When DORA Meets Critical Infrastructure: The Convergence With NIS2 and Energy Regulation

The Lex Specialis That Leaks
DORA is lex specialis to NIS2 for the financial sector. Article 1(2) of DORA establishes that for financial entities, DORA takes precedence over NIS2's general cybersecurity requirements. This is a clean legal boundary — on paper.
In practice, the boundary leaks. Financial institutions do not operate in isolation. They depend on infrastructure that falls under NIS2's scope: energy grids that power data centers, telecommunications networks that carry financial transactions, internet exchange points that route traffic, and cloud providers that serve both financial services and other critical sectors.
The Iberian blackout of April 2025 was the most vivid demonstration of this dependency. When the Spanish and Portuguese power grid failed, financial services in the Iberian Peninsula were immediately affected. ATMs went offline. Payment terminals stopped working. Online banking became inaccessible. The financial sector's operational resilience was constrained by the energy sector's operational resilience — and the two were governed by different regulations with different supervisory authorities.
DORA governs how financial institutions manage their ICT risk. NIS2 governs how essential and important entities (including energy, transport, digital infrastructure) manage their cybersecurity risk. The convergence between these two frameworks is not theoretical. It is operational, immediate, and insufficiently governed.
The Regulatory Landscape: DORA vs NIS2
Scope and Overlap
| Dimension | DORA | NIS2 |
|---|---|---|
| Scope | Financial entities (banks, insurers, investment firms, payment institutions, crypto-asset providers) | Essential and important entities across 18 sectors |
| Sector focus | Financial services exclusively | Energy, transport, health, digital infrastructure, ICT service management, space, water, food, manufacturing, and more |
| Applicable since | January 17, 2025 | October 17, 2024 (transposition deadline) |
| Legal instrument | Regulation (directly applicable) | Directive (requires national transposition) |
| Supervisor | Financial supervisory authorities (NCAs, ECB-SSM, ESAs) | National NIS2 authorities (often separate from financial supervisors) |
| Incident reporting | To financial supervisory authority | To national CSIRT/competent authority |
| Third-party oversight | Critical third-party provider oversight framework (Art. 31-44) | Supply chain security requirements (Art. 21(2)(d)) |
Where They Intersect
The intersection occurs at dependency chains. A bank (DORA) depends on a cloud provider (potentially both DORA and NIS2), which depends on a data center operator (NIS2), which depends on an energy provider (NIS2), which depends on a grid operator (NIS2). A failure at any point in this chain impacts the bank's operational resilience.
The Cloud Provider: Dual-Regulated Entity
Cloud service providers occupy the most complex position in this landscape. Under DORA, major cloud providers are likely to be designated as Critical Third-Party Providers (CTPPs) subject to the oversight framework in Art. 31-44. Under NIS2, cloud computing services are "important entities" subject to cybersecurity risk management and incident reporting requirements.
The practical question for financial institutions: when a cloud provider suffers an incident, who governs the response? The DORA oversight authority (the Lead Overseer designated by the ESAs) or the NIS2 competent authority? The answer is both — with different reporting timelines, different requirements, and potentially different supervisory expectations.
Cross-Sector Dependencies: The Risk Map
Energy Dependency
Financial services depend on electricity for every aspect of operations. Data centers, trading floors, ATM networks, payment infrastructure, and telecommunications — all require continuous power supply.
| Financial Function | Power Dependency | Backup Duration | Gap if Grid Failure > Backup |
|---|---|---|---|
| Data centers | Critical — 100% | UPS: 15-30 min, Generators: 24-72 hours | Full service outage |
| Trading platforms | Critical — real-time | UPS: 15 min, Generator: 4-8 hours | Market access lost |
| ATM networks | Distributed — per location | Battery: 2-4 hours | Cash access lost |
| Payment terminals | Distributed — per merchant | None (grid-dependent) | Card payments unavailable |
| Branch offices | Important — business hours | Generator: limited sites | Branch services unavailable |
The Iberian blackout demonstrated that even generator-backed systems have limits: fuel supply chains depend on logistics networks that also depend on electricity. Extended grid failures create cascading impacts that exceed backup capacity.
Telecommunications Dependency
SWIFT messages, interbank settlement, real-time payment systems, and customer-facing channels all depend on telecommunications infrastructure. A telecommunications outage — whether from cyberattack, infrastructure failure, or natural disaster — impacts financial services regardless of the bank's own resilience.
NIS2 governs telecommunications providers. DORA governs the financial institution's management of its telecommunications dependency. The gap is that no single regulation governs the interface between the two — the SLA between the bank and its telecom provider, the bank's assessment of telecom provider resilience, and the bank's contingency plan for telecom unavailability.
Internet Infrastructure Dependency
DNS, BGP routing, certificate authorities, and CDN providers — the invisible infrastructure of the internet — are increasingly recognized as critical dependencies for financial services. A DNS provider failure can render online banking inaccessible even when the bank's own systems are fully operational.
Governing Cross-Regulatory Dependencies
DORA Art. 28: The Bridge
Art. 28 third-party ICT risk management is DORA's bridge to NIS2-regulated dependencies. When a financial institution depends on an energy provider, a telecommunications operator, or a data center operator, that dependency is an ICT third-party risk. The institution must:
- Identify the dependency in the register of information (Art. 28(3))
- Assess the risk, including the provider's resilience posture
- Contract appropriate provisions including notification of incidents that may affect the institution
- Monitor the dependency continuously, not just at onboarding
- Plan for the dependency's failure — what happens when the power goes out, the network goes down, or the DNS stops resolving?
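As an added illustration of the Art. 28 steps above (identify, assess, contract, monitor, plan for failure), the following Python model is not part of the original article. It builds a small, constructed register of information in which every entry records the provider's regulatory regime, its upstream dependencies, its backup autonomy (taken from the energy-dependency table: data center generators 48 hours, ATM batteries 3 hours, point-of-sale terminals none) and whether the contract contains an incident-notification clause. The entry names, the 8-hour telecom backup and the chain shape are assumptions. It propagates a grid outage of a given length along the dependency chain described earlier (grid, energy provider, data center, cloud provider, bank) and reports which functions would be down and for how long, plus the NIS2-regulated dependencies whose contracts lack the notification clause the article calls for.

```python
"""Constructed dependency-register model for cross-sector ICT risk (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Dependency:
    name: str                 # register entry (hypothetical names)
    regime: str               # regulatory lens on the provider: "DORA", "NIS2" or "DORA+NIS2"
    depends_on: tuple         # upstream register entries this one needs to operate
    backup_hours: float       # hours the entry keeps running once all upstream supply is lost
    notifies_incidents: bool  # contract contains an incident-notification clause (Art. 28)


# Constructed register of information; backup figures follow the article's table
# where it gives them (data center 24-72h -> 48h, ATM 2-4h -> 3h, POS none).
REGISTER = {
    d.name: d for d in [
        Dependency("grid_operator", "NIS2", (), 0, True),
        Dependency("energy_provider", "NIS2", ("grid_operator",), 0, False),
        Dependency("datacenter", "NIS2", ("energy_provider",), 48, True),
        Dependency("cloud_provider", "DORA+NIS2", ("datacenter",), 0, True),
        Dependency("telecom_operator", "NIS2", ("energy_provider",), 8, False),  # 8h assumed
        Dependency("core_banking", "DORA", ("cloud_provider", "telecom_operator"), 0, True),
        Dependency("atm_network", "DORA", ("energy_provider", "telecom_operator"), 3, True),
        Dependency("pos_terminals", "DORA", ("energy_provider", "telecom_operator"), 0, True),
    ]
}


def downtime(register, failed, duration_h):
    """Propagate an outage of `duration_h` hours at `failed` through the register.

    Worst-case rule: an entry is down for as long as its worst upstream is down,
    minus whatever backup autonomy it has. Returns {name: hours of downtime}.
    """
    memo = {}
    visiting = set()

    def hours_down(name):
        if name == failed:
            return float(duration_h)
        if name in memo:
            return memo[name]
        if name in visiting:
            raise ValueError(f"dependency cycle through {name}")
        visiting.add(name)
        node = register[name]
        upstream = max((hours_down(u) for u in node.depends_on), default=0.0)
        memo[name] = max(0.0, upstream - node.backup_hours)
        visiting.discard(name)
        return memo[name]

    return {name: hours_down(name) for name in register}


def affected_functions(register, failed, duration_h):
    """Names of register entries that experience any downtime, sorted."""
    return sorted(n for n, h in downtime(register, failed, duration_h).items() if h > 0)


def unnotified_nis2_dependencies(register):
    """Art. 28 contract gap: NIS2-regulated providers without an incident-notification clause."""
    return sorted(
        d.name for d in register.values()
        if "NIS2" in d.regime and not d.notifies_incidents
    )


if __name__ == "__main__":
    for outage in (10, 60):
        print(f"grid outage of {outage}h:")
        for name, hours in downtime(REGISTER, "grid_operator", outage).items():
            if hours > 0:
                print(f"  {name:16s} down {hours:5.1f}h")
    print("NIS2 dependencies lacking notification clause:",
          unnotified_nis2_dependencies(REGISTER))
```

The 10-hour case shows the pattern the article describes: generator-backed data centers and the cloud platform ride through, but card payments and ATMs fail almost immediately and core banking still loses two hours once the telecom operator's backup is exhausted. At 60 hours the generators are spent and every function is down, which is the "gap if grid failure > backup" column made explicit.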
Practical Framework for Cross-Sector Risk Management
The Information Sharing Bridge
DORA Art. 45 information sharing provisions and NIS2's equivalent requirements create an opportunity for cross-sector threat intelligence sharing. Financial sector ISACs and energy/telecom sector CSIRTs operate largely independently. The institutions that bridge these information silos — monitoring threat intelligence from both their own sector and the sectors they depend on — will have earlier warning of cross-sector threats.
Supervisory Coordination Challenges
The dual regulatory framework creates supervisory coordination challenges:
Incident reporting duplication. A cloud provider incident affecting a financial institution may require reporting under both DORA (to the financial supervisor) and NIS2 (to the national CSIRT). The reporting timelines, formats, and recipients differ.
Oversight fragmentation. The DORA Lead Overseer for a critical cloud provider focuses on financial sector impacts. The NIS2 competent authority for the same provider focuses on broader cybersecurity. Neither has a complete picture.
Proportionality divergence. NIS2 applies proportionality based on whether the entity is "essential" or "important." DORA applies proportionality based on the financial entity's size, risk profile, and complexity. The same infrastructure provider may face different expectations depending on which regulation's lens is applied.
The EBA and ESMA have acknowledged these coordination challenges. The future evolution of DORA may include more explicit cross-regulatory coordination mechanisms. In the meantime, financial institutions must manage the complexity themselves.
Lessons From the Iberian Blackout
The April 2025 Iberian blackout provided a real-world stress test of cross-sector dependencies. Key lessons for DORA compliance:
1. Generator backup is necessary but insufficient. Institutions with generator backup restored core systems. But generators require fuel, and fuel supply chains depend on the same grid that failed. Extended grid failures exhaust backup capacity.
2. Payment infrastructure is grid-dependent. Point-of-sale terminals have no independent power supply. Card payments across the Iberian Peninsula ceased immediately, regardless of whether the bank's core systems were operational.
3. Telecommunications resilience is assumed, not tested. Financial institutions test their own systems' resilience. They rarely test what happens when the telecommunications link between their data center and their core banking provider fails — because they assume it will always be available.
4. Cross-sector incident coordination is immature. During the blackout, financial supervisors, energy regulators, and telecommunications authorities each managed their sector's response independently. Cross-sector coordination was ad hoc, not proceduralized.
Key Takeaways
- DORA is lex specialis to NIS2, but dependencies cross the boundary. Financial institutions depend on energy, telecom, and internet infrastructure governed by NIS2.
- The Iberian blackout proved the dependency is operational, not theoretical. Financial services resilience is constrained by infrastructure resilience.
- Art. 28 is the bridge: financial institutions must identify, assess, contract, and monitor their NIS2-regulated dependencies as ICT third-party risks.
- Cloud providers are dual-regulated under both DORA (as CTPPs) and NIS2 (as digital infrastructure). Institutions must understand how both frameworks apply.
- Cross-sector information sharing (Art. 45 + NIS2 equivalents) provides early warning of threats that originate outside the financial sector.
- Supervisory coordination is immature. Financial institutions should not wait for regulators to solve this — govern cross-sector dependencies proactively.
Summary (translated from French)
DORA is lex specialis to NIS2 for the financial sector, but dependency chains cross the regulatory boundary. Financial institutions depend on power grids (NIS2), telecommunications (NIS2), and internet infrastructure (NIS2) for all of their operations. The Iberian blackout of April 2025 demonstrated this dependency under real conditions: when the Spanish and Portuguese power grid failed, financial services were immediately affected: ATMs out of service, payment terminals inoperative, online banking inaccessible. Article 28 of DORA is the bridge: dependencies on NIS2-regulated providers must be identified in the register of information, assessed, contracted with specific provisions, and monitored continuously. Cloud providers occupy a unique position, potentially regulated under DORA (as CTPPs) and under NIS2 simultaneously. Cross-sector information sharing (Art. 45) provides early warning of threats that originate outside the financial sector. Coordination between DORA supervisors and NIS2 authorities remains immature; institutions must proactively govern their cross-sector dependencies.