New requirements for the digitalising financial sector – overview of the DORA regulation and NIS2 directive

The EU is placing a stronger focus on the development of technology in the financial sector, and this has resulted in a harmonised framework of rules that strongly affects the sector. The digitalisation of the financial sector has increased security risks, and in order to mitigate those risks the EU has adopted several new legal acts. Two of the most important legal acts in cyber security are the DORA regulation and the NIS2 directive. What do these legal acts regulate, and to whom do they apply?

The European Union has already adopted regulation No. 2022/2554 (DORA) (available here), which enters into force on 17 January 2025. DORA addresses digital operational resilience specifically and establishes rules for the risk management of information and communication technology (ICT), incident reporting, testing of digital operational resilience and risk monitoring of ICT third parties. What makes DORA novel is that until now the EU had not regulated the ICT risk management of the financial sector at the level of a regulation, but had done so through more general directives, guidelines and standards. With such legal acts, the EU tried to harmonise rules that applied only to some financial institutions. As a result, different member states regulate ICT risks differently, imposing different requirements and subjecting different financial institutions to them. DORA establishes detailed and comprehensive requirements for the vast majority of financial institutions, and these requirements are directly applicable under the regulation. It also provides additional technical standards which financial institutions must implement when applying the regulation. In this way the ICT risk requirements are harmonised across all member states and for the majority of the financial sector.

EU directive No. 2022/2555 (the NIS2 directive) (available here) entered into force on 14 December 2022 and lays down measures for ensuring a uniform level of cyber security in the European Union. The NIS2 directive builds on its predecessor, the NIS1 directive, and expands its scope. The NIS2 directive applies to critical and essential service providers in various sectors: NIS2 applies to important companies in the energy, transport, health care, water, digital service, postal and other sectors.

What to keep in mind with the DORA regulation?

A. Scope

DORA applies to most financial sector companies (DORA article 2(1)), including credit institutions, payment institutions, e-money institutions, investment firms, crypto asset service providers, central securities depositories, central counterparties, trading venues, trade repositories, management companies, insurance undertakings and intermediaries, crowdfunding service providers and securitisation repositories. DORA also applies to third-party ICT service providers.

B. Key requirements

1) Requirements for an ICT risk management framework. Under DORA, financial institutions must:

  • set up and maintain resilient ICT systems that minimise the impact of ICT risks on financial institutions;
  • ensure the identification of all sources of ICT risk in order to set up relevant protection and prevention measures;
  • establish systems to identify anomalies;
  • put in place business continuity policies and disaster recovery plans in financial institutions;
  • put in place mechanisms that allow financial institutions to learn from external and internal incidents.

2) Requirements for ICT incident reporting. Under DORA, financial institutions must establish relevant systems and processes to monitor, identify and record ICT incidents according to their classification. Financial institutions must also promptly report ICT incidents to the relevant supervisory authorities. The reports must include details about the impact of the incident, its root causes and the remedial measures taken. DORA also sets requirements for notifying clients and users.

3) Requirements for digital operational resilience testing. DORA provides for an obligation to carry out regular tests to assess the financial institution’s preparedness for ICT-related incidents, and to promptly eliminate the deficiencies identified in the course of testing or to implement relevant corrective measures to mitigate them.

4) Requirements for the use of third-party ICT service providers. In this regard, DORA requires financial institutions to:

  • put in place strategies to manage the ICT risks attached to the use of third-party ICT service providers;
  • maintain a register of third-party ICT service providers;
  • carry out comprehensive assessments and audits of third-party ICT service providers before concluding agreements with them;
  • conclude relevant agreements with third-party service providers;
  • after concluding an agreement with a third-party service provider, carry out regular assessments and audits of that service provider, including cooperating with the relevant competent authorities that supervise financial entities;
  • put in place exit strategies for third-party service providers;
  • report to the relevant competent authorities which third-party ICT service providers the financial entity is using.

C. Impact

Requirements for ICT systems and security have been common for years already, at least for a certain part of the financial sector. However, the requirements were not uniform and differed from country to country, which posed a problem for larger financial sector entities that DORA is intended to alleviate. At the same time, implementing the new harmonised rules takes considerable effort. DORA has a particular impact on smaller institutions, which often introduce very specific technological solutions and whose entire business plan rests on a specific and innovative solution. For these companies a harmonised and detailed framework is in itself a major challenge: how to fit their innovation into the legislator’s framework. A third and completely separate impact of DORA falls on companies that provide ICT services to the financial sector. In more detail, the impact can be described as follows:

1) Financial sector entities who were previously not subject to EU law governing ICT risks

Although the earlier EU legal acts did not ensure full consistency between the financial institutions that were subject to them, they regulated ICT risks in a uniform manner at least to some extent. Financial institutions that were not subject to EU law governing ICT risks, or were not even subject to national law in this area, now need to significantly improve their ICT risk management and administration. This means that the impact of DORA on credit institutions or payment institutions is not as considerable as it is for crypto asset service providers or fund managers.

2) Third-party ICT service providers

The introduction of DORA will thoroughly regulate the contractual relationships between financial institutions and third-party ICT service providers, both before and after the conclusion of the contract. The third-party ICT service provider must also be ready to submit to supervision by the competent authority that supervises the financial institution and to cooperate fully with this authority. This in turn means that third-party ICT service providers must pay more attention to the services they provide in order to comply with DORA requirements, which increases the administrative burden on these parties in the provision of their services.

What are the key obligations under NIS2?

A. Incident reporting requirements. Under NIS2, the obligated entities must report cyber incidents to the relevant competent supervisory authorities. The purpose of the reporting obligation is to minimise the impact of the incident on the essential service provided.

B. Risk management and security requirements. NIS2 obliges entities to apply relevant security measures to minimise risks to the security of their network and information systems. In Estonia it is possible to apply, for example, the E-ITS or ISO standards.

C. Business continuity. NIS2 obliges entities to devise measures that ensure business continuity in the event of major cyber incidents. Such measures should encompass system recovery plans and action plans for crisis situations.

D. Cooperation and information sharing. The objective of NIS2 is to improve cooperation between member states and facilitate information sharing in order to improve cyber resilience.

In order to achieve the objectives described above, NIS2 requires the implementation of several security measures. These include:

  • application of relevant security measures to prevent and resolve cyber incidents or minimise their impact;
  • mandatory assessment of the risks attached to cyber incidents and carrying out a system risk analysis;
  • adoption of cyber security policies and procedures;
  • establishment of multi-factor authentication;
  • training of personnel, etc.

What are the main differences between NIS2 and DORA?

Although DORA and NIS2 both relate to ensuring cyber security, they serve different purposes. The purpose of NIS2 is to harmonise the level of cyber security in the EU more broadly. The purpose of DORA is to protect the financial sector: to ensure the operational resilience of the financial sector, the reliability of its digital systems, and the availability and integrity of financial services. Under DORA, NIS2 still applies to the entities subject to DORA, but overlap between NIS2 and DORA is prevented by the lex specialis provision in DORA, which means that DORA prevails over NIS2. Financial institutions therefore need to be well informed about the requirements under both legal acts.

Linked Experts

Marko Kairjak, PhD, Partner / Estonia
Anneli Krunks, Senior Associate / Estonia
Merlin Liis-Toomela, Senior Associate / Estonia