NIS 2 and DORA: Fundamental Differences for the Banking Sector

Faced with increasing cyber risks and threats to digital resilience, two key European regulations—NIS 2 (Directive on the Security of Network and Information Systems) and DORA (Digital Operational Resilience Act)—have become central elements of the compliance framework for the banking sector. For compliance officers and banking executives, understanding the fundamental differences between these two regulations is essential for ensuring proactive risk management and effective compliance. This article explores the distinctions between NIS 2 and DORA, focusing on their specific implications for banking institutions.

Sarah Zouaki

10/27/2024 · 4 min read

1. NIS 2 and DORA: A Recap of the Basics

NIS 2, which came into force in 2023 (but must be transposed into the national law of Member States by October 18, 2024), is an evolution of the first NIS Directive of 2016. It aims to strengthen cybersecurity in several sectors deemed critical, including banking, energy, and healthcare infrastructure. For the banking sector, NIS 2 expands its scope to cover a larger number of entities and imposes stricter requirements for managing security risks. Board members are now required to oversee the management of risks related to the security of networks and information systems. Banks must implement robust technical and organizational measures to protect their information systems. A crucial aspect of NIS 2 is the obligation to report any major security incident to the competent authorities within 24 hours. The regulation also underscores the central role of national cybersecurity authorities, such as ANSSI in France, in supervising and monitoring the compliance of banks.

DORA, which will come into force in January 2025 after a 24-month transitional period, specifically focuses on digital resilience in the financial sector. It adopts a holistic approach by enhancing the ability of financial institutions to prevent, withstand, and recover from digital incidents. However, it operates within a more restricted sectoral scope as it specifically targets financial services. DORA integrates the management of ICT (Information and Communication Technology) risks, meaning the risks associated with digital systems and technological infrastructure (networks, software, etc.). DORA aims to ensure the continuity of operations, covering not only cybersecurity but also the management of disruptions to critical systems. Banks are required to adopt a digital resilience strategy encompassing all their operations, systems, and third-party providers. This strategy includes the continuous evaluation of risks, prevention of incidents, and the ability to maintain critical activities in the event of disruptions. DORA also mandates that banks conduct regular tests simulating crisis scenarios to assess the effectiveness of their defense systems and response capabilities. Particular emphasis is placed on managing risks associated with critical third-party providers, notably cloud service providers.

2. What Are the Differences and Similarities Between NIS 2 and DORA for the Banking Sector?

Although NIS 2 and DORA share common goals in terms of security and resilience, their main differences lie in their scope and specific objectives.

NIS 2 covers several critical sectors and focuses primarily on the cybersecurity of networks and information systems. DORA, on the other hand, is exclusively focused on the financial sector and addresses not only cybersecurity but also overall operational resilience. NIS 2 emphasizes the prevention of and response to security incidents, while DORA takes a broader approach, requiring financial institutions to ensure the continuity of critical operations in the event of disruptions, with regular testing and strict governance of third-party providers. Consequently, in terms of responsibilities, the two regulations develop distinct approaches. Under NIS 2, compliance officers must ensure the implementation of effective processes for managing cybersecurity risks and reporting incidents. Under DORA, their role is extended to managing overall digital resilience, involving broader supervision of systems, implementing resilience tests, and managing risks associated with third-party providers.

Despite their differences, NIS 2 and DORA share important commonalities. Both regulations aim to promote a preventive approach to managing risks related to information systems and data to secure financial markets and prevent financial and political risks. The objective is clear: to promote economic and political stability within the European space. They also share similar means to achieve this goal, including continuous testing, regular documentation of actions taken to mitigate risks, a governance and accountability framework before, during, and after incidents, and transparent communication with the entities in charge. They also establish a framework of responsibility for banking institutions in the event of a major incident, with clear outcome obligations, continuous means obligations, and a presumption of fault in the event of an incident, which can be reversed through documentation and maintaining justificatory records. Both regulations, therefore, require a review of the organizational framework related to IT, including the main governance bodies within the responsibility framework. Finally, NIS 2 and DORA introduce severe penalties for non-compliance, with fines of up to 10 million euros or 2% of the global annual turnover.

3. What Strategies Should Compliance Officers in the Banking Sector Adopt?

To navigate the complex regulatory framework imposed by NIS 2 and DORA, compliance officers must adopt integrated and proactive strategies. (i) They must first promote effective coordination between cybersecurity teams, risk management teams, and executives. This involves establishing a framework for monitoring ICT risks, both internal and external. Documenting the measures taken and creating an emergency response unit are essential for a relevant and rapid response in the event of an incident, as is maintaining fluid communication with regulatory authorities.

(ii) Secondly, it is crucial for compliance officers to raise awareness among governance bodies about these new regulatory obligations. This can be achieved, for example, by systematically integrating the requirements of NIS 2 and DORA into the institution's overall risk management strategy, as well as into its budgets and development plans. (iii) Finally, the last focus area concerns raising awareness among all teams about these issues, in close collaboration with the skills development manager. By focusing on continuous training and employee awareness, compliance officers can promote a culture of compliance throughout their organization.

In a context where cyberattacks cost France 2 billion euros in 2022, with an average cost of 58,600 euros per incident, it is essential that compliance officers can justify their compliance actions to their board of directors. The tense geopolitical situation underscores the urgency of increased vigilance against threats such as espionage and "lawfare." Geoffroy Roux de Bézieux, former president of MEDEF FRANCE, highlights the need to improve economic security by placing digital resilience and awareness at the heart of strategic priorities.