
Why DORA Doesn’t Cover All Banking — and Where NIS2 Applies Instead

Most banking compliance departments are focused on DORA. The Digital Operational Resilience Act entered application on 17 January 2025, imposing prescriptive ICT risk management frameworks, mandatory resilience testing, and a 4-hour initial incident reporting window on financial institutions across the EU. The working assumption in many institutions is that DORA is the banking sector’s cybersecurity law — NIS2 belongs to energy companies, hospitals, and logistics operators.

That assumption is incomplete in two important ways.

The NIS2 Directive (EU) 2022/2555 classifies banking and financial market infrastructure as Annex I sectors — the highest criticality tier, alongside energy, transport, and health. NIS2 Article 4 contains a lex specialis provision that gives DORA precedence over equivalent NIS2 obligations, but this carve-out has limits. First, DORA’s scope explicitly excludes six categories of banking and financial entity, which remain under NIS2 alone. Second, even entities fully within DORA scope retain residual NIS2 obligations that DORA does not replace. Third, national NIS2 transpositions can introduce obligations beyond DORA’s scope that apply to all in-scope banking entities regardless of DORA status.

This guide maps the boundary precisely for compliance professionals at credit institutions, investment management firms, and financial market infrastructure operators. For context on the NIS2 framework, see What Is the NIS2 Directive?. For entity scope thresholds and size criteria, see Who Must Comply with NIS2?.

Scope Map: Which Framework Applies to Your Entity Type

The table below gives a baseline classification. The analysis in each subsequent section explains the distinctions that matter for compliance planning. Work through the table by matching your entity’s regulatory authorisation status — not its economic function — to the correct row.

Entity type | In DORA scope? | NIS2 applies? | Primary framework
Licensed credit institution (bank) | Yes | Partial — residual obligations remain | DORA + NIS2 registration
Central counterparty (CCP) | Yes | Partial — residual obligations remain | DORA + NIS2 registration
Central securities depository (CSD) | Yes | Partial — residual obligations remain | DORA + NIS2 registration
Trading venue (regulated market / MTF / OTF) | Yes | Partial — residual obligations remain | DORA + NIS2 registration
Licensed payment institution | Yes | Partial — residual obligations remain | DORA + NIS2 registration
Large AIFM (full AIFMD authorisation) | Yes | Partial — residual obligations remain | DORA primary; NIS2 residual
Small AIFM (AIFMD Article 3(2) exempt) | No | Yes — if medium enterprise or larger | NIS2 Important entity
MiFID II Article 2 / 3 exempt investment firm | No | Yes — if medium enterprise or larger | NIS2 Important entity
SME insurance intermediary | No | Yes — if medium enterprise or larger | NIS2 Important entity
Post-office giro institution | No | Yes | NIS2 Essential or Important
National development bank (DORA opt-out applied by member state) | Depends on member state | Yes | NIS2 Essential entity
Central bank (ECB / national central bank) | No — Recital 63 carve-out | No — excluded from NIS2 scope | Neither

The Lex Specialis Principle: How DORA Displaces NIS2 — and Where It Doesn’t

NIS2 Article 4(1) provides that where a sector-specific Union legal act requires essential or important entities to adopt cybersecurity risk management measures or to notify significant incidents, and where those requirements are at least equivalent in effect to NIS2 obligations, the relevant NIS2 provisions shall not apply to such entities.

DORA satisfies this standard for financial entities it covers. The European Supervisory Authorities — EBA, ESMA, and EIOPA — developed regulatory technical standards and implementing technical standards under DORA that are more prescriptive than NIS2’s baseline Article 21 security framework. A licensed credit institution with a compliant DORA ICT risk management framework does not need a separate NIS2 Article 21 security programme. The DORA implementation satisfies the equivalent NIS2 obligation on cybersecurity risk management.

