---
title: "NIS2 vs DORA: scope, overlap, and evidence for EU cyber compliance"
canonical_url: "https://www.sorena.io/artifacts/eu/nis2-directive/nis2-vs-dora"
source_url: "https://www.sorena.io/artifacts/eu/nis2-directive/nis2-vs-dora"
author: "Sorena AI"
description: "Compare NIS2 and DORA for EU cyber compliance: covered entities, when DORA replaces NIS2 duties for financial entities, incident reporting, evidence, and supervisory handoffs."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "NIS2 vs DORA"
  - "DORA sector-specific Union act"
  - "EU cybersecurity"
  - "financial entities"
  - "Article 21"
  - "Article 23"
  - "ICT risk management"
  - "NIS2"
  - "DORA"
---

# NIS2 vs DORA: scope, overlap, and evidence for EU cyber compliance

Compare NIS2 and DORA for EU cyber compliance: covered entities, when DORA replaces NIS2 duties for financial entities, incident reporting, evidence, and supervisory handoffs.

*Artifact Guide* *EU*

## NIS2 vs DORA: where EU cyber duties split

Use this comparison to decide when NIS2 remains the horizontal cyber-security workstream and when DORA takes over cyber risk-management, incident-reporting, testing, information-sharing, and ICT third-party duties for covered financial entities.

This comparison is grounded in the NIS2 Directive, the Commission NIS2 FAQ, and the Commission guidelines on NIS2 Article 4. DORA detail is limited to what those NIS2-side sources support; it is not a standalone reading of the DORA text.

NIS2 and DORA overlap most clearly around financial-sector cybersecurity. Under the NIS2 Article 4 rule on sector-specific Union legal acts, DORA counts as such an act for covered financial entities, so DORA applies instead of NIS2 for the listed cybersecurity risk-management, reporting, supervision, and enforcement duties. NIS2 still matters for cooperation, national strategies, CSIRT visibility, and for entities or obligations that DORA does not cover.

## NIS2 vs DORA: what changes for scope, duties, and evidence

Use the rows to separate active NIS2 duties from DORA-displaced financial-entity duties and the cooperation paths that still connect both regimes.

- **NIS2**: Horizontal EU cybersecurity directive for essential and important entities, with Article 21 risk-management measures, Article 23 incident reporting, management-body duties, registration, and national supervision.
- **DORA**: Sector-specific Union act for covered financial entities where the NIS2 sources say DORA applies instead for named ICT risk, incident, testing, information-sharing, and ICT third-party duties.

