The entry into force of the Digital Operational Resilience Act (Regulation (EU) 2022/2554, “DORA Regulation”) and of Directive (EU) 2022/2555 (“NIS2 Directive”) represents a major step towards a harmonised regulatory framework for addressing cybersecurity challenges in the financial industry and beyond.

DORA: Operational resilience in the financial industry

DORA requires financial entities (banks, insurers, investment firms and other regulated firms in the financial and insurance sectors) to maintain suitable safeguards against cyberattacks and to strengthen the prevention and management of ICT risks. It also brings ICT third-party service providers into scope, with those designated as critical becoming subject to a dedicated oversight framework.

The Regulation stresses the need to ensure digital operational resilience against cybersecurity threats throughout the lifecycle of business activities.

The DORA Regulation entered into force on 16 January 2023 and applies from 17 January 2025. The entities in scope therefore have two years to prepare and implement it.

The Regulation enhances the digital operational resilience of European entities in the financial industry and is built on five key pillars:


NIS2 Directive: Cybersecurity rules in Europe

The NIS2 Directive aims to improve the response of EU Member States to cyberattacks and to strengthen cooperation and the exchange of information between them. Its scope of application is broader than that of the first NIS Directive: it covers not only businesses operating in sectors of “high criticality”, such as energy, transport, finance and healthcare, but also those in “other critical sectors”, such as digital providers, postal services, waste management and other essential services. The Directive introduces binding measures for the management of cybersecurity risks and obligations to report significant incidents.

The NIS2 Directive entered into force on 16 January 2023. EU Member States must adopt and publish the national measures transposing it by 17 October 2024.

Art. 21 of the NIS2 Directive sets out the minimum measures that in-scope entities must adopt to manage cybersecurity risks, based on an all-hazards approach:

Conclusions

Getting ready for DORA and NIS2 is not just a regulatory requirement but also an opportunity to improve operational resilience and to protect businesses in an increasingly complex and interconnected digital world.

Head of Technology & Innovation
Roberto Antoniotti