NIS2 vs GDPR vs DORA: Which Frameworks Apply to Your Business?
The EU compliance landscape is confusing. Here’s how the three big frameworks fit together — and how to figure out which ones apply to you.
If you run a business in the EU, you’re probably dealing with an alphabet soup of compliance requirements: NIS2, GDPR, DORA, ISO 27001, PCI DSS, SOC 2, the EU AI Act...
The question most business leaders ask is simple: "Which ones apply to me?" The answer, for most EU businesses, is: more than one.
This guide compares the three major EU regulatory frameworks — NIS2, GDPR, and DORA — explains who they apply to, what they require, and most importantly, where they overlap so you can do the work once and apply it across frameworks.
The Three Frameworks at a Glance
NIS2 — Network and Information Security Directive
What it is: An EU directive (Directive (EU) 2022/2555) setting cybersecurity risk-management and incident-reporting requirements for organisations providing essential and important services. Because it is a directive, each Member State transposes it into national law (transposition deadline 17 October 2024), so details such as the competent authority, registration and exact penalty levels vary by country.
Who it applies to: Medium-sized and large organisations (50+ employees, or more than €10M annual turnover or balance sheet total) in 18 sectors (energy, transport, health, digital infrastructure, manufacturing, food, etc.). Certain digital infrastructure providers, such as DNS service providers and TLD name registries, are in scope regardless of size. Suppliers are not regulated directly, but in-scope entities must manage supply chain risk, so NIS2 obligations reach suppliers through contracts and due diligence.
What it requires: Cybersecurity risk-management measures (Art. 21), incident reporting (24-hour early warning, 72-hour incident notification, final report within one month), supply chain security, business continuity, and governance with management-body accountability and training.
Penalties: Up to €10M or 2% of total worldwide annual turnover, whichever is higher (essential entities); up to €7M or 1.4% (important entities). Management bodies can be held personally liable, and managers of essential entities can be temporarily barred from management functions.
GDPR — General Data Protection Regulation
What it is: The EU regulation governing the processing of personal data.
Who it applies to: Any organisation that processes personal data of people in the EU, regardless of size or sector, including non-EU organisations that offer goods or services to, or monitor the behaviour of, people in the EU. This means virtually every business.
What it requires: Lawful basis for processing, data subject rights (access, erasure, portability), privacy notices, security measures appropriate to the risk (Art. 32), breach notification to the supervisory authority within 72 hours of becoming aware of the breach (Art. 33), DPIAs for high-risk processing (Art. 35), and written data processing agreements with processors (Art. 28).
Penalties: Up to €20M or 4% of total worldwide annual turnover, whichever is higher (higher tier); up to €10M or 2% (lower tier).
DORA — Digital Operational Resilience Act
What it is: An EU regulation (Regulation (EU) 2022/2554, applying from 17 January 2025) establishing ICT risk-management and operational resilience requirements specifically for the financial sector. As a regulation it applies directly in every Member State without national transposition.
Who it applies to: Banks, payment and e-money institutions, insurers, investment firms, crypto-asset service providers, pension funds and other financial entities, plus the ICT third-party providers that serve them. Providers designated as critical ICT third-party providers (CTPPs) fall under a direct EU-level oversight framework.
What it requires: An ICT risk management framework; ICT incident management, classification and reporting (initial notification within 4 hours of classifying an incident as major and no later than 24 hours after becoming aware of it, intermediate report within 72 hours, final report within one month); digital operational resilience testing (an annual testing programme, plus threat-led penetration testing (TLPT) at least every three years for entities designated by their competent authority); ICT third-party risk management; and voluntary information-sharing arrangements.
Penalties: For financial entities, set and applied by national competent authorities. Critical ICT third-party providers face periodic penalty payments of up to 1% of their average daily worldwide turnover, charged daily, for up to six months.