The carve-out applies precisely — only to what DORA addresses. Three categories of NIS2 obligation remain intact for DORA-covered entities:

Registration with national authorities. NIS2 requires essential and important entities to register with the national competent authority designated under the directive in each member state. DORA creates no equivalent registration obligation. In Germany’s NIS2 transposition (NIS2UmsuCG), Section 33 requires this registration from all qualifying entities, explicitly including those primarily regulated under DORA. Several other member states impose comparable requirements. Failing to register is an NIS2 non-compliance exposure, independent of DORA compliance status.

National transposition additions. NIS2 is a directive — member states transpose it into national law and may introduce requirements beyond the minimum harmonisation floor. Where transpositions introduce obligations without a DORA equivalent — specific CSIRT notification formats, incident disclosure timelines shorter than DORA’s, or mandatory participation in national sector information-sharing bodies — these apply to DORA-covered banking entities in that jurisdiction. Banking groups operating across multiple EU jurisdictions need a jurisdiction-by-jurisdiction review of national transpositions to identify any obligations their DORA programme does not address.

Supervisory coordination obligations. NIS2 creates cooperation mechanisms involving national CSIRTs, the NIS Cooperation Group, and ENISA that DORA does not replicate. Banking sector entities classified as NIS2 essential entities may face information requests and cross-border incident coordination demands from national cybersecurity authorities — distinct from their DORA supervision by the European Supervisory Authorities. ENISA formalised this coordination by signing a multilateral Memorandum of Understanding with EBA, EIOPA, and ESMA in June 2024, but that MoU reduces duplication rather than eliminating the separate NIS2 supervisory channel.

The practical conclusion: completing DORA implementation does not produce full NIS2 compliance. Banking compliance programmes need to map national NIS2 transpositions in each operating jurisdiction and identify the obligations that DORA’s lex specialis effect does not satisfy.

DORA’s Banking Scope: The 21 Regulated Entity Types

DORA Article 2(1) identifies 21 categories of financial entity in scope. For banking and financial market infrastructure, the key categories are credit institutions, payment institutions, account information service providers, electronic money institutions, investment firms, central securities depositories, central counterparties, trading venues, trade repositories, managers of alternative investment funds with full AIFMD authorisation, UCITS management companies, insurance and reinsurance undertakings above Solvency II thresholds, insurance intermediaries above SME scale, credit rating agencies, administrators of critical benchmarks, crowdfunding service providers, and securitisation repositories. ICT third-party service providers designated as critical by the European Supervisory Authorities are also in scope.

DORA applies without a general size threshold. A fund manager authorised under the full AIFMD regime with 15 employees is as firmly in DORA scope as one managing a €50 billion portfolio. Article 18 of DORA provides proportionality relief — microenterprises may adopt a simplified ICT risk management framework — but proportionality adjusts implementation burden; it does not change whether the regulation applies.

Understanding DORA’s scope is essential precisely because its exclusions define which banking and financial entities remain under NIS2. The boundaries of DORA Article 2(3) and 2(4) determine who faces the compliance gap the next section addresses.

The Compliance Gap: Six Banking Entity Categories Outside DORA

DORA Article 2(3) and 2(4) exclude six categories of financial entity from the regulation’s scope. These exclusions exist not because the entities are unimportant — some are substantial businesses — but because their regulatory authorisation status falls outside DORA’s definitional boundaries. Each excluded category becomes an NIS2 entity if it crosses the medium enterprise size threshold (50 or more employees, or annual turnover and balance sheet total exceeding €10 million).

1. Sub-threshold alternative investment fund managers

The Alternative Investment Fund Managers Directive permits fund managers below prescribed thresholds to register rather than seek full authorisation. The thresholds are €100 million AUM for leveraged funds or those with redemption rights within five years, and €500 million AUM for unleveraged funds with no redemption rights within five years.

DORA defines “manager of alternative investment funds” by reference to full AIFMD authorisation. Sub-threshold AIFMs operating under the lighter Article 3(2) registration regime fall outside DORA’s scope. This is not a marginal category — a large share of European private equity, venture capital, real assets, and hedge fund strategies is managed by firms below the AIFMD authorisation threshold. If a sub-threshold AIFM employs 50 or more people, or has annual turnover and balance sheet total exceeding €10 million, it qualifies as an NIS2 important entity in the financial market infrastructure sector, subject to the full Article 21 security framework and incident reporting requirements.