| Dimension | NIS2 | DORA | Operational implication |
| --- | --- | --- | --- |
| Scope and covered activity | Essential and important entities in NIS2 Annex I and Annex II sectors, subject to size-cap and special inclusion rules, unless a sector-specific Union act displaces the relevant NIS2 duty. | Covered financial entities where DORA is the sector-specific Union act for the cybersecurity topics named in the NIS2 recital and Article 4 guidance. | Start with entity type and duty type. The same corporate group can need a DORA handoff for one financial-entity ICT duty and NIS2 analysis for another entity, service, or sector. |
| Who must act | Management bodies of essential and important entities approve and oversee Article 21 measures; security, incident-response, supplier-risk, legal, and country teams maintain the operating evidence. | Financial-entity ICT risk, resilience, incident, procurement, outsourcing, and regulatory-reporting owners handle the DORA-displaced topics, with DORA authorities connected to NIS2 cooperation channels. | Assign one owner for the active legal workstream and one owner for information-sharing or CSIRT/SPOC coordination when the regimes meet. |
| Trigger or threshold | NIS2 is triggered by covered sector, entity category, size or special-case inclusion, jurisdiction, and the presence of Article 21 or Article 23 duties not displaced by another act. | The DORA handoff is triggered when the entity is a covered financial entity and the duty falls into the DORA areas listed by the NIS2 Article 4 guidance. | Do not decide from the acronym alone. Write down the entity, service, jurisdiction, and specific duty before choosing NIS2, DORA, or both for coordination. |
| Core obligations | Article 21 cybersecurity risk-management measures, Article 23 significant-incident notifications, management-body accountability and training, supplier-risk controls, and registration or jurisdiction records where applicable. | For covered financial entities, DORA applies instead for ICT risk management, ICT-related incidents and major ICT incident reporting, resilience testing, information-sharing arrangements, and ICT third-party risk. | Turn each active duty into an owner, source citation, evidence file, and reporting path; avoid a combined checklist that hides which regime controls. |
| Evidence and records | NIS2 evidence includes scope analysis, management-body approval and training records, Article 21 control evidence, supplier-risk files, incident logs, notification records, and national registration details. | For the DORA overlap covered by this NIS2-grounded page, evidence should prove the handoff: covered financial-entity status, the DORA topic involved, the source citation, and the authority/reporting route. | Shared inventories, contracts, tests, and incident logs can be reused only if each item is labelled with the regime and duty it supports. |
| Timing and cadence | NIS2 timing includes Member State transposition and registration processes plus the Article 23 sequence: early warning within 24 hours, incident notification within 72 hours, and later reporting steps. | For DORA-covered topics, use the DORA workstream timeline and keep NIS2-side coordination visible where incident or threat details must reach CSIRTs, competent authorities, or SPOCs. | Calendar the earliest active reporting clock and add reassessment triggers for entity changes, new financial services, supplier changes, cross-border services, and incident escalation. |
| Enforcement or assurance route | NIS2 supervision and enforcement run through national competent authorities, with differentiated treatment for essential and important entities and administrative fines for Article 21 or Article 23 infringements. | For DORA-displaced financial-entity duties, the NIS2 sources point to financial-sector supervisory authorities and cooperation with NIS2 competent authorities, CSIRTs, SPOCs, and the Cooperation Group. | Escalate to the authority path that owns the active duty, while preserving NIS2 information-sharing records where the regimes require cooperation. |
| Overlap and reuse | NIS2 continues to provide the horizontal cyber framework and cooperation architecture, including CSIRTs, SPOCs, Cooperation Group participation, and national cyber strategies. | DORA takes the sector-specific role for covered financial entities on the listed ICT topics, but the NIS2 sources keep information exchange with NIS2 bodies in scope. | Reuse evidence at the control level, not at the legal-conclusion level. A reused log or supplier file still needs a source-linked label for each regime. |
| Practical decision rule | Use NIS2 when the entity and duty remain within the NIS2 scope and are not displaced by a sector-specific Union act with equivalent cyber requirements. | Use the DORA handoff when the entity is a covered financial entity and the duty is one of the DORA ICT risk, incident, testing, information-sharing, or ICT third-party topics identified in the NIS2 sources. | The output should be a concise scope note: entity, duty, active regime, displaced regime if any, evidence owner, reporting route, and reassessment trigger. |

Every row draws on the same three sources: the NIS2 Directive for the NIS2 column, the Commission Article 4 guidelines for the DORA column, and all three (Directive, guidelines, and Commission NIS2 FAQ) for the operational implication. They are listed with their quoted passages below.

Sources cited across the comparison rows (the NIS2 column draws on the Directive, the DORA column on the Commission guidelines, and the operational-implication column on all three):

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022L2555&ref=sorena.io) - Binding NIS2 text for scope, management-body accountability, Article 21 cybersecurity risk-management measures, Article 23 incident reporting, supervision, and the DORA sector-specific rule.
  - Quote: "high common level of cybersecurity across the Union"
- [Commission Guidelines on NIS2 Article 4 and DORA](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ%3AC%3A2023%3A328%3AFULL&ref=sorena.io) - Commission guidance explaining when DORA is the sector-specific Union act for financial entities that are also within NIS2 scope.
  - Quote: "sector-specific Union legal act"
- [European Commission - NIS2 Directive FAQ](https://digital-strategy.ec.europa.eu/en/faqs/directive-measures-high-common-level-cybersecurity-across-union-nis2-directive-faqs?ref=sorena.io) - Commission FAQ explaining NIS2 cooperation, transposition, jurisdiction, and the interaction between NIS2 and DORA for financial-sector entities.
  - Quote: "DORA will apply to these entities"

### How should teams decide whether NIS2 or DORA controls a cyber-compliance duty?

- Identify the legal entity, financial-entity status, NIS2 sector or subsector, Member State jurisdiction, and concrete cyber duty.
- Check whether the duty falls into the DORA areas that the NIS2 Article 4 guidance treats as sector-specific for covered financial entities.
- If DORA displaces the NIS2 duty, document the DORA handoff and preserve any NIS2 cooperation, CSIRT, SPOC, or national-strategy information-sharing step.
- If DORA does not cover the entity or duty, run the NIS2 scope, Article 21, Article 23, management-body, and supervision analysis as its own workstream.

