NIS2 covers obviously critical services (power, water, healthcare etc.), but also the wider ecosystem required to sustain a society in a disaster scenario, such as large-scale food providers. NIS2 explicitly excludes financial institutions. <\/p>\n\n\n\n
The Digital Operational Resilience Act (DORA) is solely focussed on the financial ecosystem, including organisations providing key ICT services to financial organisations. As DORA is a regulation, it does not need EU member states to perform further action to be legally binding.<\/p>\n\n\n\n
\ud835\udde2\ud835\ude01\ud835\uddf5\ud835\uddf2\ud835\uddff \ud835\uddff\ud835\uddf2\ud835\uddf9\ud835\uddf2\ud835\ude03\ud835\uddee\ud835\uddfb\ud835\ude01 \ud835\uddd8\ud835\udde8 \ud835\uddf1\ud835\uddf6\ud835\uddff\ud835\uddf2\ud835\uddf0\ud835\ude01\ud835\uddf6\ud835\ude03\ud835\uddf2\ud835\ude00 \ud835\uddee\ud835\uddfb\ud835\uddf1 \ud835\uddff\ud835\uddf2\ud835\uddf4\ud835\ude02\ud835\uddf9\ud835\uddee\ud835\ude01\ud835\uddf6\ud835\uddfc\ud835\uddfb\ud835\ude00<\/strong><\/p>\n\n\n\n These include the Cybersecurity Regulation for EU institutions , the Cyber Solidarity Act for cross-EU collaboration and the Cyber Resilience Act for EU hardware \/ software products.<\/p>\n\n\n\n The General Data Protection Regulation (GDPR) covers data privacy, protecting EU citizen data from misuse. Most advanced countries outside of the EU have based their own privacy laws on GDPR. For example, Switzerland has created the Federal Act on Data Protection (FADP), with notably reduced fines for noncompliance. <\/p>\n\n\n\n Under GDPR, companies can be fined up to 4% of annual turnover. Meta, Amazon and Tik Tok have all been fined in the hundreds of millions of euros. Under FADP, an individual can be fined up to \u20ac250,000 and a company only \u20ac50,000 if an individual cannot be identified.<\/p>\n\n\n\n \ud835\uddd7\ud835\udde2\ud835\udde5\ud835\uddd4 <\/strong>\ud835\uddee\ud835\uddfb\ud835\uddf1 <\/strong>\ud835\uddf2\ud835\ude05\ud835\uddf6\ud835\ude00\ud835\ude01\ud835\uddf6\ud835\uddfb\ud835\uddf4 <\/strong>\ud835\uddd8\ud835\udde8 <\/strong>\ud835\uddf3\ud835\uddf6\ud835\uddfb\ud835\uddee\ud835\uddfb\ud835\uddf0\ud835\uddf6\ud835\uddee\ud835\uddf9 <\/strong>\ud835\ude00\ud835\uddf2\ud835\uddff\ud835\ude03\ud835\uddf6\ud835\uddf0\ud835\uddf2\ud835\ude00 <\/strong>\ud835\uddff\ud835\uddf2\ud835\uddf4\ud835\ude02\ud835\uddf9\ud835\uddee\ud835\ude01\ud835\uddf6\ud835\uddfc\ud835\uddfb\ud835\ude00<\/strong><\/p>\n\n\n\n Financial organisations already deal with a significant number of regulations, which can detract from business priorities. If we can get a holistic view of the compliance landscape, we can become efficient in tackling the overlapping compliance requirements only once. Let\u2019s take the Payment Services Directive (PSD2) as an example.<\/p>\n\n\n\n PSD2 is focussed on making electronic payments efficient and secure. Payments is a subset of financial operations, so DORA has a significantly wider scope, however the security requirements are consistent. PSD2 and DORA both treat third parties as risks in end-to-end financial processing and therefore a consistent approach will be efficient. DORA covers reporting of all major ICT incidents, which will include the payment incident requirements of PSD2. As you can see, duplication of efforts to meet separate regulations is a waste of time and resources.<\/p>\n\n\n\n \ud835\uddea\ud835\uddf5\ud835\uddee\ud835\ude01 <\/strong>\ud835\uddfb\ud835\uddf2\ud835\ude05\ud835\ude01?