Art. 4 NIS 2 + DORA

NIS 2 vs DORA: How the Financial-Sector Carve-Out Actually Works

Article 4 NIS 2 hands financial entities to DORA for risk management, incident reporting and supervision. The registration obligation in Article 3(3) and (4) NIS 2 is not on that list. Banks, payment institutions, central counterparties and crypto-asset service providers still register with the BSI under §33 BSIG.

Simon Orzel

Two regulators, one carve-out, one obligation that survives

Regulation (EU) 2022/2554 (DORA) entered into application on 17 January 2025 and covers around twenty categories of financial entities, from banks and insurance undertakings to crypto-asset service providers and trading venues. For everything DORA already regulates, Article 4 NIS 2 displaces the corresponding NIS 2 articles. That is the lex specialis rule and it sits at the centre of every conversation about how financial firms map themselves against NIS 2.

The displacement is narrow. Article 4(1) NIS 2 disapplies the "relevant provisions" of the Directive, including Chapter VII (supervision and enforcement), when a sector-specific act is at least equivalent in effect, and Article 4(2) defines that equivalence by reference to Article 21(1) and (2) (risk-management measures) and Article 23(1) to (6) (incident reporting). Those are the provisions that step aside. The registration obligation in Article 3(3) and (4) is not among them. Nor are the scope provisions in Annex I that put banking and financial market infrastructure inside NIS 2 in the first place.

The practical result for a German bank, BaFin-licensed payment institution or central counterparty: substance comes from DORA, supervision in Germany sits with BaFin and the Bundesbank, but the entity still registers with the BSI through the §33 BSIG portal. One regulator on the registry. A different regulator on everything that matters in operation.

What Article 4 actually says
The carve-out is a quote, not a vibe. The exact language decides which obligations you owe to whom.

NIS 2 Directive, Article 4(1)

Where sector-specific Union legal acts require essential or important entities to adopt cybersecurity risk-management measures or to notify significant incidents, and where those requirements are at least equivalent in effect to the obligations laid down in this Directive, the relevant provisions of this Directive, including the provision on supervision and enforcement laid down in Chapter VII, shall not apply to such entities.

Two conditions are stacked: a sector-specific Union act must exist, and its requirements must be at least equivalent in effect. Only then do Articles 21 and 23 and Chapter VII step aside. The registration obligation in Article 3(3) and (4) is conspicuously absent from this list and therefore continues to apply.

Regulation (EU) 2022/2554 (DORA)

Articles 5 to 16 (ICT risk management), Articles 17 to 23 (ICT-related incident management and reporting), Articles 24 to 27 (digital operational resilience testing), Articles 28 to 44 (managing ICT third-party risk), Article 45 (information-sharing arrangements).

DORA is a Regulation, applied directly in every member state since 17 January 2025. For entities inside its scope, this is the body of rules that fills the space NIS 2 Articles 21 and 23 would otherwise occupy. The substantive cybersecurity rulebook is DORA, not the BSIG implementation of NIS 2.

NIS 2 Article 3(4) and §33 BSIG

Member States shall ensure that essential and important entities submit the following information to the competent authorities: the name of the entity, the address and up-to-date contact details, the relevant sector and subsector under Annex I or II, and a list of Member States where the entity provides services.

Article 3(3) and (4) NIS 2 oblige essential and important entities to submit the information above to the national competent authority, and to notify changes within two weeks. (Article 27 NIS 2 is a different instrument: the ENISA registry of DNS, cloud, data centre, CDN, managed service and similar digital infrastructure providers, and it does not reach banks.) In Germany, §33 BSIG channels the general registration to the BSI registration portal. Article 4 does not touch it. DORA has its own register of information on ICT third-party arrangements (Article 28(3) DORA), kept by the financial entity and reported to its competent authority, but that does not replace the national NIS 2 registry. Financial entities therefore live in both.

Three elements, three answers
Substance, supervision and registration each follow a different rule. The mistake is treating them as one package.
Substance

DORA, not NIS 2 Article 21

ICT risk management, third-party risk, resilience testing and incident classification follow DORA Articles 5 to 44. NIS 2 Article 21 measures (the ten categories under §30 BSIG in Germany) do not apply to entities inside DORA's scope. Where DORA is silent, NIS 2 does not fill the gap either: the carve-out decides which act governs, it does not layer both.

Registration

BSI under §33 BSIG, no displacement

Article 3(3) and (4) NIS 2 sit outside the Article 4 list. The national registry survives the carve-out. A BaFin-licensed bank or payment institution registers with the BSI through the §33 portal, submits sector classification, contact details and IP address ranges, and updates within the deadlines that apply to every other in-scope entity. Non-registration carries its own penalty track.

Supervision

BaFin and Bundesbank, not BSI

Chapter VII NIS 2 (supervision and enforcement) is displaced for financial entities. DORA Article 46 designates the existing financial supervisors as the competent authorities. In Germany this means BaFin and Deutsche Bundesbank for banking and payment matters, with the European Supervisory Authorities (EBA, ESMA, EIOPA) coordinating at EU level. The BSI is not the operational supervisor for DORA substance.

Two principles people get wrong
The carve-out is real. It is also smaller than the marketing materials suggest.

Lex specialis is narrow, not blanket

Article 4 displaces only the NIS 2 provisions it names. Registration under Article 3(3) and (4), scope under Annex I and II, and the sector definitions all continue to apply. A bank does not become a non-NIS 2 entity. It becomes a NIS 2 entity governed by DORA for the substantive parts. The distinction matters when registration deadlines, sector reclassifications or cross-border service notifications come up.