Side-by-Side Comparison
| | NIS2 | GDPR | DORA |
|---|---|---|---|
| Type | Directive (transposed into national law) | Regulation (directly applicable) | Regulation (directly applicable) |
| Scope | Essential/important entities in 18 sectors | Any organisation processing EU personal data | Financial entities + their ICT third-party providers |
| Size threshold | 50+ employees or €10M+ turnover/balance sheet (some entities in scope regardless of size) | None | None (sector-based) |
| Risk assessment | Required (Art. 21) | Required (Art. 32; DPIA under Art. 35 for high-risk processing) | Required (ICT risk management framework) |
| Incident reporting | 24hr early warning + 72hr notification + 1-month final report | 72hr to supervisory authority | 4hr from classification (max 24hr from awareness) + 72hr intermediate + 1-month final |
| Supply chain | Required (supply chain security) | Processor contracts required (Art. 28) | Required (ICT third-party risk, register of information) |
| Testing | Required (assessing effectiveness of measures, Art. 21(2)(f)) | Required (regular testing of measures, Art. 32(1)(d)) | Annual testing programme + TLPT every 3 years for designated entities |
| Board accountability | Yes (management body, Art. 20) | Accountability principle (Art. 5(2), Art. 24); DPO required in some cases (Art. 37) | Yes (management body, Art. 5) |
| Max penalty | €10M / 2% (essential); €7M / 1.4% (important) | €20M / 4% | Set by national authority; up to 1% of average daily turnover for CTPPs |
Where They Overlap
Here’s the good news: there’s significant overlap between all three frameworks. If you address the common requirements once, you’re well on your way to compliance across all of them.
Common requirements across NIS2, GDPR, and DORA:
- Risk assessment — All three require you to assess and manage risk. A single risk register can serve all three, provided it captures risk to the people whose data you process (GDPR's angle) as well as risk to the availability of your services (the NIS2 and DORA angle).
- Incident response — All three require you to detect, respond to, and report incidents. One incident response plan, tested regularly, serves all three, but it needs a reporting matrix that maps each incident type to the right recipient and deadline: 24/72 hours to the NIS2 authority, 72 hours to the data protection supervisory authority for personal data breaches, 4/24 hours to the financial supervisor under DORA.
- Access control — Restricting access to data and systems on a least-privilege basis is an explicit measure under NIS2 (Art. 21(2)(i)) and DORA, and an "appropriate technical and organisational measure" under GDPR Art. 32.
- Encryption — Protecting data in transit and at rest is explicitly listed: NIS2 requires policies on the use of cryptography and encryption (Art. 21(2)(h)), GDPR names encryption as an example measure (Art. 32(1)(a)), and DORA requires encryption and cryptographic controls as part of ICT security.
- Business continuity — NIS2 and DORA require explicit BC/DR planning and backup management. GDPR requires the ability to ensure "ongoing confidentiality, integrity, availability and resilience" and to restore availability after an incident (Art. 32(1)(b) and (c)).
- Supply chain / third-party management — NIS2 requires supply chain security, GDPR requires written contracts with processors (Art. 28), and DORA has an entire pillar on ICT third-party risk.
- Governance — All three require management accountability for security or privacy, and NIS2 and DORA make the management body explicitly responsible for approving and overseeing the risk-management framework.
What’s unique to each:
- NIS2 only: Registration with national authorities, designation as an essential or important entity by sector, and management-body training obligations
- GDPR only: Data subject rights (access, erasure, portability), lawful basis requirements, DPIAs, privacy notices, DPO appointment where required
- DORA only: Threat-led penetration testing (TLPT), the register of information on all ICT third-party arrangements, major-incident classification criteria, and the EU oversight framework for critical ICT third-party providers
How to Figure Out Which Frameworks Apply to You
Work through this decision tree:
Step 1: Do you process personal data of people in the EU?
If yes → GDPR applies. (This is almost every business.)
Step 2: Are you in one of the 18 NIS2 sectors with 50+ employees or €10M+ turnover (or one of the entity types in scope regardless of size)?
If yes → NIS2 applies; check the transposing law in each Member State where you operate.
If no but your clients are NIS2 entities → NIS2 does not regulate you directly, but expect its supply chain security requirements to reach you through contracts and supplier assessments.
Step 3: Are you a financial entity, or an ICT provider to financial entities?
If yes → DORA applies (financial entities directly; ICT providers through contractual requirements, or directly if designated as critical).
Step 4: Do your clients require ISO 27001, SOC 2, or PCI DSS?
If yes → These are not laws, but they become binding through your contracts.
For most EU businesses with 50+ employees, the answer is: GDPR almost certainly, plus NIS2 if you are in one of the 18 sectors, or DORA if you are in or supply the financial sector.
How ShieldIQ Helps
ShieldIQ lets you assess your compliance across all three frameworks (and 6 more) from a single platform. Because the questionnaires overlap, answering for one framework gives you a head start on the others.
The cross-framework gap analysis (Enterprise tier) shows you where your controls satisfy multiple frameworks simultaneously and where framework-specific gaps remain. This means you do the work once and get coverage across your entire regulatory landscape.
Start with whichever framework is most urgent for your business, then expand.
Ready to find out where you stand?
Start your free compliance assessment at app.shieldiqcyber.com
No credit card. No sales call. Under 15 minutes.