What are DORA and NIS2?

This blog is the first of a four-blog series which will be exploring many aspects of the newly implemented DORA and NIS2 financial regulations.

In our increasingly digital world, safeguarding the digital infrastructure and information systems that uphold financial companies is now critical. Two key regulatory frameworks, DORA and NIS2, have emerged as essential regulations designed to enhance the protection of financial companies’ operations and systems.

What is DORA? 

DORA, or the Digital Operational Resilience Act, aims to enhance the operational resilience of the financial sector in the context of digitalisation. It is part of the Digital Finance package, which includes measures to enable and support digital finance while mitigating associated risks.1 Effective from 16th January 2023, the regulation applies to all financial services companies and their external vendors within the EU Market, mandating compliance by 17th January 2025.  

DORA is underpinned by five pillars that address various aspects of digital operational resilience, including:  

1. ICT risk management: Effectively managing ICT and security risks, including establishing resilient ICT systems, identifying risks, implementing protection measures, promptly detecting anomalies and having robust business continuity plans in line with recognised standards and best practices.

2. ICT-related incident reporting: Establishing and implementing a management process to monitor and log ICT-related incidents. It involves classifying incidents based on regulation-defined criteria and reporting major incidents to competent authorities.
    
3. Digital operational resilience testing: Financial entities periodically testing ICT risk management capabilities and functions for preparedness and identification of weaknesses, deficiencies or gaps and the prompt implementation of corrective measures.
    
4. ICT third-party risk: Managing risks associated with third-party service providers, including assessing the criticality of third-party providers, outlining key elements in contracts, conducting due diligence and managing risks.
   
   
5. Information sharing: Emphasising the exchange of cyber threat information and intelligence between entities within trusted financial communities. The objective is to raise awareness of new cyber threats, share reliable data protection solutions and optimise operational resilience tactics. 

What is NIS2? 

Network and Information Security Directive 2 (NIS2) aims to establish a higher level of cybersecurity and resilience within the EU, strengthen incident response capabilities and eliminate divergences in cybersecurity. It entered into force on 16th January 2023, and EU members must transpose its measures into national law by 17th October 2024.  

With the company’s maturity and current market conditions taken into consideration, companies must prioritise the following areas to safeguard their infrastructure and effectively comply with NIS2 regulations:  

1. Providing sufficient training and resources: Employees must be up to date on their cybersecurity knowledge by receiving adequate training and resources that will promote a security-conscious culture across the organisation.

2. Streamlining incident reporting: Efficient processes for reporting and managing security incidents must be established, including prevention, detection and response measures.

3. Strengthening overall security posture: Companies can improve their security posture by carrying out proper security controls, technologies and best practices.
    
4. Funding for cybersecurity: Companies can enhance their cybersecurity measures and protect critical assets by supplying sufficient resources and funding. 

How can CACI help? 

With over 20 years’ experience in helping deliver effective IT and security strategies to financial companies, CACI can help you navigate the changes and challenges brought on by DORA. Our experienced security and compliance experts can bolster your understanding of your network assets, help you conduct maturity assessments, address compliance gaps regarding the fulfilment of DORA implementation requirements, and much more. 

To learn more about the impact of DORA and NIS2 on financial companies in the UK, key considerations for senior management and best practices for achieving compliance, please read our whitepaper “Compliance with DORA and NIS2: Essential steps for UK financial companies”. You can also get in touch with the team here.