by ThinkCyber | Reading time: 9 minutes
In the financial services industry, there’s little room for error when it comes to cyber behaviours. Amidst the AI boom, there’s of course huge opportunity for businesses to streamline efficiencies and supercharge productivity, but in equal measure, AI has brought a tidal wave of advancing threats.
In response to an increasingly risky landscape, recent regulation - specific to the financial sector - has been introduced or updated as a way for financial institutions to keep up and stay protected.
In this guide, we’ll walk you through the European Union’s NIS2 Directive and Digital Operational Resilience Act (DORA), covering exactly what they are and what you need to do to keep your business compliant and protected.
The Network and Information Systems Directive (NIS2) is the European Union's new and updated cyber security framework, aiming to enhance cyber security across critical sectors (such as finance) by establishing a high common level of security for network and information systems.
In a post-Brexit UK, NIS2 will continue to impact UK businesses, especially those operating within or providing services to the EU. Understanding NIS2's implications is crucial for UK financial services firms aiming to protect their customers, keep robust cyber protocols and comply with the latest regulations.
NIS2 replaces the original NIS Directive of 2016 in response to the onslaught of new cyber threats, broadening its scope to include additional sectors and imposing stricter cyber security requirements. The directive mandates that both essential and important entities implement comprehensive cyber security measures, report significant incidents, and ensure the resilience of their network and information systems.
For financial services, this encompasses banks, insurance companies, payment service providers, and investment firms operating within the EU.
NIS2 is mandatory for financial services businesses operating within the EU. It applies to entities that provide essential and important services (such as those mentioned above), including those in the financial sector. These businesses are required to comply with the cyber security risk management and incident reporting obligations outlined in the directive.
To support your compliance with NIS2, we’ve put together a handy checklist:
1. Evaluate your existing cyber security measures and identify gaps
Action: If you don’t have in-house cyber security expertise, hire a cyber security consultant to first audit your organisation’s cyber security posture. It’s also crucial to assign clear roles and responsibilities for all of the necessary NIS2 compliance tasks.
2. Get strict on your access control
Action: Ensure you have robust identity governance so you can block unauthorised access to systems and users to prevent a data breach. Centralise user management to have complete visibility and control over who has access to what.
3. Establish your incident reporting protocol
Action: Decide who reports what and how timely reporting will be carried out in the event of a significant cyber security breach.
4. Ensure your ransomware defences are robust
Action: Debilitating ransomware attacks have been one of the biggest motivations behind NIS2. Implement endpoint privilege management to proactively defend against ransomware.
5. Engage employees in real-time, relevant cyber awareness training
Action: Incorporate modern training that embeds Zero Trust cyber principles into your workplace culture. RedFlags by ThinkCyber is a revolutionary response to prevent employees’ risky behaviour in real-time using in-the-moment “nudges” and relevant awareness training.
6. Make sure business continuity and disaster recovery plans are in place
Action: Always be prepared if the worst happens through a diligent disaster recovery and business continuity plan that includes Recovery Time Objectives. Develop and regularly test these plans to ensure critical business functions can continue during and after a cyber security incident. This includes data backups, alternative communication channels, and predefined roles and responsibilities.
7. Manage supply chain risks
Action: Assess the cyber security posture of third-party vendors and integrate security requirements into contractual agreements. Regularly review and monitor third-party access to your systems to ensure complete security from end to end.
8. Comply with legal and industry standards
Action: As well as understanding the difference between the original NIS Directive and NIS2, ensure your strategies align with SOX compliance (which is relevant to the finance sector).
Postures and standards such as the NIST SP 800 series, ISO/IEC 27001, CIS Controls, and MITRE ATT&CK are robust and recognised frameworks that will be beneficial to review.
9. Employ comprehensive security solutions
Action: Does your security technology have the capability to defend against even the most advanced threats? Implement solutions such as SIEM (Security Information and Event Management), SOAR (Security Orchestration, Automation, and Response), and UEBA (User and Entity Behaviour Analytics) tools to ensure your financial services are as protected and defended as possible.
