Wed, Oct 30, 2024

DORA vs. NIS2 vs. PSD2: Navigating the Evolving Regulatory Landscape

The legal and regulatory landscape is constantly evolving, and with it the demands placed on organizations. As well as meeting the requirements of existing rules such as the second Payment Services Directive (PSD2, Directive (EU) 2015/2366), companies must now contend with the Network and Information Security Directive (NIS2, Directive (EU) 2022/2555), whose transposition deadline has just passed, and the Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554), which applies from January 2025.

DORA, NIS2 and the PSD2 share a common goal: to strengthen security in organizations across the EU. However, while they all aim to advance consumer security and cyber resilience, they differ in important ways. In this article, we outline the main differences between DORA, NIS2 and the PSD2, with key recommendations to help your organization prepare for them.

DORA: An Overview

DORA applies in full from January 17, 2025. Its aim is to prevent and mitigate cyber threats by establishing a comprehensive information and communications technology (ICT) risk management framework for the EU financial sector. The regulation seeks to ensure that financial entities, and the ICT providers they depend on, mature their cybersecurity and operational processes, safeguard their key systems and enhance the sector's operational resilience.

Under the regulation, in-scope financial entities across all EU member states must understand the ICT risks they face and take steps to ensure they are able to identify, protect against, detect, withstand, respond to and recover from ICT-related threats and disruptions. These measures must be proportionate to the entity's size, risk profile and the criticality of the functions concerned.

NIS2: An Overview

The Network and Information Security (NIS2) Directive (Directive (EU) 2022/2555) seeks to enhance cybersecurity across the EU. NIS2 provides legal measures to boost the overall level of cybersecurity in the EU by ensuring member states’ preparedness, cooperation among the member states, and a culture of security across sectors that rely on ICTs and are vital for society and the economy. NIS2 sets out cybersecurity standardization goals that must be achieved by organizations in all EU countries, with each country required to transpose the NIS2 directive into national laws.

The NIS2 Directive entered into force in January 2023 to update the EU cybersecurity rules introduced in 2016 (the first NIS Directive, (EU) 2016/1148). Its aim is to keep pace with increased digitization and to enhance the resilience and incident response capacities of public and private entities. Because NIS2 goes much further than the first NIS Directive in the level of security it mandates, in-scope organizations must now meet cybersecurity obligations around governance, risk management measures, incident notification, vulnerability handling and disclosure, threat detection, and training.

PSD2: An Overview

The PSD2 (Directive (EU) 2015/2366) is an EU directive that supports a more open, secure and competitive payments landscape in Europe. Its main goal is to provide a legal foundation for the further development of electronic payments within the EU. The PSD2 was a significant evolution of the existing rules for the payments industry, providing the legal framework within which all payment service providers must operate. It succeeded the first Payment Services Directive (PSD1), introduced in 2007 to create a single market for payments in the EU.

A revision of the PSD2 is in development. PSD3 will remain a directive and focus mainly on the licensing and operation of payment service providers. The rest of what the PSD2 currently covers, including most of the obligations placed on banks and other payment service providers, will move into the Payment Services Regulation (PSR), which as a regulation will apply directly in all EU member states without national transposition.

DORA vs. NIS2 vs. PSD2: The Key Differences

Implementation Date

The October 17, 2024, deadline for member states to transpose NIS2 into national law has passed (not every member state met it, so the date on which obligations bite still varies by country), but organizations have a little longer to comply with DORA, which applies from January 17, 2025. The PSD2 is in force throughout the EU, and the proposed PSD3 and PSR revisions are likely to arrive within the next few years.

Regulation Type

NIS2 is a directive: each member state transposes it into national law and may tailor the rules to its own requirements, so NIS2 obligations arrive in different countries at different times and via a range of legislation. DORA is a sector-specific regulation that applies directly and identically in every member state, with no discretion at national level and no transposition step. Although NIS2 is part of the broader cybersecurity regulatory framework, DORA takes precedence where its sector-specific rules apply, through what is known as the lex specialis exemption (NIS2 Article 4).

The PSD2 is likewise a directive: each member state has transposed its provisions into national law and enforces them through its own competent authority.

Organizations Impacted

NIS2 applies to organizations operating in the EU that are classified as either "essential entities" or "important entities." Essential entities are, in general, large enterprises operating in one of the 11 sectors of high criticality listed in Annex I of the directive (such as energy, transport, banking, health, digital infrastructure and public administration). The directive also treats as essential, largely regardless of size: qualified trust service providers, top-level domain name registries and domain name system (DNS) service providers, medium-sized and larger providers of public electronic communications networks or services, central government public administration entities, any entity identified as critical under the Critical Entities Resilience (CER) Directive ((EU) 2022/2557), and other entities designated by member states.

Important entities under NIS2 are the remaining in-scope organizations: medium-sized and large entities in the Annex I and Annex II sectors that do not qualify as essential. Key digital service providers, such as search engines, cloud computing services and online marketplaces, must also comply with the security and notification requirements under the directive.

