DORA or NIS2: which one applies to my (logistics) organisation?
A logistics organisation generally falls under NIS2 (transport is an essential sector), not DORA. DORA applies to financial entities. If you are both, DORA takes precedence as lex specialis.
Short answer: For a logistics organisation, NIS2 is almost always the relevant framework, not DORA. NIS2 explicitly lists transport (air, rail, road, water) as an essential sector. DORA applies only to financial entities. If you are both at once — for example a carrier holding a payment licence — DORA takes precedence for that part as the more specific rule.
Two frameworks with different scope
DORA (Regulation (EU) 2022/2554) and NIS2 (Directive (EU) 2022/2555) both govern digital resilience, but for different audiences. DORA targets an exhaustively listed set of financial entities: banks, insurers, investment firms, payment institutions, electronic money institutions and their critical ICT third-party providers. The regulation has applied since 17 January 2025. A logistics company is not on that list and therefore falls outside DORA — unless it itself carries out a regulated financial activity.
NIS2 takes a sectoral and size-based approach. The directive covers eighteen sectors, including transport, which is designated an essential sector. For a logistics organisation the question is therefore not whether the sector is in scope, but whether the company is large enough. Medium and large companies (generally from around 50 employees) are typically in scope; micro and small companies usually are not, with exceptions for critical parties.
What if both seem to apply?
An organisation can in principle fall under both frameworks, for instance when a logistics group operates its own payment or financing entity. NIS2 anticipates this. The directive provides that where a sector-specific Union act imposes requirements at least equivalent to those of NIS2, that more specific act takes precedence. DORA is expressly treated as such a lex specialis for the financial sector. For the financial part, the DORA obligations on ICT risk management, incident reporting and oversight of ICT third-party providers then apply; for the non-financial parts, the NIS2 obligations remain the starting point. Assess this per entity and per activity, because the boundary follows the regulated activity, not the group name.
National transposition sets the details
DORA is a regulation and applies directly in all Member States with uniform obligations. NIS2 is a directive and must be transposed into national law; in the Netherlands this is done through the Cyberbeveiligingswet. The transposition deadline was 17 October 2024 and implementation differs by Member State. The exact thresholds, sector boundaries and exceptions for your situation are therefore set out in the national legislation of the country where you operate. First determine your entity type and activity, then consult the applicable national law for the precise obligations and deadlines.
Sources
- https://eur-lex.europa.eu/eli/reg/2022/2554/oj
Regulation (EU) 2022/2554 (DORA), authentic text; applies since 17 January 2025; scope limited to financial entities.
- https://eur-lex.europa.eu/eli/dir/2022/2555/oj
Directive (EU) 2022/2555 (NIS2): transport as an essential sector; relationship with sector-specific Union acts.
- https://digital-strategy.ec.europa.eu/en/policies/nis2-directive
European Commission — NIS2: scope (18 sectors, including transport) and entity categories.