Three regulators, three deadlines, three different theories of what cybersecurity disclosure is actually for. The EU’s NIS2 Directive treats it as national security infrastructure protection. The EU’s Digital Operational Resilience Act (DORA) treats it as financial stability oversight. The U.S. Securities and Exchange Commission’s cybersecurity rules treat it as an investor-protection problem. A company operating across jurisdictions can trigger all three in a single incident — with contradictory timelines, audiences, and content requirements.
This comparison strips out the compliance-vendor noise and lays out, side by side, who each rule applies to, what each actually requires, what “material” or “significant” means under each, and where the overlaps will bite you if you try to run one incident-response playbook for all three.
What Each Framework Is Trying to Fix
The three frameworks share a family resemblance — mandatory incident reporting, management accountability, third-party risk — but they were built to solve different problems.
NIS2 (Directive (EU) 2022/2555) is a wide-aperture sectoral rule. It covers 18 critical sectors and roughly 160,000 entities across the EU, up from the 10,000–15,000 under the original 2016 NIS Directive. The transposition deadline was 17 October 2024, but as of March 2026, national implementation is still uneven — Germany’s amended BSI Act entered force on 6 December 2025, Austria’s NISG 2026 was promulgated in December 2025 and fully enters force on 1 October 2026, and on 7 May 2025 the European Commission sent reasoned opinions to 19 member states for failing to notify full transposition. The objective: prevent disruption to essential services — energy, water, healthcare, transport, digital infrastructure — and force national CSIRTs into a coordinated posture.
DORA (Regulation (EU) 2022/2554) is narrower and sharper. It became enforceable on 17 January 2025 across roughly 22,000 financial entities with no transition period and no grace window. Because it’s a regulation, not a directive, it applies directly in all 27 member states without national transposition — a deliberate design choice to avoid the fragmentation that plagued NIS1. DORA’s target is financial stability: making sure a cloud outage, a ransomware hit on a core banking vendor, or a cascading ICT failure can’t tip the EU financial system into crisis. On 18 November 2025, the European Supervisory Authorities designated 19 critical ICT third-party providers (CTPPs) — including AWS, Microsoft Azure, and Google Cloud — for direct supervisory oversight.
The SEC rules (adopted July 2023, effective 18 December 2023 for most registrants and 15 June 2024 for smaller reporting companies) are narrower still. They apply only to public companies filing with the SEC. The theory is pure securities law: investors need timely, accurate information about events that could move a stock price. Cybersecurity just happens to be one of those events.
Who Each Rule Actually Covers
This is where most compliance planning goes wrong. The three frameworks use entirely different scoping logic.
NIS2 uses automatic size-based thresholds tied to sector. Medium and large enterprises (over 50 employees or €10M turnover) in any of the 18 covered sectors are in scope by default. The directive splits them into essential entities — the truly critical ones like energy operators, drinking water suppliers, core banking, and certain digital infrastructure — and important entities, which get the same substantive obligations but lighter-touch supervision. Micro and small firms are excluded in most sectors, with hard-coded exceptions: trust service providers, DNS providers, TLD registries, and electronic communications services are in scope regardless of size. National transpositions sometimes expand this — Germany’s revised BSI Act layers NIS2 categories on top of the pre-existing KRITIS framework, producing a more granular (and more demanding) scoping model than Brussels envisioned.
DORA covers 20 types of financial entity enumerated in Article 2 — credit institutions, payment institutions, investment firms, crypto-asset service providers, insurance and reinsurance undertakings, pension funds, credit rating agencies, and more — plus their ICT third-party service providers. Importantly, DORA extends extraterritorially: a non-EU cloud provider or SaaS vendor that serves EU financial entities and gets designated as a CTPP by the ESAs comes under direct EU oversight. The November 2025 designation of AWS, Microsoft Azure, and Google Cloud made that principle concrete.
SEC rules apply only to entities that file with the Commission — domestic registrants on Form 8-K and 10-K, foreign private issuers on Form 6-K and 20-F. A privately held U.S. company with a billion in revenue is outside scope. A small-cap listed firm is inside it. Smaller reporting companies had until 15 June 2024 to begin filing Form 8-K cyber disclosures, and all registrants have been required to tag these disclosures in Inline XBRL since 18 December 2024.
The overlap zone is messy. A European bank listed in New York is a financial entity under DORA, almost certainly an essential entity under NIS2 (though DORA supersedes NIS2 for financial-sector cybersecurity risk management per NIS2 Recital 28 and Article 4), and an SEC registrant. The same cyber incident can trigger three separate filings, to three separate regulators, with three separate content standards and clocks.
How the Reporting Clocks Actually Work
The timeline mechanics differ more than the headlines suggest.
NIS2 installs a three-stage reporting cascade to the competent national CSIRT or authority. Entities have 24 hours from awareness of a significant incident to submit an early warning indicating whether the incident is suspected to be caused by unlawful or malicious action or whether it could have cross-border impact. Within 72 hours, they file an incident notification including an initial assessment of severity and indicators of compromise. A final report is due within one month. Progress reports are required if the incident is still ongoing at the one-month mark. The trigger for all this is a “significant incident” — one that has caused or is capable of causing severe operational disruption or financial loss, or has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage.
DORA is stricter at the front and more granular throughout. Financial entities must classify an incident as “major” based on criteria in the Commission Delegated Regulation — clients or financial counterparts affected, data losses, duration and service downtime, geographical spread, economic impact, criticality of services affected, and reputational impact. Once classified as major, the entity submits an initial notification to its competent authority within tight deadlines, followed by an intermediate report and a final report. “Significant cyber threats” — incidents that didn’t materialize but could have — can also be voluntarily reported.
The SEC rule is the outlier. Its four-business-day clock is tied neither to incident discovery nor to a severity classification, but to a materiality determination. The registrant must make that determination “without unreasonable delay” after discovery, and once it concludes an incident is material, Form 8-K Item 1.05 must be filed within four business days. The SEC’s Division of Corporation Finance clarified in May 2024 that Item 1.05 is only for cybersecurity incidents with a material effect on the company — voluntary or precautionary disclosures belong under Item 8.01. Between December 2023 and early 2025, 54 companies filed 80 cyber-related Form 8-Ks: 26 under Item 1.05 and the remainder under voluntary items.
The Materiality Problem
“Material,” “significant,” and “major” are the load-bearing words across these three frameworks, and they mean different things.
SEC materiality is a securities-law concept with decades of case law behind it. The TSC Industries v. Northway standard — whether a reasonable investor would consider the information important in making an investment decision — maps onto cyber incidents awkwardly. The SEC has been explicit that materiality isn’t reducible to quantitative thresholds; qualitative factors (reputational harm, regulatory exposure, strategic impact) matter as much as dollars. The Change Healthcare Form 8-K filed on 21 February 2024 is the canonical example: UnitedHealth’s subsidiary disclosed a suspected nation-state actor had accessed its IT systems, triggering sectoral disruption across U.S. healthcare payments. The filing cited no specific financial number at the time but treated the incident as material on qualitative grounds.
DORA’s “major ICT-related incident” classification is the opposite — heavily quantified. The Commission Delegated Regulation specifies criteria and thresholds: number of clients affected, duration, geographical spread, economic impact measured as direct and indirect costs. If the thresholds are met, the incident is major. Judgment plays a role at the edges, but the framework is mechanical by design.
NIS2’s “significant incident” sits between the two. The directive’s Article 23 definition is qualitative — severe operational disruption, considerable damage to other persons — but the NIS Cooperation Group and national authorities have issued sector-specific guidance operationalizing it. The assessment is more judgment-driven than DORA but more structured than SEC materiality.
The practical consequence: an incident that’s “major” under DORA may not be “material” under SEC rules (because the financial impact, while significant to operations, isn’t investor-relevant) and may be “significant” under NIS2 (because of the cross-border dimension). The reverse combination is equally possible: an incident that is material to investors yet falls below DORA’s thresholds or outside NIS2’s definition.
Penalties and Personal Liability
All three frameworks push accountability up to management. How they do it differs sharply.
NIS2 caps administrative fines at the greater of €10 million or 2% of total worldwide annual turnover for essential entities, and €7 million or 1.4% of turnover for important entities. Beyond fines, national authorities can issue binding instructions, order security audits, suspend certifications, and — most aggressively — temporarily prohibit individuals from exercising managerial functions at essential entities for non-compliance. Article 20 requires management bodies to approve cybersecurity risk-management measures and oversee their implementation. Germany’s BSI Act Section 38 arguably goes further, requiring management bodies to “implement” such measures, though this appears to be an editorial drafting choice rather than a substantive deviation.
DORA caps are similar in structure — up to 2% of total annual worldwide turnover for financial entities, up to €1 million for individuals, and up to 1% of average daily worldwide turnover for critical ICT third-party providers, applied daily until compliance is achieved. Senior management can be personally sanctioned. The difference from NIS2 is that DORA enforcement runs through the existing financial-sector supervisory apparatus — national competent authorities coordinating with the ESAs — which is more practiced at imposing large fines than many national cybersecurity regulators are.
The SEC’s approach is structurally different: there is no fixed cyber-specific penalty schedule. Enforcement flows through the general securities-law apparatus — disclosure violations are prosecuted as fraud, materially misleading statements, or internal-controls failures. The SEC settled enforcement actions against four companies in October 2024 regarding cybersecurity disclosure, finding that one had “negligently made materially misleading misstatements” on Form 8-K about a cyberattack. Total settled penalties related to cybersecurity disclosure have exceeded $8 million as of early 2026. In February 2025, the SEC launched the Cyber and Emerging Technologies Unit (CETU), replacing the prior Crypto Assets and Cyber Unit with a broader remit.
Third-Party and Supply Chain Treatment
All three regimes have internalized the lesson of SolarWinds and similar supply-chain compromises, but their mechanisms differ.
NIS2 Article 21 requires essential and important entities to assess supply-chain risk, including the quality and resilience of products and services from direct suppliers. The EU-level ICT Supply Chain Security Toolbox, adopted by the NIS Cooperation Group, provides a structured methodology. Obligations flow contractually — SMEs outside NIS2’s direct scope frequently find themselves subject to effectively equivalent requirements because their customers are in scope and push obligations down through procurement.
DORA is more prescriptive. Article 28 requires financial entities to maintain a Register of Information on all contractual arrangements with ICT third-party service providers, with specific content requirements and standardized contractual clauses for critical or important functions. The registers feed into the ESAs’ designation process for CTPPs. Once designated (as with the 19 providers named on 18 November 2025), CTPPs fall under direct EU supervision — lead overseers can conduct inspections, request information, and ultimately forbid providers from entering contracts with financial firms that don’t comply with DORA-aligned terms.
The SEC rule handles third-party risk indirectly. Regulation S-K Item 106 requires companies to describe their processes for assessing, identifying, and managing material risks from cybersecurity threats — including, where material, risks associated with third-party service providers. A cyber incident at a vendor that causes material impact to the registrant triggers the same Item 1.05 disclosure obligation as an in-house incident.
Where the Frameworks Collide
For an institution in scope of all three — say, a large EU-headquartered bank with U.S.-listed ADRs — the interactions get intricate.
NIS2 Article 4 and Recital 28 make DORA the lex specialis for financial-sector cybersecurity: the DORA provisions on ICT risk management, incident reporting, resilience testing, information sharing, and ICT third-party risk apply instead of the corresponding NIS2 provisions. Financial entities don’t face duplicate EU cyber obligations; they face DORA’s version. But other NIS2 provisions — cooperation, crisis management frameworks, aspects of supervision — may still apply depending on the member state’s transposition.
The Digital Omnibus package, proposed by the Commission in January 2026, aims to reduce duplicate reporting through a “report once, share many” approach that would establish a single incident reporting flow covering NIS2, GDPR, eIDAS, DORA, and the CER Directive simultaneously. The single reporting point is expected to apply 18 months after the Digital Omnibus is adopted — so no earlier than 2028 in practice. In the meantime, duplicate reporting remains the norm.
The SEC obligation runs entirely in parallel. An incident at an EU bank’s U.S.-listed parent could require: a DORA major-incident notification to the national competent authority within hours; a NIS2 early warning for any non-financial parts of the group; and a Form 8-K Item 1.05 filing within four business days of the U.S. materiality determination. Each has different content expectations. NIS2 and DORA regulators want operational detail that an SEC registrant’s counsel would typically resist putting in a public filing — indicators of compromise, attack vectors, specific systems affected. Item 1.05 explicitly does not require disclosure of technical incident-response details or system vulnerabilities at a level that would impede remediation.
FAQ
Does DORA override NIS2 for a bank? For cybersecurity risk management, incident reporting, resilience testing, information sharing, and ICT third-party risk: yes. NIS2 Recital 28 and Article 4 designate DORA as lex specialis for financial entities. Other NIS2 provisions may still apply depending on national transposition.
Is an SEC registrant required to file Form 8-K for every cyber incident? No. Item 1.05 is triggered only by an incident the registrant determines to be material. The SEC clarified in May 2024 that voluntary or precautionary disclosures should use Item 8.01 rather than Item 1.05 to avoid confusing investors. As of early 2025, companies were roughly splitting cyber 8-Ks between 1.05 (material) and 8.01 (voluntary).
Do these rules apply to SMEs? NIS2: generally not, except for certain size-independent categories (trust services, DNS, TLDs, electronic communications) and SMEs contractually pulled in as suppliers. DORA: applies to all in-scope financial entities regardless of size, with proportionality principles for smaller ones. SEC rules: apply to smaller reporting companies (they got a 180-day extension to begin Form 8-K filings on 15 June 2024).
What happens if I’m a U.S. cloud provider serving EU banks? Potentially a lot. You’re not directly in scope of NIS2 unless you provide services covered by the directive. Under DORA, you can be designated as a Critical ICT Third-Party Provider by the ESAs — which 19 providers including AWS, Microsoft Azure, and Google Cloud were on 18 November 2025 — putting you under direct EU supervisory oversight regardless of where your headquarters sits.
What This Looks Like in Practice
Running three parallel playbooks doesn’t scale. What does: a single incident classification engine that evaluates each event against all three frameworks simultaneously, and routes the resulting obligations to separate notification workflows with separate content templates and separate legal reviewers. The classification logic should assume an incident can hit all three triggers, none of them, or any combination — and it should be designed so that a NIS2 early warning doesn’t accidentally become a public disclosure or contaminate an SEC materiality analysis.
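As an added illustration of that classification-engine idea (example code, not from the article), the routine below evaluates one event against all three triggers independently and hands each resulting deadline to a separate, audience-labelled workflow. The DORA hour offset is an assumption, since the article gives no figure, and the SEC business-day count ignores exchange holidays.

```python
from calendar import monthrange
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Assumption: the article gives DORA's initial-notification deadline only as "tight"; this offset is a placeholder.
DORA_INITIAL_HOURS = 4
@dataclass(frozen=True)
class Incident:
    aware_at: datetime                   # moment of awareness; starts the NIS2 cascade
    nis2_significant: bool               # NIS2 Art. 23 "significant incident" assessment
    dora_major: bool                     # DORA "major" classification (Delegated Regulation criteria)
    sec_material_at: Optional[datetime]  # SEC materiality determination; None if not (yet) material
@dataclass(frozen=True)
class Notification:
    framework: str
    stage: str
    due: datetime
    audience: str  # kept per regulator so CSIRT-bound IoCs never flow into the public filing

def add_one_month(t: datetime) -> datetime:
    """Calendar-month offset for the NIS2 final report, clamping e.g. 31 Jan -> 28 Feb."""
    year, month = (t.year + 1, 1) if t.month == 12 else (t.year, t.month + 1)
    return t.replace(year=year, month=month, day=min(t.day, monthrange(year, month)[1]))

def add_business_days(t: datetime, n: int) -> datetime:
    """Mon-Fri counting for the SEC four-business-day clock; exchange holidays are not modelled."""
    while n > 0:
        t += timedelta(days=1)
        if t.weekday() < 5:
            n -= 1
    return t

def route(inc: Incident, dora_initial_hours: int = DORA_INITIAL_HOURS) -> List[Notification]:
    """Evaluate the three triggers independently: any subset, including none, may fire."""
    out: List[Notification] = []
    if inc.nis2_significant:
        csirt = "national CSIRT / competent authority"
        out += [Notification("NIS2", "early_warning", inc.aware_at + timedelta(hours=24), csirt),
                Notification("NIS2", "incident_notification", inc.aware_at + timedelta(hours=72), csirt),
                Notification("NIS2", "final_report", add_one_month(inc.aware_at), csirt)]
    if inc.dora_major:
        out.append(Notification("DORA", "initial_notification",
                                inc.aware_at + timedelta(hours=dora_initial_hours),
                                "financial competent authority"))
    if inc.sec_material_at is not None:  # clock runs from the determination, not from discovery
        out.append(Notification("SEC", "form_8k_item_1_05",
                                add_business_days(inc.sec_material_at, 4), "investors (public filing)"))
    return out

def due_table(inc: Incident) -> dict:
    """{(framework, stage): ISO deadline}, the hand-off to each separate notification workflow."""
    return {(n.framework, n.stage): n.due.isoformat() for n in route(inc)}
# Constructed sample: awareness Friday 6 March 2026 10:00, SEC materiality decided Monday 9 March 15:00.
SAMPLE_INCIDENT = Incident(datetime(2026, 3, 6, 10), True, True, datetime(2026, 3, 9, 15))
```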
The harder discipline is documentary. NIS2 and DORA auditors will ask for evidence that your risk management framework existed before the incident and was actually operating. SEC staff, in a post-incident enforcement review, will ask whether your disclosure controls gave the materiality decision-maker what they needed to decide on time. The same logs, the same meeting minutes, the same risk registers can satisfy all three — but only if they’re maintained with all three audiences in mind from the start.