DORA and NIS2 are the EU’s two big cyber-resilience regimes, both fully applicable since 2024–2025, and they are frequently confused. The short version: NIS2 is the broad, cross-sector cybersecurity directive; DORA is the specialised regulation for the financial sector. Where both could apply to a financial entity, a precise legal rule decides which prevails. This guide makes that rule concrete for Belgian organisations.
## TL;DR
- NIS2 = directive, broad sectors, transposed nationally (Belgium: in force 18 Oct 2024, supervised by the CCB).
- DORA = regulation, financial entities only, directly applicable since 17 Jan 2025.
- For financial entities, DORA is lex specialis (Recital 16) and a sectoral act under NIS2 Art. 4 — its risk & reporting duties displace the equivalent NIS2 ones.
- It does not exempt financial entities from the NIS2 ecosystem (cooperation, CSIRTs).
- If you have no financial licence, you are likely in NIS2, not DORA.
## Scope: who each one binds
DORA (Regulation (EU) 2022/2554) applies to a closed list of “financial entities” in Art. 2(1) — credit institutions, payment and e-money institutions, investment firms, crypto-asset service providers under MiCA, insurers and intermediaries, fund managers, trading venues, and more — plus ICT third-party service providers, who fall under its oversight regime. NIS2 (Directive (EU) 2022/2555) covers “essential” and “important” entities across many sectors (energy, transport, health, digital infrastructure, public administration, and more), generally above a size threshold. Crucially, DORA is a regulation — directly applicable, identical across the EU — while NIS2 is a directive that each member state transposes; in Belgium that is the law of 26 April 2024, in force since 18 October 2024 and supervised by the Centre for Cybersecurity Belgium (CCB).
## The lex specialis rule — how overlap is resolved
A financial entity could, on its face, qualify under both. DORA settles this. Recital 16 states that DORA is lex specialis relative to NIS2, and Art. 1(2) provides that for financial entities identified as essential or important under national NIS2 rules, DORA counts as a Union sectoral legal act for the purposes of NIS2 Article 4. Article 4 of NIS2 is the mechanism: where a sectoral EU act imposes cybersecurity risk-management and reporting requirements at least equivalent in effect to those of NIS2, the sectoral rules apply instead of the corresponding NIS2 obligations. So for in-scope financial entities, DORA’s ICT risk-management and incident-reporting duties replace the equivalent NIS2 ones.
Important nuance: this is not an exemption. Financial entities remain part of the NIS2 ecosystem — the cooperation group, CSIRT links — and DORA Art. 47 organises that coordination. Do not read “DORA prevails” as “NIS2 no longer matters”.
## The five pillars of DORA
| Pillar | Articles | In short |
|---|---|---|
| 1. ICT risk management | Art. 5–16 | Governance, framework, identify/protect/detect/respond, backups. |
| 2. ICT incident management & reporting | Art. 17–23 | Classify and report major ICT-related incidents to authorities. |
| 3. Digital operational resilience testing | Art. 24–27 | Regular testing; advanced threat-led penetration testing (TLPT). |
| 4. ICT third-party risk | Art. 28–44 | Manage provider risk; oversight of critical third parties. |
| 5. Information sharing | Art. 45 | Voluntary sharing of cyber-threat intelligence. |
The third-party pillar is where most organisations feel DORA first — it is covered in depth in building your DORA Register of Information.
## Key dates
- DORA: in force 16 January 2023; applicable from 17 January 2025 (Art. 64) — no transposition needed.
- NIS2: EU transposition deadline 17 October 2024; in Belgium, national rules apply from 18 October 2024.
## Which applies to you? A decision guide
- Are you a licensed financial entity in the Art. 2(1) list (bank, payment/e-money institution, investment firm, MiCA crypto provider, insurer, fund manager…)? → DORA applies, and it displaces the equivalent NIS2 duties while you remain in the NIS2 ecosystem.
- Not a financial entity, but an essential/important entity in a NIS2 sector? → NIS2 applies (see the 18 Belgian sectors).
- An ICT provider to financial entities? → You feel DORA contractually (your clients must impose Art. 30 terms) and may be designated a critical third-party provider; you may also be in NIS2 in your own right.
A “fintech” has no single answer — it depends entirely on its regulatory status. The right reflex is: what licence do you hold? That, not the label, decides DORA vs NIS2. See also GDPR vs NIS2 for how data-protection duties layer on top.
General information, not legal advice; for a definitive scoping, validate with a qualified adviser or the competent authority (in Belgium, the NBB/FSMA for financial entities, the CCB for NIS2). ICTLAB helps Belgian organisations scope and operationalise DORA and NIS2 — explore our NIS2 & compliance service or talk to our team.