this article, we will clarify the differences, the relationship between the legal acts and which of the two legal acts is relevant for you.
1. Objectives
- NIS2 was introduced in response to the increased threat to critical infrastructure from digital attacks, which have become particularly apparent during the coronavirus crisis. NIS2 is the successor to the original “Network and Information Directive” (NIS) from 2016 and aims to harmonize and strengthen cybersecurity standards in the European Union, particularly to ensure the security and resilience of critical sectors. Its primary objective is to increase the resilience of networks and information systems by setting out specific requirements for IT security and IT risk management.
- DORA focuses on the financial sector and is part of the EU’s broader efforts to digitize the financial sector. DORA is designed to ensure that the financial sector is able to maintain its operational capacity even in the event of significant IT disruptions. The DORA requirements are intended to reduce the vulnerability of financial firms’ information and communication technology (ICT) to cyber threats and disruptions. In addition, the EU legislature has recognized that the financial sector is highly dependent on external service providers in the area of IT because IT processes and infrastructures increasingly have to be outsourced. In this regard, DORA also introduces new and far-reaching regulations and will in future enable the direct supervision of so-called critical ICT service providers, which particularly often provide IT services for the financial sector and where extensive operational disruptions could have potentially systemic effects on the entire financial market.
The different objectives are reflected in different forms of similar requirements. This is evident, for example, from the fact that the NIS2 requirements focus on the security of the supply chain, while DORA (also) requires the management of risk associated with third-party service providers through comprehensive requirements. Organizations that fall under NIS2 in Germany must demonstrate compliance with the regulations by undergoing a security audit every two years. DORA has stricter requirements for security audits and requires a test of operational resilience of all critical/important functions of financial institutions at least once a year. NIS2 also provides for high and already defined financial sanctions for non-compliance, while DORA leaves the assessment of sanctions to the member states and their competent authorities (in Germany, the BaFin).
2. Scope of application / companies affected
One of the main differences between the two sets of regulations lies in their scope of application:
- NIS2 is aimed at a wide range of sectors, including banking, energy, transportation, health, drinking water, food production and digital infrastructure, as well as cloud services. It affects both essential entities, which are considered critical to the maintenance of key societal functions, and important entities that operate in economically significant areas. NIS2 thus aims at a general improvement of cybersecurity and affects a wide range of industries. Estimates suggest that around 25,000 to 40,000 companies in Germany are affected by NIS2. Companies must register under NIS2 and will not receive any official notification that they are affected by NIS2. Those affected must therefore recognize for themselves whether they fall within the scope of NIS2.
- DORA is specifically tailored to the financial sector. It regulates the digital operational resilience of financial companies and their service providers. DORA focuses on financial service providers and their ability to manage IT risks and respond to cyber threats to ensure the stability of the financial system. Third-party ICT service providers such as cloud providers or hosting providers that work for the financial sector also fall within the scope of the regulation. Across the EU, around 22,000 financial companies will be affected by DORA. It remains to be seen how many service providers for the financial sector will be affected and how many critical ICT service providers will be classified.
3. Legal nature
NIS2 and DORA are two different legal instruments of the European Union and are designed differently in their legal nature:
- NIS2 is a European directive, i.e. a legal act that sets out a goal to be achieved by EU countries. It is the responsibility of the individual countries to enact their own legislation to achieve this goal. Each member state has to incorporate the necessary measures to achieve the objectives of the directive into its national law. NIS2 is therefore not directly applicable to the companies concerned, but must be transposed into national law. In Germany, this transposition is being carried out by means of the so-called “NIS2 Implementation Act” (“NIS2UmsuCG”; current draft of the federal government as of October 2, 2024). The draft of the NIS2UmsuCG was passed on July 24, 2024. The promulgation of the law is expected by December 31, 2024.
- DORA, unlike NIS2, is designed as an EU regulation and is therefore directly applicable law in all member states of the European Union. DORA does not require national implementation because EU regulations have immediate legal effect and apply directly in all member states from the time of their entry into force. EU regulations also take precedence over national law. The direct applicability of DORA means that the financial companies and their ICT third-party service providers affected by DORA cannot wait for any transitional periods due to national legislative procedures, but must have fully implemented the DORA requirements by the time DORA enters into force on January 17, 2025.
4. IT Security requirements
NIS2 rather roughly defines the risk management and IT security requirements for the companies concerned, while DORA prescribes more specific measures such as penetration tests and security audits to ensure the continued functionality of IT systems in the financial sector.
- NIS2 focuses on creating a general framework for improving cybersecurity. This includes requirements for risk management, reporting of security incidents and enforcement of IT security standards. Organizations covered by NIS2 must implement a range of organizational and technical measures to minimize risk and ensure that their networks and information systems can withstand the latest threats. These include, among other things:
  - maintaining an IT risk management system,
  - regular security checks and
  - reporting requirements in the event of security incidents.
