Annex I Sector 3 NIS 2 + DORA

Am I a bank under NIS 2?

Credit institutions are listed in Annex I sector 3 of NIS 2. Article 4 NIS 2 then defers the substantive cybersecurity and incident-notification duties to DORA. The Article 27 registration duty with your national authority stays in place either way.

Simon Orzel

The short version

Banks are in NIS 2 scope. Annex I sector 3 lists 'credit institutions' as defined in Article 4(1) of Regulation (EU) No 575/2013 (CRR). If you are a Kreditinstitut under the CRR, you are inside the NIS 2 perimeter.

But Article 4 NIS 2 is a lex specialis clause. Where a sector-specific EU act lays down at least equivalent cybersecurity and incident-reporting duties, the NIS 2 substantive obligations step aside. DORA (Regulation (EU) 2022/2554) was written for exactly this purpose. So Article 21 (risk management measures) and Article 23 (significant incident notification) under NIS 2 do not apply to financial entities subject to DORA. The equivalent DORA chapters apply instead.

The carve-out is not total. Article 27 NIS 2 (registration with the national authority for situational awareness at EU level) still applies. The BSI keeps your entry in the §33 BSIG registry. The Commission and ENISA keep their EU-wide view of who is in scope, even when the substantive duties live in another regulation.

The legal source
Three layers stacked on top of each other. The directive (Annex I sector 3 + Article 4 lex specialis). The sector regulation (DORA). The national transposition (§28 BSIG plus BaFin-supervised DORA implementation).

NIS 2 Annex I sector 3 + Article 4 (Directive (EU) 2022/2555)

Credit institutions as defined in Article 4, point (1), of Regulation (EU) No 575/2013 of the European Parliament and of the Council. [Annex I, Sector 3, Banking]

Where sector-specific Union legal acts require essential or important entities to adopt cybersecurity risk-management measures or to notify significant incidents, and where those requirements are at least equivalent in effect to the obligations laid down in this Directive, the relevant provisions of this Directive, including the provisions on supervision and enforcement laid down in Chapter VII, shall not apply to such entities. [Article 4(1)]

Annex I puts banks in scope. Article 4 then carves out the substance when a sector-specific act is at least equivalent in effect. Article 4 does not carve out registration. Article 27 NIS 2 still binds.

DORA (Regulation (EU) 2022/2554)

This Regulation lays down uniform requirements concerning the security of network and information systems supporting the business processes of financial entities... in order to achieve a high common level of digital operational resilience.

DORA is the sector-specific act that triggers Article 4 NIS 2. It is directly applicable EU law. It covers ICT risk management, ICT-related incident reporting, digital operational resilience testing, ICT third-party risk and information sharing. Together those chapters are deemed equivalent in effect to Articles 21 and 23 NIS 2, so those NIS 2 articles step aside for DORA-subject entities.

§28 BSIG + national DORA implementation

§28 BSIG operationalises the Article 4 NIS 2 lex specialis rule in German law. BaFin supervises DORA compliance for German credit institutions. The BSI still maintains the §33 BSIG registry that implements Article 27 NIS 2.

Two German authorities matter here. BaFin holds the substantive supervision (risk management measures, incident reporting under DORA). The BSI holds the §33 registry entry under Article 27 NIS 2. Both are real obligations. Neither replaces the other.

Three things to check, in order
Sector test first. Then the DORA carve-out. Then the registration duty that does not get carved out. All three matter.
Step 1

Are you a credit institution per CRR Article 4(1)?

The NIS 2 banking sector uses the CRR definition. A Kreditinstitut takes deposits or other repayable funds from the public and grants credits for its own account. If you are licensed by BaFin / ECB as a credit institution, you fit. Payment institutions, e-money institutions and investment firms have their own scope tests under NIS 2 sector 4 (financial market infrastructure) or DORA.

Step 2

Articles 21 + 23 NIS 2 replaced by DORA

Article 4 NIS 2 hands the substantive duties over. DORA Chapter II (ICT risk management) replaces Article 21 NIS 2. DORA Chapter III (ICT-related incident reporting) replaces Article 23 NIS 2. The DORA RTS and ITS define the technical detail BaFin supervises against. You run one risk management framework under DORA, not two.

Step 3

Article 27 NIS 2 registration still applies

Article 27 NIS 2 obliges essential and important entities to give their national authority a defined set of data (name, address, sector, contact point, IP ranges where applicable). DORA does not replace this. The BSI runs the §33 BSIG registry for Germany. Banks register there alongside everyone else in scope. Updates are due within two weeks under Article 27(2).

Two rules that shape the carve-out
Two interpretive rules sit under Article 4 NIS 2. They explain why the carve-out exists and why registration survives it.

The equivalence test (Article 4(1) NIS 2)

Article 4 only carves out where the sector-specific act is 'at least equivalent in effect' to the relevant NIS 2 obligations. DORA was specifically engineered to meet that test. Recital 28 NIS 2 and DORA's own scope chapter confirm the fit. If a future sector act fell short, the equivalence test would fail and the NIS 2 duties would snap back in. So far that has not happened for banks.