2. MiFID II Article 2 and Article 3 exempt investment firms

MiFID II Articles 2 and 3 exempt specific firm categories from the directive’s licensing requirements. Article 2 exemptions include firms trading commodities or commodity derivatives for own account, local firms in futures and options markets, and insurance companies conducting investment activities within their primary business. Article 3 allows member states to exempt smaller investment intermediaries not dealing to clients from MiFID II licensing requirements.

DORA’s definition of “investment firm” tracks MiFID II’s authorisation framework. Entities exempt from MiFID II licensing fall outside DORA’s scope by definition. This affects commodity trading houses, proprietary trading firms operating on own capital, and financial advisory firms operating under national exemptions. Where these firms are medium-to-large enterprises — 50 or more employees and €10 million or more in annual turnover — they are NIS2 important entities in the financial market infrastructure sector.

3. Post-office giro institutions

DORA Article 2(3)(d) explicitly excludes post-office giro institutions as referenced in Article 2(5)(3) of the Capital Requirements Directive (CRD IV). These institutions — deposit and payment services historically embedded in postal networks — exist across several EU member states. Post-office giro institutions are credit institutions under Regulation (EU) No 575/2013, placing them squarely in NIS2 Annex I’s banking sector. They face the full NIS2 Article 21 security programme, mandatory incident reporting, and registration requirements. DORA does not apply to them.

4. SME insurance intermediaries

DORA Article 2(3)(c) excludes insurance intermediaries, reinsurance intermediaries, and ancillary intermediaries that are microenterprises, small enterprises, or medium-sized enterprises. A substantial portion of the European insurance distribution market operates at SME scale. Where an insurance intermediary crosses the NIS2 medium enterprise threshold — 50 or more employees — it becomes an NIS2 important entity. The absence of DORA obligation does not indicate the absence of NIS2 obligation. Growing insurance brokers and multi-line intermediaries approaching the 50-employee threshold should reassess NIS2 status as part of their annual compliance planning.

5. Small occupational pension institutions

Institutions for occupational retirement provision operating schemes with 15 or fewer total members are excluded from DORA under Article 2(3)(b). These micro-schemes are unlikely to cross the NIS2 size threshold. However, larger pension fund administrators — those operating at medium enterprise scale — are NIS2 important entities in the financial market infrastructure sector under most member state transpositions.

6. National development banks where the DORA opt-out is applied

DORA Article 2(4) grants member states discretion to exclude entities listed in Article 2(5)(4)–(23) of CRD IV from DORA scope within their territory. This list includes national development banks — institutions such as KfW in Germany, Bpifrance in France, CDP in Italy, and BGK in Poland. If a member state exercises this exclusion, the relevant development bank is outside DORA.

The consequence is not regulatory freedom. National development banks are credit institutions under Regulation (EU) No 575/2013, placing them squarely in NIS2 Annex I’s banking sector. A national development bank excluded from DORA by member state opt-out is a full NIS2 essential entity — subject to the complete Article 21 security framework, mandatory registration with the national competent authority, incident reporting on NIS2 timelines, and penalties reaching EUR 10 million or 2% of global annual turnover. Whether a specific member state has exercised the Article 2(4) opt-out for its development bank is a legal question requiring analysis of the national transposition act.

What NIS2 Still Requires from DORA-Covered Banking Entities

For entities within DORA’s full scope — licensed credit institutions, CCPs, CSDs, trading venues — DORA is the primary cybersecurity framework. But three categories of NIS2 obligation survive the lex specialis carve-out and require active management.

