NIS2 & DORA Bring Tough Fines & Stricter Reporting Obligations: A Guide for Financial Services

What are NIS2 & DORA?

Standing for the Network and Information Security Directive, the NIS Directive is an EU Regulation which details a blanket level of cyber security measures required of all Member States and organisations within them, as well as those with or seeking to establish a footprint in Europe. In 2022, the Official Journal of the European Union published their updates to this Directive in NIS2, which made their regulations more stringent while broadening the scope of who it applies to. One of these amendments differentiated between entities deemed ‘important’ and ‘essential’, whereby the latter, which includes Banking and Finance, will be subject to closer scrutiny and greater penalties regarding their compliance with NIS2 – or lack thereof.

This level of regulated scrutiny will also be heightened by a further EU directive, the Digital Operations Resilience Act (DORA). Similar to NIS2, DORA is described as establishing a ‘comprehensive framework for harmonising digital resilience processes and standards’. However, where NIS2 applies to all business entities within the EU, DORA is specifically designed to ‘strengthen the resilience of digital operations in the financial sector’. Thus, though accounting for similar processes and practices, as we shall outline, the emergence of both NIS2 and DORA represent at least two sets of cyber criteria which financial entities must comply with, not only to avoid legal penalty, but to remain robust in an increasingly dangerous digital environment.

NIS2 and DORA are scheduled to become national law on the 17^th October 2024 and 17^th January 2025 respectively, and it is important to understand both in order to ensure that your business is compliant with their requirements.

NIS2 Requirements

Chapter 4 of NIS2 requires that all Member States of the EU ensure that all of their essential and important entities ‘take appropriate and proportionate technical, operational, and organisational measures to manage the risks posed to the security of network and information systems’. By ‘appropriate and proportionate’, NIS2 directs all such entities to adopt an ‘all-hazards approach’, by which they refer to a baseline set of requirements including:

a. Internal Security Policies: Develop and enforce good essential policies that ensure robust internal security practices.

b. Incident Handling: Establish tested protocols to effectively respond to and manage security incidents.

c. Backup Management & Disaster Recovery: Ensure reliable backup solutions and disaster recovery plans to safeguard data integrity, also ensuring continuity.

d. Supply Chain Security: Maintain mutual responsibilities with partners through clear connections and dependencies to avoid the cascade effect of major incidents.

e. Information Security Maintenance: Ensure the security of your network, including vulnerability handling and disclosure.

f. Ongoing Assessment: Continuously update and monitor information security measures to protect against the ever-changing street smarts of evolving threat actors.

g. Cyber Security Hygiene & Training: Regularly assess and adapt security measures to current threat landscapes, which are often basic and repeated.

h. Cryptography & Encryption: Provide continuous cyber security training promoting best practices among employees, and ensuring Quantum-ready cryptography, a subject of other evolving regulations.

i. Human Resources Security: Implement thorough background checks and enforce security protocols for all personnel.

j. Multi-Factor Authentication: Enhance access control through the use of multi-factor authentication, which is always a feature of successful cyber incidents.

DORA Requirements

DORA is considered a Lex Specialis for financial sector entities, meaning that, where it possesses overlapping or shared regulations and principles with NIS2, DORA takes precedence. Thus, though it is still important to remain aware and informed regarding NIS2 and its requirements, it is more important to be equipped with an acute understanding of DORA.

DORA requires that all financial entities be equipped with an ‘internal governance and control framework’ designed to strengthen their cyber defences, particularly in regards to the transfer of data, risk of corruption, confidentiality and loss of data, and protection from human error. In order to ensure this, DORA insists upon the implementation of the following processes:

a. An information security policy with clearly defined rules to protect the availability, authenticity, integrity, and confidentiality of data.

b. A sound infrastructure management structure which makes use of appropriate techniques and mechanisms, such as those which isolate affected assets in the event of a cyber attack.

c. Policies which limit the physical access to information assets and ICT assets to what is legitimate and approved.

d. Protocols for strong authentication mechanisms based on relevant standards and systems, including the use of encryption.

e. Controls for ICT change management in order to ensure that any changes are recorded, tested, assessed, approved, and verified.

f. Appropriate policies for patches and updates.

