Two EU cyber-resilience regimes are driving compliance budgets in 2026, and they are constantly confused: NIS2 and DORA. They overlap in spirit (both demand stronger cyber risk management and incident reporting), but one is a directive and the other a regulation, they apply to different organisations, and they run on different deadlines. If you operate in the EU, the first job is working out which one (or both) binds you, and how far behind you are.
NIS2 vs DORA at a glance
| Factor | NIS2 | DORA |
|---|---|---|
| Legal instrument | Directive (EU) 2022/2555; transposed into national law (deadline was 17 October 2024) | Regulation (EU) 2022/2554; directly applicable, no transposition needed |
| Who it covers | Essential and important entities across many sectors, generally medium and large enterprises | Financial entities and their ICT third-party providers, including critical ICT third-party providers designated for EU-level oversight |
| Core demands | Risk management, incident reporting, supply-chain security, management accountability | ICT risk management, ICT incident management and reporting, digital operational resilience testing, ICT third-party risk, information sharing |
| Incident reporting clock | Early warning within 24 hours, incident notification within 72 hours, final report within one month | Initial notification within 4 hours of classifying an incident as major (and no later than 24 hours of becoming aware), intermediate report within 72 hours, final report within one month |
| Status in 2026 | Many member states transposed late; national enforcement ramping, with significant penalties | Applicable since 17 January 2025; under active supervision |
| Penalty exposure | Up to €10M or 2% of total worldwide annual turnover, whichever is higher (essential entities); up to €7M or 1.4% (important entities) | Administrative penalties and remedial measures set by member states; periodic penalty payments for critical ICT third-party providers of up to 1% of average daily worldwide turnover |
Which one applies to you?
If you are a bank, insurer, investment firm, payment institution, crypto-asset service provider, or a critical ICT provider to them, DORA almost certainly applies, and as a Regulation it applies uniformly across the EU without waiting for national law. If you operate in energy, transport, water, health, digital infrastructure, public administration, manufacturing of critical products, or you are a sizeable digital-service provider, NIS2 likely applies through your member state's transposing law. NIS2 uses a size cap: medium and large enterprises in the listed sectors are in scope by default, with some entity types (for example DNS service providers, TLD registries, trust service providers and public administration) in scope regardless of size. Financial entities can be in scope of both; for ICT risk management and incident reporting DORA acts as the sector-specific lex specialis and those NIS2 obligations do not apply in addition.
The fastest way to get ready for either
Both regimes map closely onto an ISO 27001 information security management system. Building or extending an ISMS gives you the risk-management, incident-handling, and supplier-security controls both regulations expect, then you layer the regulation-specific obligations on top. Praxis-Q delivers NIS2 readiness and DORA readiness on an ISO 27001 backbone so you are not building three programmes in parallel.
How to prioritise in 2026
- Financial entity or ICT provider to one: DORA is live now. Treat gaps as urgent, especially digital operational resilience testing (including threat-led penetration testing where it applies to you) and the register of information on your ICT third-party arrangements.
- Critical-sector operator: confirm your member state's NIS2 transposition status, check the size cap against your own headcount and turnover, and register with or notify the competent authority as the national law requires.
- In scope of both: run one ISMS-based programme and map controls to each regime to avoid duplication.
Frequently asked questions
What is the difference between NIS2 and DORA?
NIS2 is an EU directive covering essential and important entities across many sectors, transposed into national law. DORA is an EU regulation that applies directly and uniformly to financial entities and their ICT third-party providers. Financial firms can be subject to both, with DORA taking precedence for ICT risk management and incident reporting, so those NIS2 obligations are not applied on top.
Is DORA in force in 2026?
Yes. DORA has applied since 17 January 2025 and financial entities are under active supervision, so gaps in ICT risk management, resilience testing, and third-party oversight are a current exposure.
Does ISO 27001 help with NIS2 and DORA?
Yes, as a foundation. An ISO 27001 ISMS provides much of the risk-management, incident-handling, and supplier-security foundation both regimes require, but it is not a substitute for either: you still need to add the regulation-specific obligations on top, such as DORA's register of information and resilience testing (including threat-led penetration testing for entities required to perform it), and NIS2's registration and reporting timelines.
Sahil Dubey
Compliance & Security Expert
CISA, ISO 27001 LA, AWS Certified. 11+ years in information security, cloud services, and compliance. Founder of Praxis-Q.