At Enzure, we are actively engaged in the ongoing efforts to fortify digital security within the European Union. In the wake of adopting the NIS 2 Directive, we have embraced the subsequent measures aimed at enhancing the Union’s cybersecurity posture. The DORA regulation (Digital Operational Resilience Act), or Regulation (EU) 2022/2554, came into effect on January 16, 2023, and will be applicable from January 17, 2025. Organizations impacted by this regulation now have less than 12 months to align with its requirements.
The DORA regulation specifically targets entities within the financial sector, including banks, credit institutions, insurance companies, and investment firms. The rapid development and adoption of Information and Communication Technologies (ICT) have revolutionized operational methods within these businesses. However, this progress also introduces heightened vulnerability to cyber threats and technical disruptions. The DORA regulation aims to address these vulnerabilities by providing a more specialized framework for managing ICT risks than what is outlined in the NIS 2 Directive.
DORA or NIS 2?
On the surface, having two EU acts that seem to serve the same purpose might appear redundant. However, important distinctions exist between them. The NIS 2 Directive is just that—a directive, which serves as a guiding act that must be implemented into national law. DORA, in contrast, is a regulation—an act that is immediately binding and applies across all Member States as soon as it enters into force. While NIS 2 focuses on general cybersecurity, DORA specifically addresses the stability of the financial sector and sets higher standards for security testing. These two pieces of legislation are therefore complementary; if your business falls within the scope of DORA’s regulatory framework, that regulation takes precedence.
What Does DORA Require?
DORA mandates a comprehensive approach to ICT risk management and places increased responsibility on company management to understand and mitigate risks. Financial firms must comply with DORA in a manner scaled to their size and risk profile: smaller organizations may employ simpler risk management approaches, but they are nonetheless expected to maintain robust ICT risk management. The regulation’s requirements span several key areas:
1. ICT Risk Management:
Financial institutions must establish and be accountable for an internal ICT risk management framework, integrated into the overall risk management strategy.
2. Reporting and Information Sharing:
Firms must have systems in place for managing and reporting ICT incidents, ensuring customer protection.
3. Digital Resilience Testing:
Regular IT security testing, including penetration tests, is expected, with deficiencies addressed and reported to authorities.
4. Management of Third-Party Risks and Supplier Contract Requirements:
Financial institutions must integrate ICT third-party risks into their risk strategy and comply with the regulation’s requirements, even when outsourcing services.
European regulators are in the process of establishing technical ICT security standards and criteria for classifying ICT incidents, as well as identifying critical ICT third-party providers.
What Does Enzure Do?
At Enzure, we recognize the importance of both the NIS 2 Directive and DORA in the cybersecurity landscape. Cyber threats are a global challenge that requires a concerted, multi-level approach. As part of our commitment to cybersecurity, we utilize Nimblr’s system to cover the training and awareness aspects mandated by DORA. Nimblr offers security awareness training to enhance individuals’ and organizations’ ability to assess cybersecurity risks. We also provide tools to measure the effectiveness of our service and track user progress.
In response to DORA’s requirements, we are exploring new services to support our ‘DORA-rated’ customers, including reporting support and testing capabilities. With our expertise in cybersecurity and Nimblr’s comprehensive training solutions, we are well-equipped to assist organizations in navigating the DORA regulation and enhancing their digital operational resilience.
Enzure is here to help your organization comply with DORA and strengthen your cybersecurity defenses.
Article 13(6) of the DORA Regulation states:
“Financial entities shall develop ICT security awareness programmes and digital operational resilience training as compulsory modules in their staff training schemes. Those programmes and training shall be applicable to all employees and to senior management staff, and shall have a level of complexity commensurate to the remit of their functions. Where appropriate, financial entities shall also include ICT third-party service providers in their relevant training schemes in accordance with Article 30(2), point (i).”
Security Awareness Training is a method for preparing both individuals and organizations to face cyber threats, enhancing their ability to assess cybersecurity risks. Nimblr offers this type of training, along with education, information, and feedback. We also provide customers with the opportunity to gauge the effectiveness of our service and track user progress through our ‘Awareness Level’.
In addition to these existing services, we are exploring avenues to develop offerings that support our ‘DORA-rated’ customers in their security efforts, such as reporting support and testing capabilities. Suggestions for additional services are highly welcome. You know your organizations; we know cybersecurity.
The DORA Regulation applies to the following entities:
(For further details, refer to Regulation (EU) 2022/2554, Article 2).
Payment and transaction:
- Credit institutions
- Payment institutions
- Account information service providers
- Electronic money institutions
Investment firms and trading:
- Investment firms
- Central securities depositories
- Central counterparties
- Trading venues
- Trade repositories
Investment and fund management:
- Managers of alternative investment funds
- Management companies
(Exceptions for managers of alternative investment funds under Article 3(2) of Directive 2011/61/EU).
Credit and financing:
- Credit rating agencies
- Crypto-asset service providers
- Crowdfunding service providers
Insurance:
- Insurance and reinsurance undertakings
- Insurance intermediaries
- Reinsurance intermediaries
(Exemptions for insurance and reinsurance undertakings as defined in Article 4 of Directive 2009/138/EC, insurance intermediaries, reinsurance intermediaries, and ancillary insurance intermediaries which are microenterprises or small or medium-sized enterprises).
Pension and social security:
- Institutions for occupational retirement provision
(Exceptions for institutions for occupational retirement provision that operate pension schemes which together do not have more than 15 members in total).
Data and technology:
- Data reporting service providers
- ICT third-party service providers
Other financial actors:
- Securitisation repositories
- Administrators of critical benchmarks
(Exemption for natural or legal persons exempted pursuant to Articles 2 and 3 of Directive 2014/65/EU, and for post office giro institutions as referred to in Article 2(5)(3) of Directive 2013/36/EU).