NIS2 vs. DORA - Unterschiede der EU Cyber Security Regularien

There is still a large variance when it comes to the level of knowledge in companies about the changes to cyber security regulations. One of the most important changes is the Network and Information Security Directive 2.0 (NIS-2) and the Digital Operational Resilience Act (DORA). The aim of this blog post is to familiarize you with the most important differences, similarities and synergies between the two standards and to help you prepare for their entry into force in good time.

The Network and Information Security Directive 2.0 (NIS-2) is, as the name suggests, the update of the NIS Directive. NIS-2 came into force on January 16, 2023. The aim is to harmonize important and essential cybersecurity companies within the European Union (18 sectors according to NIS-2 Annex I and Annex II). In addition to specifications for functioning risk management, the standard also defines reporting obligations for companies.

The Digital Operational Resilience Act (DORA), on the other hand, is limited to the financial sector. The aim is to ensure resilience to cyber attacks, such as denial of service attacks. The standard summarizes the guidelines of the European Banking Authority (EBA) in a compact framework.

Even though the two pieces of legislation appear to be very different at first glance, they have a lot in common.

Both regulations deal with cyber security in companies, in particular the risks arising from the use of information and communication technology (ICT), as part of risk management. Both NIS-2 in part and DORA as a whole describe requirements for financial service providers. Both directives also include supply chains, meaning that companies that are not actually directly affected by the standards are forced to implement measures such as risk assessments.

Furthermore, both regulations also define penalties that companies, but also individuals themselves (such as top management and directors), face in the event of non-compliance. As with the General Data Protection Regulation, the penalty is based either on the annual turnover or a fixed sum (whichever is higher).

Even if there are similarities between NIS-2 and DORA, the two are fundamentally different.

NIS-2 focuses on harmonizing cybersecurity across the EU and, in particular, sharing information with the member states following successful attacks. It sets out broad requirements for information security (especially risk management) and reporting requirements.

Unlike NIS-2, DORA is primarily aimed at operational stability. The aim is to ensure functionality despite successful attacks. The standard focuses on more specific requirements, such as the performance of penetration tests and security audits.

DORA further defines many of the requirements listed in NIS-2. However, as DORA regulates a specific sector, this means that DORA must be given priority (lex specialis). However, in cases where NIS-2 regulates areas that are not covered by DORA, NIS-2 must still be considered.

2, so it can be useful to use them to gain an initial overview of how your own company is positioned in comparison. For example, areas can be identified in which no or hardly any measures have been taken to prepare for NIS-2.

NIS-2 has been in force since January 2023. The member states have until October to transpose the directive into national law.
 DORA, on the other hand, is a regulation and will enter into force in 2025. It is not necessary to transpose it into national law.

COMPLION is your trusted partner when it comes to compliance. With many years of experience in the KRITIS sector and in the financial sector in particular, we are your point of contact when it comes to preparing you.

Author: Robin Enste