NIS2 vs. DORA: The Ultimate Guide to the New EU Cybersecurity Rules for 2026

The NIS2 Directive (Network and Information Security) is the EU’s response to the increased threat level from state actors and cybercriminals. It significantly expands the number of affected companies.

The two NIS2 categories:

• Essential entities: Large companies in sectors with high criticality (energy, transport, banking, healthcare).
• Important entities: Providers in sectors such as waste management, food production, or the chemical industry.

SMEs are often affected indirectly: If a small supplier works for an energy corporation, it may be contractually required to meet NIS2 standards to secure the supply chain.

The Digital Operational Resilience Act (DORA) is a regulation – meaning it applies directly, without national transposition. DORA assumes that an IT outage in the financial system can trigger a chain reaction that threatens the entire EU economy.

The five pillars of DORA:

1. ICT risk management: A robust framework for identifying and mitigating risks.
2. Reporting ICT-related incidents: Classification and reporting of major incidents.
3. Digital operational resilience testing: Regular penetration testing (TLPT).
4. Third-party risk: Oversight of cloud providers and software vendors.
5. Information sharing: Promoting cooperation between financial institutions.

This is the key question for compliance teams. The governing principle is “lex specialis derogat legi generali.”

Because DORA is more specifically tailored to the financial sector, its rules take precedence over NIS2. Financial institutions must therefore primarily comply with DORA. But note: in areas DORA does not explicitly cover (e.g., certain physical security aspects of infrastructure), NIS2 may still apply as a complementary layer.

This is where the most serious operational differences become visible.

For SMEs, DORA’s 4-hour deadline means manual processes are no longer sufficient. Automated monitoring tools become essential. 

Both NIS2 and DORA take accountability seriously. The days when cybersecurity could be “dumped” on the IT department are over.

• Management liability: Senior leadership must approve cybersecurity measures and oversee their implementation. Negligence can lead to personal liability.
• Fines: Under NIS2, up to €10 million or 2% of global annual turnover. DORA provides for similar magnitudes, plus daily penalty payments for critical third-party providers.

To avoid drowning in complexity, SMEs should follow this path:

• Scope analysis: Am I an “essential entity” (NIS2) or an “ICT third-party provider” (DORA)?
• Gap analysis: Compare the current state against ISO 27001 or NIST standards (a strong foundation for both).
• Incident response plan: Build playbooks that reflect DORA’s extremely short deadlines.
• Supply chain audit: Review your own subcontractors—because their security is now your security.

NIS2 and DORA are not just bureaucratic hurdles. They force organizations to build digital resilience that is essential for survival in an era of AI-driven cyberattacks. Companies that integrate these requirements early not only protect themselves from fines, but also secure the trust of customers and partners.

Does DORA also apply to small insurance intermediaries?

Yes. DORA has a very broad scope, but includes proportionality rules for micro-enterprises.

Do I need to implement an ISMS for NIS2?

In practice, yes. Even if the law does not prescribe a specific system, an Information Security Management System (ISMS) aligned with ISO 27001 is the safest route to compliance.

Can authorities shut down my business for DORA violations?

DORA allows supervisors to impose far-reaching sanctions, up to and including license withdrawal or bans on certain services.