
DORA & NIS2: Deloitte Can Help

As digital transformation accelerates, robust cybersecurity frameworks for the financial sector and for critical infrastructure have become essential. The Digital Operational Resilience Act (DORA) and the NIS2 Directive are the two key EU regulations that aim to raise the cybersecurity posture of organizations across the European Union. Under both, businesses must implement effective measures to reduce cyber risk, ensure operational continuity, and safeguard critical services from disruption.

What is DORA?

The Digital Operational Resilience Act (DORA) is a comprehensive EU regulation designed to strengthen the digital resilience and cybersecurity of financial institutions across Europe. DORA unifies cybersecurity expectations for the financial sector, ensuring that organizations are prepared to handle and recover from operational disruptions, such as cyberattacks or system failures.

DORA introduces a framework to reduce cybersecurity risks and improve operational resilience, covering all sectors of the financial industry. It applies to a wide range of entities, including:

  • Financial Institutions: Banks, investment firms, insurance companies, and other regulated financial entities must align with DORA’s requirements to safeguard operations and comply with regulatory standards.
  • Fintech Companies: With the rise of technology-driven financial services, fintech companies are also required to adopt the same cybersecurity measures, ensuring that digital innovation doesn’t come at the cost of operational resilience.
  • Critical ICT Third-Party Providers: Organizations that provide essential ICT services to financial institutions, such as cloud providers or IT support firms, can be designated as critical and placed under a dedicated EU oversight framework, because a failure on their side could have far-reaching consequences for the sector.

Effective Dates:

  • Entered into force: January 16, 2023
  • Applies from (full compliance required): January 17, 2025

Implications of DORA:

  • Increasing Cybersecurity Maturity: Institutions must enhance their cybersecurity practices to meet DORA’s standards.
  • Reducing Risks: Implementing measures to identify, mitigate, and recover from digital disruptions.
  • Avoiding Fines: Ensuring compliance to avoid penalties and safeguard organizational reputation.

Red Flags to Watch:

  • The wide scope of DORA may present challenges in meeting the required standards within the timeline, particularly for smaller firms or those with less mature cybersecurity practices.

Key Requirements for Cyber Resilience

The Digital Operational Resilience Act (DORA) outlines several critical requirements aimed at ensuring that financial institutions can effectively manage ICT risks, report incidents, and maintain operational continuity in the face of digital disruptions. These requirements focus on risk management, incident handling, resilience testing, third-party risk management, and collaborative information sharing.

ICT Risk Management Requirements

DORA introduces a set of core principles that form the foundation of an ICT risk management framework. These principles guide organizations in managing and mitigating digital risks at every stage, including:

  • Identification: Identifying potential risks and vulnerabilities within the ICT systems.
  • Protection and Prevention: Developing strategies to protect systems and prevent threats from materializing.
  • Detection: Establishing processes to quickly detect and assess security incidents.
  • Response and Recovery: Creating actionable response plans to mitigate damage and ensure rapid recovery.
  • Training and Development: Regularly training staff to stay ahead of emerging risks and ensure operational readiness.
  • Communication: Effective communication strategies to manage incidents internally and externally.

ICT Incident Reporting Requirements

DORA sets clear guidelines for reporting ICT incidents, aiming to standardize incident management across financial institutions. Major ICT-related incidents must be classified and reported to the competent authority, and significant cyber threats may be reported on a voluntary basis. This harmonized approach ensures that organizations can quickly identify, manage, and report incidents, allowing for consistent and integrated handling of cybersecurity breaches and disruptions.

Digital Operational Resilience Testing

To ensure continuous resilience, ICT systems and tools must be regularly tested by all entities. This includes:

  • Testing for All Entities: All organizations must regularly test their digital resilience capabilities to ensure they can withstand potential disruptions.
  • Threat-Led Penetration Testing for Significant Entities: Entities identified by their competent authorities as significant must additionally carry out threat-led penetration testing (TLPT) at least every three years, to proactively identify vulnerabilities in live production systems.

Information Sharing Agreements

DORA encourages information sharing agreements between entities within trusted financial communities. By exchanging information about new and emerging cyber threats, financial institutions can raise awareness and better prepare for potential risks. This collaborative approach strengthens the sector’s collective resilience to cyber threats.

ICT Third-Party Risk Management

DORA establishes general principles for managing third-party ICT risks, highlighting the importance of assessing and mitigating risks from external vendors and service providers. Key requirements include:

  • Obligations for Financial Entities: Financial institutions are required to reflect these principles in their outsourcing and vendor contracts, ensuring that third-party providers also adhere to DORA’s cybersecurity standards.
  • Contractual Adjustments: By DORA’s application date, entities must revise their contracts with ICT third-party providers so that they include the key contractual provisions DORA requires and manage the associated risks effectively.

