Securing critical organisations

Together, the EU’s Digital Operational Resilience Act and its second Network and Information Security Directive look to toughen up the cybersecurity measures of financial institutions and other ‘critical’ organisations. In-House Perspective explores how in-house teams can help ensure compliance.
Two pieces of legislation aimed at beefing up the cybersecurity measures of financial institutions and other ‘critical’ organisations have recently come into force across the EU. Together, they place an increased compliance onus on companies and their boards that’ll require input from in-house legal teams to provide both guidance and assurance.
The EU’s Digital Operational Resilience Act (DORA), which has applied since 17 January, aims to strengthen the defences of financial services companies against potential cyberattacks – as well as organisational responses – so that the sector, and not only individual institutions, remains robust and intact. Previously, financial institutions were mandated to manage the main categories of operational risk primarily through the allocation of capital rather than through any other kind of operational resilience.
The regulation sets rules on information and communication technology (ICT) risk management, incident reporting, operational resilience testing, risk monitoring of ‘critical’ third-party IT suppliers and information and intelligence sharing with regulators. It also makes boards directly responsible and accountable for proper implementation. DORA’s scope is broad and almost all financial entities operating within the EU are in scope – this includes lenders, Fintechs, trading venues, crowdfunders, crypto entities, investment companies, insurers, credit rating agencies and payments providers.
ICT providers deemed ‘critical’ by EU supervisory authorities – which will include several Big Tech companies and major IT outsourcers – will also face a significant level of regulation of a kind they’ve probably not encountered before.
The EU’s second Network and Information Security Directive (NIS2), meanwhile, requires operators of critical infrastructure and essential services – including those in energy and water, transport, banking and financial market infrastructures, healthcare and digital infrastructure – to implement appropriate cybersecurity measures and report any incidents to the relevant authorities. The Directive isn’t just about organisations ensuring their own security and resilience are adequate, but also that of suppliers.
Under NIS2 – which extends to anyone trading in the EU – organisations need to be able to make an initial report of ‘significant incidents’ within 24 hours. This needs to be followed by a detailed assessment within 72 hours and then a final report within 30 days. Organisations covered under the legislation also have a duty to inform authorities of suspected cyberthreats. Furthermore, the Directive makes boards and senior management directly liable for cybersecurity and says they must approve and oversee the risk management measures deployed by their organisation.
‘Significant shift’
The introduction of DORA and NIS2 marks a ‘significant shift’ in cybersecurity and operational resilience expectations for companies operating in the EU, says Domenico Colella, Vice-Chair of the Cybersecurity Subcommittee of the IBA Technology Law Committee. While these regulations provide much-needed structure for cyber risk management in a landscape of rising threats, he says, they also introduce complex compliance challenges that many organisations are only beginning to grasp. ‘The overall challenge is not just ensuring legal compliance, but also guiding the organisation through a practical, risk-based approach that aligns with business objectives,’ says Colella, who’s Senior Partner at Italian law firm Orsingher Ortu.
Non-compliance with DORA can result in serious sanctions from EU Member State regulators, including financial penalties up to two per cent of a company’s total annual worldwide turnover, or one per cent of daily global turnover, as well as the removal of authorisations to conduct regulated business. For individuals, penalties can reach up to €1m. Critical third-party ICT providers face even higher fines of up to €5m – or €500,000 for individuals within those companies – if they fail to meet DORA’s standards.
Non-compliance with NIS2, meanwhile, can also result in severe penalties. For a breach of its reporting obligations, an ‘essential’ organisation can receive a maximum fine of €10m or two per cent of worldwide annual turnover for the previous financial year – whichever is higher – while fines for ‘important’ entities can be up to €7m or 1.4 per cent of worldwide annual turnover, whichever is higher. In addition, senior managers and executives at essential entities can be temporarily banned from discharging managerial functions if their organisation doesn’t meet a supervisory authority’s deadlines.
Julian Hamblin, Senior Vice-Chair of the IBA Technology Law Committee, believes DORA and NIS2 add a new level of rigour to cybersecurity risk management. He also believes that in-house legal teams can be of particular help by ensuring boards adequately understand the regulatory and compliance obligations relating to cybersecurity as they apply to the business.
In-house counsel, he says, need to ensure their organisations have a process in place for keeping up to date with these obligations – including communicating with applicable regulatory bodies and staying aware of guidance they may produce – and for regularly updating the board. ‘Regardless of whether the general counsel has a seat at the table, the board should have cybersecurity as a standing agenda item,’ says Hamblin, who’s a partner at law firm Trethowans in the UK.
Working with relevant colleagues, in-house legal departments need to be prepared to help put in place procedures for risk assessments and documenting compliance, says Hamblin, as well as for monitoring third-party relationships and dependencies, including contractual terms that may need strengthening where DORA or NIS2 obligations must be flowed down to subcontractors or into the supply chain. They also may need to assist with incident response plans and with reporting to regulators.