Sources for the practical decision rule:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022L2555&ref=sorena.io) - Binding NIS2 text for scope, management-body accountability, Article 21 cybersecurity risk-management measures, Article 23 incident reporting, supervision, and the DORA sector-specific rule.
  - Quote: "high common level of cybersecurity across the Union"
- [Commission Guidelines on NIS2 Article 4 and DORA](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ%3AC%3A2023%3A328%3AFULL&ref=sorena.io) - Commission guidance explaining when DORA is the sector-specific Union act for financial entities that are also within NIS2 scope.
  - Quote: "sector-specific Union legal act"
- [European Commission - NIS2 Directive FAQ](https://digital-strategy.ec.europa.eu/en/faqs/directive-measures-high-common-level-cybersecurity-across-union-nis2-directive-faqs?ref=sorena.io) - Commission FAQ explaining NIS2 cooperation, transposition, jurisdiction, and the interaction between NIS2 and DORA for financial-sector entities.
  - Quote: "DORA will apply to these entities"

## The short answer for NIS2 and DORA overlap

For financial entities covered by DORA, the NIS2 text says DORA is the sector-specific Union act in relation to NIS2. The practical result is not dual reporting for the same cyber duty: the DORA provisions on ICT risk management, ICT-related incident management and major-incident reporting, digital operational resilience testing, information-sharing arrangements, and ICT third-party risk apply instead of the NIS2 provisions for those areas.

That does not remove the financial sector from the NIS2 ecosystem. The same NIS2 recital and Commission FAQ keep information exchange with NIS2 bodies in view: DORA authorities can participate in the NIS Cooperation Group, cooperate with single points of contact and CSIRTs, and pass major ICT-related incident details or significant cyber-threat information into the NIS2 channels.

- Use DORA as the controlling workstream for covered financial entities on the DORA-listed ICT risk, incident, testing, information-sharing, and ICT third-party topics.
- Use NIS2 for entities, sectors, or duties not displaced by a sector-specific Union act and for NIS2 cooperation architecture that still receives financial-sector incident or threat information.
- Keep a written scope note showing which entity is covered, which obligation is displaced, and which authority or reporting route owns the next action.

Sources for this answer:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022L2555&ref=sorena.io) - Binding NIS2 text for scope, management-body accountability, Article 21 cybersecurity risk-management measures, Article 23 incident reporting, supervision, and the DORA sector-specific rule.
- [Commission Guidelines on NIS2 Article 4 and DORA](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ%3AC%3A2023%3A328%3AFULL&ref=sorena.io) - Commission guidance explaining when DORA is the sector-specific Union act for financial entities that are also within NIS2 scope.
- [European Commission - NIS2 Directive FAQ](https://digital-strategy.ec.europa.eu/en/faqs/directive-measures-high-common-level-cybersecurity-across-union-nis2-directive-faqs?ref=sorena.io) - Commission FAQ explaining NIS2 cooperation, transposition, jurisdiction, and the interaction between NIS2 and DORA for financial-sector entities.

## Where NIS2 remains the workstream

NIS2 remains the horizontal cybersecurity framework for essential and important entities in its Annex I and Annex II sectors unless a sector-specific Union act with at least equivalent cybersecurity risk-management or reporting obligations applies to the relevant entity and duty. NIS2 also contains its own management-body accountability, Article 21 risk-management measures, Article 23 incident-notification sequence, registration and jurisdiction rules, and supervision model.

For implementation teams, the useful first split is entity-and-duty specific. A banking or trading-venue fact pattern may point to DORA for ICT risk and major ICT incident reporting, while a non-financial digital infrastructure provider, managed service provider, public administration entity, or manufacturer in NIS2 scope may remain on the NIS2 workstream.

- Identify the NIS2 sector or subsector, entity category, and Member State jurisdiction before assigning controls.
- Separate management-body approval and training evidence from technical control evidence so NIS2 Article 20 and Article 21 can be reviewed independently.
- Track 24-hour early warning, 72-hour incident notification, and final-report evidence where NIS2 Article 23 controls the incident sequence.

