NIS2 & DORA Bring Tough Fines & Stricter Reporting Obligations: A Guide for Financial Services

John Madelin



What are NIS2 & DORA?


Standing for the Network and Information Security Directive, the NIS Directive is an EU Regulation which details a blanket level of cyber security measures required of all Member States and organisations within them, as well as those with or seeking to establish a footprint in Europe. In 2022, the Official Journal of the European Union published their updates to this Directive in NIS2, which made their regulations more stringent while broadening the scope of who it applies to. One of these amendments differentiated between entities deemed ‘important’ and ‘essential’, whereby the latter, which includes Banking and Finance, will be subject to closer scrutiny and greater penalties regarding their compliance with NIS2 – or lack thereof.


This level of regulated scrutiny will also be heightened by a further EU directive, the Digital Operational Resilience Act (DORA). Similar to NIS2, DORA is described as establishing a ‘comprehensive framework for harmonising digital resilience processes and standards’. However, where NIS2 applies to all business entities within the EU, DORA is specifically designed to ‘strengthen the resilience of digital operations in the financial sector’. Thus, although they cover similar processes and practices, as we shall outline, the emergence of NIS2 and DORA means there are at least two sets of cyber criteria which financial entities must comply with, not only to avoid legal penalty, but to remain robust in an increasingly dangerous digital environment.


NIS2 and DORA are scheduled to become national law on the 17th October 2024 and 17th January 2025 respectively, and it is important to understand both in order to ensure that your business is compliant with their requirements.


NIS2 Requirements


Chapter 4 of NIS2 requires that all Member States of the EU ensure that all of their essential and important entities ‘take appropriate and proportionate technical, operational, and organisational measures to manage the risks posed to the security of network and information systems’. By ‘appropriate and proportionate’, NIS2 directs all such entities to adopt an ‘all-hazards approach’, by which it refers to a baseline set of requirements including:


a. Internal Security Policies: Develop and enforce essential policies that ensure robust internal security practices.


b. Incident Handling: Establish tested protocols to effectively respond to and manage security incidents.


c. Backup Management & Disaster Recovery: Ensure reliable backup solutions and disaster recovery plans to safeguard data integrity, also ensuring continuity.


d. Supply Chain Security: Maintain mutual responsibilities with partners through clear connections and dependencies to avoid the cascade effect of major incidents.


e. Information Security Maintenance: Ensure the security of your network, including vulnerability handling and disclosure.


f. Ongoing Assessment: Continuously update and monitor information security measures to protect against the ever-changing tactics of evolving threat actors.


g. Cyber Security Hygiene & Training: Regularly assess and adapt security measures to current threat landscapes, in which the attacks are often basic and repeated.


h. Cryptography & Encryption: Provide continuous cyber security training promoting best practices among employees, and ensuring Quantum-ready cryptography, a subject of other evolving regulations.


i. Human Resources Security: Implement thorough background checks and enforce security protocols for all personnel.


j. Multi-Factor Authentication: Enhance access control through the use of multi-factor authentication, the absence of which is consistently a feature of successful cyber incidents.


DORA Requirements


DORA is considered a Lex Specialis for financial sector entities, meaning that, where it possesses overlapping or shared regulations and principles with NIS2, DORA takes precedence. Thus, though it is still important to remain aware and informed regarding NIS2 and its requirements, it is more important to be equipped with an acute understanding of DORA.


DORA requires that all financial entities be equipped with an ‘internal governance and control framework’ designed to strengthen their cyber defences, particularly with regard to the transfer of data, the risk of corruption, the confidentiality and loss of data, and protection from human error. In order to ensure this, DORA insists upon the implementation of the following processes:


a. An information security policy with clearly defined rules to protect the availability, authenticity, integrity, and confidentiality of data.

 

b. A sound infrastructure management structure which makes use of appropriate techniques and mechanisms, such as those which isolate affected assets in the event of a cyber attack.

 

c. Policies which limit the physical access to information assets and ICT assets to what is legitimate and approved.

