Krisztián Valter
DORA overview
The Council of the European Union has formally adopted the Digital Operational Resilience Act (DORA), a regulation introduced to ensure that digital infrastructure, including the systems and networks underpinning critical services in the financial sector, is secure and resilient to potential threats.
The objectives of DORA
DORA aims to improve the cybersecurity and operational resilience of all regulated European financial institutions and of the key third parties that provide ICT-based services to them. Cyber attacks cannot be prevented entirely, but financial stability in Europe can be preserved if organisations limit the impact that cyber threats have on their information and communication technology (ICT).
Who is responsible?
The overall responsibility for the ICT risk management framework and for the other governance obligations imposed by DORA rests with the financial institution's management body, which must review, approve, implement and keep the framework up to date. This requires management to be fully aware of the institution's ICT usage, the ICT services it depends on and its risk profile.
Companies may want to review how reporting lines from ICT teams to senior management work in practice. Financial institutions covered by DORA should designate a senior executive responsible for digital operational resilience and must report major ICT-related incidents to the competent authorities.
The impact of DORA
Although 17 January 2025 may seem a long way off, achieving compliance will be challenging and time-consuming for the organisations concerned. Compliance will be supervised by each organisation's competent authority, and EU member states will have the right to impose sanctions for non-compliance.
Achieving compliance with DORA
The DORA obligations are onerous, and meeting them within the required timeframe will take considerable effort. Although DORA provides a transition period until 17 January 2025, we recommend that covered organisations start preparing immediately.
We propose a phased approach in which the organisations concerned draw up a DORA compliance programme aimed at achieving full compliance by the end of the transition period. From January 2025, non-compliance could lead to severe penalties.
NIS2
Cyber attacks are increasing rapidly every year in all EU Member States. Attackers' activities are being amplified by the accelerating pace of digital transformation and the continuous development of new advanced technologies.
A significant increase in attacks was seen during the Covid-19 pandemic and the Russian-Ukrainian conflict. The European Union has therefore revised the existing NIS law in the form of a successor directive, NIS2, to strengthen the overall level of cyber security in all Member States.
What is NIS2?
The NIS2 Directive is the European Union's response to deepen the existing Network and Information Security (NIS) framework adopted in 2016. NIS2 significantly widens the scope of the existing legislation and tightens the security, incident-reporting and supervisory requirements that apply, in order to strengthen and secure European cyberspace.
The BDO approach
BDO assists your organisation in implementing the measures required under the NIS2 Directive.
We will prepare a gap analysis of your existing measures against the NIS2 requirements and design an implementation project plan, including prioritisation of the individual measures.
Not sure if NIS2 applies to you? We can advise you.