DORA vs NIS2 vs CRA
Relationship Between the Legal Acts
Pursuant to Art. 1(2), DORA is a sector-specific legal act (lex specialis) within the meaning of Art. 4 of the NIS2 Directive. This means:
- DORA takes precedence over NIS2 in the areas of ICT risk management and incident reporting
- Financial entities remain part of the NIS2 ecosystem but apply DORA requirements
- ICT service providers serving both financial and other sectors may be subject to both regulatory frameworks
Comparison Matrix
| Aspect | DORA | NIS2 | CRA | AI Act |
|---|---|---|---|---|
| Legal act type | Regulation | Directive | Regulation | Regulation |
| Applicable since | 17.01.2025 | 18.10.2024 (transposition deadline) | Phased from 2026 | Phased from 2024 |
| Target sector | Financial sector | Critical infrastructures (18 sectors) | Products with digital elements | AI systems |
| Affected entities | ~22,000 financial entities + ICT service providers | ~160,000 entities EU-wide | Manufacturers, importers, distributors | Providers, deployers, importers |
| Risk management | ICT risk management framework (Art. 5–16) | Cybersecurity risk management (Art. 21) | Security requirements throughout product lifecycle | Risk management system for high-risk AI |
| Reporting obligations | 4h/72h/1M (3 stages) | 24h/72h/1M (3 stages) | Vulnerabilities: 24h to ENISA | Depending on risk class |
| Testing | Baseline tests + TLPT | Not explicitly prescribed | Conformity assessment | Conformity assessment (high-risk) |
| Third parties | Comprehensive (information register, CTPPs) | Supply chain security (Art. 21(2)(d)) | Supply chain component security | Value chain |
| Sanctions | Up to 2% annual turnover + EUR 2.5 million periodic penalty | Up to EUR 10 million/2% or EUR 7 million/1.4% | Up to EUR 15 million/2.5% annual turnover | Up to EUR 35 million/7% annual turnover |
| Supervision | ESAs + national supervisors (BaFin) | National cybersecurity authorities (BSI) | Market surveillance authorities | AI authorities |
Overlaps for BAUER GROUP
As an IT service provider serving both financial and other sectors:
| Requirement | DORA Obligation | NIS2 Obligation | Synergies |
|---|---|---|---|
| Risk management | Art. 5–16 | Art. 21 | DORA compliance largely covers NIS2 |
| Incident reporting | 4h/72h/1M to BaFin | 24h/72h/1M to BSI | Parallel reporting channels, but different authorities |
| Supply chain | Information register, contractual requirements | Supply chain security | DORA goes significantly further |
| Testing | Mandatory test programme | Implicit through "appropriate measures" | DORA tests fulfil NIS2 requirements |
| Governance | Personal liability of management | Management training obligation, liability | Similar governance requirements |
Synergy Effects
Organisations that fully implement DORA thereby also cover the following requirements of other regulatory frameworks:
- NIS2: ~80% of requirements (gap: sector-specific NIS2 requirements)
- CRA: Partially (product safety is standalone)
- AI Act: Limited overlap (only when AI is used in financial services)