The financial sector is increasingly dependent on technology and technology companies for the provision of financial services, but this makes financial services vulnerable to problems with underlying technology, including disruption caused by cyberattacks.
While these risks are partially addressed at a European Union (EU) level through general rules and financial services rules, European legislators believed that a dedicated framework to promote operational resilience in the financial sector was necessary. The result is the Digital Operational Resilience Act (DORA), which introduces a comprehensive framework for effective risk management, cybersecurity capabilities, and third-party risk management to ensure the uninterrupted delivery of financial services.
The Network and Information Systems Directive 2 (NIS2) is the general legal framework aimed at ensuring a high common level of cybersecurity by imposing obligations on organizations to manage cyber risks, report incidents, and cooperate with authorities to improve incident response capabilities.
However, NIS2 applies only partially to finance and has been unevenly implemented in the sector across EU member states. DORA therefore seeks to improve and harmonize operational resilience requirements for all EU financial entities by amending several regulations and by overriding and extending the core provisions of the NIS2 directive that cover cybersecurity measures for the protection of critical infrastructure, adding specific provisions for the financial sector to ensure the resilience of financial services.
In addition to addressing the five main areas of compliance required by the regulation, KuppingerCole Analysts recommends that organizations adopt the concept of a security fabric to support a consistent approach to cybersecurity and to compliance with multiple laws and regulations, including DORA.