Martin Maas CISO
28 November 2023

Preparing for DORA (and NIS2) – what are we going to do?

IT security within the ecosystem becomes a policy and strategic cornerstone for financial institutions.

Digital resilience and cybersecurity. We talk about it a lot at Solvinity. In fact, we have IT security at the forefront of everything we do. With the imminent introduction of the Digital Operational Resilience Act (DORA), financial organizations are now compelled to take a proactive stance in managing IT risks and fortifying their defenses against cyber threats. This article delves into what sets DORA apart, its implications, and how to effectively prepare for compliance.

Understanding DORA: Mandatory Compliance by 2025

Come January 17, 2025, businesses must adhere to the provisions set forth by DORA, an extension of NIS2 and GDPR. DORA aims to empower financial organizations to enhance their IT risk management and resilience against cyber threats. The regulation establishes uniform standards for delivering digital financial services, streamlines existing cybersecurity regulations within the sector, and mandates consistent reporting for financial service providers and their ecosystem partners.

DORA applies to 21 different types of businesses in the financial sector, spanning credit institutions, payment service providers, crypto asset service providers, insurers, pension funds, investment firms, and trading platforms among others. Partners in this ecosystem are for instance software suppliers, FinTech/InsurTech companies and cloud service providers such as Solvinity.

Yes – the entire financial ecosystem.

The focus on the entire chain makes this regulation different. DORA explicitly targets this ecosystem, understanding that the whole is only as strong as its weakest link. There is no bank, insurer, pension fund, or investment fund – to name a few – that has its IT provision 100% in-house. In fact, an insurer with more than 1000 employees uses on average 100 different software applications. Since the beginning of 2023, the FinTech market in the Netherlands consists of 861 companies. Additionally, various cloud providers and IT service providers play a role in facilitating digital (money and information) flows.

Financial institutions need to map their entire IT landscape to understand the risks. Fortunately, all participants in the ecosystem share a common interest: protecting their reputation and continuity.


Are we talking about five or six pillars?

While officially comprising five pillars, DORA introduces an additional layer of “Governance” within the “ICT Risk Management” pillar, making it the de facto sixth pillar. This emphasis on governance is pivotal because it assigns clear responsibilities: those overseeing ICT risk management must actively assume this role and can be held accountable by regulators. Consequently, this puts a burden on executives to upskill in IT matters, transforming IT security into a board-level concern and potentially bridging the gap between business and security.

The five pillars are:

  1. ICT Risk Management (including Governance): This involves proactively establishing risk management for IT systems, akin to the NIST model. Governance plays a crucial role, ensuring active involvement of executives with the requisite knowledge and skills.
  2. Management, Classification, and Reporting of ICT-Related Incidents: Focused on incident response and minimizing their impact, organizations must have a structured process for monitoring, addressing, and documenting ICT-related incidents.
  3. Tests for Digital Operational Resilience: Digital systems require regular testing to ensure resilience, encompassing standard vulnerability scans and “threat-led penetration tests.” Crucial systems must undergo at least annual testing with frequent vulnerability and threat assessments.
  4. Monitoring ICT Risk from Third-Party Providers: Organizations must establish and monitor specific agreements and risk management practices for third parties in the financial ecosystem, including cloud providers and software vendors.
  5. Information Exchange: Facilitating the exchange of information about cyber attacks and vulnerabilities among organizations, authorities, and networks to enhance collective cybersecurity.

A Security Gap Analysis for a better roadmap

A proactive approach is imperative for DORA compliance. Organizations must compare their current IT measures against DORA requirements to formulate a roadmap leading up to January 2025. Solvinity, in collaboration with Securify, offers Security Gap Assessments based on CIS controls, providing organizations with structured insights to enhance their resilience systematically.

In the field of IT security, Solvinity not only possesses expertise and experience but also holds certifications and provides SOC 1 and SOC 2 assurance reports. On top of that, we also have a SOC 2 assurance for managed Microsoft Azure environments, and we assist financial institutions with hybrid cloud platforms in bolstering their resilience. Collaborating with Securify, our partner in prevention, we adopt a unique risk-based approach through continuous reality checks, crafting and implementing a prevention roadmap to fortify resilience across code, apps, infrastructure, and organization levels.

Curious about how we can help you assess your resilience? Reach out to us for a consultation.

Navigating NIS2 and DORA

A Coordinated Approach

Understanding the relationship between NIS2 and DORA is crucial. NIS2 aims to safeguard the continuity and integrity of vital sectors, including financial institutions. DORA, as a ‘lex specialis’ in comparison to NIS2, introduces more detailed rules and takes precedence where specificity is concerned. Both directives impose reporting obligations, with NIS2 also encompassing reporting of ransomware attacks and vulnerability abuse.

The care obligations under NIS2 include system monitoring and implementing adequate security measures to prevent and mitigate cyber threats. DORA acts as a more specialized regulation, providing detailed rules, and takes precedence over NIS2 in specific areas.

In conclusion, navigating the complex landscape of DORA and NIS2 demands a strategic and holistic approach. The interconnected nature of the financial ecosystem underscores the need for a coordinated effort to enhance cybersecurity resilience across the entire value chain. Compliance is not merely a regulatory necessity but a strategic imperative to safeguard reputations and ensure operational continuity in an increasingly digitized financial landscape.
