Does NIS2 Apply to Banks and Financial Services? Why DORA Is Your Real Obligation

Banking is listed in NIS2 Annex I, but DORA overrides it for financial entities. Here is what actually governs banks, insurers and investment firms.

Short answer: banks and financial services are technically in NIS2's scope, but in practice DORA, not NIS2, is your binding obligation. Here is why.

NIS2 lists banking, then steps aside

Banking and financial market infrastructure both appear in Annex I of the NIS2 Directive (Directive (EU) 2022/2555). On the face of it, that puts credit institutions in scope as potential Essential Entities.

But NIS2 contains a deliberate carve-out. Art. 4 says that where a sector-specific EU act imposes cybersecurity requirements at least equivalent to NIS2, that act applies instead. For the financial sector, that act is DORA, the Digital Operational Resilience Act (Regulation (EU) 2022/2554), which has applied since 17 January 2025.

Who follows DORA instead of NIS2

DORA covers, among others: credit institutions, payment and e-money institutions, investment firms, crypto-asset service providers, insurance and reinsurance undertakings, and many of their critical ICT third-party providers. If you are a regulated financial entity, your ICT risk management, incident reporting, resilience testing and third-party rules come from DORA, not NIS2 Art. 21.

Why people still search "does NIS2 apply to banks"

Because the annex lists banking, the assumption is natural. The practical answer for almost every regulated financial firm is: comply with DORA. NIS2 can still reach you indirectly, for example if you also operate as a non-financial ICT provider in another covered sector.

Confirm your status

-> Run the NIS2 Applicability Checker to confirm whether NIS2 or a sector-specific regime applies to your entity.

-> Read the full NIS2 scope guide.

Source

Directive (EU) 2022/2555 (NIS2) | Regulation (EU) 2022/2554 (DORA)

Last verified: 21 June 2026.