01 The question every financial group asks
NIS2 (Directive (EU) 2022/2555) and DORA (Regulation (EU) 2022/2554) were adopted on the same day and overlap on cyber risk. For a licensed financial entity the short answer is: for ICT risk management, incident reporting, resilience testing and third-party risk, DORA applies — not NIS2. The reason is a lex-specialis mechanism, and the precise wording matters more than it sounds [1][2].
The rule of thumb: is the entity a DORA financial entity under Art. 2(1)? → DORA governs ICT cyber/resilience, and the NIS2 duties in Arts. 21/23 are displaced. Is it instead an Annex I/II entity but not a DORA financial entity? → NIS2 applies directly. Group membership transfers neither status.
02 NIS2 scope: essential, important and the size threshold
NIS2 distinguishes essential and important entities (Art. 3). The basic scoping rule (Art. 2(1)) ties to the EU SME definition (Recommendation 2003/361/EC). Two thresholds are often confused: an Annex I or Annex II entity comes into scope, as an important entity, from medium size (50 or more employees, or both annual turnover and balance-sheet total above EUR 10m); an Annex I entity becomes essential only once it exceeds the medium-enterprise ceiling (250 or more employees, or turnover above EUR 50m and balance-sheet total above EUR 43m). A large Annex II entity remains important unless a Member State designates it essential [1][3].
There are also cases where size is irrelevant (Art. 2(2)) — e.g. trust service providers, TLD/DNS operators, or the sole provider of an essential service. Banking and financial market infrastructures sit in Annex I (“sectors of high criticality”). Being listed there does not mean NIS2 operationally governs their cyber duties — those are displaced by DORA (next section).
03 The lex-specialis mechanism, stated precisely
NIS2 Art. 4 governs the relationship with sector-specific Union law: where such an act requires essential or important entities to adopt cyber risk-management measures or to notify significant incidents, and those requirements are at least equivalent in effect, the corresponding NIS2 provisions (including the supervision and enforcement provisions of Chapter VII) do not apply to those entities. Art. 4 itself does not name DORA (NIS2 Recital 28 does); the operative link is made from the DORA side: DORA Art. 1(2) expressly declares DORA the sector-specific act within the meaning of NIS2 Art. 4 for financial entities, and Recital 16 calls DORA “lex specialis” to NIS2 [1][2].
The precise wording is decisive: it is not a blanket exemption of the entity from NIS2 but a displacement of the overlapping duties, namely the NIS2 risk-management duties (Art. 21) and the reporting duty (Art. 23), together with NIS2 supervision and enforcement on those points, to the extent DORA requires at least equivalent measures. Financial entities report major ICT-related incidents through the DORA channel to their financial supervisor (e.g. BaFin/FMA), not under NIS2 to the CSIRT/BSI.
04 The practical answer, and the edge cases
An insurance or reinsurance undertaking falls under DORA Art. 2(1)(n), an insurance intermediary under point (o); both therefore follow DORA (subject to the exclusions in DORA Art. 2(3), which carve out, among others, intermediaries that are micro, small or medium-sized enterprises). The catch is the group: NIS2/DORA scoping is done per legal entity by activity, not group-wide. A non-financial subsidiary (e.g. a group-internal data-centre, cloud or IT-services company, an energy or telecoms arm) that meets the size threshold can fall directly under NIS2; DORA does not shield it.
Further edge cases: a captive IT provider is typically caught contractually under DORA’s third-party regime (intra-group providers count as ICT third-party service providers, although DORA Art. 31(8) keeps ICT intra-group service providers outside the ESAs’ critical-third-party oversight framework), and it may additionally be an NIS2 entity in its own right. Pure holding companies are often neither a DORA financial entity nor an Annex I/II entity (but check the size-independent hooks in Art. 2(2)). And where DORA imposes no equivalent requirement, the corresponding NIS2 duty continues to apply to the financial entity. A designation as a critical entity under the CER Directive (Directive (EU) 2022/2557) for physical resilience is unaffected in any case.
05 Transposition status: Germany and Austria are done
The EU transposition deadline was 17 October 2024 — many Member States missed it, and the Commission opened infringement proceedings. The German-speaking core markets are now done: Germany has adopted the NIS2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG) — promulgated in BGBl. 2025 I No. 301, in force since 6 December 2025; the operative statute is the recast BSI Act (BSIG) with the categories “particularly important” and “important” entities [4].
Austria has enacted the Network and Information Systems Security Act 2026 (NISG 2026) — BGBl. I No. 94/2025, in force since 24 December 2025 (it replaces the old 2018 NISG) [5]. Multi-jurisdictional groups must check transposition country by country: competent authorities, registration duties and deadlines are set nationally and diverge.
06 Sanctions and management-body duties
The fine ranges are substantial (Art. 34): for essential entities up to EUR 10m or 2% of total worldwide annual turnover in the preceding financial year (whichever is higher), for important entities up to EUR 7m or 1.4% [1]. Germany has mirrored these ranges in the BSIG [4].
Especially relevant is Art. 20: the management body must approve the cyber risk-management measures, oversee their implementation, and can be held liable for infringements; its members must also undergo regular training. The German BSIG specifies a personal responsibility that cannot be fully delegated and a documented training cycle. This lifts cybersecurity from a pure IT topic to a board matter. These governance duties can reach a financial entity even where its ICT duties are displaced by DORA; note, though, that DORA Art. 5 imposes its own management-body duties (definition, approval and oversight of the ICT risk-management framework, plus regular training), so the question for a financial entity is whether those count as at least equivalent under the Art. 4 test.
07 What this means for the compliance setup
The clean answer is never “we do DORA and ignore NIS2”, but a map per legal entity: which status applies, which duties are displaced, which remain, and in which country. In large groups with mixed structures, this boundary is precisely the error-prone spot — and it shifts with every national transposition act, every ESA Q&A and every Commission guideline on Art. 4.
Horizon scanning keeps that map current: it monitors NIS2, DORA, the national transposition acts and the supervisors at the source, detects changes and routes them to the team that implements them — tagged by which regime and which legal entity is affected.
Sources
- [1] NIS2: Directive (EU) 2022/2555 (Arts. 2, 3, 4, 20, 34), EUR-Lex
- [2] DORA: Regulation (EU) 2022/2554 (Art. 1(2), Art. 2; Recital 16), EUR-Lex
- [3] EU SME definition: Recommendation 2003/361/EC (thresholds), EUR-Lex
- [4] Germany: NIS2UmsuCG / new BSIG, BGBl. 2025 I No. 301 (in force 6 Dec 2025)
- [5] Austria: NISG 2026, BGBl. I No. 94/2025 (in force 24 Dec 2025), RIS