Sources for this answer:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022L2555&ref=sorena.io) - Binding NIS2 text for scope, management-body accountability, Article 21 cybersecurity risk-management measures, Article 23 incident reporting, supervision, and the DORA sector-specific rule.
- [European Commission - NIS2 Directive FAQ](https://digital-strategy.ec.europa.eu/en/faqs/directive-measures-high-common-level-cybersecurity-across-union-nis2-directive-faqs?ref=sorena.io) - Commission FAQ explaining NIS2 cooperation, transposition, jurisdiction, and the interaction between NIS2 and DORA for financial-sector entities.
- [Implementing Regulation (EU) 2024/2690 for NIS2 technical measures](https://eur-lex.europa.eu/eli/reg_impl/2024/2690/oj?ref=sorena.io) - Commission implementing regulation setting technical and methodological requirements for selected NIS2 digital infrastructure and ICT service management entities.
- [ENISA - NIS2 technical implementation guidance](https://www.enisa.europa.eu/publications/NIS2-technical-implementation-guidance?ref=sorena.io) - ENISA guidance with practical evidence examples for the NIS2 implementing regulation; advisory rather than legally binding.

## Where DORA replaces NIS2 duties for financial entities

The NIS2 Article 4 guidelines name the DORA areas that replace the equivalent NIS2 duties for covered financial entities: ICT risk management, ICT-related incident management and major ICT-related incident reporting, digital operational resilience testing, information-sharing arrangements, and ICT third-party risk. The guidance also identifies examples of overlapping financial entities, including credit institutions, trading venues, and central counterparties.

Because this page is grounded in the NIS2 source folder, it does not expand into unsupported DORA implementation detail. Use this page to identify the handoff; use a DORA-specific source pack for detailed DORA article-by-article implementation.

- Record the DORA-covered financial-entity type and the specific DORA topic that replaces the NIS2 duty.
- Do not cite NIS2 Article 21 or Article 23 as the active duty for the same covered financial-entity topic when the Article 4/DORA rule applies.
- Keep CSIRT, SPOC, and competent-authority information-sharing paths visible even when the primary reporting obligation sits in DORA.

Sources for this answer:

- [Commission Guidelines on NIS2 Article 4 and DORA](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ%3AC%3A2023%3A328%3AFULL&ref=sorena.io) - Commission guidance explaining when DORA is the sector-specific Union act for financial entities that are also within NIS2 scope.
- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022L2555&ref=sorena.io) - Binding NIS2 text for scope, management-body accountability, Article 21 cybersecurity risk-management measures, Article 23 incident reporting, supervision, and the DORA sector-specific rule.
- [European Commission - NIS2 Directive FAQ](https://digital-strategy.ec.europa.eu/en/faqs/directive-measures-high-common-level-cybersecurity-across-union-nis2-directive-faqs?ref=sorena.io) - Commission FAQ explaining NIS2 cooperation, transposition, jurisdiction, and the interaction between NIS2 and DORA for financial-sector entities.

## Evidence to keep when both regimes are in the conversation

A useful comparison file should show the scoping conclusion, the source that supports it, the owner for the active workstream, and the evidence location. For NIS2 this may include sector classification, size-cap analysis, management-body approval and training records, Article 21 control evidence, supplier-risk files, and Article 23 incident records. For DORA overlap, keep the evidence at the handoff level unless DORA-specific sources are available.

Do not merge the regimes into one generic cybersecurity checklist. Shared inventories, supplier files, incident logs, and management approvals can be reused, but each evidence item should state whether it supports an active NIS2 duty, a DORA-displaced duty, or an information-sharing/cooperation step between the regimes.

- Label each evidence item by regime, article or source, owner, and review trigger.
- Add a short 'DORA replaces NIS2 for this duty' note when relying on the sector-specific Union act rule.
- Escalate to legal or regulatory counsel when the entity is partly in financial services and partly in another NIS2 sector.

