DORA is lex specialis for EU financial entities — it supersedes most NIS2 Article 21 obligations for the sector it applies to. Cybsis 2.0 ships DORA with the ICT risk-management framework, incident classification and reporting workflow, third-party register, and the threat-led penetration testing scope.
CTPSPs (Critical Third-Party Service Providers, e.g. cloud providers) come under direct ESA oversight — a category modelled in the Service Provider Registry.