DORA vs. NIS 2: How to comply with European cybersecurity requirements
Differences, similarities and practical guidelines for achieving compliance
Two regulatory pillars define the current cybersecurity framework in Europe: the NIS 2 Directive (transposed into Bulgarian legislation through the Cybersecurity Act) and the DORA Regulation. Although they share a common goal – increasing the protection of critical IT infrastructure – they differ in scope, technical requirements and enforcement mechanisms.
What are DORA and NIS 2?
NIS 2 (Network and Information Security Directive)
NIS 2 is a horizontal directive that establishes a baseline for cybersecurity in a wide range of economic sectors (18 in total), classified as “essential” and “important” entities. It requires Member States to harmonize their national laws to ensure a uniform level of protection across the Union. In Bulgaria, this has already been done – through the amendments to the Cybersecurity Act of February this year.
DORA (Digital Operational Resilience Act)
DORA is a specialized regulation (lex specialis) aimed exclusively at the financial sector and its critical ICT service providers. As a regulation, it applies directly, and for financial institutions it takes priority over NIS 2. DORA introduces significantly more detailed requirements regarding resilience testing.
Key similarities: The common basis for protection
Despite their different focus, the two regulations share common principles:
- Management responsibility: Management bodies are now directly responsible for approving and overseeing risk management frameworks.
- Training: Cybersecurity training is mandatory for both employees and management.
- Third-party risk management (supply chain security): Both regulations require strict control over the supply chain and ICT service providers.
- Incident reporting: Strict deadlines are introduced for notifying national competent authorities in the event of security breaches (initial notification within 24 hours under NIS 2, and immediately or within hours for critical incidents under DORA).
- Proportionality principle: The severity of the measures depends on the size of the organisation, its turnover and the criticality of its activities.
Key differences: Horizontal vs. vertical approach

Technological implementation of compliance through Paraflow's expertise
Paraflow offers an integrated approach to achieving full compliance with the requirements of the NIS 2 Directive, the DORA Regulation and the Cybersecurity Act (CSA).
- Initial consultation and classification of the organization.
- Assessment of the IT infrastructure, GAP analysis / verification of the degree of compliance with regulatory requirements.
- Preparation of a compliance strategy and a plan for eliminating non-compliances.
- Technological solutions from leading manufacturers and developers, including Cisco, Palo Alto, Cynet, Check Point, Fortinet, Rapid7, Microsoft, Broadcom and others: Next Generation Firewall, Endpoint Protection with EDR, SOC – Security Operation Center (24/7 incident monitoring), Backup and Recovery solutions (to ensure process continuity), etc.
- Stress tests and attack simulations.
- Specialized cybersecurity training for staff and managers.
- A full set of compliance documentation, including development of plans, procedures, instructions and policies for risk management and incident response.
Contact us for further information or consultation!