Sources for this answer:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022L2555&ref=sorena.io) - Binding NIS2 text for scope, management-body accountability, Article 21 cybersecurity risk-management measures, Article 23 incident reporting, supervision, and the DORA sector-specific rule.
- [Commission Guidelines on NIS2 Article 4 and DORA](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ%3AC%3A2023%3A328%3AFULL&ref=sorena.io) - Commission guidance explaining when DORA is the sector-specific Union act for financial entities that are also within NIS2 scope.
- [ENISA - NIS2 technical implementation guidance](https://www.enisa.europa.eu/publications/NIS2-technical-implementation-guidance?ref=sorena.io) - ENISA guidance with practical evidence examples for the NIS2 implementing regulation; advisory rather than legally binding.

*Recommended next step*

## Use this comparison to separate active duties from handoff points

Sorena can help turn the NIS2/DORA split into cited scope notes, evidence requests, and owner assignments without treating the two regimes as one generic cybersecurity checklist.

- [Open Research Copilot for NIS2 and DORA overlap](/solutions/research-copilot.md): Ask source-linked questions about NIS2 scope, DORA handoffs for covered financial entities, incident-reporting paths, and evidence reuse.
- [Talk through implementation](/contact.md): Review your NIS2 and DORA overlap, unsupported source gaps, and next implementation steps with Sorena.

## Primary sources

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022L2555&ref=sorena.io) - Binding NIS2 text for scope, management-body accountability, Article 21 cybersecurity risk-management measures, Article 23 incident reporting, supervision, and the DORA sector-specific rule.
  - Quote: "high common level of cybersecurity across the Union"
- [Commission Guidelines on NIS2 Article 4 and DORA](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ%3AC%3A2023%3A328%3AFULL&ref=sorena.io) - Commission guidance explaining when DORA is the sector-specific Union act for financial entities that are also within NIS2 scope.
  - Quote: "sector-specific Union legal act"
- [European Commission - NIS2 Directive FAQ](https://digital-strategy.ec.europa.eu/en/faqs/directive-measures-high-common-level-cybersecurity-across-union-nis2-directive-faqs?ref=sorena.io) - Commission FAQ explaining NIS2 cooperation, transposition, jurisdiction, and the interaction between NIS2 and DORA for financial-sector entities.
  - Quote: "DORA will apply to these entities"
- [Implementing Regulation (EU) 2024/2690 for NIS2 technical measures](https://eur-lex.europa.eu/eli/reg_impl/2024/2690/oj?ref=sorena.io) - Commission implementing regulation setting technical and methodological requirements for selected NIS2 digital infrastructure and ICT service management entities.
  - Quote: "technical and methodological requirements"
- [ENISA - NIS2 technical implementation guidance](https://www.enisa.europa.eu/publications/NIS2-technical-implementation-guidance?ref=sorena.io) - ENISA guidance with practical evidence examples for the NIS2 implementing regulation; advisory rather than legally binding.
  - Quote: "examples of evidence"

