A fintech CTO discovers a privileged-access misconfiguration in production at 14:03 on a Tuesday. By 14:30, three regulators are theoretically expecting different artifacts on different deadlines. DORA wants the ICT incident classified and, if it is major, an initial notification within hours, followed by an intermediate report at 72 hours and a final report at one month. NIS2 wants a 24-hour early warning to the national CSIRT. GDPR wants a 72-hour personal-data breach notification if the personal data of anyone in the EU was exposed.
Same incident. Three regulators. Three filing cadences. Most fintechs that have been working on DORA since January 2025 are surprised to learn that NIS2 (October 2026) does not subsume their DORA work — and vice versa. They overlap roughly 65 percent. The other 35 percent is where audit findings live.
This is the side-by-side map.
One Sentence Each
DORA (Regulation EU 2022/2554, applicable since 17 January 2025) is the EU’s harmonized rulebook for the digital operational resilience of financial entities and their critical ICT third-party providers — banks, fintechs, insurers, and the SaaS that serves them.
NIS2 (Directive EU 2022/2555, German implementation 1 October 2026) is the EU’s broader cybersecurity framework for “essential” and “important” entities across 18 sectors — including digital infrastructure, banking, financial market infrastructure, and managed services.
When both apply, DORA is lex specialis for ICT risk management and incident reporting in finance. DORA Article 1(2) states this, and NIS2 Article 4 (sector-specific Union legal acts, with DORA named in Recital 28) disapplies NIS2 Articles 21 and 23 where a sector-specific act imposes at least equivalent obligations. NIS2’s other obligations (governance, supply chain beyond ICT, training, registration) still apply.
The Side-by-Side Map
The 12 dimensions that decide which framework you write evidence against, and where:
| Dimension | DORA | NIS2 |
|---|---|---|
| Legal instrument | Regulation 2022/2554 (directly applicable, no national transposition) | Directive 2022/2555 (national transposition required, e.g. NIS2UmsuCG in Germany) |
| Effective date | 17 January 2025 | Member-state dependent — Germany 1 October 2026 |
| Primary regulator | Sector-specific NCAs (BaFin in Germany, AMF/ACPR in France) | National cybersecurity authorities (BSI in Germany, ANSSI in France, ACN in Italy) |
| Scope | ~22,000 financial entities + critical ICT third-party providers | ~160,000 EU entities across 18 sectors (~29,000 in Germany alone) |
| Risk-management framework | Article 6 ICT Risk Management Framework — far more prescriptive | Article 21(2) — 10 mandatory measures, principle-based |
| Incident classification | Article 18 — quantitative thresholds (clients affected, geographic spread, duration, economic impact) | Article 23(3) — “significant incident” qualitative test |
| Initial notification | 4 hours from classification as major, and no later than 24 hours from awareness (deadlines set in the RTS/ITS on major-incident reporting) | 24-hour early warning |
| Intermediate report | 72 hours (intermediate report) | 72 hours (incident notification) |
| Final report | 1 month (with extension to 6 weeks possible) | 1 month |
| Threat-led penetration testing | TLPT every 3 years for systemic entities | Not required |
| Supply chain / third-party | Article 28-30 — explicit ICT-third-party register, exit strategies, contractual minima | Article 21(2)(d) — supply chain security risk-management measure |
| Personal liability for management | Article 5 — board approval and oversight of ICT risk strategy | §38 BSIG (Germany) — non-delegable management duty, personal liability under Article 32(6), and a temporary management ban for essential entities under Article 32(5)(b) |
The deliberate visual split: DORA is more prescriptive on ICT detail; NIS2 is broader in sector and obligation reach.
Where They Overlap (≈65 Percent)
The shared bedrock is real. A fintech that has built mature DORA-compliant programs has already done the bulk of NIS2 Article 21 — but the mapping is not automatic. You need to re-cite the same evidence under different control IDs and submit it under different governance.
Concrete overlap:
- Risk-management policy and methodology — DORA Article 6 frameworks satisfy NIS2 Article 21(2)(a). Same evidence, different filing.
