Efforts to strengthen digital security in the EU are ongoing. Shortly after adopting the NIS 2 Directive, further measures to enhance the Union's cybersecurity were decided upon. Regulation (EU) 2022/2554, more commonly known as the DORA regulation (Digital Operational Resilience Act), entered into force on January 16, 2023, and will be applicable starting January 17, 2025. This means that affected organizations have less than 17 months to comply with the regulation's requirements.
The DORA regulation targets businesses in the financial sector, such as banks, other credit institutions, insurance companies, and investment firms. The development and increasing use of Information and Communication Technologies (ICT) have led to fundamental changes in how these businesses operate. However, this progress comes with a downside: the increased reliance on ICT services makes the financial sector particularly vulnerable to cyber threats and technical issues. Furthermore, there are significant gaps in the management of ICT risks at both the European and national levels. As a result, ICT security in the financial sector requires more specialized regulation than what the NIS 2 Directive can offer.
DORA or NIS 2?
On the surface, having two EU acts that seem to serve the same purpose might appear redundant. However, important distinctions exist between them. The NIS 2 Directive is just that—a directive, which serves as a guiding act that must be implemented into national law. DORA, in contrast, is a regulation—an act that is immediately binding and applies across all Member States as soon as it enters into force. While NIS 2 focuses on general cybersecurity, DORA specifically addresses the stability of the financial sector and sets higher standards for security testing. These two pieces of legislation are therefore complementary; if your business falls within the scope of DORA's regulatory framework, that regulation takes precedence.
What Does DORA Require?
DORA introduces changes in risk management and increases the pressure on company management to understand and mitigate risks. Financial firms are required to comply with DORA, scaled according to their size and risk profile. While smaller organizations may employ simpler risk management approaches, they are nonetheless expected to maintain robust ICT risk management. The regulation's requirements can be categorized into the following main areas:
1. ICT Risk Management:
Financial institutions should establish an internal ICT risk management framework. Management should be accountable for both security and control. This framework must be integrated into the company's overall risk management strategy and undergo regular reviews. It should also encompass business continuity and incident management plans.
2. Reporting and Information Sharing:
Financial firms must implement systems for managing and reporting ICT incidents to safeguard customers. Incidents should be categorized, and serious cases must be reported to both authorities and affected customers.
3. Digital Resilience Testing:
Financial firms are expected to have a program for testing IT security, which should include regular penetration tests. Any identified deficiencies must be addressed, and the results should be reported to the authorities, who will then issue certificates.
4. Management of Third-Party Risks and Supplier Contract Requirements:
Financial institutions are obligated to integrate ICT third-party risks into their overall risk strategy. This obligation extends to compliance with the regulation's requirements, even when services are outsourced. An annual report and a registry of all ICT third-party contracts are mandatory. Risk assessments must be conducted before entering into contracts, and suppliers are expected to meet specific security standards. Contracts should be explicit and detailed, including predefined exit strategies for critical services.
European regulators are currently working on establishing technical ICT security standards, test monitoring standards, and criteria for classifying ICT incidents, as well as identifying critical ICT third-party providers.
DORA - What is Nimblr's Opinion?
From a cybersecurity standpoint, both the NIS 2 Directive and DORA are essential regulations. Cyber threats are a global problem that cannot be addressed at the national or regional level alone, nor without concerted effort. Our online presence needs to become a bit more 'cumbersome', and we all need to heighten our awareness of security.
Article 13(6) of the DORA Regulation states:
“Financial entities shall develop ICT security awareness programmes and digital operational resilience training as compulsory modules in their staff training schemes. Those programmes and training shall be applicable to all employees and to senior management staff, and shall have a level of complexity commensurate to the remit of their functions. Where appropriate, financial entities shall also include ICT third-party service providers in their relevant training schemes in accordance with Article 30(2), point (i).”
Security Awareness Training is a method for preparing both individuals and organizations to face cyber threats, enhancing their ability to assess cybersecurity risks. Nimblr offers this type of training, along with education, information, and feedback. We also provide customers with the opportunity to gauge the effectiveness of our service and track user progress through our 'Awareness Level'.
In addition to these existing services, we are exploring avenues to develop offerings that support our 'DORA-rated' customers in their security efforts, such as reporting support and testing capabilities. Suggestions for additional services are highly welcome. You know your organizations; we know cybersecurity.
The DORA Regulation applies to the following entities:
(For further details, refer to Regulation (EU) 2022/2554, Article 2).
Payment and transaction:
- Credit institutions
- Payment institutions
- Account information service providers
- Electronic money institutions
Investment firms and trading:
- Investment firms
- Central securities depositories
- Central counterparties
- Trading venues
- Trade repositories
Investment and fund management:
- Managers of alternative investment funds
- Management companies
(Exemption for managers of alternative investment funds under Article 3(2) of Directive 2011/61/EU).
Credit and financing:
- Credit rating agencies
- Crypto-asset service providers
- Crowdfunding service providers
Insurance:
- Insurance and reinsurance undertakings
- Insurance intermediaries
- Reinsurance intermediaries
(Exemptions for insurance and reinsurance undertakings as defined in Article 4 of Directive 2009/138/EC, insurance intermediaries, reinsurance intermediaries, and ancillary insurance intermediaries which are microenterprises or small or medium-sized enterprises).
Pension and social security:
- Institutions for occupational retirement provision
(Exemption for institutions for occupational retirement provision that operate pension schemes which together do not have more than 15 members in total).
Data and technology:
- Data reporting service providers
- ICT third-party service providers
Other financial actors:
- Securitisation repositories
- Administrators of critical benchmarks
(Exemption for natural or legal persons exempted pursuant to Articles 2 and 3 of Directive 2014/65/EU, and for post office giro institutions as referred to in Article 2(5)(3) of Directive 2013/36/EU).