## Related Topic Guides

- [Are managed service providers in scope of NIS2?](/artifacts/eu/nis2-directive/faq/managed-service-provider-scope.md): NIS2 scope answer for managed service providers and managed security service providers, including service definition, size-cap checks, entity status, and jurisdiction evidence.
- [EU NIS2 Directive applicability test for entity scope](/artifacts/eu/nis2-directive/applicability-test.md): Stepwise NIS2 applicability test for Annex I and Annex II sectors, medium and large entities, size-independent cases, essential or important classification, jurisdiction, and evidence.
- [EU NIS2 Directive deadlines and compliance calendar | Article 23 clocks](/artifacts/eu/nis2-directive/deadlines-and-compliance-calendar.md): Source-linked NIS2 compliance calendar covering 17 October 2024 transposition, 18 October 2024 application, Article 27 registry data, Article 3 entity lists, Article 23 incident-reporting clocks, and Member State transposition watch items.
- [FAQ: NIS2 essential vs important entity classification and registration obligations](/artifacts/eu/nis2-directive/faq/essential-vs-important-entities.md): Plain-English FAQ comparing NIS2 essential entities and important entities, with Article 3 classification rules, shared Article 21 and 23 duties, supervision differences, and evidence to keep.
- [NIS2 24-hour early warning: what to send and when](/artifacts/eu/nis2-directive/faq/24-hour-early-warning.md): Under NIS2 Article 23, covered essential and important entities submit an early warning within 24 hours of becoming aware of a significant incident.
- [NIS2 72-hour incident notification FAQ](/artifacts/eu/nis2-directive/faq/72-hour-incident-notification.md): Direct answer on the NIS2 72-hour incident notification: when it is due, what it updates, what it must include, and how to preserve evidence.
- [NIS2 Annex I and Annex II Sector Scoping Guide](/artifacts/eu/nis2-directive/annex-i-and-ii-sector-scoping.md): Map NIS2 Annex I and Annex II sectors, entity types, size-cap rules, and essential versus important entity classification with official EU sources.
- [NIS2 Article 21 control baseline and evidence checklist](/artifacts/eu/nis2-directive/article-21-control-baseline.md): Build a NIS2 Article 21 control baseline from the Directive's minimum cybersecurity risk-management measures, proportionality test, supplier duties, and evidence expectations.
- [NIS2 Article 21 control-by-control evidence checklist](/artifacts/eu/nis2-directive/article-21-control-by-control-evidence.md): Map NIS2 Article 21 risk-management measures to evidence records for governance, incident handling, continuity, supply chain, testing, cyber hygiene, cryptography, access, assets, and authentication.
- [NIS2 Article 21 Gap Assessment Workflow: controls, evidence, and owners](/artifacts/eu/nis2-directive/article-21-gap-assessment-workflow.md): Assess NIS2 Article 21 cybersecurity risk-management gaps by mapping current controls to Article 21(2), ownership, evidence, supplier risk, and management review.
- [NIS2 Article 23 incident notification workflow](/artifacts/eu/nis2-directive/article-23-notification.md): Map NIS2 Article 23 reporting duties for significant incidents: 24-hour early warning, 72-hour notification, intermediate reports, final report, recipients, and evidence.
- [NIS2 Compliance Checklist: scope, controls, reporting](/artifacts/eu/nis2-directive/checklist.md): Use this NIS2 compliance checklist to confirm scope, entity classification, management-body duties, Article 21 controls, Article 23 reporting, and evidence.
- [NIS2 Compliance Guide: scope, controls, reporting, and evidence](/artifacts/eu/nis2-directive/compliance.md): A practical NIS2 compliance guide for mapping entity scope, Article 21 risk measures, Article 23 incident reporting, management accountability, and evidence records.
- [NIS2 Country Transposition Tracker: EU Status Workflow](/artifacts/eu/nis2-directive/country-transposition-tracker.md): Track NIS2 Directive transposition by EU country with Commission status pages, Article 41 deadlines, reasoned-opinion flags, source URLs, and review controls.
- [NIS2 Entity Classifier Workflow: essential vs important entity scoping](/artifacts/eu/nis2-directive/entity-classifier-workflow.md): Classify whether an EU service is out of scope, an important entity, an essential entity, or needs national-authority review under the NIS2 Directive.
- [NIS2 essential vs important entities: Article 3 scope and supervision guide](/artifacts/eu/nis2-directive/scope-essential-vs-important.md): Classify NIS2 essential and important entities using Article 3, Annex I and II sector scope, size-cap rules, registration evidence, and the Article 32/33 supervision split.
- [NIS2 essential vs important entities: supervision regime and audit evidence requirements](/artifacts/eu/nis2-directive/essential-vs-important-supervision.md): Compare NIS2 essential and important entities by scope, Article 21 and 23 duties, Article 32 and 33 supervision, evidence, jurisdiction, and penalties.