- Incident-handling procedures — DORA’s classification + workflow satisfies NIS2 Article 21(2)(b). Filings still go to two regulators.
- Business continuity and DR — DORA Articles 11–14 satisfy NIS2 Article 21(2)(c). Same RTO/RPO documentation, different audit window.
- Cryptography, MFA, access control — DORA Article 9 satisfies NIS2 Article 21(2)(h/i/j). One technical baseline, two reporting tracks.
- Vulnerability handling — DORA’s vulnerability management satisfies NIS2 Article 21(2)(e/f). Same scanner output, two compliance frames.
The SaaSFort scan maps every finding to NIS2 Article 21 and DORA articles — both citations show in the NIS2 compliance PDF export and the live API at /api/nis2/controls/dora. One scan, two regulator-ready artifacts.
Where DORA Goes Further
DORA explicitly covers ground NIS2 leaves principle-based:
- Threat-led penetration testing (TLPT) — required every 3 years for systemic entities under Article 26. NIS2 has no equivalent.
- ICT third-party register — DORA Article 28(3) mandates a structured register of every ICT contract. NIS2 Article 21(2)(d) requires “supply chain security” without prescribing the format.
- Concentration risk — DORA Articles 28-29 specifically address over-reliance on single ICT providers. NIS2 doesn’t formalize this.
- Critical ICT third-party provider designation — DORA Articles 31-44 create an ESA-led oversight regime with EU-wide designations. NIS2 has no parallel.
- Exit strategies — DORA contractual minima include exit and termination scenarios. NIS2 leaves this to general business continuity.
If you ship SaaS to banks, the DORA contractual obligations land on you whether or not you’re a designated CTPP — your customers will require the contractual minima downstream.
Where NIS2 Goes Further
NIS2 covers ground DORA does not touch because DORA’s scope stops at finance:
- Cybersecurity training — NIS2 Article 20(2) requires regular cybersecurity training for management bodies. DORA expects competence; NIS2 prescribes documented training every 3 years (BSI guidance specifies records: participants, content, trainer, duration).
- Registration obligation — NIS2 entities must register with national authorities (Germany: BSI portal, deadline 6 March 2026 — passed for ~17,500 unregistered entities per b2b-cyber-security.de). DORA has no registration analogue.
- Personal liability with non-delegability — Germany’s §38 BSIG implementation makes cybersecurity oversight non-delegable for managing directors. DORA Article 5 requires board oversight; §38 BSIG goes further with personal liability cascades. See our §38 BSIG personal-liability guide.
- Temporary management ban — Article 32(5)(b) NIS2 allows supervisors (via the competent bodies or courts) to temporarily prohibit managing directors of essential entities from exercising managerial functions for severe non-compliance. DORA has no equivalent enforcement option.
- Broader supply chain — NIS2 Article 21(2)(d) covers all suppliers, not just ICT providers. Office providers, courier services, cleaning contractors that touch sensitive areas — all in scope.
The Filing Sequence If Both Apply
A significant ICT incident at a German fintech triggers the following timeline (DORA hours rounded for clarity; consult RTS for exact figures):
| T+ | Action | Recipient | Authority basis |
|---|---|---|---|
| Awareness | Internal escalation, declare awareness in writing | Internal | Both regimes — clock-start |
| ~4 hours from classification (≤24 hours from awareness) | DORA initial notification (if classified major) | BaFin | DORA Art. 19 + RTS/ITS |
| 24 hours | NIS2 early warning | BSI Meldeportal | NIS2 Art. 23(4)(a) |
| 72 hours | DORA intermediate report + NIS2 incident notification | BaFin + BSI | DORA Art. 19 + NIS2 Art. 23(4)(b) |
| 72 hours (if personal data) | GDPR breach notification | DPA (BfDI / state authority) | GDPR Art. 33 |
| 1 month | NIS2 final report | BSI | NIS2 Art. 23(4)(d) |
| 1 month (extendable to 6 wks) | DORA final report | BaFin | DORA Art. 19 |
Three filings, one incident. The free incident-readiness bundle includes the NIS2 24h/72h/1-month templates plus the BSI Meldeportal field-map — pair it with your DORA classification workflow and your GDPR breach playbook to cover the trio.
