DORA & NIS2: Key considerations for senior management

In our increasingly digital world, safeguarding the digital infrastructure and information systems that uphold financial companies is now critical. Two key regulatory frameworks, DORA and NIS2, have emerged as essential regulations designed to enhance the protection of financial companies’ operations and systems.

My first blog of the four-part DORA and NIS2 blog series introduced the new financial regulations in-depth. In the second blog, I explained how these new regulations will impact UK financial companies. This blog will explore the key considerations around DORA and NIS2 for senior management.

In light of DORA and NIS2 taking effect, it is integral that senior stakeholders within financial companies are aware of the considerations that must be taken to effectively comply with these regulations and adhere to them accordingly. A few of the key considerations for senior management to be aware of are as follows:  

Navigate the cost of compliance 

It is important for senior management within certain financial companies to consider that complying with regulations may accrue significant financial costs. This is particularly likely in small and medium-sized enterprises (SMEs). Becoming digitally resilient and implementing the necessary measures to meet DORA requirements may require a hefty investment in technology, resources and expertise. This may, however, prove small in comparison to the cost of a breach, incoming fine, loss of reputation or even customers.  

Carefully assess maturity and capabilities 

The maturity and complexity of a financial company’s governance and internal practices will affect the challenges it faces in complying with DORA. Companies with lower maturity profiles may need to invest more resources and effort to meet DORA’s requirements. At every maturity level, it is vital for senior management to conduct thorough evaluations of the current state, identify any existing gaps and allocate the appropriate resources for compliance.  

Turning requirements into actions can be complicated

DORA introduces new compliance obligations and expectations for financial companies. It requires them to embed digital resilience throughout their operations, develop a Digital Resilience Strategy, implement a Digital Resilience Framework and address areas such as operational resilience testing, threat intelligence sharing and third-party risk management. Senior management must prepare themselves for the likely challenging undertaking of understanding the specific requirements and translating them into actionable steps across the wider business.  

Ensure third-party service providers’ compliance

Financial companies often rely on third-party ICT service providers to support their operations. DORA also applies to these service providers, imposing additional compliance obligations and oversight requirements. Therefore, it is critical for senior management to verify that third-party providers adhere to the prescribed standards and align with DORA’s requirements, which may involve renegotiating contracts or conducting due diligence to ensure compliance.  

Adhere to the compliance timeline 

While the European Parliament has approved DORA, it is only set to enter into force in 2025. Conducting a thorough gap assessment, developing a roadmap and implementing the necessary changes can be time-intensive, particularly due to the complexity of the requirements and potential need for significant operational adjustments. Therefore, senior management must plan compliance efforts and resources accordingly to align with the designated timeframe. 

How can CACI help? 

With over 20 years’ experience in helping deliver effective IT and security strategies to financial companies, CACI can help you navigate the changes and challenges brought on by DORA. Our experienced security and compliance experts can bolster your understanding of your network assets, help you conduct maturity assessments, address compliance gaps regarding the fulfilment of DORA implementation requirements, and much more.  

For more information, please read our recent whitepaper “Compliance with DORA and NIS2: Essential steps for UK financial companies”, which explores the impact of DORA and NIS2 on financial companies in the UK, key considerations for senior management and best practices for achieving compliance. You can also get in touch with the team here.