Common approach on NIS2 Directive – DORA Regulation, webinar held by Safetech in partnership with the Romanian Banking Institute
Starting with January 17, 2025, the DORA (Digital Operational Resilience Act) Regulation will enter into force at the European Union level, introducing new cybersecurity rules for entities operating in the financial-banking sector. The regulation will, however, be preceded by the transposition of the NIS 2 Directive into national legislation, with a deadline of October 17, 2024. In this context, Safetech Innovations organized, on September 26, 2024, the webinar “NIS2 Directive and DORA Regulation – purpose, requirements and solutions to achieve compliance”. The event aimed to clarify the measures, obligations and technologies imposed on organizations in the financial-banking sector targeted by these regulations. The representatives of Safetech Innovations, Iulian Alecu – Strategic Business Developer and Cătălin Gherghiceanu – Presales Manager, held presentations analyzing the requirements of NIS 2 and DORA, emphasizing the practical implications of their concepts and the actions and technical solutions necessary to achieve compliance.
DORA Regulation, from the perspective of the NIS2 Directive
According to Iulian Alecu, it is essential for organizations to understand exactly how the two European regulations apply, given that both address the financial and banking sectors. From Safetech’s experience, some organizations consider that, with the application of DORA, the NIS 2 Directive is no longer relevant. In reality, both remain valid, but the challenge lies in clarifying the delimitation between the provisions of each, which can generate confusion. Addressing this aspect, Iulian Alecu presented the DORA Regulation from the perspective of NIS 2.
According to NIS 2, DORA is a sector-specific legal act of the EU for the financial-banking area, and it takes priority for the implementation of certain components that NIS 2 also covers. In particular, certain provisions of DORA apply instead of those laid down in the NIS2 Directive, namely those related to information and communication technology (ICT) risk management, ICT incident management (in particular the reporting of major ICT-related incidents), digital operational resilience testing, information-sharing arrangements and ICT risks posed by third parties.
In addition, beyond cybersecurity, the DORA Regulation insists on the concept of “digital operational resilience”. This implies that financial entities must continue to provide their services at the same quality level regardless of the disruptions affecting them or their cause, and must have the capacity to remove the resulting problems from the point of view of information and communication technology.
Iulian Alecu also presented the main provisions of DORA, including the requirements applicable to financial entities and the scope of application. At the same time, the Safetech specialist specified that, according to DORA, the organization’s governing body, i.e. the management, defines, approves, supervises and is responsible for the implementation of all provisions related to the ICT risk management framework, thus bearing the ultimate responsibility.
Technologies, solutions and services for compliance with the NIS2 Directive and the DORA Regulation
Cătălin Gherghiceanu presented what is, from Safetech Innovations’ point of view, the optimal approach and methodology for implementing and complying with DORA, focusing on technologies, solutions and services.
The Safetech manager divided the organisations covered by DORA into entities with direct impact (financial entities and essential ICT third-party service providers) and entities with indirect impact (non-essential ICT third-party service providers). Most entities in the first category are already subject to the rules and regulations of the FSA, the NBR and the NIS 1 Directive, so compliance with DORA will not require major efforts. Although non-essential ICT third-party service providers are not currently supervised by the FSA and the NBR, financial entities will have to take them into account in the risk assessment phase. In order to maintain compliance, financial entities must therefore require third-party providers to meet certain criteria set out in DORA.
While, from Safetech’s perspective, a main benchmark for compliance with NIS 2 is ISO 27001/2, the DORA Regulation itself mentions that it uses the terminology of those ISO standards in order to facilitate communication between the various entities. Another starting point for compliance with DORA is the NIST CSF framework, because the regulation uses a similar set of functions and principles (Identification, Protection and Prevention, Detection, Response and Recovery, etc.). As a result, those who already meet these standards will achieve DORA compliance relatively easily. In this context, the representative of Safetech Innovations analyzed in detail the measures provided for in DORA and presented a guide for preparing compliance with DORA and NIS 2.
At the end of his presentation, Cătălin Gherghiceanu listed a set of cybersecurity technologies, products and services that contribute to achieving compliance with DORA. These include: governance, risk and compliance (GRC) services, SIEM, XDR, BAS, risk management, DiD/Zero Trust architectures, Threat Intelligence services, and training and awareness platforms and services (phishing, social engineering, etc.). Safetech Innovations provides customers with the full range of security technologies and solutions for NIS2 and DORA compliance, including network, data, application and endpoint security.
For more information on how Safetech Innovations’ solutions and services can ensure your compliance with NIS 2 and DORA, our team is at your disposal. Contact us for customized solutions and dedicated cybersecurity consulting, at sales @ safetech.ro or by phone at +40 21 316 0565.