Briefing Document: Resilience and Security under the NIS2 Directive and DORA Regulation

Executive Summary

This document provides a comprehensive analysis of two pivotal European Union legislative frameworks designed to enhance digital resilience and cybersecurity: the Network and Information Systems 2 (NIS2) Directive and the Digital Operational Resilience Act (DORA). While both aim to create a harmonized approach to security, they differ significantly in legal nature, scope, and prescriptiveness.

• Core Distinction: DORA is a highly prescriptive regulation with specific, legally binding obligations targeting the financial sector. In contrast, NIS2 is a directive that sets goals for EU member states to achieve through national laws, applying to a broader range of "essential" and "important" entities across critical sectors.
• Scope: DORA's scope is confined to financial entities such as credit institutions, investment firms, and crypto‑asset service providers. NIS2 has a much wider purview, covering sectors of high criticality (e.g., energy, transport, banking, health, digital infrastructure) and other critical sectors (e.g., postal services, manufacturing, digital providers).
• Key Mandates: Both frameworks mandate robust risk management, information security measures, senior management accountability, and stringent incident reporting. However, DORA specifies detailed requirements for an ICT risk management framework, business continuity plans, and third‑party contractual provisions.
• Testing and Reporting: A significant divergence lies in testing obligations. DORA mandates threat‑led penetration testing (TLPT) at least every three years on live production systems, a requirement absent in NIS2. Incident reporting timelines are also distinct: NIS2 requires an "early warning" within 24 hours of a significant incident, whereas DORA demands an initial report within four hours of classifying an incident as "major."
• Penalties and Third‑Party Risk: NIS2 establishes substantial maximum fines for noncompliance‑up to €10 million or 2% of global turnover for essential entities. DORA empowers competent authorities to set penalties, which may include criminal charges, without specifying monetary amounts. DORA is also more explicit regarding ICT third‑party risk management, requiring specific contractual clauses and a formal risk strategy.

Enterprises operating within or providing services to the EU must assess their obligations under these frameworks, as noncompliance carries significant financial and reputational risks. Both NIS2 and DORA have extraterritorial effects, impacting third‑party providers globally.

--------------------------------------------------------------------------------

1. Overview and Scope

1.1. Legal Nature and Purpose

The European Union has enacted NIS2 and DORA to strengthen the resilience of critical services that rely on information and communication technology (ICT). Their primary distinction lies in their legal form:

• NIS2 Directive: As a directive, NIS2 establishes goals that all EU member states must achieve. It is the responsibility of each member state to transpose the directive into national law. NIS2 replaced the original NIS1 directive, expanding its scope to include a wider range of sectors and services.
• DORA Regulation: As a regulation, DORA is more prescriptive and directly enforceable as law across the EU. It outlines specific obligations for covered entities and is supplemented by legally binding regulatory technical standards (RTS).

1.2. Scope of Application

While an enterprise may be subject to DORA, NIS2, both, or neither, their scopes are largely distinct.

NIS2 Directive NIS2 applies to "essential" and "important" entities providing services or conducting activities within the EU. Classification depends on sector, enterprise size, and other factors, such as being a sole service provider or the potential for disruption to impact public security or health.

DORA Regulation DORA's scope is specifically tailored to the financial sector. Some obligations may differ for micro, small, or medium‑sized enterprises.

2. Risk Management, Business Continuity, and Disaster Recovery

Both frameworks mandate comprehensive risk management, but DORA's requirements are more detailed and specific.

• NIS2 requires entities to implement adequate measures to address risks to network and information systems. This includes developing policies for risk analysis and assessing the effectiveness of cybersecurity risk management measures.
• DORA mandates the establishment and maintenance of a detailed ICT risk management framework. This framework must be documented, reviewed at least annually (or periodically for microenterprises), and subject to internal audit. It must include a digital operational resilience strategy that outlines risk tolerance, security objectives (KPIs and KRIs), and methods for detection and protection.

Business Continuity and Recovery DORA places a strong emphasis on business continuity, requiring financial entities to establish:

• An ICT business continuity policy and an associated ICT disaster recovery plan, which must be tested and, for most enterprises, subject to independent audit.
• A backup policy defining what data is backed up and at what minimum frequency, based on data criticality.
• Mechanisms for anomaly detection that are tested regularly.

