Skip to main content
← Back to Insights
Financial Services 13 min read

Financial Services Cybersecurity: DORA & NIS2 Guide

Financial services cybersecurity guide covering DORA compliance, financial sector NIS2 requirements, and PSD2 obligations. Practical implementation strategies for EU financial entities.

TI
Tom Isgren

Key Takeaways

  • DORA (Digital Operational Resilience Act) creates comprehensive ICT risk requirements for financial entities
  • Third-party concentration risk is now a regulatory concern, pushing toward diversification
  • Incident reporting timelines are strict, requiring prepared response procedures
  • Regular resilience testing, including threat-led penetration testing, is mandatory

The Regulatory Framework

Financial services firms in the EU face an increasingly complex regulatory environment for technology and cybersecurity. Understanding how different regulations interact is essential for building compliant infrastructure.

DORA: Digital Operational Resilience Act

DORA, applicable from January 2025, is the most significant cybersecurity regulation specifically targeting financial services. It applies to:

  • Credit institutions (banks)
  • Payment institutions and electronic money institutions
  • Investment firms and fund managers
  • Insurance and reinsurance undertakings
  • Credit rating agencies and crypto-asset service providers
  • Critical ICT third-party service providers

The scope is broad, covering entities from major banks to smaller fintechs. The proportionality principle applies, with requirements scaled to entity size and complexity, but core obligations apply to all. Financial services firms subject to NIS2 should also review our step-by-step NIS2 compliance checklist for concrete implementation actions.

Five Pillars of DORA

  1. 1. ICT Risk Management: Comprehensive framework for identifying, protecting, detecting, responding, and recovering from ICT risks
  2. 2. Incident Reporting: Classification and notification of ICT-related incidents to competent authorities
  3. 3. Resilience Testing: Regular testing including threat-led penetration testing (TLPT) for significant entities
  4. 4. Third-Party Risk: Due diligence, contractual requirements, and monitoring of ICT service providers
  5. 5. Information Sharing: Participation in threat intelligence sharing arrangements

ICT Risk Management Framework

Governance

DORA places ICT risk firmly in the boardroom. Management bodies must:

  • Define and approve the ICT risk management framework
  • Set and oversee implementation of digital operational resilience strategy
  • Approve and periodically review ICT policies
  • Allocate sufficient budget and resources for ICT
  • Maintain appropriate knowledge and skills on ICT matters

This isn't checkbox compliance. Regulators expect genuine board engagement with technology risk, demonstrated through informed decision-making and appropriate challenge.

Risk Identification and Protection

The framework must address:

  • Asset management: Complete inventory of ICT assets, including dependencies
  • Risk assessment: Regular identification and evaluation of ICT risks
  • Protection measures: Controls proportionate to identified risks
  • Change management: Controlled processes for system changes
  • Business continuity: Plans and capabilities for maintaining operations

Incident Reporting Requirements

DORA defines criteria for classifying incidents, including number of clients affected, duration, geographic spread, economic impact, data losses, and critical services affected.

Incident Notification Timeline

  • Initial notification: Within 4 hours of classification as major incident, or 24 hours from detection
  • Intermediate report: Within 72 hours, with updates on handling and impact
  • Final report: Within one month, with root cause analysis and remediation measures

These timelines are demanding. You cannot meet them without prepared templates, clear escalation paths, and practiced procedures.

Third-Party Risk Management

Due Diligence Requirements

Before engaging ICT service providers, entities must:

  • Assess the provider's ability to comply with applicable requirements
  • Evaluate concentration risk and substitutability
  • Review the provider's sub-contractor arrangements
  • Consider the geographic location of service provision and data storage

Concentration Risk

DORA explicitly addresses concentration risk from over-reliance on single providers. Entities must:

  • Identify critical or important functions outsourced to third parties
  • Assess dependencies and potential failure points
  • Develop exit strategies for critical providers
  • Consider multi-provider or hybrid approaches

This creates a strong case for diversifying infrastructure and avoiding lock-in to single cloud providers or technology platforms.

Digital Operational Resilience Testing

All covered entities must conduct regular testing, including vulnerability assessments, network security assessments, gap analyses, physical security reviews, source code reviews, scenario-based testing, and performance testing.

Threat-Led Penetration Testing (TLPT)

Significant entities must conduct TLPT at least every three years:

  • Testing based on realistic threat scenarios
  • Coverage of critical and important functions
  • Use of qualified external testers
  • Coordination with competent authorities

TLPT is based on the TIBER-EU framework, requiring sophisticated red team exercises that simulate real adversaries.

Infrastructure Recommendations

Architecture Principles

For financial services, infrastructure should prioritize:

Self-Hosted Benefits

  • Complete control over data location
  • Reduced concentration risk
  • Simplified regulatory audits
  • No cloud provider exit challenges
  • Clear accountability chain

Cloud Considerations

  • Major providers may become "critical" under DORA
  • Exit strategies required in contracts
  • Sub-processor chains to manage
  • Audit rights often limited
  • Cross-border data concerns

Many financial entities are adopting hybrid approaches: critical processing on controlled infrastructure with cloud for less sensitive workloads, ensuring provider diversification and maintaining exit options.

Recommended Technology Stack

  • Identity & Access: Authentik or Keycloak with hardware token support
  • Secrets Management: HashiCorp Vault for credential storage
  • Monitoring: Prometheus/Grafana for metrics, centralized logging with retention
  • Automation: n8n for workflow automation with full audit trails
  • Communication: Mattermost with compliance features enabled

Implementation Roadmap

1

Assessment

Gap analysis against DORA requirements, third-party provider inventory and risk assessment, current state documentation of ICT systems and dependencies, governance structure review.

2

Framework Development

ICT risk management policy and procedures, incident classification and reporting procedures, third-party risk management framework, testing strategy and schedule.

3

Implementation

Technical controls deployment, monitoring and detection capabilities, business continuity and disaster recovery, training and awareness programs.

4

Validation

Internal testing and exercises, independent assessments, remediation of identified gaps, regulatory engagement as needed.

Common Compliance Gaps

In working with financial services clients, we frequently encounter:

  • Incomplete asset inventories: Unknown systems and dependencies
  • Inadequate third-party oversight: Contracts without required provisions
  • Untested recovery: Backup systems that have never been validated
  • Missing detection capabilities: No visibility into security events
  • Informal incident response: No documented, practiced procedures
  • Board disconnect: Governance without genuine oversight

Need help? We help financial services firms implement infrastructure that meets DORA, NIS2, and PSD2 requirements while enabling efficient operations. Get in touch →