
A guide to NIS2 and DORA implementation and compliance

As organisations face critical regulatory deadlines, emagine’s cybersecurity expert Trine Øksnebjerg explores lessons learned since DORA’s introduction in January 2023 and provides essential guidance ahead of its roll-out in January 2025.

The evolving landscape of digital resilience

Navigating the complexities of new regulations can be challenging for any organisation, especially when compliance involves significant operational changes and a re-evaluation of risk at the highest levels.

During a recent webinar hosted by Niall Kitson of TechCentral.ie, industry experts including Trine Øksnebjerg, Consultant Director at emagine, alongside representatives from the Irish Institute of Directors (IoD), PwC, and Integrity360, explored the intricacies of the Digital Operational Resilience Act (DORA) and the NIS2 directive.

The discussion underscored the crucial role of boardroom decision-making in achieving compliance and building resilience.

The evolution of DORA

Introduced in January 2023, DORA aims to enhance the digital resilience of the financial sector. Organisations face a critical deadline of 17 January 2025 to achieve compliance. This has spurred a flurry of activity, from recruiting the right talent to refining processes. The recent introduction of the AI Act, with full compliance expected by 2026, adds yet another layer of regulatory complexity.

Progress varies significantly across organisations. During the webinar, a participant poll revealed telling statistics:

  • One-third of organisations are partially compliant
  • Another third are in the planning stages
  • The remaining third significantly lag behind, raising concerns about their ability to meet deadlines

While some progress is evident, non-compliance carries significant risks, including financial penalties of up to 2% of annual worldwide turnover and heightened vulnerability to cyberattacks.

Managing risk effectively

Compliance with DORA and NIS2 fundamentally revolves around understanding and managing risk. Unfortunately, many executives struggle to grasp the full scope of these regulations, often delegating responsibility to IT or cybersecurity teams. According to Bill McCluggage of the IoD, 84% of executives fall into this category – a strategy that often conflicts with broader business processes.

Successful compliance strategies require a more integrated approach, starting with a shift in the Chief Security Officer (CSO) role. CSOs must bridge the gap between technical jargon and business implications, translating risks into terms the board can understand, such as financial impact or operational disruption.

The evolving role of the chief security officer

As organisations recognise the strategic importance of the CSO, their placement within the corporate hierarchy is shifting. Whether reporting to the Chief Information Officer (CIO), Data Protection Officer (DPO), or directly to the board, the CSO’s role is to align security measures with business objectives.

Effective CSOs focus on:

  • Communicating the business impact of technical issues in plain language
  • Aligning security measures with the organisation’s risk appetite and operational priorities
  • Building sustainable compliance frameworks integrated with existing processes

It's important to remember that compliance is not a one-time task – it's a process that needs continuous attention.

Organisations must:

  • Tailor compliance strategies to their size, industry, and maturity
  • Leverage existing frameworks rather than starting from scratch
  • Ensure board members and managers understand the digital landscape to make informed decisions

Mature organisations, accustomed to regulatory environments, often have a head start. However, others can succeed by balancing risk control with business efficiency and fostering a culture of accountability at the top. Buy-in can be a challenge, but it’s extremely important if you want to create organisational synergy.

The power of collaboration

The journey to compliance extends beyond individual organisations. Engaging with regulators fosters a two-way dialogue, ensuring smoother rollouts and better alignment with regulatory expectations. For example, financial institutions in Denmark exemplify effective collaboration with regulators.

AI compliance presents a similar challenge. While a quarter of businesses have a roadmap, most lack actionable strategies. Regulations like the AI Act aim to create a more secure European digital ecosystem, benefiting organisations, stakeholders, and investors.

By understanding and embracing compliance requirements, organisations can turn regulatory challenges into opportunities for growth and resilience.

Key takeaways

Compliance with DORA and NIS2 requires strategic boardroom engagement, effective risk communication by CSOs, and a sustainable, integrated approach. With the January 2025 deadline approaching, organisations must act decisively to avoid significant penalties and operational vulnerabilities.