National competent authority registration. NIS2 obliges essential and important entities to register with the national authority designated under the directive in each member state. DORA supervision runs through the European Supervisory Authorities — EBA for credit institutions, ESMA for market infrastructure, EIOPA for insurance. The national NIS2 registration is a separate filing to a different authority. Several member state transpositions make this explicit: in Germany, Section 33 of the NIS2UmsuCG implementation act requires this registration even from entities otherwise governed by DORA. Failing to register at the national level is an NIS2 violation independent of DORA compliance status.

Jurisdiction-specific transposition obligations. NIS2’s minimum harmonisation structure allows member states to introduce requirements beyond the directive’s baseline when transposing it into national law. Where transpositions add obligations without a DORA equivalent — mandatory notification to a national CSIRT using local formats, incident disclosure timelines shorter than DORA’s, or specific cooperation requirements with national cybersecurity authorities — these apply to DORA-covered banking entities in that jurisdiction. Banking groups operating across multiple EU member states should audit each jurisdiction’s transposition act independently and map residual NIS2 obligations that their DORA programme does not satisfy.

ENISA and NIS2 cooperation obligations. NIS2 creates coordination mechanisms — the NIS Cooperation Group, the CSIRT Network, and ENISA’s oversight functions — that DORA does not replicate. Banking sector entities classified as NIS2 essential entities may receive information requests, joint supervisory enquiries, or cross-border coordination demands under NIS2, separate from their ESA supervisor relationships. The ENISA–ESA Memorandum of Understanding signed in June 2024 is designed to coordinate the two supervisory regimes, but it does not merge them or eliminate the separate NIS2 compliance channel for DORA-covered entities.

NIS2 Article 21 Security Requirements for Non-DORA Banking Entities

For banking and financial services entities outside DORA scope — sub-threshold AIFMs, MiFID II-exempt investment firms, post-office giro institutions, and national development banks where the opt-out is applied — NIS2 Article 21 governs the cybersecurity risk management obligation. Ten security domains are mandatory under Article 21(2):

(a) Policies for risk analysis and information system security
(b) Incident handling
(c) Business continuity, backup management, and disaster recovery
(d) Supply chain security, covering relationships with direct suppliers and service providers
(e) Security in network and information systems acquisition, development, and maintenance
(f) Policies for assessing the effectiveness of cybersecurity risk management measures
(g) Basic cyber hygiene practices and cybersecurity training
(h) Policies on cryptography and encryption
(i) Human resources security, access control, and asset management
(j) Multi-factor authentication or continuous authentication, secured communication systems, and secured emergency communications

The Commission Implementing Regulation (EU) 2024/2690 of 17 October 2024 specifies technical requirements for these security measures. ENISA’s NIS2 Technical Implementation Guidance, published in June 2025, provides a 170-page operational playbook covering actionable controls, evidence examples, and mappings to ISO 27001, NIST CSF, and other recognised frameworks. For entities without a pre-existing security programme equivalent to DORA or ISO 27001, the full Article 21 implementation represents a substantial exercise — ENISA’s guidance places it at 12–18 months for organisations starting from a low baseline.

Management bodies of NIS2-regulated banking entities are personally accountable for approving the security programme. NIS2 Article 20 requires management board sign-off on the cybersecurity risk management approach, documented evidence of annual reviews, and the ability to demonstrate familiarity with incident response procedures. This board-level accountability obligation applies equally to national development banks, sub-threshold AIFMs, and post-office giro institutions — not only to DORA-covered institutions.

For a detailed breakdown of each Article 21 domain and what national authorities examine in audits, see NIS2 Security Requirements: Article 21 Explained.

Essential vs Important: How Banking Entities Are Classified Under NIS2

NIS2 classifies in-scope entities as essential (Annex I) or important based on sector and size. The classification determines supervisory intensity and the penalty ceiling — the underlying Article 21 security obligations are identical for both tiers. For banking entities, the Annex I banking sector classification as essential or important depends on whether the entity meets large or medium enterprise thresholds.

