Banking under NIS 2
Annex I sector 4, the Article 4 interaction with DORA, and the registration duty that does not disappear.
Overview
Credit institutions and parts of the financial market infrastructure sit in Annex I sector 4 of Directive (EU) 2022/2555 (NIS 2). On paper the directive applies to them. In practice most of the operational obligations are read together with the Digital Operational Resilience Act, Regulation (EU) 2022/2554 (DORA).
Article 4 NIS 2 is the bridge clause. Where a sector specific Union act imposes ICT risk management or incident reporting obligations that are at least equivalent to NIS 2, the NIS 2 measures and reporting rules give way. For banks and a defined set of financial entities, DORA is that act. Article 21 (security measures) and Article 23 (incident reporting) of NIS 2 are displaced by the DORA equivalents.
One duty under NIS 2 is not displaced by Article 4: the registration duty in Article 27. Member States still collect a list of essential and important entities, including banks. In Germany this is the §33 BSIG entry in the BSI register. The directive layer keeps the headcount intact even where DORA runs the controls.
Directive (EU) 2022/2555, Annex I, sector 4 Banking
Credit institutions as defined in point (1) of Article 4 of Regulation (EU) No 575/2013 of the European Parliament and of the Council.
Annex I sector 4 covers credit institutions in the CRR sense. The next entry, Annex I sector 5, covers financial market infrastructures (trading venues and central counterparties). Together they form the banking and financial perimeter inside NIS 2.
Directive (EU) 2022/2555, Article 4(1)
Where sector specific Union legal acts require essential or important entities to adopt cybersecurity risk management measures or to notify significant incidents, and where those requirements are at least equivalent in effect to the obligations laid down in this Directive, the relevant provisions of this Directive, including the provision on supervision and enforcement laid down in Chapter VII, shall not apply to such entities.
This is the lex specialis switch. The European Supervisory Authorities and the Commission have confirmed that DORA, Regulation (EU) 2022/2554, meets the equivalence test for in-scope financial entities. NIS 2 Articles 21 and 23 step aside for those entities. The rest of the directive stays in place.
Directive (EU) 2022/2555, Article 27
Member States shall require essential and important entities to submit the following information to the competent authorities ... by 17 April 2025 at the latest, and thereafter without delay and in any event within two weeks from the date of the change.
Article 27 is the registration clause. It is not listed in the Article 4 carve out. In Germany §33 BSIG operationalises this with a BSI register. Banks file the registration even when their security and reporting obligations are governed by DORA.
You are in Annex I
If your entity is a credit institution under Article 4(1) of Regulation (EU) No 575/2013, you sit in Annex I sector 4. Size thresholds in Article 2 NIS 2 still decide whether you are essential or important. A small Sparkasse or a small cooperative bank is not automatically outside scope, because financial entities trigger the sector specific overrides in Article 2(2).
DORA runs the controls and reporting
Article 21 security measures and Article 23 incident reporting under NIS 2 are displaced for in-scope financial entities. ICT risk management, third party ICT risk, major incident reporting and resilience testing follow Regulation (EU) 2022/2554 and its delegated acts.
Article 27 registration survives
Registration as an essential or important entity is a directive duty that is not displaced by DORA. In Germany the §33 BSIG entry with the BSI applies. Updates within two weeks of any change still follow the directive rule.
Lex specialis is narrow, not total
Article 4 NIS 2 only switches off the parts of NIS 2 that have an equivalent in the sector specific act. For DORA that is the operational security and the incident reporting layer. Provisions outside that envelope, including registration and the supervisory architecture for entities that are not displaced, remain attached to NIS 2.
Registration is a directive duty, not a DORA duty
DORA does not create a NIS 2 style register of essential and important entities. Article 27 NIS 2 does. That is why banks appear in the §33 BSIG list even though their ICT controls are read against DORA. The two regimes are stitched together at the directive layer.
BaFin
The Federal Financial Supervisory Authority is the German DORA competent authority for banks, payment institutions and other in-scope financial entities. BaFin handles ICT risk supervision and major incident reports under Regulation (EU) 2022/2554.
BSI
The Federal Office for Information Security runs the §33 BSIG register that operationalises Article 27 NIS 2. Banks register with the BSI through the entity portal. Day to day cybersecurity supervision of the bank does not move to the BSI.
ECB and the SSM
Significant credit institutions inside the Single Supervisory Mechanism are supervised directly by the European Central Bank. For those entities DORA supervision sits with the ECB rather than the national competent authority, while Article 27 NIS 2 registration remains a national filing.
DORA replaces NIS 2 for banks, so NIS 2 does not apply.
Article 4 NIS 2 only displaces the parts of NIS 2 that DORA covers in equivalent form. Article 27 registration with the national authority is not one of those parts. The entity still appears as an essential or important entity in the national register.
We are a small bank, we are below the size threshold and outside scope.
Article 2(2) NIS 2 contains sector specific overrides. Credit institutions in Annex I sector 4 can fall in scope regardless of size where Member States or sector logic require it. A small Sparkasse or cooperative bank is not automatically exempt.
Once DORA is implemented we are done with NIS 2.
DORA gives you Article 21 and Article 23 equivalents. It does not give you the directive register, the Article 32 supervision residue for entities partially in scope, or the cross sector incident sharing channels under Chapter IV. Those remain attached to the NIS 2 layer.
A mid sized bank in Germany usually has two compliance tracks running. One runs under DORA, supervised by BaFin or by the ECB if the bank is significant; that track owns ICT risk, the third party register, major incident reporting and resilience testing. The other runs under NIS 2 Article 27, supervised by the BSI, and consists of a register entry plus updates within two weeks of any change.
Cooperative banks, Sparkassen and smaller credit institutions sit in the same logic. The DORA track is mandatory for them as financial entities under Regulation (EU) 2022/2554. The §33 BSIG entry sits next to it. Treating either track as optional creates an exposure that is visible from the public register and from BaFin reporting alike.
The platform is built around Article 21 and Article 23 NIS 2 control logic. For an in-scope financial entity those articles are displaced by DORA, so the platform is not the system of record for DORA ICT risk management. It is still useful as the Article 27 register companion, the policy and evidence library, and the place where a banking group documents the NIS 2 layer for supplier and group entities that are not financial entities under DORA.
Groups with a mixed perimeter, for example a bank plus a non financial IT services subsidiary in Annex I sector 8, often need both regimes mapped side by side. The platform is intended for the NIS 2 side of that map.
- Directive (EU) 2022/2555 (NIS 2), Annex I sector 4 and Article 4(1), EUR-Lex.
- Directive (EU) 2022/2555 (NIS 2), Article 27 registration duty, EUR-Lex.
- Regulation (EU) 2022/2554 (DORA), Articles 5 to 17 ICT risk management and Articles 17 to 23 incident reporting, EUR-Lex.
- Regulation (EU) No 575/2013 (CRR), Article 4(1) definition of credit institution, EUR-Lex.
- §33 BSIG, registration of essential and important entities with the BSI, gesetze-im-internet.de.
- BaFin guidance on DORA supervision for German financial entities, bafin.de.
- European Central Bank, SSM supervision of significant institutions, bankingsupervision.europa.eu.