- DORA, on the other hand, focuses more specifically on the operational resilience of financial institutions. The requirements include, among other things:
  - management of IT risks,
  - IT business continuation strategies and plans,
  - regular testing and constant monitoring of the entire IT infrastructure and
  - resilience requirements for third-party providers.
It is particularly noteworthy that DORA requires financial institutions to actively manage IT risks and regularly conduct tests to ensure resilience against cyberattacks and other digital threats.
5. Regulatory enforcement and sanctions
Both sets of rules include strict enforcement mechanisms and sanctions for companies that fail to fulfill their obligations.
- NIS2 requires member states to establish supervisory authorities to monitor compliance with the directive. In Germany, the Federal Office for Information Security (“Bundesamt für Sicherheit in der Informationstechnik – BSI”) and the Federal Network Agency (“Bundesnetzagentur – BNetzA”) are responsible for this. For credit institutions and other financial service providers, BaFin is responsible for NIS2 supervision. There is no direct supervision by EU authorities for the affected entities under NIS2. Supervision is thus exclusively at the national level. Companies that violate the requirements of NIS2 face severe sanctions, such as audits and inspections by the regulatory authorities or fines. NIS2 specifically defines possible fines:
- Companies in essential sectors, such as banking, financial market infrastructure and IT services, can be fined up to €10 million or 2% of their global annual turnover (whichever is higher).
- For companies in important sectors, such as digital service providers, the maximum fine is €7 million or 1.4% of the global annual turnover of the previous financial year.
- DORA also contains clear rules on monitoring and enforcement. National supervisory authorities will monitor compliance and can impose sanctions in the event of violations. Under DORA, financial companies are primarily monitored by national supervisory authorities such as BaFin and the Bundesbank together with the European Central Bank, but they work closely with the EU authorities. For example, the European Securities and Markets Authority (ESMA), the European Banking Authority (EBA) and the European Insurance and Occupational Pensions Authority (EIOPA) play a central role in monitoring and enforcing the DORA regulation at the European level. These authorities coordinate supervisory activities and support national authorities in ensuring digital resilience in the financial sector. IT providers that are classified by the European Commission as “critical ICT service providers” are also directly supervised by the lead supervisory authorities of the ESAs (European Supervisory Authorities). Through this direct EU supervision, DORA integrates an additional layer of oversight, while NIS2, as a directive, leaves supervision exclusively to national authorities. DORA does not include fixed fines for general non-compliance with the requirements. The supervisory authorities will continue to have the same powers of sanction and fine as they have now (e.g. from the provisions in the German Banking Act (KWG) or the Payment Services Supervision Act (ZAG)). However, there are specific rules for designated critical ICT service providers. DORA allows the lead supervisory bodies to fine ICT providers up to 1% of the provider’s average daily global revenue in the preceding fiscal year. Providers can be fined daily for up to six months until they comply.
A common aspect of the sanction mechanisms of both regulations is the personal liability of management. Both NIS2 and DORA stipulate that members of management can be held liable with their private assets for gross negligence or intentional violations of the NIS2 or DORA requirements. This means that managers are not only responsible for implementing cybersecurity requirements but can also face personal consequences for non-compliance. The draft of the German NIS2 Implementation Act (NIS2UmsuCG) also provides for the personal liability of managing directors and senior executives. A waiver by the company of claims for compensation against the management or a settlement of these claims is invalid.
6. Significance for companies
DORA further defines many of the NIS2 requirements for the financial sector specifically and, as a lex specialis, takes precedence over the NIS2 regulations. For organizations that fall under both NIS2 and DORA, this means that they must fully comply with DORA to meet regulatory requirements. DORA subjects the financial sector to particularly strict supervision, while NIS2 affects a broader range of industries. By contrast, organizations that do not belong to the financial sector only have to comply with the requirements of NIS2. Nevertheless, it may also make sense for these companies to refer to the more specific DORA requirements, as they can serve as a reference for obtaining a more comprehensive overview of how the company is positioned in comparison to the stricter DORA requirements. This also enables companies from the non-financial sector to identify potential gaps or areas for improvement and to achieve NIS2 compliance in a timely manner.
Conclusion
From a legal perspective, both NIS2 and DORA are important instruments for strengthening cyber security and digital resilience in Europe. While NIS2 applies more broadly to various critical infrastructures, DORA focuses specifically on the financial sector and sets particularly high requirements for digital resilience. In both cases, affected companies will have to adapt to strict regulatory requirements, and it will be crucial to integrate the requirements of both frameworks to minimize legal and operational risk.
The coexistence of NIS2 and DORA poses a number of challenges. It is conceivable that the simultaneous existence of the two will lead to increased bureaucracy and that companies will be confronted with different requirements and testing procedures, which could lead to an audit chaos. It would therefore be desirable for the regulatory authorities to avoid redundancies, to improve the cooperation between the responsible parties involved and to provide clear guidelines for the implementation of the regulations.