The importance of cybersecurity and operational resilience in the financial sector has never been more pronounced. The European Union (EU) has been at the forefront of addressing these critical issues, enacting comprehensive legislation to safeguard the digital infrastructure and ensure the continuity of financial services. Two pivotal pieces of legislation in this domain are the Directive on Security of Network and Information Systems 2 (NIS 2 Directive) and the Digital Operational Resilience Act (DORA). While both aim to bolster the security and resilience of the financial sector, they approach the goal from different angles, creating a complementary framework that addresses a broad spectrum of challenges.
Understanding NIS 2 and DORA
NIS 2 Directive: A Broader Scope for Enhanced Security
The NIS 2 Directive, succeeding its predecessor NIS 1, represents a significant step forward in enhancing the security of network and information systems across the EU. It extends the scope of its application beyond critical sectors to include medium and large entities in important sectors such as banking and financial market infrastructures, digital providers, and public administrations, among others. The directive requires these entities to adopt risk management measures and to report significant cyber incidents. NIS 2’s broader applicability reflects the EU’s recognition of the interconnected nature of cybersecurity threats and the need for a unified response across all sectors.
DORA: Specialized Focus on Financial Sector Resilience
DORA, by contrast, is tailored to increasing the digital operational resilience of the financial sector. It sets forth requirements for all entities operating within the financial services sector, including banks, insurance companies, investment firms, and even critical third-party service providers, such as cloud computing services. DORA emphasizes the need for a comprehensive approach to risk management, requiring entities to establish and maintain resilient digital operations. This includes the ability to withstand, respond to, and recover from all types of ICT (Information and Communication Technology)-related disruptions and threats.
Key differences between NIS 2 and DORA
While NIS 2 and DORA share the common goal of enhancing the security and resilience of the EU’s digital infrastructure, there are several key differences between the two frameworks:
Scope and Application
NIS 2: Applies to a wide range of sectors deemed essential for the economy and society, extending beyond the financial services to include energy, transport, health, and digital infrastructure, among others.
DORA: Specifically targets entities within the financial sector, focusing on the unique challenges and requirements of financial services operations.
Regulatory Requirements
NIS 2: Emphasizes the need for entities to take appropriate and proportionate technical and organizational measures to manage cyber risks. It also mandates incident reporting within a specific timeframe.
DORA: Goes further in detailing the requirements for ICT risk management, including the need for a dedicated risk management framework, incident reporting, digital operational resilience testing, and management of third-party ICT service providers.
Third-Party Risk Management
NIS 2: While NIS 2 addresses the security of supply chains and service provider relationships, its requirements are generally broader and less specific than those in DORA.
DORA: Provides detailed expectations for managing third-party risk, including the need for contractual arrangements that ensure access, audit, and information-sharing rights. It also introduces an oversight framework for critical third-party service providers.
Testing and Audits
NIS 2: Requires entities to take necessary measures to prevent and minimize the impact of incidents but is less prescriptive about the nature of these measures.
DORA: Specifies the need for regular ICT-related testing, including digital operational resilience tests for significant entities. It also outlines requirements for internal audit capabilities to assess ICT risk management frameworks.
Reporting Obligations
NIS 2 and DORA both require incident reporting but differ in their specifics, such as the timelines for reporting and the threshold for what constitutes a reportable incident. DORA’s requirements are more tailored to the operational realities of financial services.
Complementary nature of NIS 2 and DORA
Despite their differences, NIS 2 and DORA are not mutually exclusive; rather, they complement each other, creating a robust framework for cybersecurity and operational resilience across different sectors. For financial services, adhering to both sets of regulations means meeting the specific sectoral requirements under DORA while also aligning with the broader cybersecurity standards set forth in NIS 2. This dual compliance ensures that financial entities contribute to the overall resilience of the EU’s financial market infrastructures and, at the same time, support wider efforts to secure the EU’s digital economy.
Implementation challenges and considerations
The implementation of NIS 2 and DORA presents a unique set of challenges for financial services entities, especially in terms of resource allocation, compliance costs, and the complexity of managing third-party risks. Entities must navigate these challenges by developing comprehensive risk management strategies that align with both directives, investing in technology and talent, and fostering a culture of resilience and continuous improvement.
How Aqua helps you meet the requirements of DORA
Aqua is committed to the highest standards of cybersecurity, aligning with the critical requirements of both the NIS 2 Directive and the Digital Operational Resilience Act (DORA). Our approach, strengthened by our own solutions, not only ensures the security of our Software-as-a-Service (SaaS) platform but also supports our customers in meeting their regulatory obligations under these frameworks.
Aqua’s Cloud Native Application Protection Platform (CNAPP) helps organizations meet the necessary cybersecurity and operational resilience standards set forth by both regulations, with a strong focus on managing risks associated with third-party dependencies. One of the key features of Aqua is its ability to generate a comprehensive Software Bill of Materials (SBOM) for applications. Aqua’s SBOM provides a detailed inventory of all the components used in an application, enabling organizations to identify and assess the risks associated with each package.
In addition to SBOM generation, Aqua aligns with the key pillars of DORA, providing financial institutions with the necessary capabilities to identify, protect, detect, respond, and recover from ICT risks. With Aqua’s comprehensive Cloud Native Security Platform, organizations can proactively manage their ICT risk landscape, ensure prompt reporting of significant incidents, conduct regular resilience testing, and maintain oversight of the software supply chain for third-party ICT providers. Aqua’s Platform ensures robust security across the entire software development lifecycle—from the initial stages of the software supply chain through runtime.
Conclusion
In conclusion, while NIS 2 and DORA serve different purposes and target different aspects of the digital ecosystem, their goal is the same: to create a safer, more resilient digital environment for the EU’s economy and society.
DORA specifically targets the financial sector to bolster ICT risk management through five key pillars. The aim is to create a harmonized set of rules across European Union member states, ensuring a consistent approach to managing ICT risks. As cyber threats continue to evolve, the collaborative framework provided by NIS 2 and DORA will be instrumental in protecting the financial sector and ensuring its ability to withstand and recover from digital disruptions.
For financial services, understanding the nuances of each framework and how they complement each other is crucial for achieving compliance and fostering operational resilience. We invite you to download our whitepaper, which further details the five key pillars of DORA and how Aqua helps meet the requirements.