- [NIS2 FAQ: scope, Article 21 controls, incident reporting, and penalties](/artifacts/eu/nis2-directive/faq.md): Source-linked NIS2 FAQ for teams deciding whether they are in scope, whether they are essential or important entities, which Article 21 cybersecurity measures apply, how Article 23 incident reporting works, and what penalties and evidence records to plan for.
- [NIS2 incident clock triage workflow](/artifacts/eu/nis2-directive/incident-clock-triage-workflow.md): Triage a possible NIS2 significant incident by recording awareness time, severity, impact, authority route, recipient communications, and Article 23 reporting clocks.
- [NIS2 Incident Reporting Workflow: 24-hour, 72-hour, and final report steps](/artifacts/eu/nis2-directive/incident-reporting-workflow.md): Build a NIS2 Article 23 incident reporting workflow with significance triage, CSIRT or authority notification steps, recipient communication, cross-border checks, and evidence records.
- [NIS2 Management Body Accountability: board duties, training, and evidence](/artifacts/eu/nis2-directive/management-body-accountability.md): Source-linked guide to NIS2 Article 20 management body accountability: approval of Article 21 measures, oversight, liability, training, reporting lines, and evidence.
- [NIS2 Member State Transposition: What Teams Must Check](/artifacts/eu/nis2-directive/faq/member-state-transposition.md): How to handle NIS2 Member State transposition: use Article 41 as the EU baseline, then verify national law, authority routing, registration, and incident-reporting details.
- [NIS2 National Transposition Tracker: EU Member State Evidence Register](/artifacts/eu/nis2-directive/national-transposition-tracker.md): Track NIS2 national transposition with Commission country pages, Article 41 dates, reasoned-opinion flags, source wording, authority contacts, and legal review triggers.
- [NIS2 penalties and fines: Article 34 caps for essential and important entities](/artifacts/eu/nis2-directive/penalties-and-fines.md): NIS2 penalties and fines explained for EU essential and important entities, including Article 34 fine ceilings, Article 21 and 23 triggers, national transposition, and evidence to keep.
- [NIS2 Registration and Authority Notification Guide](/artifacts/eu/nis2-directive/registration-and-authority-notification.md): Map NIS2 Article 3 entity-list duties, Article 27 registry submissions, competent-authority contacts, and national registration portal evidence without inventing country deadlines.
- [NIS2 Requirements: scope, Article 21 controls, reporting, and evidence](/artifacts/eu/nis2-directive/requirements.md): Map NIS2 requirements for essential and important entities: scope classification, management-body duties, Article 21 cybersecurity measures, Article 23 incident reporting, and evidence records.
- [NIS2 Size Cap Rule and Special Scope Cases](/artifacts/eu/nis2-directive/size-cap-and-special-cases.md): Determine whether NIS2 applies under the medium-size rule, regardless-of-size special cases, critical entity rule, and Member State registration lists.
- [NIS2 size-cap rule: when medium and large entities are in scope](/artifacts/eu/nis2-directive/faq/size-cap-rule.md): Plain-language FAQ on the NIS2 size-cap rule: medium and large Annex I or II entities, SME thresholds, regardless-of-size exceptions, and evidence to keep.
- [NIS2 supply chain security program: Article 21 controls, contracts, and evidence](/artifacts/eu/nis2-directive/supply-chain-security-program.md): Build a NIS2 Article 21 supply chain security program for direct suppliers and service providers: policy, supplier criteria, contract clauses, monitoring, registry evidence, and source-linked checks.
- [NIS2 vs CER Directive comparison: cyber obligations and critical-entity resilience](/artifacts/eu/nis2-directive/nis2-vs-cerc.md): Compare NIS2 and the CER Directive using grounded rows for scope, triggers, evidence, incident handling, supervision, and shared critical-entity work.
- [NIS2 vs GDPR breach reporting: EU deadlines and overlap](/artifacts/eu/nis2-directive/nis2-vs-gdpr-breach-reporting.md): Compare NIS2 significant-incident reporting with GDPR personal-data-breach reporting, including scope, 24-hour and 72-hour clocks, evidence, and overlap.
- [NIS2 vs ISO/IEC 27001: legal duties, ISMS evidence, and reuse limits](/artifacts/eu/nis2-directive/nis2-vs-iso-27001.md): Compare NIS2 legal obligations with ISO/IEC 27001 ISMS requirements: scope, Article 21 controls, incident clocks, SoA evidence, audits, and certification reuse.
- [NIS2 vs ISO/IEC 27017: legal duties, cloud controls, and reuse limits](/artifacts/eu/nis2-directive/nis2-vs-iso-27017.md): Compare NIS2 legal obligations with ISO/IEC 27017 cloud-service controls: entity scope, Article 21 measures, incident clocks, shared responsibility, evidence, and assurance limits.
- [NIS2 vs NIS1: what changed in EU cybersecurity compliance](/artifacts/eu/nis2-directive/nis2-vs-nis1.md): Compare NIS2 with the repealed NIS1 Directive: expanded sectors, essential and important entities, management-body duties, Article 21 controls, Article 23 reporting, and supervision.

---

[Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us)

(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/eu/nis2-directive/nis2-vs-dora
