NIS2, DORA, and TIBER-EU: A Comparative Overview from Cyber Tzar

With growing threats to cyber resilience in the digital age, Europe has implemented several frameworks to enhance cybersecurity, financial resilience, and operational robustness across different sectors. This article provides an overview and comparison of three key regulatory initiatives: the Network and Information Security Directive (NIS2), the Digital Operational Resilience Act (DORA), and the Threat Intelligence-based Ethical Red Teaming (TIBER-EU) framework.

1. Overview and History

NIS2 (Network and Information Security Directive 2)

  • History: NIS2, adopted in 2022, is a revision of the original NIS Directive from 2016. It aims to bolster the security of critical infrastructure across the European Union by addressing gaps in cybersecurity risk management, expanding the scope of regulated sectors, and enhancing cooperation between Member States.
  • Focus: NIS2 focuses on improving the cybersecurity of critical infrastructures such as energy, transport, healthcare, and financial services.
  • Good For: NIS2 is highly effective at improving baseline security across a wide range of essential sectors, especially in industries that are vital to societal functioning but have not traditionally been treated as cybersecurity-critical.
  • Not Good For: NIS2 is less focused on the financial services sector and operational resilience for financial entities, where DORA has a more specific mandate.

DORA (Digital Operational Resilience Act)

  • History: Introduced in 2022 and coming into full force in 2024, DORA aims to improve the resilience of the EU’s financial sector by creating a harmonised framework for operational resilience across financial entities. It covers ICT risk management, incident reporting, testing, and oversight of third-party providers.
  • Focus: DORA focuses primarily on the financial sector, addressing the specific challenges posed by digital operations in financial services.
  • Good For: DORA is particularly effective for financial institutions needing clear guidelines on how to manage cyber risk, operational continuity, and third-party vendor risks.
  • Not Good For: DORA’s scope is narrow, focusing only on financial services. It does not address broader critical infrastructure concerns covered by NIS2.

TIBER-EU (Threat Intelligence-based Ethical Red Teaming)

  • History: Launched in 2018 by the European Central Bank, TIBER-EU is a framework designed for controlled ethical hacking of financial institutions to test their cyber resilience under real-world conditions. It is a voluntary framework that involves cooperation between regulators, ethical hackers, and financial institutions.
  • Focus: TIBER-EU is a cybersecurity testing framework for financial entities, specifically focused on red teaming to identify vulnerabilities.
  • Good For: TIBER-EU excels in creating realistic threat scenarios to test the effectiveness of financial entities’ cybersecurity defences, providing insights into gaps and areas for improvement.
  • Not Good For: TIBER-EU is not suitable for industries outside the financial sector and does not provide a broad regulatory or operational framework like NIS2 or DORA.

2. Comparison: NIS2 vs. DORA vs. TIBER-EU

Criteria                    | NIS2                                | DORA                                   | TIBER-EU
----------------------------|-------------------------------------|----------------------------------------|-------------------------------------
Scope                       | Broad (all critical infrastructure) | Narrow (financial sector)              | Narrow (financial sector testing)
Focus                       | Cybersecurity and risk management   | Digital resilience in finance          | Cyber resilience testing for finance
Type of Regulation          | Mandatory                           | Mandatory                              | Voluntary
Main Approach               | Baseline security requirements      | Comprehensive digital resilience       | Realistic red-team penetration tests
Sector Coverage             | Energy, transport, health, etc.     | Financial institutions                 | Financial institutions
Third-Party Risk Management | Yes, general provisions             | Strong focus on ICT third-party risk   | Not specifically covered
Incident Reporting          | Yes                                 | Yes                                    | No, testing-oriented
Testing and Simulation      | No                                  | Yes, through periodic tests            | Yes, in-depth red teaming
Geographical Scope          | EU-wide                             | EU-wide                                | EU-wide


3. Overlaps and Similarities

  • Cybersecurity Focus: All three frameworks are designed to strengthen cybersecurity, though their focus and sectoral reach differ.
  • Operational Resilience: Both DORA and TIBER-EU highlight the importance of maintaining operational resilience under cyber threats. NIS2 also addresses resilience, but more from a cybersecurity and critical infrastructure viewpoint.
  • Incident Reporting: Both NIS2 and DORA mandate incident reporting, ensuring that cyber incidents are quickly escalated to the appropriate authorities. TIBER-EU, being a testing framework, does not impose this requirement but focuses on exposing vulnerabilities through simulations.

4. Key Differences

  • Sectoral Coverage: NIS2 applies to multiple critical sectors beyond finance, while DORA and TIBER-EU are focused exclusively on the financial sector.
  • Regulatory vs. Testing: NIS2 and DORA are regulatory frameworks designed to impose rules on organisations. TIBER-EU, however, is a voluntary testing framework, used by institutions to assess their real-world cyber defence capabilities.
  • Third-Party Oversight: DORA places a strong emphasis on managing third-party ICT risk within the financial sector, including third-party oversight. NIS2 also addresses this, but its provisions are more general. TIBER-EU focuses on red teaming within the institution itself and does not specifically address third-party risk.

5. What They Are Good At and Not Good At

  • NIS2 is excellent at covering a wide range of critical infrastructures but does not delve deeply into financial-specific cybersecurity concerns.
  • DORA is strong on operational resilience for financial institutions, including digital systems and third-party risks, but lacks broader applicability outside financial services.
  • TIBER-EU is invaluable for simulating real-world cyberattacks on financial institutions but does not offer a regulatory framework or mandatory requirements, making it less suitable as a broad security guideline.

Conclusion

While all three frameworks aim to improve cybersecurity and resilience, they differ in their sector focus, approach, and requirements. NIS2 provides broad protections for critical infrastructure, DORA focuses on operational resilience in the financial sector, and TIBER-EU offers in-depth testing for financial institutions to expose vulnerabilities. Organisations must understand the specific scope and requirements of each framework to comply effectively and improve their overall cyber resilience.

Call to Action

Looking to align your organisation with NIS2, DORA, or TIBER-EU? Cyber Tzar can help! With our Cyber Risk Management platform, you can:

  • Display your organisation’s risk management results in NIS2, DORA, or TIBER-EU formats.
  • Complete a gap analysis by manually adding your responses and comments to assess your alignment with these standards.
  • Submit your existing ISO/IEC 27001, CAF, CMMC, or NIST CSF responses and receive an instant mapping to the new standards, identifying any gaps and the steps needed for full compliance.

Get in touch with Cyber Tzar to optimise your cyber resilience today.
