DORA falls outside the scope of the NIS 2 cybersecurity Directive

01/02/2024

On September 18, 2023, the European Commission published guidelines on the application of Article 4 of the NIS 2 Directive (Network and Information System Security) on cybersecurity (Directive (EU) 2022/2555).

The guidelines seek to clarify the application of Article 4(1) and (2) of NIS 2, which disapply relevant provisions of NIS 2 to essential or important entities subject to equivalent requirements under sector-specific EU legal acts, and cover:

  • assessing the equivalence of obligations to adopt cybersecurity risk management measures and to notify significant incidents; and

  • the consequences of equivalence, such as in relation to supervision and enforcement, and national cybersecurity strategies.

An appendix to the guidelines sets out a non-exhaustive list of EU legal acts that the Commission considers to fall within the scope of Article 4; at present it lists only the Digital Operational Resilience Act (DORA). The Commission notes, among other things, that Member States should not apply relevant NIS 2 provisions to financial entities covered by DORA.