The difference between DORA and NIS2 in the financial sector: what you should know

If you are responsible for compliance, risk management or information security within a financial organisation, you are undoubtedly dealing with DORA and NIS2. Both European regulatory frameworks have been in force since 2025 and impose stringent requirements on cybersecurity, ICT risk management and operational continuity.

But what exactly is the difference between DORA and NIS2? And more importantly, what do these regulations mean in practical terms for banks, insurers, investment firms and fintechs?

In this blog, we compare DORA and NIS2, explain where they overlap, and show how financial organisations can prepare in practice, including the role of digital escrow and continuity assurance provided by Escrow4all.

What is DORA?

The Digital Operational Resilience Act (DORA) is a European regulation that is exclusively focused on the financial sector. DORA has been applicable since 17 January 2025 and applies to approximately twenty types of financial entities, including:

  • Banks
  • Insurance companies
  • Payment service providers
  • Investment firms
  • Crypto-asset service providers

The objective of DORA is clear: financial institutions must be resilient to digital disruptions, such as cyberattacks, ICT outages and the failure of critical third-party providers.

The five pillars of DORA

DORA is highly specific and structured around five core areas:

  1. ICT risk management
    A demonstrable framework for the identification, protection, detection, response and recovery of ICT risks.
  2. Incident reporting
    The classification and reporting of significant ICT-related incidents to supervisory authorities.
  3. Digital resilience testing
    Mandatory penetration testing and, for larger institutions, threat-led penetration testing (TLPT).
  4. Third-party ICT risk management
    Strict requirements for contracts and dependencies involving external ICT and cloud service providers.
  5. Information and threat intelligence sharing
    Voluntary cooperation between financial institutions to share threat intelligence.

Because DORA is an EU regulation, it applies directly and uniformly across all Member States.

What is NIS2?

The Network and Information Security Directive 2 (NIS2) is a European directive that strengthens cybersecurity requirements for organisations operating in 18 critical sectors, including:

  • Energy
  • Transport
  • Healthcare
  • Digital infrastructure
  • (Parts of) the financial sector

In the Netherlands, NIS2 is implemented through the NIS2 Implementation Act. Unlike DORA, NIS2 requires national transposition, which may result in minor differences between Member States.

Key obligations under NIS2

  • Severe sanctions (up to €10 million or 2% of global annual turnover)
  • Risk management measures for cybersecurity
  • Supply chain security (chain responsibility)
  • Incident reporting obligation (initial notification within 24 hours)
  • Direct management and board-level accountability

The key differences between DORA and NIS2

Although both DORA and NIS2 aim to strengthen digital resilience, they differ fundamentally in structure, scope and focus. The first distinction lies in their applicability. DORA is a sector-specific regulatory framework that applies exclusively to financial institutions and their critical ICT service providers. In this sense, DORA functions as a lex specialis: a specialised legal framework that takes precedence where it overlaps with more general legislation. NIS2, by contrast, has a broader, cross-sector scope, applying to organisations in eighteen critical sectors, including a part of the financial sector.

Their legal nature also differs. DORA is an EU regulation, meaning its rules apply directly and uniformly across all Member States. NIS2 is an EU directive, which must be transposed into national law by each Member State. This can lead to minor differences in implementation and enforcement between countries.

There is also a clear difference in level of detail and regulatory approach. DORA is highly technical and prescriptive. It explicitly defines how ICT risk management must be organised, which tests are mandatory and what contractual requirements apply to external ICT providers. NIS2 follows a more principle-based and outcome-driven approach, requiring organisations to demonstrate that appropriate measures have been taken to manage cyber risks and ensure service continuity.

The supervisory framework differs as well. DORA is enforced by financial supervisory authorities, such as the European Supervisory Authorities (ESAs) and, in the Netherlands, De Nederlandsche Bank (DNB) and the Authority for the Financial Markets (AFM). NIS2 is supervised by national competent authorities, designated by each Member State.

Finally, there are differences in incident reporting requirements. DORA focuses specifically on ICT incidents that affect the operational resilience and critical functions of financial institutions. NIS2 imposes strict reporting timelines, including an initial notification within 24 hours of detection, followed by subsequent reports within defined timeframes.

Practical implications for financial institutions

In practice, this means that financial organisations must take several concrete steps. They need to determine which regulatory framework applies to them — DORA, NIS2 or both. They must structurally embed ICT risk management, review and update contracts with external providers such as cloud, SaaS and software vendors, and perform resilience testing on a regular basis.

In addition, incident response processes must be formally defined and tested, and organisations must be able to demonstrably ensure the continuity of critical systems in the event of disruptions.

The role of Escrow4all in being DORA and NIS2 compliant

Both DORA and NIS2 place explicit emphasis on third-party risk management and the continuity of critical ICT services. For many financial institutions, dependency on software vendors, SaaS solutions and cloud platforms represents a significant operational risk.

Escrow4all supports organisations in managing these risks through digital escrow solutions, including:

Digital escrow makes it possible to demonstrably meet DORA and NIS2 requirements related to:

  • supply chain security
  • business continuity
  • exit and fallback scenarios

As such, escrow is not a legal formality, but a practical risk management instrument.

Conclusion: DORA and NIS2 reinforce each other

DORA and NIS2 are not competing regulations, but complementary frameworks. Together, they require financial institutions to organise digital resilience in a structural and integrated manner — technically, organisationally and contractually.

By investing now in:

  • robust ICT risk management
  • clear contractual arrangements with suppliers
  • digital continuity through escrow

you ensure that your organisation is not only compliant, but also resilient to disruptions that can cause direct financial and reputational damage.

Would you like to learn how escrow solutions can support DORA and NIS2 compliance and risk management in the financial sector? Feel free to contact Escrow4all for more information.