What is NIS2?

The NIS2 Directive strengthens the cybersecurity and resilience of critical infrastructure across the European Union. Building on its predecessor, the NIS Directive, it focuses on increasing preparedness and coordination between EU Member States while enforcing cybersecurity measures for key sectors.

NIS2 stands on three foundational pillars:

  • National Cybersecurity Strategies: EU Member States must establish clear, coordinated national strategies to enhance cybersecurity across the region.
  • Strategic Cooperation and Information Sharing: NIS2 emphasizes collaboration between Member States and the exchange of cybersecurity information, fostering a collective defense against cyber threats.
  • Key Sectors: NIS2 applies to sectors critical to public life, including energy, healthcare, transport, and digital infrastructure, ensuring they maintain robust cybersecurity defenses.

What Requirements Does NIS2 Bring About?
NIS2 introduces several new requirements to enhance the overall security posture of organizations and sectors. These requirements focus on improving risk management, corporate governance, incident reporting, and business continuity:

  • Risk Management & Security Enhancement: Organizations must adopt measures to minimize cyber risks, including managing incidents, securing the supply chain, and enhancing network security. This ensures proactive defenses against evolving threats.
  • Corporate Accountability: Corporate management must take responsibility for cybersecurity, including overseeing, approving, and being trained on the organization's security measures. This ensures that cybersecurity is prioritized at the highest levels of decision-making.
  • Reporting of Security Incidents: Organizations must have a clear process to report any major security incidents, especially those that could significantly impact service provision or users. Timely reporting is key to mitigating the consequences of cyberattacks.
  • Business Continuity: NIS2 mandates the development and implementation of business continuity plans to ensure that organizations can maintain essential operations and recover quickly from major cyber incidents, minimizing downtime and disruptions.

Entities are treated differently depending on their categorization:

  • Essential and important entities must meet the same security requirements, but they are supervised differently: important entities are subject only to an ex-post supervisory regime (action after evidence of non-compliance), whereas essential entities are also subject to an ex-ante regime (e.g., inspections, random checks, audits, requests for information).
  • Administrative fines for essential entities can reach €10 million or 2% of total worldwide annual turnover, whichever is higher; for important entities the maximum is €7 million or 1.4% of total worldwide annual turnover, whichever is higher.

There are new requirements that:

  • Oblige entities in scope to adopt specific cyber risk management practices;
  • Introduce a staged approach to incident reporting (an early warning within 24 hours, an incident notification within 72 hours, and a final report within one month); and
  • Strengthen supply chain security.

There are differences in how management is held to account per type of entity:

  • For both essential and important entities, the management body must approve and oversee the cybersecurity risk-management measures and can be held liable for breaches of those obligations;
  • For essential entities only, competent authorities can additionally request a temporary prohibition on individuals at CEO or legal-representative level from exercising managerial functions until the infringement is remedied.

Deloitte offers a full suite of services to help your organization navigate the complexities of DORA and NIS2 compliance. Our team combines industry-leading tools, methodologies, and expertise to guide you from initial gap assessments to full regulatory implementation.

Gap Analysis & Readiness Assessment
We perform thorough gap assessments to analyze your current cybersecurity posture and determine your organization’s level of compliance with DORA and NIS2. This evaluation helps identify areas for improvement and provides a roadmap to meet regulatory requirements.

Implementation Services

  • ICT Risk Management Framework
    We help align your organization’s business strategies with cybersecurity risks, ensuring you maintain a comprehensive and effective ICT Risk Management Framework. Deloitte will guide you in developing ICT strategies, policies, procedures, and methodologies specifically designed for DORA/NIS2 compliance.
  • Incident Reporting
    Our team supports you in adapting to the new EU incident reporting requirements, ensuring your internal processes are aligned to optimize resource allocation and streamline the reporting of significant security events.
  • Sound Operational Resilience
    We assist in establishing a robust business continuity and disaster recovery framework, helping your organization maintain critical operations during disruptions and recover swiftly from cyber incidents.
  • ICT Third-Party Risk Management (TPRM) and Monitoring
    Deloitte’s ICT TPRM framework is designed to address the complexities of managing risks in the third-party ecosystem, ensuring that your vendors and service providers comply with global regulatory requirements and help mitigate potential vulnerabilities.

Vendor Selection Support

  • If streamlining your DORA/NIS2 compliance process is a priority, Deloitte can assist you in selecting the right vendors. Our experts ensure that all your compliance needs are addressed by the best-fit partners, making the implementation process efficient and effective.

Awareness Trainings for DORA/NIS2 Specifics

  • We offer targeted awareness training to help your team understand the specifics of DORA/NIS2 compliance. Ensuring your employees are well-versed in these regulations is key to driving long-term success and maintaining cybersecurity resilience.