 

d. Protocols for strong authentication mechanisms based on relevant standards and systems, including the use of encryption.

 

e. Controls for ICT change management in order to ensure that any changes are recorded, tested, assessed, approved, and verified.

 

f. Appropriate policies for patches and updates.


Implications for the Finance Sector


Both NIS2 and DORA may appear to establish relatively basic levels of cyber security awareness and defence; however, it is important that they are properly implemented and strengthened within your operations.


This is partly due to the financial and reputational losses that can and will impact your organisation in the event of a cyber security breach. In considering financial entities to be essential, NIS2 makes them liable to a fine of up to €10m or 2% of their annual turnover, whichever is higher. Similarly, DORA penalises any instance of non-compliance with a daily fine of up to 1% of the average daily worldwide turnover of the financial entity until compliance is reimposed.


Furthermore, the reporting obligations of both Acts pose significant and specific considerations to financial entities, based on how and when an organisation should bring awareness to a potential or recent cyber security breach. 


  • DORA’s Article 10: Detection requires that financial entities shall ‘have in place mechanisms to promptly detect anomalous activities’, and expands the reporting process in Article 17: ICT-related incident management process to ensure that ‘major’ cyber security incidents are reported to the appropriate management bodies in order to enact mitigation and prevention procedures.

 

  • Similarly, NIS2’s Article 23: Reporting Obligations requires that all essential and important entities promptly identify and report any ‘significant’ cyber security breach or incident to their representative computer security incident response teams (CSIRTs).


There are two main indicators which make an incident ‘significant’ under NIS2: one is that it has affected or caused damage to other entities or persons; the second is that ‘it has caused or is capable of causing severe […] financial loss for the entity concerned’. This is particularly pertinent for organisations which by nature and definition handle, and advertise the possession of, large amounts of money, a consideration which DORA highlights as an Act specific to the financial sector.


In its classification of ICT-related incidents, which financial entities should use to determine their impact, DORA specifies ‘the criticality of services affected, including the financial entity’s transactions’ as well as ‘the economic impact, in particular direct and indirect costs and losses’. Thus, it is crucial for financial organisations to ensure that their operations are properly barricaded against cyber threats, and that they have airtight contingencies and reporting protocols in place in case they are breached.


Finally, it is important to internalise clear accountability within your organisation. NIS2 makes it clear that the responsibility for the approval, delivery, and maintenance of an essential entity’s cyber security risk-management measures rests with the management bodies of the entity. This includes coordinating cyber security training and the provision of ‘sufficient knowledge and skills to enable them to identify risks and assess cybersecurity risk-management practices’. DORA is even clearer in this regard, specifying that the management body of the financial entity shall ‘bear the ultimate responsibility for managing the financial entity’s ICT risk’. Thus, the stakes are higher for executives and C-suite professionals to ensure compliance, as they will be the ones held accountable for breaches and attacks.

 

How Cambridge MC can Help


Whether your company is based primarily inside or outside the EU, it is crucial that your organisation complies with NIS2 and DORA by the end of the year if you have any entities or subsidiaries in, or currently conduct or plan to conduct work in, any EU Member State. In any case, NIS2 and DORA represent aspirational sets of guidelines for the cyber hygiene of your organisation, and internalising them would only strengthen it.



This is particularly salient in a regulatory culture which is increasingly prioritising and scrutinising cyber security. As of April this year, the UK Government implemented minimum security standards to protect consumers and businesses from cyber attacks. These include the banning of easily guessable default passwords: regulations which, like NIS2 and DORA, are seemingly basic yet carry higher stakes for non-compliance.


At Cambridge Management Consulting, we have a team of experienced Cyber Security professionals with decades of combined practical experience in the field, as well as detailed and up-to-date knowledge on all relevant regulations and principles.


To prevent your organisation from being left behind or penalised for a lack of cyber maturity, contact our cyber team to understand your pain points and vulnerabilities; we will work with you to construct, assess, and deliver a comprehensive strategy to resolve them.


Contact John Madelin, our Managing Partner for Cyber Security, or learn more about our Cyber Security capability here.

