NIS 2 Directive: Relation to DORA Regulation

EU banks face overlapping obligations under the NIS 2 and CER Directives and the DORA Regulation. The Swedish Bankers' Association (Svenska Bankföreningen) is calling for a harmonised approach that avoids duplicate requirements while preserving cybersecurity and operational resilience in the financial sector.

EU Cybersecurity in the Financial Sector

NIS2 and CER Directives in Relation to the DORA Regulation

Source: Svenska Bankföreningen. Keywords: DORA, NIS2

The Swedish Bankers' Association is taking part in the debate over how the NIS 2 Directive, the Critical Entities Resilience (CER) Directive and the Digital Operational Resilience Act (DORA) interact in the financial sector. Its position is part of a broader response to the EU legislation adopted to raise cybersecurity standards and strengthen the operational resilience of essential financial services.


The NIS 2 Directive, the successor to the original NIS Directive, aims at a high common level of cybersecurity across Member States by strengthening the security of network and information systems. The CER Directive, in turn, establishes a framework to ensure that critical entities in Europe can withstand and recover from disruptions of any kind, not only cyber-related ones. Both directives are central to the EU's security strategy, and as directives each has to be transposed into national law by every Member State (the transposition deadline for both was 17 October 2024).


DORA, which entered into force on 16 January 2023 and applies from 17 January 2025, adds a further layer to the regulatory environment. Unlike the two directives it is a regulation, so it applies directly in every Member State without national transposition. It is written specifically for the financial sector and requires a complete ICT risk-management framework, procedures for handling and classifying ICT-related incidents, incident reporting to competent authorities, regular digital operational resilience testing (including threat-led penetration testing for certain financial entities), and tight control of ICT third-party risk.


Given DORA's precision and scope, the Swedish Bankers' Association favours a simplified regulatory framework. Its concern is that DORA's mandates, although important, overlap with the NIS 2 and CER directives and could create duplicate obligations for banks, for instance parallel incident-reporting regimes with different deadlines and recipients. The Association argues that DORA should be the primary regulatory framework for financial institutions, since its provisions already cover the cybersecurity and resilience objectives of NIS 2 and CER.


Clarity is needed not only to improve compliance efficiency but also so that banks can allocate resources effectively rather than answering possibly redundant demands from several regimes. In the Association's view DORA should be the cornerstone of digital operational resilience in banking, with NIS 2 and CER complementing it where they add something, not duplicating it.


The Association also stresses the importance of a harmonised European regulatory framework. Applying the same rules in the same way across Member States keeps competition between banks fair and supports a secure and robust digital infrastructure across the whole European banking sector.


The ongoing inquiry into how these EU acts are to be implemented nationally shows the commitment of the EU and its Member States to protecting the financial industry from cyber risks and operational disruptions. The Swedish Bankers' Association intends to help shape its outcome so that NIS 2, CER and DORA are implemented in a way that supports cybersecurity, operational resilience and the efficient functioning of the financial market.


As the discussion continues, the financial industry awaits further guidance from regulators and legislators. The outcome will shape how banks in Sweden and across the EU manage the overlapping requirements on operational resilience and cybersecurity.




EU Financial Regulatory Framework: NIS2, CER, and DORA


Through the NIS 2 Directive the European Union has called for higher cybersecurity in all of its essential sectors, banking included. Because of the directive's broad scope, banks must strengthen their digital defences against the growing number of cross-border cyberattacks.


  • Scope and Significance of NIS2:

The directive extends the scope of its predecessor to many more sectors and entity types and pushes for a unified cybersecurity approach across the Union. Banks are expected to raise their cyber defences to meet it; the practical challenge is mapping the NIS 2 requirements onto their existing control frameworks, which calls for careful planning and disciplined execution.


  • Operational Impacts on Banks:

Banks must translate the broad language of NIS 2 into concrete controls for their own operations, which differ considerably between institutions. The directive's scope obliges financial institutions to review their cybersecurity policies thoroughly, identify gaps and implement measures that meet the EU's requirements.




The DORA Regulation: ICT Risk for Financial Institutions


DORA is tailored to the ICT risk landscape of the financial sector. It is not a regulatory body but a regulation: a directly applicable EU act written specifically to protect the digital operations of financial entities and enforced by the existing financial supervisors.


  • DORA's Requirements for Banks:

DORA sets out specific obligations for financial entities, starting with a governance and ICT risk-management framework that can withstand ICT-related disruptions. It prescribes how ICT-related incidents are to be detected, classified, handled and reported, so that banks both anticipate and mitigate ICT risk and can respond quickly and decisively when incidents occur.


  • DORA’s Detailed Requirements:

The regulation also requires regular digital operational resilience testing and close oversight of ICT third-party providers, including contractual requirements and a register of information on all such arrangements. This matters because a modern bank's operations are increasingly entwined with external ICT services, from cloud hosting to fintech partnerships.





The interaction between the DORA Regulation and the NIS 2 Directive requires coordination: a misreading of where one act stops and the other begins can end in non-compliance with either.


  • Potential Overlaps and Gaps:

Banks need to understand the precise differences between the two acts. NIS 2 itself addresses the overlap: its Article 4 provides that where a sector-specific EU act imposes cybersecurity risk-management and incident-reporting obligations at least equivalent to its own, those sector-specific provisions apply instead, and the directive's recitals name DORA as such an act for financial entities. Banks still have to confirm which of their entities and services fall under DORA and which, if any, remain under the national NIS 2 transposition, and align their DORA compliance with the broader cybersecurity objectives that NIS 2 sets. That balancing act requires both a detailed understanding of the regulatory landscape and the ability to build effective, efficient control systems.




The Implications of Regulatory Redundancy on Resource Efficiency


The Swedish Bankers' Association's concerns about redundancy between DORA and the NIS 2 Directive point to a real cost: resources spent on duplicate compliance work could instead improve customer service or strengthen cyber defences.


  • Strategies to Eliminate Redundant Efforts:

Banks are advised to take a single, integrated approach that maps the objectives of DORA and NIS 2 onto one control framework for operational resilience and cybersecurity, implementing each control once and evidencing it for both regimes. This keeps the bank compliant and ensures that every euro of cybersecurity spending strengthens the institution's resilience.




Regulatory Directives: The Future of EU Banking Compliance


The Swedish Bankers' Association's push for a unified approach to the NIS 2 Directive and DORA reflects a wider need for coherence and clarity in the EU regulatory framework.


  • Creating a Level Playing Field:

If all EU banks follow the same strict rules, applied consistently by their supervisors, harmonisation produces both a secure banking environment and a fair, competitive market. Banks could plan and carry out compliance work knowing that meeting the standard in one Member State meets it across the EU, which in turn strengthens the stability of the EU financial system.




NIS 2 & DORA regulation: Shaping the Regulatory Landscape for EU Banks


The outcome of the discussions between the Swedish Bankers' Association and regulators will influence compliance and cybersecurity practice for banks across the European Union.


  • Setting Industry Precedents:

How the EU resolves the interaction between the NIS 2 Directive and DORA could set a precedent for other sectors that face both horizontal and sector-specific regulation. The banking industry's experience offers useful lessons on balancing sector-specific and general regulatory requirements.


The ongoing conversation is not merely procedural; it is a deliberate effort to promote a secure, robust and competitive financial market across the European Union. As the sector changes, the rules that govern it must be flexible, unambiguous and supportive of the ultimate goal of a resilient financial ecosystem.







