
    What DORA & NIS2 means for financial institutions

    Published by Jessica Weisman-Pitts

    Posted on June 28, 2024

    7 min read

    Last updated: January 30, 2026


Tags: compliance, cybersecurity, financial institutions, risk management, regulatory framework

    Table of Contents

    • Who is affected?
    • What happens if financial institutions fail to comply?
    • The importance of the regulations


    By Ben Stickland, Hive Member at CovertSwarm

The Digital Operational Resilience Act, or DORA for short, is an EU regulation aimed at improving the cyber resilience of EU financial entities and the ICT providers they depend on.

The NIS2 directive is EU-wide legislation requiring ‘essential’ and ‘important’ entities, including banks and financial market infrastructures, to implement technical, operational and organisational measures to manage cyber risk. Unlike a regulation, a directive does not apply directly: NIS2 sets minimum requirements that each EU member state must transpose into its own national law, which is what gives consistent baseline obligations across the bloc.

DORA applies directly in every member state from January 17, 2025. NIS2 had to be transposed into national law by October 17, 2024, but because each member state writes its own implementing legislation, the precise scope and enforcement dates vary by country.

Between them, these two pieces of legislation reach EU financial entities, the ICT third-party providers that serve them (wherever those providers are based) and any institution that supplies services into the EU. Where an entity is covered by DORA, DORA’s ICT requirements take precedence over NIS2 as the sector-specific act. If neither is affecting your organisation now, there’s a high chance one of them will in the future.

    DORA consists of a regulatory framework based upon digital operational resilience in which all financial institutions and their critical IT suppliers must ensure they can withstand, mitigate, and recover from cyber disruptions and threats, while NIS2 applies to a broader range of ‘essential’ and ‘important’ entities across various sectors.

Within DORA, penalties for financial entities are decided by national competent authorities, whereas critical ICT third-party providers under direct EU oversight can be fined as a percentage of their worldwide turnover. NIS2 imposes turnover-based fines for both ‘essential’ and ‘important’ entities.

    What are the requirements for financial institutions?

Although the main requirements of DORA are clear, much of the technical detail sits in the regulatory technical standards (RTS) that accompany it, the second batch of which was due to be finalised in July 2024. Nevertheless, the five regulatory pillars of DORA are:

    • ICT risk management: Financial entities must establish internal governance and control frameworks to effectively identify, assess, and mitigate ICT risks.
    • ICT-related incident reporting: Financial entities must classify and report ICT-related incidents that compromise their security and have adverse impacts on data integrity or service availability.
• Digital operational resilience testing: All financial entities other than micro-enterprises must run a documented testing programme covering their critical systems. Entities identified by their competent authority must additionally carry out advanced ‘Threat Led Penetration Testing’ (TLPT) at least every three years, so that weaknesses are found by a controlled exercise rather than by a real incident.
    • Management of ICT third-party risk: Financial entities must safeguard against external vulnerabilities by ensuring their third-party providers are secure and compliant.
• Information and intelligence sharing: Financial entities are encouraged to exchange cyber threat information and intelligence (indicators of compromise, attacker tactics and techniques, alerts) with each other within trusted communities.

    NIS2 expands upon existing requirements from NIS, such as corporate accountability and business continuity. However, it also introduces new obligations for organisations, including risk management and reporting obligations.

    Here’s a closer look at the four overarching areas of NIS2 and what they entail:

    • Corporate accountability: corporate management must supervise, authorise, and undergo training on the entity’s cybersecurity measures.
    • Risk management: organisations must implement measures to mitigate cyber risks, such as incident management, supply chain security, network security enhancement, access control improvement, and encryption deployment.
    • Reporting obligations: ‘essential’ and ‘important’ entities must establish procedures for promptly reporting security incidents that significantly impact their service provision or recipients and adhere to specific notification deadlines.
    • Business continuity: organisations must strategize how to maintain business operations during major cyber incidents, incorporating plans for system recovery and establishing a crisis response team.

    Who is affected?

    Although there are many exceptions to the rule, at its base level, DORA primarily affects EU-based financial institutions and their ‘critical’ IT suppliers. This includes:

    • Financial institutions such as banks and credit institutions
• Credit rating agencies, payment institutions and account information service providers
    • Pension funds and investment firms
    • Crypto-asset service providers
    • Insurance providers
    • Crowdfunding providers and alternative investment fund managers
• Insurance intermediaries and ICT third-party service providers

NIS2 applies to entities that provide services or carry out activities in the EU, wherever they are headquartered. Both ‘essential’ and ‘important’ entities must comply with the directive; which label applies depends on the entity’s sector and size. The sectors in scope are:

‘Essential’ sectors (NIS2 Annex I, sectors of high criticality):

    • Energy
    • Space
    • Transport
    • Banking
    • Public administration
    • Financial market infrastructure
    • Health
    • Drinking water
    • Wastewater
    • Digital infrastructure
    • ICT service management (B2B)

‘Important’ sectors (NIS2 Annex II, other critical sectors):

    • Postal and courier services
    • Waste management
    • Manufacturing
    • Digital providers
    • Research
    • Production, processing, and distribution of food
    • Manufacture, production, and distribution of chemicals

    What happens if financial institutions fail to comply?

    Financial institutions that fail to comply with DORA will be subjected to penalties determined by competent authorities. Depending on how each EU Member State decides to implement the penalty, organisations may face criminal and/or financial consequences.

If a critical ICT third-party provider fails to comply with DORA, it risks a periodic penalty payment of up to 1% of its average daily worldwide turnover in the preceding business year, applied for every day of non-compliance for up to six months.

It’s worth noting that DORA is applied according to the principle of proportionality: the obligations and any penalties are scaled to the size, risk profile and complexity of the entity, so a small institution is not expected to run the same programme as a large multinational.

Under NIS2, ‘essential’ entities face maximum fines of at least 10 million EUR or 2% of total worldwide annual turnover, whichever is higher. ‘Important’ entities face maximum fines of at least 7 million EUR or 1.4% of total worldwide annual turnover, whichever is higher.

    What steps should financial institutions take to reduce the risk of non-compliance?

    Two components of DORA set it apart from other regulations, in that they mandate security testing to ensure both the appropriateness and effectiveness of your security controls.

A key part of the regulation is regular ‘Threat Led Penetration Testing’ (TLPT), which goes well beyond today’s typical penetration testing regime. It starts from threat intelligence about who would realistically attack your institution and how, builds an attack plan for your environment from that picture, and then carries it out at depth against live production systems. The findings should then fold back into your security programme to address the discovered weaknesses, whether these are people, process or technology-based.

DORA’s testing provisions (Article 25 in particular) expect applications and infrastructure components to be assessed whenever they are deployed or changed, not just at an annual checkpoint. A practical way to meet this is a model of continuous testing: capacity on demand that works in step with your SDLC and change management pipelines, so that every change carries evidence that it was tested before it went live.
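One way to make ‘tested on every change’ auditable is a pipeline gate that evaluates scanner output against a versioned policy and writes an evidence record for each change. The block below is an added example, not code from CovertSwarm or from the regulation itself. It assumes a Trivy-style JSON report (the Results/Vulnerabilities structure is real, but every finding ID, package and version is a constructed placeholder, not a real advisory), a hypothetical severity policy, and an `exceptions` mapping that stands in for approved, time-boxed risk acceptances from your change-management process.

```python
"""Deployment gate for a change-management pipeline.

Parses a vulnerability scanner report, applies a severity policy with
time-boxed exceptions, and emits an evidence record tying the change,
the tested artefact and the decision together. Added example; the report
shape mirrors Trivy's JSON output, but all IDs, packages and versions are
constructed placeholders, not real advisories.
"""
import hashlib
import json
from datetime import date

# Constructed sample report (placeholder identifiers, not real CVEs).
SAMPLE_REPORT = json.dumps({
    "Results": [{
        "Target": "payments-api (debian 12)",
        "Vulnerabilities": [
            {"VulnerabilityID": "SAMPLE-0001", "PkgName": "libalpha",
             "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1", "Severity": "HIGH"},
            {"VulnerabilityID": "SAMPLE-0002", "PkgName": "libbeta",
             "InstalledVersion": "2.3.0", "FixedVersion": "", "Severity": "CRITICAL"},
            {"VulnerabilityID": "SAMPLE-0003", "PkgName": "libgamma",
             "InstalledVersion": "0.9.0", "FixedVersion": "0.9.2", "Severity": "MEDIUM"},
        ],
    }]
})

# Hypothetical gate policy, kept as data so it can be versioned under change control.
POLICY = {"block_severities": {"CRITICAL", "HIGH"}}


def parse_findings(report_json):
    """Flatten a Trivy-style report into a list of findings."""
    report = json.loads(report_json)
    findings = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            findings.append({
                "id": v["VulnerabilityID"],
                "target": result.get("Target", ""),
                "pkg": v.get("PkgName", ""),
                "severity": str(v.get("Severity", "UNKNOWN")).upper(),
                "fixed": bool(v.get("FixedVersion")),
            })
    return findings


def evaluate(findings, policy, exceptions, today_iso):
    """Decide ALLOW or BLOCK for a change.

    `exceptions` maps finding id -> ISO expiry date of an approved risk
    acceptance. An expired exception no longer suppresses the finding, so a
    forgotten acceptance fails closed rather than silently persisting.
    """
    today = date.fromisoformat(today_iso)
    blocking, suppressed = [], []
    for f in findings:
        if f["severity"] not in policy["block_severities"]:
            continue
        expiry = exceptions.get(f["id"])
        if expiry is not None and date.fromisoformat(expiry) >= today:
            suppressed.append(f["id"])
            continue
        blocking.append(f)
    return {
        "decision": "BLOCK" if blocking else "ALLOW",
        "blocking": blocking,
        "suppressed": suppressed,
        "total_findings": len(findings),
    }


def evidence_record(change_id, commit, report_json, result, evaluated_at_iso):
    """Audit evidence that testing ran for this change. The raw report is
    hashed so the record can later be matched to the stored artefact."""
    return {
        "change_id": change_id,
        "commit": commit,
        "report_sha256": hashlib.sha256(report_json.encode("utf-8")).hexdigest(),
        "decision": result["decision"],
        "blocking_ids": [f["id"] for f in result["blocking"]],
        "unfixed_blocking_ids": [f["id"] for f in result["blocking"] if not f["fixed"]],
        "suppressed_ids": result["suppressed"],
        "evaluated_at": evaluated_at_iso,
    }


if __name__ == "__main__":
    findings = parse_findings(SAMPLE_REPORT)
    # Constructed: an approved, time-boxed acceptance for the unfixed CRITICAL finding.
    exceptions = {"SAMPLE-0002": "2030-01-01"}
    result = evaluate(findings, POLICY, exceptions, "2024-07-01")
    record = evidence_record("CHG-0001", "abc123", SAMPLE_REPORT, result, "2024-07-01T09:00:00Z")
    print(json.dumps(record, indent=2))
```

In a pipeline the evidence record would be attached to the change ticket and the scanner report archived alongside it; the hash lets an auditor confirm that the stored report is the one the decision was made on. Keeping the policy and the exception list in version control means the question ‘who accepted this risk, and until when’ has a traceable answer, which is the kind of detail a DORA review will ask for.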

Asset management is key to compliance. Financial institutions need to know what is on their estate, what they are using and interacting with, what the risks and threats to those assets are, and how their third-party suppliers operate. From there, organisations can embed policies and frameworks for evaluating and prioritising risks. This is where practices like threat-led penetration testing, incident reporting and incident management come in.

Risk management within finance and banking is incredibly complex. When it comes to third-party vulnerabilities, much more engagement with supplier management is required. Financial institutions need a deep understanding of their contracts with their ICT providers and of where the roles and responsibilities lie. DORA places real emphasis on this point, and it is the area that will carry the biggest penalties, potentially on both sides. Institutions need to be crystal clear on which party is managing what and who is accountable.

    An example is patching and monitoring: if there were to be a compromise on the third party, how much responsibility falls on the financial institution for spotting it, if any at all? This is a simple example, but it underpins the importance of laying clear roles for responsibility in all cases.

At the time of writing there is still time to address any indistinct gaps in responsibility, approximately six months until 17 January 2025. Now is the time to comb through contracts, clearly outline and tackle any areas of ambiguity, and avoid legal consequences and reputational damage later down the line.

    The importance of the regulations

    While some may see compliance with the DORA and NIS2 regulations as a check box exercise, it’s become essential given the increase in pace and scale of cyber security attacks, particularly in the finance sector.

Customer trust is vital for financial institutions; if a bank’s customers suspect it is vulnerable to attackers, it stands to lose those customers and its reputation. DORA and NIS2 have been developed to build better operational resilience and to bring every institution up to the same standard, making attacks by malicious actors as difficult as possible.

    Frequently Asked Questions about What DORA & NIS2 means for financial institutions

1. What is DORA?

The Digital Operational Resilience Act (DORA) is an EU regulation aimed at enhancing the cyber resilience of financial institutions by requiring them to manage and mitigate ICT risks.

2. What is NIS2?

    The NIS2 directive is an EU legislation that mandates essential and important entities to implement measures to manage cybersecurity risks and report incidents effectively.

3. What are ICT risks?

    ICT risks refer to potential threats to information and communication technology systems, which can impact the integrity, availability, and confidentiality of data.

4. What are the penalties for non-compliance?

    Penalties for non-compliance with DORA can include fines based on a percentage of global revenue, while NIS2 imposes fines based on turnover for affected entities.

5. What is risk management in finance?

    Risk management in finance involves identifying, assessing, and prioritizing risks followed by coordinated efforts to minimize, monitor, and control the probability or impact of unfortunate events.