Entity | Classification | Supervision mode | Maximum penalty
Credit institution: 250+ employees or >€50M turnover | Essential (Annex I) | Proactive — authority-initiated audits | EUR 10M or 2% global turnover
Credit institution: 50–249 employees, €10M–€50M turnover | Important | Reactive — following incidents or complaints | EUR 7M or 1.4% global turnover
National development bank (DORA opt-out applied) | Essential (Annex I — banking) | Proactive | EUR 10M or 2% global turnover
Sub-threshold AIFM (50+ employees) | Important (financial market infrastructure) | Reactive | EUR 7M or 1.4% global turnover
MiFID II-exempt investment firm (50+ employees) | Important (financial market infrastructure) | Reactive | EUR 7M or 1.4% global turnover
Post-office giro institution | Essential or Important — depends on size | Depends on classification | Up to EUR 10M or 2% turnover

The essential/important distinction matters for audit planning. Essential entities face proactive supervision — authorities can initiate inspections, request documentation, and conduct audits without waiting for an incident. Important entities face reactive supervision — authorities investigate following incidents or credible concerns. Both face the same Article 21 security requirements and the same management liability obligations under Article 20.

Entities that cross the essential entity size threshold mid-year should notify their national competent authority promptly. Several member state transpositions require self-classification and notification within defined windows — failing to reclassify when the threshold is crossed is a standalone compliance exposure.

Frequently Asked Questions

Can a licensed bank comply with just DORA and ignore NIS2?
No. DORA is lex specialis to NIS2 on cybersecurity measures — DORA implementation satisfies the equivalent NIS2 Article 21 obligations. But NIS2 registration with national authorities, national transposition additions, and NIS2 supervisory cooperation obligations are not covered by the lex specialis effect. A bank that ignores NIS2 entirely risks non-compliance on these residual obligations in every EU jurisdiction in which it operates.

Are investment funds under DORA or NIS2?
It depends on authorisation status. Fully authorised AIFMs and UCITS management companies are in DORA scope. Sub-threshold AIFMs operating under AIFMD Article 3(2) registration — below €100 million AUM for leveraged funds — are outside DORA and are NIS2 important entities in the financial market infrastructure sector if they meet the 50-employee size threshold.

Do central banks need to comply with NIS2 or DORA?
Central banks are explicitly excluded from NIS2 scope. DORA Recital 63 also carves out central banks operating payment or securities settlement systems from the ICT third-party service provider oversight framework. Central banks operate under national legislation and ECB oversight frameworks rather than under the commercial entity regime of NIS2 or DORA.

What incident reporting timeline applies to banking entities outside DORA?
NIS2’s three-stage timeline: an early warning within 24 hours of becoming aware of a significant incident, a full incident notification within 72 hours, and a final report within one month. DORA uses a tighter 4-hour initial notification window for the entities it covers. The 24-hour NIS2 early warning triggers on awareness of the incident, not on completion of impact assessment — do not wait for full scope confirmation before submitting.

Is a commodity trading house under DORA or NIS2?
If the firm trades commodities for its own account and qualifies for a MiFID II Article 2(1)(j) or equivalent national exemption, it falls outside DORA’s investment firm definition. As a medium-to-large enterprise active in financial markets, it is likely an NIS2 important entity in the financial market infrastructure sector. The deciding factor is MiFID II authorisation status — if no investment firm licence is held, DORA does not apply.

Sources

Regulation (EU) 2022/2554 — Digital Operational Resilience Act (DORA) — EUR-Lex
Directive (EU) 2022/2555 — NIS2 Directive — EUR-Lex
NIS2 Technical Implementation Guidance — ENISA, June 2025
Finance Sector Cybersecurity — ENISA
DORA Article 2 Scope — Springlex
NIS2 Meets DORA: Changes for Financial Institutions — PayTechLaw
Financial Entities Covered and Exempt Under DORA — DoraEdge

This article provides general information only and does not constitute legal or regulatory advice. Requirements may vary by jurisdiction and organisation type. Consult a qualified legal professional or compliance specialist for advice specific to your situation.
