NIS2 + DORA for Banks and Financial Services

Practitioner note: This is not legal advice. For specific situations, consult a qualified attorney or compliance officer.

TL;DR

  • DORA (Regulation 2022/2554) has applied to financial services since 17 January 2025
  • DORA supersedes NIS2 for the financial sector as lex specialis
  • Five DORA pillars: ICT risk management, incident reporting, resilience testing, third-party risk, information sharing
  • BaFin is the competent authority in Germany; DORA applies alongside MaRisk, KAGB and KWG
  • Penalty exposure: administrative penalties for financial entities are set by national law (Art. 50); DORA's own 1%-of-turnover figure is the daily periodic penalty payment the Lead Overseer can impose on critical ICT third-party providers (Art. 35)

1. DORA takes precedence over NIS2

The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) has applied to financial services since 17 January 2025. For this sector, DORA replaces the equivalent NIS2 requirements as lex specialis (NIS2 Art. 4 gives precedence to sector-specific Union acts with at least equivalent effect). NIS2 continues to apply only where DORA has no corresponding requirement.

2. The five DORA pillars

  1. ICT risk management framework with board accountability
  2. ICT incident reporting on classified incidents to the competent authority
  3. Digital operational resilience testing, including TLPT for significant institutions
  4. ICT third-party risk management with mandatory contract clauses
  5. Cyber threat intelligence sharing on a voluntary basis

3. BaFin supervision

BaFin (Federal Financial Supervisory Authority) is the competent supervisor for DORA compliance in Germany. The DORA framework runs alongside MaRisk, KAGB (Capital Investment Code), and KWG (German Banking Act). Audit programs typically combine all four.

4. Mandatory penetration testing

DORA Art. 26 requires Threat-Led Penetration Testing (TLPT) for financial entities identified by their competent authority, in practice the significant institutions. Frequency: at least every three years. The methodology follows the TIBER-EU framework, on which the TLPT technical standards are based. Tests must be run against live production systems supporting critical or important functions, and the threat-intelligence and red-team work must be performed by testers meeting the Art. 27 requirements: external providers, or internal testers only under the conditions Art. 26 allows.

5. Third-party contract clauses

DORA Art. 28 sets the general principles for managing ICT third-party risk, and Art. 30 prescribes the contractual provisions that must appear in agreements with ICT service providers; the Art. 30(3) set applies to services supporting critical or important functions. These go further than the supply-chain provisions in Section 30 BSIG: unrestricted audit and inspection rights, conditions on subcontracting, documented exit strategies (Art. 28(8)), and explicit commitments on the locations where data is processed and stored.

6. Penalty exposure

DORA leaves administrative penalties for financial entities to the Member States (Art. 50), so the fine exposure in Germany is set by national law; the 1%-of-turnover figure that DORA itself contains is the daily periodic penalty payment the Lead Overseer can impose on critical ICT third-party providers (Art. 35). MaRisk and Section 56 KWG penalties apply on top. The management body carries ultimate responsibility for the ICT risk-management framework (Art. 5), similar in spirit to the Section 38 BSIG management duties.

Summary

For banks and financial services, the cybersecurity playbook is DORA, not NIS2. ISO 27001 helps but does not satisfy DORA on its own; expect to map controls to all five pillars and budget for TLPT.


Frequently Asked Questions

Which applies: NIS2 or DORA?
DORA, since 17 January 2025, for the financial sector. NIS2 applies only subsidiarily, where DORA has no equivalent requirement.
Is ISO 27001 sufficient?
It helps, but does not replace DORA requirements 1:1.