Implications for the Finance Sector

Both NIS2 and DORA may appear to establish relatively basic levels of cyber security awareness and defence, however it is important that they are properly implemented and strengthened within your operations.

This is partly due to the financial and reputational losses that can and will impact your organisation in the event of a cyber security breach. In considering financial entities to be essential, NIS2 makes them liable to a fine of up to €10m or 2% of their annual turnover, whichever is higher. Similarly, DORA penalises any instance of non-compliance with a daily fine of up to 1% of the average daily worldwide turnover of the financial entity until compliance is reimposed.

Furthermore, the reporting obligations of both Acts pose significant and specific considerations to financial entities, based on how and when an organisation should bring awareness to a potential or recent cyber security breach. 

• DORA’s Article 10: Detection imposes that financial entities shall ‘have in place mechanisms to promptly detect anomalous activities’, and expands the reporting process in Article 17: ICT-related incident management process to ensure that ‘major’ cyber security incidents are reported to the appropriate management bodies in order to enact mitigation and prevention procedures.

• Similarly, NIS2’s Article 23: Reporting Obligations requires that all essential and important entities promptly identify and report any ‘significant’ cyber security breach or incident to their representative computer security incident response teams (CSIRTs).

There are two main indicators which make an incident ‘significant’ under NIS2: one is that it has affected or caused damage to other entities or persons; the second is that ‘it has caused or is capable of causing severe […] financial loss for the entity concerned’. This is particularly emphatic for organisations which by nature and definition handle and advertise the possession of large amounts of money, a consideration which DORA highlights as an Act specific to the financial sector.

In their classifications of ICT-related incidents which financial entities should use to determine their impact, DORA specifies ‘the criticality of services affects, including the financial entity’s transactions’ as well as ‘the economic impact, in particular direct and indirect costs and losses’. Thus, it is crucial for financial organisations to ensure that their operations are properly barricaded against cyber threats, and that they have airtight contingencies and reporting protocols in place in case they are breached.

Finally, it is important to internalise clear accountability within your organisation. NIS2 makes it clear that the responsibility for the approval, delivery, and maintenance of an essential entity’s cyber security risk-management measure rests with the management bodies of the entity. This includes coordinating cyber security training and the provision of ‘sufficient knowledge and skills to enable them to identify risks and assess cybersecurity risk-management practices’. DORA is even clearer in this regard, specifying that the management body of the financial entity shall ‘bear the ultimate responsibility for managing the financial entity’s ICT risk’. Thus, the stakes are higher for executives and C-suite professionals to ensure compliance, as they will be the ones held accountable for breaches and attacks.

How Cambridge MC can Help

Whether your company is based primarily inside or outside the EU, it is crucial that your organisation complies with NIS2 and DORA by the end of the year if you have any entities or subsidiaries, or currently/plan to conduct work in any EU Member States. In any case, NIS2 and DORA represent aspirational sets of guidelines pertaining to the cyber hygiene of your organisation that would only strengthen it to internalise.



This is particularly salient in a regulatory culture which is increasingly prioritising and scrutinising cyber security. As of April this year, the UK Government implemented minimum security standards to protect consumers and businesses from cyber attacks. These include the banning of easily guessable default passwords; regulations which, like NIS2 and DORA, are seemingly basic yet possess higher stakes for non-compliance.

At Cambridge Management Consulting, we have a team of experienced Cyber Security professionals with decades of combined practical experience in the field, as well as detailed and up-to-date knowledge on all relevant regulations and principles.

To avoid your organisation from being left behind or penalised for a lack of cyber maturity, contact our cyber team to understand your pain points and vulnerabilities—we will work with you to construct, assess, and deliver a comprehensive strategy to resolve them.

Contact John Madelin, our Managing Partner for Cyber Security, or learn more about our Cyber Security capability here.