Three European acts, three regulatory logics, one goal: digital resilience. But for those who fall within several perimeters — from a bank to a software vendor — the question is concrete: which discipline prevails? The answer lies in the coordination clauses: Article 4 of NIS 2, the lex specialis of DORA and the complementarity of the CRA. Let us clarify.
In our previous contributions we dealt with the labyrinth of EU cybersecurity rules, which now has three main strands: Directive (EU) 2022/2555 (NIS 2), transposed in Italy by Legislative Decree 138/2024; Regulation (EU) 2022/2554 (DORA), on the digital operational resilience of the financial sector; and Regulation (EU) 2024/2847 (Cyber Resilience Act, CRA), on horizontal cybersecurity requirements for products with digital elements. This seems the right place to examine how the three acts coordinate.
Three calendars to bear in mind
The first order of clarity is temporal. For NIS 2, Article 41 requires Member States to apply the transposing measures “from 18 October 2024”; in Italy the implementation phase entrusted to the ACN’s determinations is in full swing. For DORA, Article 64 is clear: “it applies from 17 January 2025” — the financial sector is therefore already fully operational. For the CRA, Article 71(2) sets three stages: “this Regulation applies from 11 December 2027. However, Article 14 applies from 11 September 2026 and Chapter IV (Articles 35 to 51) applies from 11 June 2026.” This is crucial: the reporting obligations of Article 14 kick in already from 11 September 2026, before the general product obligations.
NIS 2 and DORA: the sectoral-acts clause
The pivot of coordination is Article 4 of NIS 2, headed “Sector-specific Union legal acts”, which at paragraph 1 provides that “where sector-specific Union legal acts require essential or important entities to adopt cybersecurity risk-management measures or to notify significant incidents, and where those requirements are at least equivalent in effect to the obligations laid down in this Directive, the relevant provisions of this Directive […] shall not apply to such entities”. DORA qualifies itself precisely in these terms. Recital 16 clarifies that “this Regulation constitutes lex specialis with regard to Directive (EU) 2022/2555”, and Article 1(2) makes the coordination operative: for financial entities identified as essential or important under the national rules transposing Article 3 of NIS 2, “this Regulation is considered a sector-specific Union legal act in relation to Article 4 of that Directive”. In other words: for financial entities subject to DORA, the corresponding NIS 2 provisions on measures and notifications give way. But beware of the hasty reading: the yielding operates for the “relevant provisions”, not for the whole framework, and presupposes equivalence of effects; punctual mapping remains a case-by-case exercise.
The CRA: a different plane, not a derogation
The CRA’s logic is different: it does not regulate entities and services, but products with digital elements — security by design across the lifecycle, manufacturer obligations, CE marking. Not by chance, the CRA contains no speciality clause vis-à-vis NIS 2; Recital 13 describes rather its complementarity. The most concrete point of contact is procedural: Article 14(1) of the CRA hooks reporting onto the NIS architecture: “a manufacturer shall notify simultaneously to the CSIRT designated as coordinator […] and to ENISA any actively exploited vulnerability contained in the product with digital elements that it becomes aware of”. The NIS entity that is also a manufacturer of digital products will therefore have to oversee two distinct notification channels, each with its own triggers and timing.
ENISA’s compass
To support operators, ENISA has made available valuable mapping tools. The NIS360 report “assesses the maturity and criticality of sectors of high criticality under the NIS2 Directive”. And the ENISA Threat Landscape 2025 gives the picture of the threat: “this latest edition […] analyses 4875 incidents over a period spanning from 1 July 2024 to 30 June 2025”.
Conclusions
For those within several perimeters, the operational sequence we suggest is: map your roles (NIS entity? DORA financial entity? CRA manufacturer?); identify, for each obligation, the applicable discipline in light of the coordination clauses; build a unitary governance framework satisfying the most demanding requirement, avoiding documentary duplication; oversee the distinct notification channels with dedicated procedures. In the light of the above, one wonders whether the European cybersecurity mosaic will find in practice the coherence that positive law entrusts, for now, to the coordination clauses: a truly integrated resilience requires bringing the obligations of the different perimeters back to unity, rather than duplicating them, so as to raise the level of effective security in the face of a threat that knows no perimeters.
