Why the DORA Regulation is not just a ‘financial sector’ version of the NIS2

“Why after the NIS2, also the DORA Regulation?” It’s a fair question to companies already dealing with a lot of regulatory burden. But there are significant differences between NIS2 and DORA. Although DORA targets the financial sector specifically, these differences extend beyond its scope.

Firstly, the origin of the DORA Regulation - the Digital Operations Resilience Act - can be traced back to the Basel Committee on Banking Supervision, rather than the European Union or any of its Member States.

This highlights the fact that the law has been pushed forward from within the financial sector, making discussions about the “real” intentions behind the DORA redundant. One could say it is a regulation written for and by the financial sector.

Secondly, there is a notable distinction in terms of harmonization across EU Member States. NIS2 is a directive that allows countries to develop rules based on their specific national needs. In contrast, DORA is a regulation, leaving no room for discretion at the Member State level.

This means we will see an exact copy of DORA in all EU Member States.

This level of legal harmonization not only represents the highest standard within the EU but also demonstrates the Union's recognition of the fragility of the financial market. The memory of the 2008 financial crisis remains vivid, and the interconnectivity of the digital era heightens the priority of cybersecurity. The fear of a potential financial crisis caused by cyberattacks disrupting financial services is certainly very legitimate.

That’s why all Member States must adopt the same rules for their financial sector.

So, what are the requirements outlined in DORA? It follows the same recipe as the NIS2, emphasizing organizational (management frameworks), operational (daily monitoring and incident reporting), and technical measures (penetration testing).

With our extensive experience in cybersecurity, Orange Cyberdefense can be your trusted partner in achieving the necessary level of protection and supporting your compliance efforts with the DORA Regulation.

If you would like to learn more about the specific obligations and recommendations for your company under the DORA Regulation, please contact Jan De Bondt, our Director Audit & Business Consultancy. He is very happy to advise you on this topic.