Why the DORA Regulation is not just a ‘financial sector’ version of the NIS2

11 October 2023

“Why after the NIS2, also the DORA Regulation?” It’s a fair question to companies already dealing with a lot of regulatory burden. But there are significant differences between NIS2 and DORA. Although DORA targets the financial sector specifically, these differences extend beyond its scope.

A regulation written for and by the financial sector

Firstly, the origin of the DORA Regulation - the Digital Operations Resilience Act - can be traced back to the Basel Committee on Banking Supervision, rather than the European Union or any of its Member States.

This highlights the fact that the law has been pushed forward from within the financial sector, making discussions about the “real” intentions behind the DORA redundant. One could say it is a regulation written for and by the financial sector.

The DORA Regulation versus the NIS2 Directive

Secondly, there is a notable distinction in terms of harmonization across EU Member States. NIS2 is a directive that allows countries to develop rules based on their specific national needs. In contrast, DORA is a regulation, leaving no room for discretion at the Member State level.

This means we will see an exact copy of DORA in all EU Member States.

This level of legal harmonization not only represents the highest standard within the EU but also demonstrates the Union's recognition of the fragility of the financial market. The memory of the 2008 financial crisis remains vivid, and the interconnectivity of the digital era heightens the priority of cybersecurity. The fear of a potential financial crisis caused by cyberattacks disrupting financial services is certainly very legitimate.

That’s why all Member States must adopt the same rules for their financial sector.

What are the requirements outlined in DORA?

So, what are the requirements outlined in DORA? It follows the same recipe as the NIS2, emphasizing organizational (management frameworks), operational (daily monitoring and incident reporting), and technical measures (penetration testing).

How can Orange Cyberdefense help?

With our extensive experience in cybersecurity, Orange Cyberdefense can be your trusted partner in achieving the necessary level of protection and supporting your compliance efforts with the DORA Regulation.

If you would like to learn more about the specific obligations and recommendations for your company under the DORA Regulation, please contact Jan De Bondt, our Director Audit & Business Consultancy. He is very happy to advise you on this topic.

Talk to an expert

More on regulatory compliance

Security Regulation Compliance

Digital territory and sovereignty

23 January 2024

Cybersecurity
Cybercrime
Cybersecurity
Cybercrime

Forging the Path to a Secure Digital Europe

16 January 2024

Cybersecurity
Cybercrime
Threat

DORA's ICT-risk framework: who's responsible for what?

13 October 2023

What are the key components of the Digital Operational Resilience Act (DORA) that was established by the European Union? And who in your organization is responsible for each component? Find out in this blog.

Cybersecurity
Finance and Insurance
Assess & Advice
Detect & Respond
Compliance
Data Security
Infrastructure Security

Incident Response Hotline

Facing cyber incidents right now?

Contact our 24/7/365 world wide service incident response hotline.

CSIRT

Protect your Microsoft environment!

Upgrade from VPN to SASE!

Protecting people when they are most vulnerable: Security for Healthcare

Managed Detection and Response

Manage your compliance: prepare for NIS2!

The best Hackers on your side!

From awareness to hacking: get trained by the best!

Express-Insights for smarter decision-making: Executive Navigator

Cy-Xplorer: Your #1 source for expert insights on cyber extortion.