Equivalent in effect, not identical in text

Article 4(1) NIS 2 sets the bar at equivalent in effect. DORA does not need to reproduce Article 21 word for word. It needs to cover the same ground at the same depth. Recital 28 NIS 2 confirms DORA was drafted to clear this bar. In practice the European Commission has treated DORA as fully equivalent, but the test sits in the text and would be the legal anchor in any dispute over a gap.

Who supervises what in Germany and at EU level
Three regulators share the file. Each handles a different slice.
DE

BaFin (Bundesanstalt für Finanzdienstleistungsaufsicht)

Lead competent authority for DORA in Germany under Article 46 DORA. Supervises ICT risk management, incident reporting and third-party risk arrangements for banks, payment institutions, insurance undertakings, investment firms and crypto-asset service providers. The existing BAIT, VAIT, KAIT and ZAIT circulars are being aligned to DORA Articles 5 to 16.

DE

BSI (Bundesamt für Sicherheit in der Informationstechnik)

Operates the §33 BSIG registration portal. Receives the registration of financial entities even though it does not supervise the DORA substance. The BSI also acts as the national CSIRT under Article 10 NIS 2 and provides voluntary support. The dividing line: registration and CSIRT services with the BSI, substance and supervision with BaFin and Bundesbank.

EU

EBA, ESMA, EIOPA and ECB

The European Supervisory Authorities issued the DORA Regulatory Technical Standards on ICT risk management, incident classification, third-party risk registers and oversight of critical ICT third-party providers. The ECB supervises significant credit institutions under the Single Supervisory Mechanism and applies DORA inside that mandate. The Article 4 NIS 2 carve-out is what makes this stacked supervisory structure work without double regulation.

Three myths to retire
These come up in every DORA-NIS 2 conversation. The text of Article 4 settles all three.
  • Myth: DORA replaces NIS 2 completely for financial entities.

    DORA replaces Article 21, Article 23 and Chapter VII. It does not replace the registration obligation in Article 3(3) and (4), the scope provisions in Annex I and II, or the Union-level cooperation framework in Chapter III. The §33 BSIG registry stays. A bank that skips registration faces the standalone penalty for non-registration, not a DORA-only enforcement file.

  • Myth: DORA only applies to banks, so non-bank financial entities follow NIS 2.

    DORA Article 2 lists around twenty entity categories. Insurance and reinsurance undertakings, payment and electronic money institutions, central counterparties, central securities depositories, trading venues, crypto-asset service providers, account information service providers and others are all inside DORA. If your sector is in Annex I sector 3 or 4 of NIS 2 and also in DORA Article 2, the carve-out applies.

  • Myth: Two registers means filing twice for the same data.

    The DORA register of information (Article 28(3) DORA) covers the entity's contractual arrangements with ICT third-party providers; the entity maintains it and reports it to its competent authority, which passes it to the ESAs. The §33 BSIG portal covers entity identification and sector classification. The fields do not overlap. Filing both is one obligation each, not the same obligation twice. Practitioners confuse the two because both involve typing details into supervisory portals.

Practitioner view

If you sit inside a BaFin-licensed entity, treat DORA as your day-to-day rulebook and NIS 2 as the registry layer. The substantive uplift programme lives in DORA Articles 5 to 16 (risk management) and Articles 28 to 44 (third-party risk). The §33 BSIG registration is a one-off administrative task plus change notifications, which Article 3(4) NIS 2 requires within two weeks of the change. Confusing the two leads to wasted effort, often a duplicate Article 21 mapping nobody asked for.

If you sit inside a financial group that also runs in-house IT services for non-financial subsidiaries, the carve-out only protects the financial entity. The non-financial subsidiary, if in scope of NIS 2 Annex I or II, owes the full set of obligations including Article 21 measures and Article 23 incident reporting. Group-wide ICT programmes need to be readable by both supervisors. BaFin asks for DORA evidence, BSI asks for §30 BSIG evidence at the non-financial entity.

What the platform tracks

The platform models the NIS 2 registration obligation (Article 3(3) and (4), §33 BSIG) as a first-class obligation independent of risk-management content. A financial entity using the platform sees registration deadlines, contact-detail change reminders and §33 BSIG portal status without inheriting any NIS 2 Article 21 task list it does not need.

The DORA substantive layer is out of scope for the open-source platform. The recommended pattern is: track the Article 3(4) NIS 2 registration here, run the DORA programme in the BaFin-aligned tooling your supervisors expect, and use the registry status from the platform as the audit trail that proves the §33 BSIG obligation was met.

Sources
  • Directive (EU) 2022/2555 (NIS 2), Article 3(3) and (4) (registration of entities), Article 4 (sector-specific Union legal acts, lex specialis), Article 27 (ENISA registry of digital infrastructure entities), Annex I sector 3 (banking) and sector 4 (financial market infrastructure)
  • Regulation (EU) 2022/2554 (DORA), Articles 5 to 16 (ICT risk management), Articles 17 to 23 (incident management and reporting), Articles 24 to 27 (resilience testing), Articles 28 to 44 (ICT third-party risk), Article 45 (information sharing), Article 46 (competent authorities)
  • BSIG (NIS2UmsuCG-amended), §33 (registration), §65 (penalties for non-registration)
  • Recital 28 NIS 2 Directive on the relationship between NIS 2 and sector-specific Union acts
  • BaFin guidance on DORA application and the alignment of BAIT, VAIT, KAIT, ZAIT circulars (2025)
  • EBA, ESMA and EIOPA Regulatory Technical Standards under DORA (2024 and 2025)
Track the registration that survives the carve-out
DORA runs the substance. NIS 2 Article 3(4) still wants you on the §33 BSIG list. The platform tracks the registration, change-of-circumstance updates and audit trail without forcing a parallel Article 21 programme on a DORA entity.