The Digital Operations Resilience Act, or DORA for short, is a new EU regulation aimed at improving the cyber resiliency of EU-based financial institutions.

The NIS2 directive is an EU-wide legislation which asserts that ‘essential’ and ‘important’ entities, including financial institutions, implement technical, operational, and organisational measures to mitigate the risk of cyber threats. Rather than enforcing regulations, the NIS2 directive provides guidelines to ensure the consistent adoption of local law across EU member states.

DORA’s requirements are set to come into force on January 17, 2025, while NIS2 is expected to come into play by October 17, 2024. However, each EU member state must apply this to their local legislation so enforcement dates may vary. 

Both of these legislations affect all EU-based financial institutions and any financial institutions that work with EU entities; if it’s not affecting your organisation now, there’s a high chance that it will in the future.

DORA consists of a regulatory framework based upon digital operational resilience in which all financial institutions and their critical IT suppliers must ensure they can withstand, mitigate, and recover from cyber disruptions and threats, while NIS2 applies to a broader range of ‘essential’ and ‘important’ entities across various sectors. 

Within DORA, penalties for financial entities are decided by competent authorities whereas IT suppliers are fined based on a percentage of their global revenue. NIS2 imposes fines based on turnover for both ‘essential’ and ‘important’ entities.

How well do you really know your competitors?

Access the most comprehensive Company Profiles on the market, powered by AiexpertInter. Save hours of research. Gain competitive edge.

View profiles in store

Company Profile – free sample

Thank you!

Your download email will arrive shortly

Not ready to buy yet? Download a free sample

We are confident about the unique quality of our Company Profiles. However, we want you to make the most beneficial decision for your business, so we offer a free sample that you can download by submitting the below form

By AiexpertInter

Submit

UK USA Afghanistan Åland Islands Albania Algeria American Samoa Andorra Angola Anguilla Antarctica Antigua and Barbuda Argentina Armenia Aruba Australia Austria Azerbaijan Bahamas Bahrain Bangladesh Barbados Belarus Belgium Belize Benin Bermuda Bhutan Bolivia Bonaire, Sint Eustatius and Saba Bosnia and Herzegovina Botswana Bouvet Island Brazil British Indian Ocean Territory Brunei Darussalam Bulgaria Burkina Faso Burundi Cambodia Cameroon Canada Cape Verde Cayman Islands Central African Republic Chad Chile China Christmas Island Cocos Islands Colombia Comoros Congo Democratic Republic of the Congo Cook Islands Costa Rica Côte d"Ivoire Croatia Cuba Curaçao Cyprus Czech Republic Denmark Djibouti Dominica Dominican Republic Ecuador Egypt El Salvador Equatorial Guinea Eritrea Estonia Ethiopia Falkland Islands Faroe Islands Fiji Finland France French Guiana French Polynesia French Southern Territories Gabon Gambia Georgia Germany Ghana Gibraltar Greece Greenland Grenada Guadeloupe Guam Guatemala Guernsey Guinea Guinea-Bissau Guyana Haiti Heard Island and McDonald Islands Holy See Honduras Hong Kong Hungary Iceland India Indonesia Iran Iraq Ireland Isle of Man Israel Italy Jamaica Japan Jersey Jordan Kazakhstan Kenya Kiribati North Korea South Korea Kuwait Kyrgyzstan Lao Latvia Lebanon Lesotho Liberia Libyan Arab Jamahiriya Liechtenstein Lithuania Luxembourg Macao Macedonia, The Former Yugoslav Republic of Madagascar Malawi Malaysia Maldives Mali Malta Marshall Islands Martinique Mauritania Mauritius Mayotte Mexico Micronesia Moldova Monaco Mongolia Montenegro Montserrat Morocco Mozambique Myanmar Namibia Nauru Nepal Netherlands New Caledonia New Zealand Nicaragua Niger Nigeria Niue Norfolk Island Northern Mariana Islands Norway Oman Pakistan Palau Palestinian Territory Panama Papua New Guinea Paraguay Peru Philippines Pitcairn Poland Portugal Puerto Rico Qatar Réunion Romania Russian Federation Rwanda Saint Helena, Ascension and Tristan da Cunha Saint Kitts and Nevis Saint Lucia Saint Pierre and Miquelon Saint Vincent and The Grenadines Samoa San Marino Sao Tome and Principe Saudi Arabia Senegal Serbia Seychelles Sierra Leone Singapore Slovakia Slovenia Solomon Islands Somalia South Africa South Georgia and The South Sandwich Islands Spain Sri Lanka Sudan Suriname Svalbard and Jan Mayen Swaziland Sweden Switzerland Syrian Arab Republic Taiwan Tajikistan Tanzania Thailand Timor-Leste Togo Tokelau Tonga Trinidad and Tobago Tunisia Turkey Turkmenistan Turks and Caicos Islands Tuvalu Uganda Ukraine United Arab Emirates US Minor Outlying Islands Uruguay Uzbekistan Vanuatu Venezuela Vietnam British Virgin Islands US Virgin Islands Wallis and Futuna Western Sahara Yemen Zambia Zimbabwe Kosovo

