Author: Geraldine Critchley

DORA and NIS2 - Is there a new audit chaos in the financial sector?

The two European legal acts are intended to strengthen cyber security in the EU's financial industry. However, the coexistence of two regulations could also lead to unnecessary bureaucracy. Ingolf Rauh, Head of Product and Innovation Management at Swisscom Trust Services, suggests harmonizing audit procedures and consolidating responsibilities.

Cyber attacks pose a significant threat to companies across all industries. As the risks continue to grow, the EU has introduced new regulations, directives, and rules to address the issue. Financial institutions are particularly interested in NIS2 and DORA. While these regulations do enhance resilience, banks and their software suppliers often want more collaboration among the bodies responsible for drafting the laws and directives, and closer coordination among the individual member states of the European Union.


What is the difference between the two regulations?

NIS2 (Network and Information Security 2) harmonizes cybersecurity requirements for many areas of the EU's basic services and vital infrastructure. It encompasses comprehensive requirements, introduces high penalties that extend to the management level, establishes reporting channels, and promotes cybersecurity capabilities. EU member states must transpose this directive into national law by October 2024. However, potential variations in implementation across different countries can create challenges for multinational companies like banks and lead to an uneven competitive landscape among the EU countries.

DORA (Digital Operational Resilience Act) is a regulation, which means it is a directly applicable European law that will affect the member states in 2025. While NIS2 still emphasizes risk management, DORA focuses on operational stability in the financial sector. The aim is to ensure that the sector can withstand cyberattacks and that financial services remain accessible. The determination of penalties is left to the national authorities.

Both regulations prioritize the supply chain, requiring software suppliers to actively participate in risk management and the assessment of operational stability. DORA specifically highlights the importance of conducting pen tests and security checks every three years, whereas NIS2 mandates a security audit at least once every two years in Germany.


Too many responsibilities

However, challenges arise when it comes to responsibilities. In the case of NIS2, the audit competence in Germany lies with the BSI or BaFin. Similarly, Article 46 of DORA involves multiple authorities, such as the ECB and BaFin, responsible for ensuring compliance with the regulations.

In the field of trust services, the European Telecommunications Standards Institute (ETSI) is presently developing requirements encompassing NIS2. This approach aims to maintain the consistency of the audit scheme and reporting chain for trust services. A similar approach would also be beneficial in the financial sector. It is crucial to avoid situations where incidents are lost amidst the complexities of different official responsibilities, leading companies to maintain extensive reporting organizations solely for responding to breaches. The costs associated with achieving the necessary cyber resilience will ultimately be passed on to customers by financial institutions and other entities impacted by NIS2. Therefore, it is in the best interests of consumers to consolidate and simplify responsibilities, as well as harmonize audits and certifications.