Achieving regulatory harmony
One of the key challenges for companies under the scope of both sets of legislation, says Colella, is that DORA and NIS2 aren’t standalone regulations – they must be harmonised with existing laws, such as the EU General Data Protection Regulation, financial rules and national cybersecurity legislation, as well as industry standards, such as ISO 27001 on information security management, which often overlap. ‘This is where legal teams must take the lead,’ says Colella. ‘On the one hand, they must navigate regulatory complexity by clearly explaining all associated risks so that the board can make informed decisions. On the other hand, they should help companies leverage existing compliance frameworks (whether legally required or voluntarily adopted), making the compliance effort more efficient and reducing duplication of work,’ he says.
Since both regulations make boards accountable for compliance failures, Colella believes in-house counsel can use this as an opportunity to show management that they can provide deeper assurance in areas where executives may typically feel the legal function lacks resource or expertise. ‘Rather than viewing these regulations as merely another layer of burdensome compliance, forward-thinking legal teams can use them to add tangible value,’ he says. ‘Notably, corporate counsel should act as a bridge between the CISO [chief information security officer] and the board, ensuring cybersecurity is not just an IT concern but a strategic business priority. In my view, this would result in legal teams being regarded as trusted board partners, helping to close the gap between regulatory demands, operational resilience, and business objectives.’
Colella says conducting thorough gap analysis is crucial to find areas where assurance may be lacking. ‘Companies must assess where their existing cybersecurity policies, reporting processes and resilience measures fall short, with particular attention to vulnerabilities in governance and incident response frameworks,’ he says.
Tight reporting deadlines require companies to establish real-time threat detection, escalation protocols and internal reporting workflows, says Colella, while examining supply chain security is also critical. ‘Contractual due diligence is a priority as companies must oversee vendors, ICT providers, and critical infrastructure partners. DORA, in particular, details mandatory provisions for ICT contracts with vendors and suppliers. As a result, in-scope companies must update their standard agreements and review existing contracts through an addendum to ensure compliance with the updated legislation,’ he explains.
First steps to compliance
Complying with NIS2, however, ‘starts with figuring out if your company is considered “essential” or “important,”’ says Julian Brownlow Davies, Global Vice President of advanced services at cybersecurity company Bugcrowd. While the emphasis is on ‘large’ organisations in ‘critical’ sectors, the Directive probably applies to more organisations than would first appear.
He warns that it’s better for companies to believe they’re covered under the rules, even if indirectly, rather than think they’re not. Even businesses that don’t consider themselves part of ‘critical infrastructure’ may find themselves indirectly impacted if they supply or partner with a regulated entity. The distinction between ‘essential’ and ‘important’ might seem narrow at first glance, says Brownlow Davies, but by the time they parse the definitions and exemptions, companies may find it easier to simply assume they need to comply ‘rather than risk falling through the cracks’.
Commentators generally agree that the first step for businesses in their NIS2 compliance efforts is to gain a comprehensive understanding of their current supply chain security posture. This involves mapping out and tiering all suppliers, assessing their cybersecurity measures and identifying potential points of vulnerability. By prioritising the highest-risk areas, organisations can then focus their efforts where they’ll have the greatest impact.
Beyond this, companies will need to develop and implement robust cybersecurity policies and procedures. Tailored cybersecurity requirements for suppliers, building security into contract negotiations and ensuring that both parties are held accountable for compliance are key. Similarly, regular penetration testing, real-time monitoring and detailed incident response plans are all critical in mitigating the impact of a cyberattack. Training and awareness are also essential.
Joost Schmaal, Chair of the Outsourcing and Managed Services Subcommittee of the IBA Technology Law Committee, says companies in ‘direct scope’ of both NIS2 and DORA – while admittedly, this comprises a small group of some types of financial services institutions – could, and should, focus on DORA only, ‘as DORA is a lex specialis to NIS2 and overrules the ICT risk management requirements and incident reporting obligations set out in NIS2’.
His advice is for organisations to ‘identify which act is applicable and to what extent’. After knowing which to focus on, he says, companies should conduct a gap analysis to identify any missing elements in respect of ICT risk management, incident reporting processes and, where relevant, third-party risk management. ‘Even though the total set of requirements are extensive, most companies will not have to start from scratch in ensuring ICT operational resilience and addressing cybersecurity risks,’ says Schmaal, who’s a partner at Dutch law firm Kennedy Van der Laan. ‘The outcome of the gap analysis will show what is needed to achieve DORA or NIS2 compliance.’
In Schmaal’s view, there’s a valuable opportunity for the in-house legal function to gain a solid understanding of the legal requirements contained in DORA and NIS2. By doing so, he says, ‘they can bridge the gap between management and specialists that are engaged for implementing these requirements’. In-house teams can also provide the board with assurance on DORA and NIS2 compliance by maintaining the overview and reporting on the level of compliance. Additionally, they can help the board by translating complex legal requirements into clear and concise policies, further contributing to the company’s compliance, says Schmaal.