Industry * Academia & Education Aerospace, Defense & Security Agriculture Asset Management Automotive Banking & Payments Chemicals Construction Consumer Foodservice Government, trade bodies and NGOs Health & Fitness Hospitals & Healthcare HR, Staffing & Recruitment Insurance Investment Banking Legal Services Management Consulting Marketing & Advertising Media & Publishing Medical Devices Mining Oil & Gas Packaging Pharmaceuticals Power & Utilities Private Equity Real Estate Retail Sport Technology Telecom Transportation & Logistics Travel, Tourism & Hospitality Venture Capital

Tick here to opt out of curated industry news, reports, and event updates from Retail Banker International.

Submit and download

Visit our Privacy Policy for more information about our services, how we may use, process and share your personal data, including information of your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.

What are the requirements for financial institutions? 

Although the main requirements of DORA remain clear, greater details regarding technical standards will be published as part of the final draft in July. Nevertheless, the five regulatory pillars of DORA include:  

• ICT risk management: Financial entities must establish internal governance and control frameworks to effectively identify, assess, and mitigate ICT risks.  
• ICT-related incident reporting: Financial entities must classify and report ICT-related incidents that compromise their security and have adverse impacts on data integrity or service availability. 
• Digital operational resilience testing: All financial entities, except micro-enterprises, must periodically conduct advanced testing, known as ‘Threat Led Penetration Testing’ (TLPT), to prevent incidents. The frequency of testing may vary depending on the size and risk profile of the entity.  
• Management of ICT third-party risk: Financial entities must safeguard against external vulnerabilities by ensuring their third-party providers are secure and compliant.  
• Information and intelligence sharing: Financial entities are encouraged to share informative content about internal and external ICT-related incidents. 

NIS2 expands upon existing requirements from NIS, such as corporate accountability and business continuity. However, it also introduces new obligations for organisations, including risk management and reporting obligations.  

Here’s a closer look at the four overarching areas of NIS2 and what they entail:  

• Corporate accountability: corporate management must supervise, authorise, and undergo training on the entity’s cybersecurity measures.  
• Risk management: organisations must implement measures to mitigate cyber risks, such as incident management, supply chain security, network security enhancement, access control improvement, and encryption deployment. 
• Reporting obligations: ‘essential’ and ‘important’ entities must establish procedures for promptly reporting security incidents that significantly impact their service provision or recipients and adhere to specific notification deadlines.  
• Business continuity: organisations must strategize how to maintain business operations during major cyber incidents, incorporating plans for system recovery and establishing a crisis response team. 

Who is affected?

