“Regulatory Clarifications on DORA and NIS 2 for the Security of Financial Institutions”


As the application dates of two key European cybersecurity regulations approach, namely DORA (the Digital Operational Resilience Act, Regulation (EU) 2022/2554) and the NIS 2 Directive (Directive (EU) 2022/2555 on network and information systems security), the relationship between the two has had to be clarified for the financial sector. The clarification rests on the principle of “lex specialis”: NIS 2 itself (Article 4) provides that where a sector-specific Union act imposes cybersecurity risk-management or incident-notification obligations at least equivalent in effect to its own, those sector-specific provisions apply instead. DORA is such an act for financial entities, so for entities subject to both regulations DORA takes precedence over NIS 2 in those areas.

What does this mean in practice? Banks, insurance companies, investment firms, and other financial entities in scope of DORA will need to treat DORA as the primary regulation for their digital operational resilience. The reasoning is straightforward: the NIS 2 Directive sets baseline security requirements applicable across many critical sectors and must be transposed into national law by each Member State, whereas DORA is a directly applicable Regulation designed specifically for the particular and systemic risks of the financial sector. Consequently, DORA contains significantly more detailed and prescriptive requirements than NIS 2.

This distinction is a real advantage for financial institutions, particularly for compliance teams and Chief Information Security Officers (CISOs). For the obligations that the lex specialis rule covers, cybersecurity risk management and incident reporting, it removes the need to reconcile two overlapping frameworks and lets these professionals concentrate on implementing the controls DORA requires. These controls include, among other things, an ICT (information and communication technology) risk-management framework, classification and reporting of major ICT-related incidents, digital operational resilience testing up to and including Threat-Led Penetration Testing (TLPT) for the entities required to perform it, and ICT third-party risk management, including contractual requirements and a register of information on all ICT service providers.

However, it is essential to emphasize that NIS 2 does not disappear entirely from the landscape for financial institutions. Some entities within a financial group may fall outside the scope of DORA while remaining subject to NIS 2 as essential or important entities under national transposition, so compliance with both regimes may still be necessary in certain contexts. In addition, many ICT service providers to banks, such as cloud, data-centre and managed service providers, are not designated as “critical ICT third-party service providers” under DORA's oversight framework but do fall under NIS 2 in their own right. Their NIS 2 obligations therefore shape the security posture of the entire supply chain, and a financial entity's DORA third-party risk assessment should take into account which of its providers are NIS 2 entities.

Clarity about the relationship between DORA and NIS 2 is therefore crucial for effective cybersecurity management in financial institutions. It simplifies regulatory compliance without weakening protection against cyber risk, and it supports more robust operational resilience. It is a significant step toward a safer European financial environment, in which institutions can operate with greater confidence and preparedness against increasingly sophisticated cyber threats.

Finally, we invite all readers to stay updated and follow us on our social media profiles for further insights and news on cybersecurity and digital resilience. Cybersecurity is a critical issue, and staying connected with us can make a difference in keeping informed about how to meet the challenges ahead.