Employee Training Both frameworks recognize the importance of human factors in security.

• DORA requires ICT security awareness programs and digital operational resilience training for all employees and senior management, with content tailored to their roles.
• NIS2 requires essential and important entities to offer training related to cybersecurity risk management.

3. Information Security and Auditing

3.1. Security Measures

NIS2 and DORA both contain extensive provisions for the security of network and information systems.

Under NIS2, enterprises must have policies, procedures, and measures covering:

• Risk analysis and information system security policies
• Incident handling and business continuity
• Supply chain security
• Cybersecurity training and cyber hygiene
• Encryption and cryptography
• Human resources security and access control
• Use of multifactor authentication (MFA) or continuous authentication

Under DORA, financial entities must:

• Continuously monitor ICT systems and tools to identify potential service interruptions.
• Define alert thresholds to trigger incident detection and response processes.
• Develop policies for strong authentication mechanisms.
• Annually review the adequacy of information asset classification.

3.2. Audit Requirements

Audits are a key component of oversight and compliance for both frameworks.

• NIS2: Essential entities are subject to regular, targeted, and ad hoc security audits. Important entities are subject to targeted security audits. These may be conducted by an independent body or a competent authority.
• DORA:
  • The ICT risk management framework is subject to internal audit. Audit functions must possess appropriate ICT risk expertise and be independent.
  • Financial entities and competent authorities are granted the right to audit ICT third‑party service providers.

4. Incident Reporting Mandates

A core objective of both frameworks is to harmonize incident reporting. Both establish multi‑stage reporting processes with strict timelines, though the specifics differ.

NIS2: Significant Incident Reporting A "significant incident" is one that causes or could cause severe operational disruption, financial loss, or considerable damage to persons.

DORA: Major ICT‑Related Incident Reporting A "major ICT‑related incident" has a "high adverse impact on the network and information systems that support critical or important functions."

5. Testing and Validation

DORA is significantly more prescriptive than NIS2 regarding testing obligations.

• NIS2 does not specify particular testing measures that entities must implement.
• DORArequires financial entities to conduct:
  • Threat‑Led Penetration Testing (TLPT): This must be performed at a minimum of every three years on live production systems and cover critical or important functions. The scope can include ICT third‑party service providers.
  • Operational Resilience Testing: This risk‑based testing must be led by independent parties and may include vulnerability assessments, gap analyses, physical security reviews, and performance testing.

6. Third‑Party and Supply Chain Security

Both frameworks address the risks posed by third‑party service providers, a critical component of modern operations.

• NIS2 requires entities to address supply chain security as part of their risk management measures but does not outline specific contractual requirements.
• DORA mandates a comprehensive ICT third‑party risk strategy. It requires that contracts with ICT service providers include specific provisions to ensure accessibility, availability, integrity, and security. Contracts must also stipulate assistance during ICT incidents and methods for data recovery if the provider ceases operations.

Notably, NIS2 and DORA align on the definition of a critical ICT third‑party service provider, with NIS2 referencing DORA's Article 31 for the criteria.

7. Governance, Accountability, and Information Sharing

7.1. Management Responsibility

Both frameworks place ultimate responsibility for compliance on senior management.

• NIS2: Management bodies must approve cybersecurity measures and oversee compliance. Individuals may be held liable for noncompliance related to cybersecurity risk management.
• DORA: Management is responsible for overseeing and implementing the ICT risk management framework and must remain knowledgeable on the subject.

7.2. Voluntary Information Sharing

To promote collective resilience, both NIS2 and DORA allow for the voluntary sharing of cybersecurity‑related information among industry peers. Under NIS2, this can include information on:

• Cyberthreats and near misses
• Vulnerabilities
• Indicators of compromise
• Adversarial tactics and techniques

8. Noncompliance and Penalties

Noncompliance with either framework can result in severe penalties.

NIS2 Penalties Member states are empowered to impose fines for infringements of Articles 21 (risk management) and 23 (reporting).

Compliance has been a challenge, with only six of the EU member states meeting the 17 October 2024 transposition deadline. A survey from October 2024 indicated that 38% of Irish businesses would not be prepared for compliance.

DORA Penalties DORA does not set specific fine amounts. Instead, it allows competent authorities to determine appropriate penalties and remedial measures for noncompliance, which may include criminal penalties.

9. High‑Level Comparison