
Understanding DORA: NIS2’s Complementary Law for Financial Institutions

Oct 17, 2024

As organizations gear up to comply with the new NIS2 directive, let’s take a moment to highlight its complementary law for financial institutions, DORA.


What is DORA?

DORA is short for the Digital Operational Resilience Act. While NIS2 covers a broad range of sectors, including new sectors not covered by the original NIS directive from 2016, DORA applies specifically to banks, insurers, and other financial institutions. The goal of the NIS2 directive and of DORA, however, is essentially the same: both aim to harmonize and strengthen cybersecurity requirements within the EU, ensuring that the organizations that fall within their scope can withstand, respond to, and quickly recover from cyber incidents. This, in turn, better protects organizational and personal information and data.

Like NIS2, DORA places a strong emphasis on risk management, incident reporting and the testing of ICT systems, but its requirements are even stricter. This means that financial institutions will be required to implement robust cybersecurity measures, regularly assess their ICT risks, and report significant cyber incidents to the relevant authorities.

Interested in learning more about what’s new in NIS2 from the original NIS directive? Read more on the blog.

How do the DORA requirements differ from NIS2?

Although DORA specifically targets the financial sector, some financial organizations, including banks, already fall under the scope of NIS2. Others, such as insurance companies and crypto exchanges, do not. DORA bridges that gap by widening the scope to cover a larger range of financial services industries. Organizations that fall under both NIS2 and DORA will need to ensure compliance with both sets of requirements and leverage the synergies between the two to create a comprehensive cybersecurity framework.

Like NIS2, DORA also puts a strong emphasis on incident reporting and on the testing of operational resilience, meaning organizations will need to have a strong plan in place for both.

Third-party risk management

In addition to the emphasis NIS2 places on supply chain security, DORA introduces the concept of third-party risk management. Financial institutions will need to ensure that their ICT (Information and Communication Technology) service providers adhere to strict cybersecurity standards as well.

This highlights the importance of supply chain security and the need for organizations to care about the cybersecurity posture of their partners and vendors. On the flip side, it also means that partners and vendors working with those institutions must build their cybersecurity resilience in order to stay in the game.

Best practices to ensure compliance

With new regulations come new challenges, but we believe compliance is also an opportunity to strengthen your cybersecurity prowess. The right strategy and action plan will set you up for success.

Here are a few best practices to ensure compliance, while simultaneously increasing your security resilience:

  • Conduct risk assessments: Understanding your external attack surface is the best way to understand the risk of a security incident. By identifying potential vulnerabilities through dynamic and continuous scanning, you’ll get a clear picture of your organization’s digital footprint.
  • Implement mitigation strategies: Once you fully understand your attack surface, you can take steps to mitigate the risk of an attack. It’s important to assess and address any weaknesses found in your digital assets.
  • Invest in security awareness training: Your organization is only as secure as the people working there. Investing in awareness training for all employees and getting them engaged in cybersecurity is critical to any security strategy.
  • Establish an incident response plan: No matter how secure your organization is, breaches can always happen. To be compliant and to protect brand reputation, organizations need to be prepared for the worst by ensuring they can respond swiftly and meaningfully to a potential breach.

Work with industry experts

Many organizations simply don’t have the resources to build out a robust cybersecurity strategy, conduct training, and establish a solid incident response plan. Unless your organization has an in-house security and compliance team, we recommend working with consultants who specialize in cybersecurity and compliance.

Our sister company, Syndis, specializes in helping organizations with security management, including compliance, prevention, and post-incident mitigation.

Get the full NIS2 guide

Interested in learning more about DORA and NIS2 compliance? Download our full guide, which covers navigating compliance and your action plan for success.

Get the guide.
