How do DORA and NIS2 impact UK financial companies

In our increasingly digital world, safeguarding the digital infrastructure and information systems that uphold financial companies is now critical. Two key regulatory frameworks, DORA and NIS2, have emerged as essential regulations designed to enhance the protection of financial companies’ operations and systems.

In the first of our series of blogs, we introduced the topic of DORA and NIS2 and explained the new financial regulations. Here I will be exploring how these regulations will impact UK financial companies.

DORA applies to a range of financial institutions including banks, investment companies, payment service providers and critical third-party service providers that operate within the EU. UK-based operators that service the EU market must therefore comply with DORA and NIS2.  

Companies that fall under this scope will be impacted in the following ways: 

Broader compliance requirements 

UK-based financial companies that service the EU must comply with the new requirements set out by DORA and NIS2 that intend to improve operational resilience and cybersecurity. These requirements include third-party security management, supply chain risk, vulnerability disclosure practices, risk management measures, incident reporting and more. The stiffened regulatory oversight and supervision as a result of this causes UK companies to have to reassess their operational processes and reporting mechanisms and develop a risk management framework.  

Harmonising cybersecurity measures

NIS2 aims to harmonise cybersecurity measures across the EU, including UK operators that service the EU market, to maintain a consistent level of cybersecurity and resilience. This harmonisation will align UK companies with the cybersecurity standards and practices of other EU member states. UK financial companies may need to create incident response plans or revisit their existing reporting mechanisms to adhere to this.  

Standardising and strengthening operational resilience DORA prioritises the maturity of cyber, operational and technology resiliency in financial companies. It consolidates regulatory initiatives and aligns with the Bank of England, Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) requirements, strengthening operational resilience in the financial services sector. UK financial companies will need to create extensive testing programmes to guarantee the resilience of their systems and perform gap analyses to align with DORA’s latest requirements.  

Varying impact on distinct types of firms 

DORA’s impact will vary based on the size and maturity of financial companies. For example, established multinational banks with existing operational resilience strategies may face minor impact. On the other hand, smaller banks, fintech companies, insurance firms, fund management firms and wealth management firms may require substantial strategy changes and a redistribution of resources to meet DORA’s requirements.  

Promote information sharing 

DORA encourages a collaborative culture among financial companies by promoting the exchange of cyber-threat information and intelligence. This proactive approach strengthens the overall resilience of the financial sector.  

Impact on ICT third-party service providers

DORA not only applies to regulated financial companies, but also has implications for the ICT third-party service providers that support them. Providers of cloud computing services, software, data analytics and data centres must comply with DORA, ensuring a level playing field for all. UK financial companies must align with each ICT service partner to assess and document any potential associated risk and ensure their contracts include all key elements.  

Incident reporting & response management

DORA mandates UK financial companies to report any major ICT-related incidents to local authorities. It also stipulates the reporting of any cyber threats on a voluntary basis, and to inform customers of incidents. With this in mind, UK financial companies will need to revisit their supplier contracts to ensure they meet all incident response requirements including identifying and recording all incidents, reporting to regulators within designated timeframes and pursuing remediation action.  

Impact of NIS2 on US financial companies 

While NIS2 is a regulation specific to EU member states, its impact can still be felt in financial companies across the US. Compliance with regulations in the US is overseen by agencies including the Securities and Exchange Commission (SEC), the Consumer Financial Protection Bureau (CFPB) and more. NIS2’s implementation means that certain US companies operating within the EU or that conduct business with EU member states will need to align their cybersecurity and information security practices to ensure NIS2 compliance is maintained. Compliance is not only mandatory, but is strongly encouraged for financial companies that wish to retain their customers’ and investors’ trust. 

How can CACI help?

With over 20 years’ experience in helping deliver effective IT and security strategies to financial companies, CACI can help you navigate the changes and challenges brought on by DORA. Our experienced security and compliance experts can bolster your understanding of your network assets, help you conduct maturity assessments, address compliance gaps regarding the fulfilment of DORA implementation requirements, and much more.  

For further insight into the impact of DORA and NIS2 on financial companies in the UK, key considerations for senior management and best practices for achieving compliance, please read our whitepaper “Compliance with DORA and NIS2: Essential steps for UK financial companies”. You can also get in touch with the team here.