A guide to NIS2 & DORA implementation and compliance

Here, emagine’s cybersecurity expert Trine Øksnebjerg explores the lessons learned since DORA’s introduction in January 2023 and ahead of its roll-out in January 2025.

Navigating the complexities of new regulations can be challenging for any organisation, especially when compliance involves significant operational changes and a re-evaluation of risk at the highest levels.

During a recent webinar hosted by Niall Kitson of TechCentral.ie, industry experts, including Trine Øksnebjerg, Consultant Director at emagine, alongside representatives from the Irish Institute of Directors (IoD), PwC, and Integrity360, explored the intricacies of the Digital Operations Resilience Act (DORA) and the NIS2 directive.

The discussion underscored the crucial role of boardroom decision-making in achieving compliance and building resilience.

The Evolution of DORA

Introduced in January 2023, DORA aims to enhance the digital resilience of the financial sector. Organisations face a critical deadline of January 17, 2025, to achieve compliance. This has spurred a flurry of activity, from recruiting the right talent to refining processes. The recent introduction of the AI Act, with full compliance expected by 2026, adds yet another layer of regulatory complexity.

Progress varies across organisations. During the webinar, a participant poll revealed that:

One-third of organisations are partially compliant.
Another third are in the planning stages.
The remaining third significantly lag behind, raising concerns about their ability to meet deadlines.

While some progress is evident, non-compliance carries significant risks, including financial penalties, of up to 2% of annual worldwide turnover, and heightened vulnerability to cyberattacks.

Managing risk

Compliance with DORA and NIS2 fundamentally revolves around understanding and managing risk. Unfortunately, many executives struggle to grasp the full scope of these regulations, often delegating responsibility to IT or cybersecurity teams. According to Bill McCluggage of the IoD, 84% of executives fall into this category, a strategy that often conflicts with broader business processes.

Successful compliance strategies require a more integrated approach, starting with a shift in the Chief Security Officer (CSO) role. CSOs must bridge the gap between technical jargon and business implications, translating risks into terms the board can understand, such as financial impact or operational disruption.

CSOs must bridge the gap between technical jargon and business implications, translating risks into terms the board can understand, such as financial impact or operational disruption.

The Evolving Role of the Chief Security Officer

As organisations recognise the strategic importance of the CSO, their placement within the corporate hierarchy is shifting. Whether reporting to the Chief Information Officer (CIO), Data Protection Officer (DPO), or directly to the board, the CSO’s role is to align security measures with business objectives.

Effective CSOs focus on:

Communicating the business impact of technical issues in plain language.
Aligning security measures with the organisation’s risk appetite and operational priorities.
Building sustainable compliance frameworks integrated with existing processes.

That leads on to building a sustainable approach to compliance. It’s important to remember that compliance is not a one time task, it’s a process that needs continuous attention. Organisations must:

Tailor compliance strategies to their size, industry, and maturity.
Leverage existing frameworks rather than starting from scratch.
Ensure board members and managers understand the digital landscape to make informed decisions.

Mature organisations, accustomed to regulatory environments, often have a head start. However, others can succeed by balancing risk control with business efficiency and fostering a culture of accountability at the top. Buy in can be a challenge, but it’s extremely important if you want to create organisational synergy.

Collaboration

The journey to compliance extends beyond individual organisations. Engaging with regulators fosters a two-way dialogue, ensuring smoother rollouts and better alignment with regulatory expectations. For example, financial institutions in Denmark exemplify effective collaboration with regulators.

AI compliance presents a similar challenge. While a quarter of businesses have a roadmap, most lack actionable strategies. Regulations like the AI Act aim to create a more secure European digital ecosystem, benefiting organisations, stakeholders, and investors.By understanding and embracing compliance requirements, organisations can turn regulatory challenges into opportunities for growth and resilience.