Contractual matters
There’s some evidence to suggest that some companies have struggled with implementing DORA’s requirements within the two-year timeframe provided. For instance, research by Orange Cyberdefense, a specialist cybersecurity business, found that 43 per cent of the UK financial services industry has probably missed the deadline. This has led some commentators to believe that some financial services companies are keen for a majority of the compliance work to sit with the IT companies they contract with. For example, some financial institutions are trying to push DORA compliance obligations – and costs – onto IT providers by renegotiating contracts so the tech services they provide are categorised as ‘critical’ or ‘important’, even if they’re not.
By doing so, these financial companies are effectively passing some of the compliance ‘burden’ onto third parties who are then obligated to provide more assurance. Organisations may also be using DORA as an opportunity to renegotiate vendor relationships more broadly, demanding enhanced transparency, data-sharing capabilities and resilience reporting.
But while tightening contractual clauses may enhance compliance, it doesn’t absolve companies of their responsibility under DORA as boards remain ultimately accountable. Further, pushing DORA’s compliance requirements back on to IT services providers could backfire as it may lead to strained relationships with third-party providers, as well as even greater reliance upon them because they’re responsible for elements of DORA compliance. Ultimately, the result also might be reduced internal preparedness through a lack of in-house expertise.
Duncan McMeekin, a legal director at law firm Browne Jacobson in London, says one of the key challenges facing EU financial entities is the potentially significant work required to fulfil DORA’s third-party risk management requirements, in particular the remediation of a financial entity’s contractual arrangements with ICT third-party service providers (‘ICT TPPs’).
Contract remediation programmes can often involve a large volume of contracts and be a time-consuming and resource-intensive exercise, particularly given the reliance on an ICT TPP’s willingness to engage in meaningful negotiations. As a result, says McMeekin, financial entities should consider a ‘pragmatic and proportionate approach’ tailored to their business to achieve compliance in the most efficient way possible. For example, financial entities may wish to adopt a ‘deemed acceptance’ approach to the contract remediation process, such as issuing a contract addendum on a non-negotiable basis. Further, engaging with ICT TPPs in a collaborative way increases the likelihood of eliciting better engagement from them, as they’ll be inundated with similar remediation requests from other financial entities, he says.
‘An understanding of an organisation’s ICT contract landscape and the use of standard terms and conditions is key for an in-house counsel to assess the scope of work required to comply with DORA,’ says McMeekin. ‘In-house counsel can ensure that an efficient approach is taken which circumvents the need to include or negotiate all of the DORA contractual requirements as many of them will already be covered.’
From a contractual remediation perspective, says McMeekin, financial entities should identify and map ICT TPPs and contractual arrangements – including intra-group – to each financial entity, categorising those which support critical or important functions. They should also collate existing contracts and engage with ICT TPPs and amend relevant agreements in line with DORA requirements. Although there are a few ‘new’ contractual requirements, says McMeekin, many of DORA’s contractual requirements should already be contained in comprehensive ICT contracts and are broadly in line with existing financial services regulations, such as the European Banking Association’s (EBA) guidelines on outsourcing and the European Securities and Markets Authority’s (ESMA) document on outsourcing to cloud service providers.
Board strategy
McMeekin says the fact that there’s personal liability for board members and substantial penalties for non-compliance ‘means there will be vigorous scrutiny from board members’. Consequently, he adds, there will probably ‘be a greater reliance on in-house counsel to provide practical advice to the board and the business as a whole.’ Being ICT resilient has significant business and commercial benefits, he says, and will ‘allow financial entities to better mitigate and manage any future ICT-related disruptions’.
In-house counsel should also consider being central in providing training to board members on key DORA topics and risks. ‘If managed properly, these sessions would provide comfort to the board that the in-house team has the credibility and expertise to manage ICT risks from a legal perspective,’ says McMeekin. And since DORA will probably touch most of the key functions of the business, he adds that it’s key that in-house counsel understand and build relationships across the organisation in order to understand the risks at an enterprise level. This will allow in-house counsel to ‘assess risk at a more holistic level which will be key to building trust with the board,’ he says.
In theory, enforcement of both sets of rules should be uniform across the EU. But many don’t expect it to be. Instead, enforcement will probably vary between Member States, reflecting differences in regulatory culture, resources and expertise. With regards to DORA, countries with more mature regulatory frameworks and strong financial sectors, such as France, Germany and the Netherlands, will probably take a lead, while others might allow some time for the new regime to settle before considering enforcement.
NIS2 may also be enforced unevenly. EU Member States were required to transpose NIS2 into their national legislation by 17 October 2024. However, at the time of writing only four countries – Belgium, Croatia, Italy and Lithuania – had done so. At the end of 2024 the European Commission had initiated infringement proceedings against the remaining 23 Member States.
The IBA’s Legal Policy & Research Unit has a dedicated page, including guidelines and reports, on cybersecurity at https://www.ibanet.org/LPRU/Cybersecurity
Neil Hodge is a freelance journalist and can be contacted at neil@neilhodge.co.uk