10. Maintain communication with regulatory bodies
Action: Keeping open channels of communication with the relevant authorities will help you stay informed about the latest developments and need-to-know information.
The Digital Operational Resilience Act (DORA) is another European Union regulation to consider. It came into force on January 16, 2023, with compliance required by early 2025.
DORA has been put in place to enhance the digital operational resilience of financial entities within the EU by establishing uniform requirements for:
Like with NIS2, DORA is another compliance requirement for businesses operating within the EU.
DORA’s requirements are stringent, ensuring you have robust operational resilience across ICT-related disruptions and cyber threats.
1. Determine DORA applicability
Action: Assess whether your organisation falls within DORA's scope, including various financial entities and critical third-party ICT service providers. You can use Scope 2 to assess this.
Action: Evaluate your current ICT risk management frameworks against DORA's standards to identify areas needing improvement.
3. Develop a remediation plan
Action: Create a detailed plan to address identified gaps, prioritising actions based on risk assessment and resource availability. What security measures and technologies will you implement to address these gaps?
4. Identify critical third-party ICT providers
Action: Like with the NIS2 regulations, it’s important to determine which third-party providers are essential to your operations and ensure they comply with DORA's requirements too.
5. Implement Threat-Led Penetration Testing (TLPT)
Action: Conduct TLPT at least every two years to simulate real-world cyberattacks and assess how robust your defences are.
6. Establish an incident response plan
Action: Develop clear procedures for detecting, managing, and reporting ICT-related incidents, including communication protocols with regulators.
7. Maintain continuous ICT monitoring
Action: Regularly monitor and assess risks within your ICT systems, keeping an updated inventory of information assets (as instructed by Article 8).
8. Define responsibilities and accountabilities
Action: Ensure your board oversees security policies and approves digital resilience strategies, aligning them with overall business objectives.
9. Maintain strict documentation practices
Action: Keep thorough records of risk assessments, incident reports, testing results, and training materials to support audits and demonstrate compliance. You never know when you may need them; if you do, you’ll need access to them quickly.
10. Implement training and awareness programs
Action: Possibly the most important action: educate employees on cyber security risks and best practices, fostering a culture of security within your organisation.
By systematically addressing each of these areas, your organisation can enhance its digital operational resilience and ensure compliance with DORA.
While NIS2 and DORA are EU regulations, their impact extends beyond EU borders. UK financial institutions operating in the EU or providing services to EU clients must comply with these regulations too.
However, the UK government has recently developed its own cyber security framework - the Cyber Security and Resilience Bill (CS&R) - which aligns closely with the EU’s updated regulations.
Announced in the summer of 2024, the new post-Brexit bill is an updated version of the existing Network and Information Security Regulations Act 2018. Ultimately, the Bill’s goal is to enhance the UK’s cyber defences and resilience against hostile attacks.
The CS&R Bill has introduced compulsory ransomware reporting and extended the regulatory remit to include a broader range of entities, aligning more closely with EU standards. For example, both the CS&R Bill and NIS2 emphasise timely reporting of significant cyber security breaches: an initial report is to be sent within the first 24 hours, and detailed reports within 72 hours.
Cyber defences in the financial services industry are arguably more important than any other. One breach can have disastrous impacts from all angles: your current customers, your business, legalities, and your reputation.
If you’re operating within the EU, you could face fines of up to €2 million or 2% of annual turnover for DORA non-compliance. For NIS2 non-compliance, fines are much steeper at €10 million or more, or 2% of global annual revenue. On top of this, legal sanctions can be ordered, such as top management being held personally liable for gross negligence.
Your employees are the biggest risk to your business. And as stark as that sounds, research shows that risky behaviours taken by uninformed employees cost businesses millions each year.
Active measuring by ThinkCyber represents a much more proactive, dynamic, and modern way to tackle cyber security, which is why leading businesses like Dr Martens have adopted our solutions into their everyday work.
To find out how active measuring and modern cyber awareness training can transform your organisation’s security, book a free demo today.