Understanding NIS2 and DORA – What Financial Business Leaders Need to Know

1. What is the EU Digital Operational Resilience Act (DORA)?

DORA is part of the European Commission’s Digital Finance Package and will become directly applicable as an EU regulation in January 2025. Its goal is to ensure financial institutions can withstand, respond to, and recover from all ICT-related disruptions and cyber threats.

2. What are the critical requirements of DORA?

DORA mandates specific actions for financial institutions in the following areas: 

• ICT Risk Management: Implement robust frameworks covering the entire lifecycle of digital systems and processes. 

• Incident Reporting: Ensure detailed reporting of ICT-related incidents to regulators. 

• Operational Resilience Testing: Regular scenario-based testing to assess resilience against cyberattacks. 

• Third-Party Risk Management: Monitor and manage risks associated with ICT service providers, including cloud services.

3. What is the NIS2 Directive?

NIS2 is an update to the original Network and Information Security (NIS) Directive, adopted in December 2022. It enhances security measures for networks and information systems across the EU, imposing stricter obligations on a broader range of sectors, including financial services. Member states must implement it into national law by October 2024.

4. What are the main requirements of NIS2?

NIS2 introduces several essential requirements: 

• Enhanced Risk Management: Organizations must adopt comprehensive cybersecurity measures proportional to their risks. 

• Incident Reporting: Stricter deadlines for reporting significant incidents to authorities. 

• Supply Chain Security: Emphasizes securing the entire supply chain from vulnerabilities. 

• Harmonized Sanctions: Penalties up to 2% of an organization’s global turnover for non-compliance. 

5. How do NIS2 and DORA impact businesses?

Both regulations impose stricter cybersecurity, risk management, and reporting requirements. Businesses must implement robust frameworks to ensure compliance, protect their digital infrastructure, and mitigate risks associated with cyber threats. The harmonization of penalties also means stricter enforcement and higher financial consequences for non-compliance. 

6. What are the implications for supply chain management?

Both DORA and NIS2 highlight the importance of securing the entire supply chain. To avoid disruptions or vulnerabilities, businesses must closely monitor third-party vendors and service providers, ensuring they meet stringent security and risk management standards. 

7. What role does incident reporting play in both regulations?

Incident reporting is a crucial element in both DORA and NIS2. Organizations are required to report ICT-related incidents or cyberattacks to regulatory bodies quickly. This allows authorities to take timely action and reduces the potential damage caused by security breaches. 

8. How can businesses ensure compliance with DORA and NIS2?

Businesses must implement robust risk management frameworks, conduct regular resilience testing, and closely monitor third-party service providers. Additionally, organizations should stay updated on the latest regulatory guidelines and ensure that their incident reporting mechanisms meet the required standards. 

9. How can Swisscom Trust Services help businesses become compliant?

Swisscom Trust Services offers expertise in helping businesses navigate the complexities of DORA and NIS2 compliance. From implementing digital trust services and managing secure digital signatures to ensuring robust third-party risk management, Swisscom helps streamline compliance while improving operational resilience and business potential. 

10. What should businesses consider when implementing measures under NIS2 and DORA?

Key considerations include: 

• Cybersecurity Readiness: Ensuring systems and processes are equipped to handle potential cyber threats. 

• Compliance Monitoring: Regularly reviewing frameworks and policies to meet the new regulations. 

• Third-Party Risk: Establishing clear protocols for monitoring and managing service providers. 

• Digital Trust: Partnering with reliable trust service providers to ensure security and compliance while enhancing business efficiency. 

11. Why is digital trust crucial in light of these regulations?

Building digital trust is vital for maintaining customer confidence and ensuring operational resilience as cybersecurity risks grow. Partnering with a trusted service provider like Swisscom Trust Services helps businesses safeguard their operations, ensure compliance, and unlock new growth opportunities in a secure digital landscape. 

12. Where can I learn more about DORA and NIS2 and how to prepare my business?

Swisscom Trust Services provides a detailed whitepaper on DORA and NIS2, offering insights into the regulations, best practices for compliance, and how businesses can leverage these changes to grow securely. Download the whitepaper from our website to explore more. 

Stay ahead of the curve: Turn compliance into a competitive advantage 

NIS2 and DORA represent a significant shift in how businesses, especially those in the financial sector, manage cybersecurity and operational resilience. As regulatory requirements become stricter, organizations must adopt proactive measures to secure their systems, manage third-party risks, and ensure compliance with reporting standards. Partnering with a trusted provider like Swisscom Trust Services can help businesses meet these challenges head-on and leverage these changes as opportunities to enhance security, operational efficiency, and digital trust. Your organization can thrive in an increasingly regulated and digital world by staying ahead of the curve. 

To learn more about how to navigate these regulations and secure your business, download our comprehensive whitepaper today.