<\/strong><\/p>\n\n\n\n DORA will come into effect in January 2025 and will focus on three areas of cyber security which financial organisations will, no doubt, be performing to some degree: incident response, ICT risk and third-party risk management. Note, the risk management extends beyond cyber and will cover system redundancy and single-vendor risks.<\/p>\n\n\n\n Where DORA goes outside of traditional cyber security boundaries is in the area of operational resilience testing, blurring the lines with business continuity.<\/p>\n\n\n\n In my next post, we will explore what will change with regard to incident response, post January 2025.<\/p>\n\n\n\n #<\/strong>\ud835\uddd7\ud835\udde2\ud835\udde5\ud835\uddd4 #<\/strong>\ud835\uddf3\ud835\uddf6\ud835\uddfb\ud835\uddee\ud835\uddfb\ud835\uddf0\ud835\uddf2 #<\/strong>\ud835\uddff\ud835\uddf2\ud835\uddf4\ud835\ude02\ud835\uddf9\ud835\uddee\ud835\ude01\ud835\uddf6\ud835\uddfc\ud835\uddfb #<\/strong>\ud835\udde1\ud835\udddc\ud835\udde6\ud835\udfee #<\/strong>\ud835\uddf1\ud835\uddf6\ud835\uddff\ud835\uddf2\ud835\uddf0\ud835\ude01\ud835\uddf6\ud835\ude03\ud835\uddf2 #<\/strong>\ud835\uddd8\ud835\udde8 #<\/strong>\ud835\uddf0\ud835\ude06\ud835\uddef\ud835\uddf2\ud835\uddff #<\/strong>\ud835\uddf0\ud835\ude06\ud835\uddef\ud835\uddf2\ud835\uddff\ud835\ude00\ud835\uddf2\ud835\uddf0\ud835\ude02\ud835\uddff\ud835\uddf6\ud835\ude01\ud835\ude06<\/strong><\/p>\n\n\n\n #\ud835\udfee \ud835\uddd4\ud835\uddff\ud835\uddf2 \ud835\ude06\ud835\uddfc\ud835\ude02 \ud835\uddd7\ud835\udde2\ud835\udde5\ud835\uddd4 \ud835\uddfc\ud835\uddff \ud835\udde1\ud835\udddc\ud835\udde6\ud835\udfee? News outlets have widely covered the Network and Information Security Directive (NIS2) recently, as the compliance deadline was on the 17th October 2024. However, only a handful of European Union member states have integrated the NIS2 directive into the national legislature \u2013 so, another soft deadline. NIS2 covers obviously […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"nf_dc_page":"","_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[31],"tags":[],"class_list":["post-153","post","type-post","status-publish","format-standard","hentry","category-dora-regulation"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/cyberriskpartners.net\/en_gb\/wp-json\/wp\/v2\/posts\/153","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cyberriskpartners.net\/en_gb\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cyberriskpartners.net\/en_gb\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cyberriskpartners.net\/en_gb\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/cyberriskpartners.net\/en_gb\/wp-json\/wp\/v2\/comments?post=153"}],"version-history":[{"count":2,"href":"https:\/\/cyberriskpartners.net\/en_gb\/wp-json\/wp\/v2\/posts\/153\/revisions"}],"predecessor-version":[{"id":163,"href":"https:\/\/cyberriskpartners.net\/en_gb\/wp-json\/wp\/v2\/posts\/153\/revisions\/163"}],"wp:attachment":[{"href":"https:\/\/cyberriskpartners.net\/en_gb\/wp-json\/wp\/v2\/media?parent=153"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cyberriskpartners.net\/en_gb\/wp-json\/wp\/v2\/categories?post=153"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cyberriskpartners.net\/en_gb\/wp-json\/wp\/v2\/tags?post=153"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}![\"\"](\"https:\/\/i0.wp.com\/cyberriskpartners.net\/wp-content\/uploads\/2024\/11\/dora-finance.jpeg?resize=1024%2C1024&ssl=1\")
<\/figure>\n","protected":false},"excerpt":{"rendered":"