Although there are many exceptions to the rule, at its base level, DORA primarily affects EU-based financial institutions and their ‘critical’ IT suppliers. This includes:  

• Financial institutions such as banks and credit institutions 
• Credit agencies and account information service providers 
• Pension funds and investment firms 
• Crypto-asset service providers  
• Insurance providers 
• Crowdfunding providers and alternative investment fund managers 
• Intermediaries and ICT service providers

NIS2 applies to entities operating in the EU, regardless of the organisation’s geographical presence. Both ‘essential’ and ‘important’ entities will need to comply with the NIS2 directive. The industries affected by NIS2 include:  

‘Essential’ sectors:  

• Energy  
• Space 
• Transport  
• Banking  
• Public administration  
• Financial market infrastructure  
• Health  
• Drinking water 
• Wastewater  
• Digital infrastructure  
• ICT service management (B2B)  

‘Important’ sectors:  

• Postal and courier services  
• Waste management  
• Manufacturing  
• Digital providers  
• Research  
• Production, processing, and distribution of food  
• Manufacture, production, and distribution of chemicals 

What happens if financial institutions fail to comply? 

Financial institutions that fail to comply with DORA will be subjected to penalties determined by competent authorities. Depending on how each EU Member State decides to implement the penalty, organisations may face criminal and/or financial consequences.  

If an IT supplier fails to comply with DORA, they could risk a penalty of up to 1% of their average daily worldwide turnover in the preceding business year. This is applied every day for up to 6 months.  

It’s worth noting that penalties and fines under DORA will abide by the concept of proportionality. In other words, smaller financial institutions won’t be held to the same standards as larger, multinational companies.  

For ‘essential’ entities, fines for non-compliance can range from 10 million EUR up to 2% of the total worldwide annual turnover. ‘Important’ entities may face fines from 7 million EUR up to 1.4% of the total worldwide annual turnover. 

What steps should financial institutions take to reduce the risk of non-compliance?

Two components of DORA set it apart from other regulations, in that they mandate security testing to ensure both the appropriateness and effectiveness of your security controls. 

A key part of the regulation is to carry out regular ‘Threat Led Penetration Testing’ (TLPT), which is far beyond today’s typical penetration testing regime; this starts by thinking like a real-world attacker, building an attack plan for your environment, and then carrying it out at depth throughout your infrastructure. The TLPT exercise should then fold back into your security program to address the discovered vulnerabilities, whether these are people, process or technology-based. 

Article 25 of DORA mandates that applications and infrastructure are tested after each new deployment or change, therefore a great way to approach this is to move to a model of continuous testing; one where you have capacity on demand, and that can work in step with your SDLC and change management pipelines. 

Asset management is key to compliance. Financial institutions need to know what’s on their estate, what they’re using and interacting with and what the risks and threats are to them, as well as how their third-party suppliers operate. From here, organisations can leverage the frameworks and embed policies and frameworks for evaluating and prioritising risks. This is where deploying tactics like threat-led penetration and cybersecurity testing, instant reporting, and instant management come in.

Risk management within finance and banking is incredibly complex. When it comes to third-party vulnerabilities, there’s much more engagement required with supplier management. Finance institutions need a deep understanding of their contracts with their IT provider and where the roles and responsibilities lie. DORA is really emphasising this point and it’s the area that will carry the biggest penalties – potentially on both sides. Institutions need to be crystal clear on which party is managing what and who is accountable.

 
An example is patching and monitoring: if there were to be a compromise on the third party, how much responsibility falls on the financial institution for spotting it, if any at all? This is a simple example, but it underpins the importance of laying clear roles for responsibility in all cases.

There is still time to address any indistinct gaps in responsibility; approximately 6 months until 17 January 2025. Now is the time to comb through any contracts and clearly outline and tackle any areas of ambiguity to avoid legal implications and potential reputational damage later down the line.

The importance of the regulations

While some may see compliance with the DORA and NIS2 regulations as a check box exercise, it’s become essential given the increase in pace and scale of cyber security attacks, particularly in the finance sector.

Customer trust is so important for financial institutions; if a bank’s customers suspect it’s vulnerable to hackers, the bank is certainly going to lose its customers and receive a damaged reputation. DORA and NIS2 have been developed to build better operational resilience and to bring every institution up to the same standard, making attacks from nefarious actors as difficult as possible.

Author: Ben Stickland, Hive Member at CovertSwarm

Sign up for our daily news round-up!

Give your business an edge with our leading industry insights.

Sign up