What DORA & NIS2 mean for financial institutions

By Ben Stickland, Hive Member at CovertSwarm

The Digital Operational Resilience Act, or DORA for short, is an EU regulation aimed at improving the cyber resilience of EU-based financial institutions and the ICT providers they depend on.

The NIS2 directive is EU-wide legislation which requires ‘essential’ and ‘important’ entities, including financial institutions, to implement technical, operational, and organisational measures to mitigate the risk of cyber threats. Unlike a regulation, a directive does not apply directly: each EU member state must transpose NIS2 into its own national law, the aim being consistent adoption of a common baseline across the EU.

DORA applies directly in every member state from 17 January 2025. NIS2 had to be transposed into national law by 17 October 2024, but because transposition is done by each member state individually, the date from which it is actually enforced (and the detail of the local rules) varies from country to country.

Both pieces of legislation affect EU-based financial institutions and the organisations that supply services to them, wherever those suppliers are based; if neither is affecting your organisation now, there is a high chance that one of them will in the future.

DORA is a regulatory framework built around digital operational resilience: financial entities and their ICT third-party service providers must be able to withstand, mitigate, and recover from ICT disruptions and cyber threats. NIS2, by contrast, applies to a broader range of ‘essential’ and ‘important’ entities across many sectors, of which finance is only one.

Under DORA, penalties for financial entities are set and applied by national competent authorities, whereas critical ICT third-party providers can be fined a percentage of their worldwide turnover. NIS2 sets maximum fines for both ‘essential’ and ‘important’ entities as a fixed sum or a percentage of worldwide annual turnover.

What are the requirements for financial institutions? 

Although the main requirements of DORA are clear, much of the technical detail sits in the regulatory and implementing technical standards (RTS/ITS), the final batch of which is due in July. Nevertheless, the five regulatory pillars of DORA are:

  • ICT risk management: Financial entities must establish internal governance and control frameworks to effectively identify, assess, and mitigate ICT risks.

  • ICT-related incident reporting: Financial entities must classify and report ICT-related incidents that compromise their security and have adverse impacts on data integrity or service availability.

  • Digital operational resilience testing: All financial entities, except microenterprises, must run a testing programme covering their ICT systems (vulnerability assessments, scenario-based tests, penetration tests and the like). Entities identified by their competent authority must additionally carry out advanced testing, known as ‘Threat Led Penetration Testing’ (TLPT), at least every three years; the frequency and scope depend on the size and risk profile of the entity.

  • Management of ICT third-party risk: Financial entities must safeguard against external vulnerabilities by ensuring their third-party providers are secure and compliant.

  • Information and intelligence sharing: Financial entities are encouraged to exchange cyber threat information and intelligence (indicators of compromise, tactics, techniques and procedures, alerts) with each other through trusted communities.

NIS2 expands upon the original NIS directive: it tightens the existing risk management and incident reporting obligations and adds new ones, notably corporate accountability for management bodies and business continuity requirements.

Here’s a closer look at the four overarching areas of NIS2 and what they entail:

  • Corporate accountability: the management body must approve and oversee the entity’s cybersecurity risk management measures, undergo training on them, and can be held personally liable for breaches of the obligations.

  • Risk management: organisations must implement measures to mitigate cyber risks, such as incident management, supply chain security, network security enhancement, access control improvement, and encryption deployment.

  • Reporting obligations: ‘essential’ and ‘important’ entities must establish procedures for promptly reporting incidents that significantly impact their service provision or its recipients, and must meet specific notification deadlines (an early warning within 24 hours of becoming aware of the incident, a fuller incident notification within 72 hours, and a final report within one month).

  • Business continuity: organisations must strategize how to maintain business operations during major cyber incidents, incorporating plans for system recovery and establishing a crisis response team.

Who is affected?

Although there are many exceptions to the rule, at its base level, DORA primarily affects EU-based financial institutions and their ‘critical’ IT suppliers. This includes:

  • Credit institutions (banks), payment institutions and electronic money institutions

  • Credit rating agencies and account information service providers

  • Investment firms and institutions for occupational retirement provision (pension funds)

  • Crypto-asset service providers

  • Insurance and reinsurance undertakings

  • Crowdfunding providers and alternative investment fund managers

  • Insurance intermediaries and ICT third-party service providers

NIS2 applies to entities that provide services or carry out activities in the EU, wherever they are headquartered. Both ‘essential’ and ‘important’ entities must comply; which label applies depends on the sector an entity operates in and, within the high-criticality sectors, on its size (large entities in those sectors are ‘essential’, medium-sized ones are generally ‘important’). The sectors in scope are:

‘Essential’ (high-criticality) sectors, per NIS2 Annex I:

  • Energy

  • Transport

  • Banking and financial market infrastructures

  • Health

  • Drinking water and waste water

  • Digital infrastructure and ICT service management (business-to-business)

  • Public administration

  • Space

‘Important’ sectors, per NIS2 Annex II:

  • Postal and courier services

  • Waste management

  • Manufacturing

  • Digital providers

  • Research

  • Production, processing, and distribution of food

  • Manufacture, production, and distribution of chemicals

What happens if financial institutions fail to comply? 

Financial institutions that fail to comply with DORA are subject to penalties determined by their national competent authorities. Depending on how each EU member state implements the penalty regime, organisations may face administrative fines, remedial measures and, where the member state has chosen to provide for them, criminal penalties.

If a designated critical ICT third-party service provider fails to comply with DORA, the Lead Overseer can impose a periodic penalty payment of up to 1% of the provider’s average daily worldwide turnover in the preceding business year, applied for every day of non-compliance for up to six months.

It’s worth noting that DORA is built on the principle of proportionality, both in its requirements and in its penalties. In other words, smaller financial institutions are not expected to implement the same scale of controls as large, multinational groups, and sanctions are expected to reflect the size and risk profile of the entity.

Under NIS2, member states must set the maximum fine for ‘essential’ entities at no less than EUR 10 million or 2% of total worldwide annual turnover, whichever is higher. For ‘important’ entities the maximum must be at least EUR 7 million or 1.4% of total worldwide annual turnover, whichever is higher.

What steps should financial institutions take to reduce the risk of non-compliance?

Two testing requirements in DORA set it apart from most other regulations: rather than only asking whether security controls exist, they mandate testing to show that the controls are both appropriate and effective.

The first is ‘Threat Led Penetration Testing’ (TLPT), which goes far beyond a typical penetration testing regime. TLPT is intelligence-led red teaming modelled on the TIBER-EU framework: it starts with threat intelligence on who is realistically attacking your sector and how, builds an attack plan for your environment from that, and then carries the attack out against live production systems supporting critical or important functions, from initial access through to the objectives a real adversary would pursue. The findings should then fold back into your security programme to address the vulnerabilities discovered, whether they are people, process or technology based.

The second is Article 25 of DORA, which requires vulnerability assessments before any deployment or redeployment of applications, infrastructure components and ICT services that support critical or important functions. The practical way to meet this is to move to a model of continuous testing: one where you have testing capacity on demand, and where the testing is wired into your SDLC and change management pipelines so that no change reaches production without an assessment covering it.
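A minimal pre-deployment gate of the kind this paragraph argues for, as an added example (this is not CovertSwarm code and not something DORA or its technical standards prescribe; the JSON report format, the finding identifiers, the seven-day freshness limit, the blocking severities and the risk-acceptance expiry are all assumptions chosen for illustration). The point it makes that the prose does not: a gate must check that the assessment covers the exact build being deployed, that it is recent, and that any ‘accepted’ findings have a named approver and an expiry, otherwise a single old scan of a different commit will satisfy it forever.

```python
"""Pre-deployment vulnerability-assessment gate (illustrative only).

Assumed: the pipeline has a JSON scan report for the build it is about to
promote, in the constructed format below, plus a list of risk acceptances.
None of this reflects a specific scanner's real output.
"""
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Policy knobs: assumed values, not figures taken from DORA or the RTS.
BLOCKING_SEVERITIES = {"CRITICAL", "HIGH"}
MAX_SCAN_AGE = timedelta(days=7)


@dataclass
class Finding:
    finding_id: str
    severity: str
    component: str


@dataclass
class ScanReport:
    commit: str          # the build the scanner actually looked at
    scanned_at: datetime
    findings: list


@dataclass
class RiskAcceptance:
    finding_id: str
    approved_by: str
    expires: datetime    # an acceptance without an expiry is a finding nobody revisits


@dataclass
class GateResult:
    allowed: bool
    reasons: list = field(default_factory=list)


def load_report(text: str) -> ScanReport:
    """Parse the simplified (constructed) JSON report format used here."""
    raw = json.loads(text)
    return ScanReport(
        commit=raw["commit"],
        scanned_at=datetime.fromisoformat(raw["scanned_at"]),
        findings=[Finding(f["id"], f["severity"].upper(), f["component"])
                  for f in raw["findings"]],
    )


def evaluate_gate(deploy_commit, report, acceptances, now) -> GateResult:
    """Allow the deployment only if a fresh assessment of this exact build
    shows no unmitigated blocking findings. Every failure reason is kept so
    the change record shows why the gate closed."""
    if report is None:
        return GateResult(False, ["no vulnerability assessment attached to the change"])
    reasons = []
    if report.commit != deploy_commit:
        reasons.append(f"assessment covers commit {report.commit}, deployment is {deploy_commit}")
    age = now - report.scanned_at
    if age > MAX_SCAN_AGE:
        reasons.append(f"assessment is {age.days} days old, limit is {MAX_SCAN_AGE.days}")
    active = {a.finding_id for a in acceptances if a.expires > now}
    for f in report.findings:
        if f.severity in BLOCKING_SEVERITIES and f.finding_id not in active:
            reasons.append(f"unmitigated {f.severity} finding {f.finding_id} in {f.component}")
    return GateResult(allowed=not reasons, reasons=reasons)


# Constructed sample data: fake commit, fake finding IDs, fake components.
NOW = datetime(2025, 1, 12, 12, 0, tzinfo=timezone.utc)
SAMPLE_REPORT_JSON = """{
  "commit": "a1b2c3d",
  "scanned_at": "2025-01-10T09:00:00+00:00",
  "findings": [
    {"id": "VULN-001", "severity": "critical", "component": "libexample 1.2.3"},
    {"id": "VULN-002", "severity": "low", "component": "tzdata 2024a"}
  ]
}"""
REPORT = load_report(SAMPLE_REPORT_JSON)
ACCEPTED = [RiskAcceptance("VULN-001", "ciso@example.invalid",
                           datetime(2025, 3, 1, tzinfo=timezone.utc))]
EXPIRED = [RiskAcceptance("VULN-001", "ciso@example.invalid",
                          datetime(2025, 1, 1, tzinfo=timezone.utc))]


def run_scenarios():
    """Exercise the gate across the failure modes a change-management process hits."""
    return {
        "blocked_critical":   evaluate_gate("a1b2c3d", REPORT, [], NOW),
        "accepted_risk":      evaluate_gate("a1b2c3d", REPORT, ACCEPTED, NOW),
        "expired_acceptance": evaluate_gate("a1b2c3d", REPORT, EXPIRED, NOW),
        "wrong_commit":       evaluate_gate("ffffffff", REPORT, ACCEPTED, NOW),
        "stale_scan":         evaluate_gate("a1b2c3d", REPORT, ACCEPTED, NOW + timedelta(days=10)),
        "no_scan":            evaluate_gate("a1b2c3d", None, ACCEPTED, NOW),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {'ALLOW' if result.allowed else 'BLOCK'} {result.reasons}")
```

Only the `accepted_risk` scenario passes; the others are blocked for the reason recorded in `reasons`, which is the evidence trail an auditor will ask for. In a real pipeline the report would come from whatever scanner the organisation already runs and the acceptances from its risk register, but the three checks (same build, recent, exceptions with an owner and an end date) are the ones that turn ‘we scan things’ into ‘nothing is deployed without an assessment’.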

Asset management is key to compliance. Financial institutions need to know what is on their estate, which systems they use and interact with, what the risks and threats to those systems are, and how their third-party suppliers operate. From that inventory, organisations can apply the DORA framework and embed policies for evaluating and prioritising risks. This is where practices such as threat-led penetration testing and broader cybersecurity testing, incident reporting, and incident management come in.

Risk management within finance and banking is incredibly complex. When it comes to third-party vulnerabilities, far more engagement with supplier management is required. Financial institutions need a deep understanding of their contracts with their ICT providers and of where roles and responsibilities lie. DORA places real emphasis on this point, and it is the area that will carry the biggest penalties, potentially on both sides. Institutions need to be crystal clear on which party is managing what and who is accountable.

Patching and monitoring are a simple example: if a third party were compromised, how much responsibility falls on the financial institution for spotting it, if any at all? It is a basic case, but it underlines the importance of laying out clear responsibilities for every control, not just the obvious ones.

There is still time to address any unclear gaps in responsibility: approximately six months until 17 January 2025. Now is the time to comb through contracts, identify every area of ambiguity, and resolve it in writing, to avoid legal consequences and reputational damage later down the line.

The importance of the regulations

While some may see compliance with DORA and NIS2 as a box-ticking exercise, it has become essential given the increasing pace and scale of cyber attacks, particularly against the finance sector.

Customer trust is fundamental for financial institutions; if a bank’s customers suspect it is vulnerable to attackers, it will lose customers and suffer lasting reputational damage. DORA and NIS2 have been developed to build better operational resilience and to bring every institution up to a common standard, making attacks by malicious actors as difficult as possible.