Registration is informational, not substantive

Article 27 NIS 2 sits outside the carve-out because it serves a different purpose. The substantive duties (Articles 21 and 23) regulate behaviour. The registration duty (Article 27) gives ENISA and the Commission a complete EU-wide picture of who falls under the regime. That picture has to include DORA-subject entities too, otherwise the supervisory map has holes. The Commission keeps that visibility on purpose.

Who supervises what in Germany
More than one authority touches a German bank under this regime. BaFin holds DORA. The BSI holds the §33 registry. The ECB sits over significant institutions. Each is a real conversation.
Germany

BaFin (DORA supervisor)

BaFin supervises DORA compliance for German credit institutions. ICT risk management, the major ICT incident reports (DORA Article 19), the digital operational resilience testing programme, ICT third-party risk including critical ICT third-party providers. This is where the operational supervision sits for banks.

Germany

BSI (§33 BSIG registry)

The BSI maintains the registry implementing Article 27 NIS 2 in Germany. Banks register there even though their substantive duties are under DORA. The BSI does not double-supervise the substance. It keeps the entry, exchanges data with the Commission and ENISA, and stays the point of contact for Article 27 obligations.

EU

ECB / SSM and Bundesbank

For significant institutions under the Single Supervisory Mechanism, the ECB takes lead supervision (DORA is brought into that supervisory cycle). For less significant institutions, BaFin and the Bundesbank lead. The Bundesbank handles ongoing supervisory data collection. None of these layers changes the BSI's separate Article 27 registry role.

Three traps we see on bank calls
Three assumptions turn up again and again. All three create gaps a supervisor or auditor will spot.
  • DORA replaces NIS 2 entirely. We do not have to do anything under NIS 2.

    Article 4 NIS 2 only carves out the substantive obligations (Article 21 risk management, Article 23 incident notification). Article 27 (registration) is not on that list. The BSI still expects you in the §33 BSIG registry. Missing the registration creates a NIS 2 violation even when your DORA programme is in perfect shape.

  • We are DORA-only. The BSI does not regulate us.

    The BSI does not supervise your risk management framework. BaFin does. But the BSI does run the §33 BSIG registry that implements Article 27 NIS 2, and you are in it. Address changes, contact-point changes, sector reclassifications still go to the BSI within the Article 27(2) two-week window.

  • We are a small bank, so we are out of NIS 2 scope.

    Banking is one of the sectors where NIS 2 size thresholds can be overridden by 'regardless of size' provisions and by national supplementary scope (Annex II 'Sonstige kritische Einrichtungen'). DORA's own size logic applies independently. Do not assume out-of-scope without checking the CRR sector test, the NIS 2 'regardless of size' overrides and the DORA scope chapter in parallel.

How a typical mid-sized German bank actually runs this

Substance under DORA, registration under the BSI. A typical German Sparkasse or Volksbank does not stand up a parallel NIS 2 Article 21 framework. The ICT risk management chapter under DORA covers the same ground at the same depth. The major ICT incident reporting cycle under DORA Article 19 covers the same significant-incident loop NIS 2 Article 23 would have asked for, just on the DORA timeline and template.

On the registration side, the bank files once with the BSI under §33 BSIG, updates within two weeks under Article 27(2) when contact data or sector classification changes, and keeps a one-page internal memo explaining the Article 4 NIS 2 carve-out so the next supervisor or auditor does not have to relitigate it. That memo costs an afternoon to write and saves the equivalent of two audit cycles in awkward conversations.

How we handle this on the platform

The applicability check distinguishes substantive scope (Article 21 and 23 duties) from registration-only scope (Article 27 duty). A bank gets a registration-only result with a pointer to DORA. The output is a paste-ready memo your DORA project manager and your management body can both sign off on.

Where requirements overlap, we map the obligation against the DORA equivalent rather than asking you to satisfy it twice. The §33 BSIG registry workflow stays on the platform, including the two-week update cycle under Article 27(2). The substantive DORA workstream stays with BaFin and your existing ICT risk management tooling.

Sources
  • Directive (EU) 2022/2555 (NIS 2), Annex I sector 3, Article 4, Article 27 — eur-lex.europa.eu/eli/dir/2022/2555/oj
  • Regulation (EU) 2022/2554 (DORA), Article 1 scope and Chapters II + III — eur-lex.europa.eu/eli/reg/2022/2554/oj
  • Regulation (EU) No 575/2013 (CRR), Article 4(1) — eur-lex.europa.eu/eli/reg/2013/575/oj
  • BSI Act (BSIG), §28 (lex specialis) and §33 (registry) as amended by the NIS2 Implementation and Cybersecurity Strengthening Act
  • BaFin guidance on DORA implementation for credit institutions — bafin.de
Run the applicability check for your bank
Substantive duties under DORA, registration duty under the BSI. We separate the two and give you a memo your management body can sign. Free, open source, no lock-in.