
NIS2 vs DORA

Same incident, two regulators, two filing cadences. Most fintechs that have been working on DORA since January 2025 assume NIS2 (Germany, October 2026) is covered by that work. It is not, and the reverse is also not true. The two regimes overlap roughly 65 percent on technical controls. The other 35 percent, where DORA resilience testing meets NIS2 registration and management training, is where audit findings live. Here is the axis-by-axis split.

Axis-by-axis comparison

Legal instrument
  DORA: Regulation (EU) 2022/2554. Directly applicable, no national transposition.
  NIS2: Directive (EU) 2022/2555. Needs national transposition (NIS2UmsuCG in Germany).

Who it covers
  DORA: Financial entities and their critical ICT third-party providers: banks, fintechs, insurers, and the SaaS that serves them.
  NIS2: Essential and important entities across 18 sectors: digital infrastructure, managed services, banking, and more.

Effective date
  DORA: Applicable since 17 January 2025.
  NIS2: Member-state dependent. Germany: 1 October 2026.

Primary regulator
  DORA: Sector NCAs: BaFin in Germany, AMF/ACPR in France.
  NIS2: National cyber authorities: BSI in Germany, ANSSI in France, ACN in Italy.

Core obligation
  DORA: ICT risk management, resilience testing, incident reporting, and oversight of critical ICT third parties.
  NIS2: Article 21 risk-management measures, Article 23 incident reporting, governance, supply chain, and management training.

Incident reporting
  DORA: Initial notification around 4h if classified major, intermediate at 72h, final report at 1 month (Art. 19).
  NIS2: Early warning 24h, notification 72h, final report 1 month (Art. 23).

Penalties
  DORA: Sectoral sanctions via the NCA. No management-ban mechanism.
  NIS2: Up to €10M or 2% turnover. Article 32(6) allows a temporary management ban, plus §38 BSIG personal liability.

When both apply
  DORA: DORA is lex specialis for ICT risk and incident reporting in finance. NIS2 Art. 1(2) defers to it.
  NIS2: Non-ICT obligations still apply: governance, supply chain beyond ICT, training, registration.

Common confusion

"DORA covers cybersecurity for finance, so NIS2 does not apply to my fintech."

False. DORA is lex specialis only for ICT risk and incident reporting. NIS2 Article 1(2) defers to DORA on those specific topics, but NIS2 keeps its other obligations: governance, supply-chain risk beyond ICT, management-body training, and registration with the national authority. A fintech in NIS2 scope still registers and still trains its management body, even with a complete DORA program. Treat them as overlapping circles, not one inside the other.

Cover the shared 65 percent in 60 seconds

The external posture both DORA and NIS2 care about (TLS, DNS, headers, exposed services) is deterministic and auditable. SaaSFort scans it, maps each finding to NIS2 Article 21 and ISO 27001 Annex A, and hands you a dated PDF. Run the free scan, or take the €39 Audit Pack with 90 days of re-scans to show progress over time.

Frequently asked questions

Do I need NIS2 if my fintech already complies with DORA?

Usually you carry both, but they do not duplicate. For ICT risk management and incident reporting, DORA is lex specialis for financial entities, and NIS2 Article 1(2) explicitly defers to it. The catch is the other 35 percent: NIS2 obligations on governance, supply chain beyond ICT, management-body training, and national registration still apply if you are in NIS2 scope. So your DORA workflow does not subsume your NIS2 registration or your Article 20 training records.

Does DORA lex specialis mean I can skip NIS2 Article 23 incident reporting?

For the ICT incident itself, filing under DORA Article 19 to your NCA (BaFin in Germany) generally satisfies the financial-sector reporting path. But the same incident can still trigger a NIS2 notification to the BSI if you are also a NIS2 entity, and the cadences differ (DORA initial around 4h vs NIS2 early warning at 24h). The conservative path is a dual-filing playbook: pre-write the DORA template for the NCA and the NIS2 template for the cyber authority, because one incident can hit both.

Which regulator do I report to, BaFin or BSI?

Both, potentially, for the same incident. DORA reporting goes to your sector National Competent Authority, which is BaFin in Germany. NIS2 reporting goes to the national cybersecurity authority, which is the BSI. A fintech that is in scope for both files the DORA report to BaFin and the NIS2 notification to the BSI. Map your reporting lines before an incident, not during one.

How much do DORA and NIS2 overlap?

Roughly 65 percent on the technical controls: access control, encryption, logging, vulnerability management, and external posture all serve both regimes. The 35 percent that does not overlap is where audit findings cluster: DORA resilience testing and ICT third-party registers on one side, NIS2 registration and management-body training on the other. Build the shared 65 percent once, then close each regime-specific gap separately.

Can a SaaSFort scan produce evidence for both DORA and NIS2?

For the externally observable portion, yes. The scan checks TLS, DNS, security headers, certificate chains, and exposed services, and maps each finding to NIS2 Article 21 and ISO 27001 Annex A control IDs. That external posture is part of the shared 65 percent: it supports DORA ICT risk management and NIS2 Article 21 at the same time. It does not assess internal resilience testing or third-party registers, which are the regime-specific parts that a deeper engagement covers.