Action Plan for Fintechs in Scope of Both
If both apply (most banks, most large fintechs, most regulated payment providers), the highest-leverage sequence:
- Map your DORA evidence to NIS2 Article 21 — most controls already satisfy NIS2; what’s missing is governance, training, and registration. Use the free NIS2 Article 21 self-audit Excel template to identify gaps in one hour.
- Register with BSI if you haven’t — the deadline passed; you are exposed to €500K registration fines independent of any incident.
- Document §38 BSIG-required management training — DORA expects competence but NIS2 (German implementation) prescribes records. The audit gap most DORA-mature firms have is exactly this.
- Build the dual-filing incident playbook — your DORA workflow goes to BaFin; your NIS2 workflow goes to BSI. The same incident triggers both. Pre-write the templates.
- Run an external scan — both DORA Article 9 and NIS2 Article 21(2)(e/f) require vulnerability handling. A SaaSFort scan covers both citations in one report.
For a deeper dive on the fintech-specific NIS2 angle, see our NIS2 compliance for fintech & payment providers guide. For B2B SaaS vendors selling into regulated fintechs, the supply-chain cascade determines what evidence procurement teams will pull from you.
FAQ
If I’m DORA-compliant, am I automatically NIS2-compliant?
No. DORA covers ICT risk and incident reporting comprehensively for finance — that satisfies the technical core of NIS2 Article 21. But NIS2 adds management training records, BSI registration, broader supply-chain scope, and personal-liability provisions that DORA does not address. Plan for ~30-40 percent additional NIS2-specific work on top of a mature DORA program.
Which regulator do I file with first during an incident?
DORA. The DORA initial notification clock is faster (hours) than the NIS2 24-hour early warning. File DORA first, then NIS2 within its window. If personal data is involved, GDPR’s 72-hour clock runs in parallel with NIS2’s 72-hour incident notification.
Are the fines additive?
Yes. DORA Article 50 allows administrative penalties under national law. NIS2 imposes up to €10M or 2% global turnover for essential entities (€7M / 1.4% for important entities). GDPR adds up to €20M or 4%. The same incident can trigger fines from up to three regimes for different aspects of the failure.
Does DORA’s lex specialis status mean I can ignore NIS2 Article 23 if I file under DORA?
For incident reporting in scope of DORA — yes. NIS2 Article 4 disapplies its Articles 21 and 23 where a sector-specific act such as DORA (named in Recital 28) imposes at least equivalent obligations, and DORA Article 1(2) declares DORA lex specialis. But this only covers risk-management measures and incident notification. The other NIS2 obligations (registration, training, governance, broader supply chain) still apply independently.
My fintech is sub-50 employees. Are we still in scope?
Likely yes for DORA (no minimum-size threshold for many financial entities). For NIS2, the size thresholds (50+ employees / €10M turnover) apply but with sectoral exceptions — public electronic communications providers, trust service providers, top-level domain registries, and others have no size threshold. Self-classification is your call until BaFin or BSI disputes it; conservative path is to register and assess Article 21 even if borderline.
What about other EU member states beyond Germany?
DORA is uniform across the EU (regulation, no transposition). NIS2 transposition varies — France, Italy, Spain are at different deadlines and have different implementation choices. The 12-dimension table above holds across member states; the regulator names and deadlines change. The MSP NIS2 compliance guide covers multi-jurisdiction filing patterns.
One scan, two compliance frames. Run a free SaaSFort scan — every finding maps to NIS2 Article 21 and DORA articles, exportable as a NIS2 PDF and queryable via /api/nis2/controls/dora. New accounts get a 14-day Growth trial. For internal evidence, the free NIS2 Article 21 self-audit Excel template covers all 10 measures with status, priority, owner, and deadline columns.
Move from reading to action
Scan your domain for free. First results in under 10 seconds, no sign-up required.