DORA blog series #2


#2 Are you DORA or NIS2?

News outlets have widely covered the Network and Information Security Directive (NIS2) recently, as the compliance deadline was 17 October 2024. However, only a handful of European Union member states have transposed the NIS2 directive into national legislation – so, in effect, another soft deadline.

NIS2 covers obviously critical services (power, water, healthcare etc.), but also the wider ecosystem required to sustain a society in a disaster scenario, such as large-scale food providers. NIS2 explicitly excludes financial institutions.

The Digital Operational Resilience Act (DORA) is solely focussed on the financial ecosystem, including organisations providing key ICT services to financial organisations. As DORA is a regulation, it does not need EU member states to perform further action to be legally binding.

Other relevant EU directives and regulations

These include the Cybersecurity Regulation for EU institutions, the Cyber Solidarity Act for cross-EU collaboration and the Cyber Resilience Act for EU hardware / software products.

The General Data Protection Regulation (GDPR) covers data privacy, protecting EU citizen data from misuse. Most advanced countries outside of the EU have based their own privacy laws on GDPR. For example, Switzerland has created the Federal Act on Data Protection (FADP), with notably reduced fines for noncompliance.

Under GDPR, companies can be fined up to 4% of annual turnover. Meta, Amazon and TikTok have all been fined in the hundreds of millions of euros. Under FADP, an individual can be fined up to €250,000, and a company only €50,000 if an individual cannot be identified.

DORA and existing EU financial services regulations

Financial organisations already deal with a significant number of regulations, which can detract from business priorities. If we can get a holistic view of the compliance landscape, we can become efficient in tackling the overlapping compliance requirements only once. Let’s take the Payment Services Directive (PSD2) as an example.

PSD2 is focussed on making electronic payments efficient and secure. Payments are a subset of financial operations, so DORA has a significantly wider scope; however, the security requirements are consistent. PSD2 and DORA both treat third parties as risks in end-to-end financial processing, and therefore a consistent approach will be efficient. DORA covers reporting of all major ICT incidents, which will include the payment incident requirements of PSD2. As you can see, duplicating efforts to meet separate regulations is a waste of time and resources.

What next?

DORA will come into effect in January 2025 and will focus on three areas of cyber security which financial organisations will, no doubt, already be performing to some degree: incident response, ICT risk and third-party risk management. Note that the risk management extends beyond cyber and will cover system redundancy and single-vendor risks.

Where DORA goes outside of traditional cyber security boundaries is in the area of operational resilience testing, blurring the lines with business continuity.

In my next post, we will explore what will change with regard to incident response, post January 2025.

#DORA #finance #regulation #NIS2 #directive #EU #cyber #cybersecurity