EU Cybersecurity & Resilience Regulations

Interactive explorers for the two landmark EU frameworks shaping digital operational resilience and cybersecurity across Europe. Choose a regulation to dive in.

DORA

Regulation (EU) 2022/2554

The Digital Operational Resilience Act is a binding EU regulation requiring financial entities to withstand, respond to, and recover from ICT-related disruptions and threats. It establishes a comprehensive framework across five pillars: ICT risk management, incident reporting, resilience testing, third-party risk management, and information sharing.

Explore DORA
NIS2

Directive (EU) 2022/2555

The Network and Information Security Directive is a binding EU directive requiring essential and important entities across 18 critical sectors to implement cybersecurity risk management measures, report significant incidents, and submit to supervisory oversight. It introduces personal liability for management and harmonised penalties across member states.

Explore NIS2

Side-by-Side Comparison

Both frameworks share the goal of strengthening Europe's cyber resilience, but they differ in scope, legal instrument, and enforcement approach.

| | DORA | NIS2 |
|---|---|---|
| Legal Instrument | Regulation — directly applicable in all EU member states | Directive — must be transposed into national law by each member state |
| Primary Focus | ICT operational resilience in the financial sector | Cybersecurity across 18 critical sectors economy-wide |
| Who's In Scope | 21 types of financial entities (banks, insurers, investment firms, ICT third-party providers, etc.) | Essential & important entities in energy, transport, health, digital infrastructure, public admin, etc. |
| Key Obligations | ICT risk framework, incident reporting, TLPT testing, third-party oversight, information sharing | Risk management measures, incident notification, supply chain security, governance accountability |
| Incident Reporting | Multi-stage: initial (4h), intermediate (72h), final (1 month) | Early warning (24h), full notification (72h), final report (1 month) |
| Personal Liability | Competent authorities can hold management functions responsible | Explicit: management bodies can be personally liable, suspended from duties |
| Penalties | Member-state penalties; periodic penalty payments for non-compliance | Up to €10M or 2% of global turnover (essential); €7M or 1.4% (important) |
| Application Date | 17 January 2025 | 18 October 2024 |