DORA and NIS2 are the EU’s newest and most far-reaching cybersecurity and resilience regimes. Both raise the bar on how organizations manage operational and cyber risk, and both extend obligations deep into the supply chain — making them major drivers of GRC programs for any organization operating in or selling into the EU.
DORA: digital operational resilience for finance
The Digital Operational Resilience Act (DORA) is an EU regulation that applies to financial entities — banks, insurers, investment firms, and many others — and to the critical ICT third parties that serve them.
Applying from January 2025, it sets uniform requirements across five areas: ICT risk management, incident reporting, digital operational resilience testing, third-party risk management, and information sharing. DORA’s emphasis on ICT third-party risk is notable: it brings critical technology providers (including major cloud services) under regulatory oversight and requires financial entities to manage and document that dependency rigorously.
NIS2: cybersecurity for essential sectors
The NIS2 Directive is the EU’s updated cybersecurity directive, significantly expanding the scope of its predecessor.
It applies to “essential” and “important” entities across sectors such as energy, transport, health, digital infrastructure, and more. NIS2 requires risk-management measures, incident reporting, and supply-chain security, and — importantly — it introduces management accountability, holding senior leadership responsible for cybersecurity governance.
As a directive, NIS2 is transposed into each member state’s national law, so specific obligations vary somewhat by country.
How DORA and NIS2 fit a GRC program
Both regimes map directly onto GRC disciplines: risk management, incident response, and especially third-party risk management, which both elevate to a regulatory requirement.
Their shared emphasis on governance and senior accountability ties them to enterprise risk management and board reporting. Because they overlap with controls organizations already maintain for ISO 27001 and the NIST CSF, they are strong candidates for control cross-mapping within a compliance management program.
Frequently asked questions
What is DORA?
DORA is the EU’s Digital Operational Resilience Act, applying from January 2025, which sets uniform requirements for financial entities and their critical ICT providers across ICT risk management, incident reporting, resilience testing, third-party risk, and information sharing.
What is the NIS2 Directive?
NIS2 is the EU’s updated cybersecurity directive, expanding the scope of essential and important entities subject to cybersecurity risk-management and incident-reporting obligations, and introducing senior-management accountability for cybersecurity governance.
Who does DORA apply to?
DORA applies to a wide range of EU financial entities — banks, insurers, investment firms, payment institutions, and more — and to the critical ICT third-party providers that serve them, including some major cloud and technology providers.
What is the difference between DORA and NIS2?
DORA is a regulation focused specifically on the operational resilience of the financial sector and its ICT providers; NIS2 is a broader directive covering cybersecurity across many essential and important sectors. Organizations in finance may fall under both.