| Aspect | NIS 2 | DORA |
|---|---|---|
| Full Name | Network and Information Systems Security Directive 2 (NIS 2) | Digital Operational Resilience Act (DORA) |
| Adoption Date | 2022 (Member States must transpose it by October 2024) | 2022, effective from January 2025 |
| Scope | All entities operating in essential sectors, including energy, transport, health, finance, and critical infrastructures | Financial sector and its ICT service providers |
| Main Objective | Strengthening cybersecurity in essential and digital sectors, enhancing the resilience of critical infrastructures | Ensuring digital operational resilience of financial entities against cyber incidents or cyberattacks |
| Type of Regulation | Directive (requires transposition into national laws) | Regulation (directly applicable in Member States) |
| Involved Entities | Companies in essential sectors (health, energy, transport, water, public administration) and digital service providers (cloud, online platforms, search engines, etc.) | Banks, financial institutions, insurers, asset managers, and digital service providers in the financial sector |
| Security Obligations | Introduction of cybersecurity requirements for affected entities, including risk management, periodic assessments, and technical and organizational measures | Defining requirements to manage ICT and operational risks, with a focus on operational resilience and third-party risk management |
| Incident Reporting | Obligation to report relevant incidents within 24 hours of detection, with follow-up within 72 hours and final reporting | Obligation to report major cyber incidents to relevant authorities within a specified timeframe (to be defined in the regulation) |
| Sanctions | Member States must provide for effective and proportionate sanctions, with fines of up to 2% of global annual turnover or up to €10 million | Similar sanctions to NIS 2, with a focus on violations in the financial sector |
| ICT Risk Management | ICT risk is part of the overall risk management framework | ICT risk is central, with specific obligations for managing third-party providers and operational risks |
| Supervision and Control | Supervision by national competent authorities in each Member State | Supervision by European financial authorities, such as the European Banking Authority (EBA) |
| Third-party Providers | Focus on the security of essential digital service providers | Stringent obligations for managing risks related to critical ICT providers |