DORA applies to a wide range of financial entities (including banks, payment and e-money institutions, investment firms, insurers and crypto-asset service providers) and to the ICT third-party service providers that support them. Providers that the European Supervisory Authorities designate as critical, such as major cloud service providers (CSPs), fall under a direct oversight framework, and the subcontractors on which those providers and financial entities rely are drawn in through DORA's contractual and subcontracting requirements.

All member states have transposed the PSD2, which applies to banks, payment institutions, e-money institutions and other organizations involved in retail payments or providing payment services in the EU. Organizations headquartered outside Europe may still be subject to PSD2 requirements if they provide payment services to customers or users in the region.

Cybersecurity Compliance

NIS2 compliance focuses on strengthening overall cybersecurity and incident reporting requirements and on managing cyber risk with "appropriate and proportionate technical, operational and organisational measures." Article 21 lists the minimum areas those measures must cover: risk analysis and information system security policies, incident handling, business continuity and crisis management, supply chain security, security in the acquisition, development and maintenance of systems, vulnerability handling and disclosure, assessment of the effectiveness of the measures, cyber hygiene and training, cryptography and encryption, human resources security, access control and asset management, and the use of multi-factor authentication and secured communications where appropriate.

DORA compliance is more prescriptive than NIS2: its aim is to impose more rigorous requirements on ICT risk management and ICT-related incident reporting than NIS2 does, so it contains specific provisions on the ICT risk management framework, incident response and third-party ICT contracts. As a result, DORA constitutes lex specialis to NIS2 and overrides it where the two overlap, for example on reporting requirements, if an organization is in scope of both.

To comply with DORA (Articles 24 and 25), financial entities must demonstrate that they run an appropriate programme of resilience testing on the ICT systems and applications supporting critical or important functions at least annually, and that they fully address the vulnerabilities the testing identifies. Testing requirements for NIS2 compliance vary by country, whereas DORA requires a range of yearly assessments and tests, including annual penetration testing of critical applications and systems, and threat-led penetration testing (TLPT, Article 26) at least every three years for the financial entities their competent authorities identify.

The PSD2 sets out security requirements designed to reduce fraud and the risk of cyberattacks and information security threats in the payments industry. Its five key areas of compliance are open banking (third-party access to payment accounts through APIs), Strong Customer Authentication (SCA), customer transparency, rapid complaint resolution and surcharge bans. SCA requires payment service providers to authenticate a payer with at least two independent factors (knowledge, possession and inherence) when the payer accesses their account online or initiates an electronic payment, subject to the exemptions set out in the accompanying regulatory technical standards. Other compliance obligations relate to the secure access to and sharing of consumer account data: account-servicing providers must expose that access to licensed third-party providers (account information and payment initiation service providers) through dedicated interfaces, which makes identifying API vulnerabilities and mitigating API security risks a core security task. Reliance on third parties in turn requires organizations to develop strong third-party risk management (TPRM) procedures to identify and address risks throughout their supply chain.

Incident Reporting Requirements

DORA, NIS2 and the PSD2 all place specific incident reporting demands on organizations in terms of administrative burden, pace and follow-up. NIS2 (Article 23) requires an early warning within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours and a final report within one month. DORA (Article 19) requires, for ICT-related incidents classified as "major," an initial notification within four hours of the incident being classified as major and no later than 24 hours after the entity becomes aware of it, an intermediate report within 72 hours of the initial notification, and a final report within one month of the intermediate report, under the technical standards developed by the European Supervisory Authorities.

DORA's incident reporting schedule is modeled on the PSD2 major incident reporting regime set out in the EBA guidelines, under which payment service providers make an initial report to their competent authority (the FCA in the UK) within four hours of detecting a major incident. If an incident is initially classified as non-major and later reclassified as major, the clock for the initial report starts when the reclassification is made; DORA takes the same approach, since its initial notification deadline runs from the moment of classification. Under the PSD2 guidelines, intermediate reports follow every time the situation changes significantly, a new cause is identified or new action is taken, and at least every three business days until the cause of the incident is understood and concrete figures are available, with the final report due within two weeks of the service returning to normal. For payment service providers in scope of DORA, DORA's regime replaces PSD2 incident reporting from January 17, 2025.

The PSD2 also requires payment firms to have security controls and policies that cover the software and IT systems they use. Those same measures can be reused as evidence for DORA compliance.

Penalties for Noncompliance

Essential entities that fail to comply with NIS2 face fines of up to €10 million or 2% of total worldwide annual turnover, whichever is higher; important entities face fines of up to €7 million or 1.4% of total worldwide annual turnover, whichever is higher. NIS2 also makes management bodies accountable: they can be held liable for infringements, and natural persons with managerial responsibilities at essential entities can be temporarily barred from exercising those functions.

DORA does not itself set fixed fine amounts for financial entities. Article 50 leaves administrative penalties and remedial measures to the competent authorities in each member state, requiring only that they be effective, proportionate and dissuasive, so the maximum exposure varies by country. Critical ICT third-party service providers are a special case: the Lead Overseer can impose periodic penalty payments of up to 1% of the provider's average daily worldwide turnover for up to six months until it complies.

The PSD2 (Article 103) likewise leaves penalties to member states, which must ensure they are effective, proportionate and dissuasive; the amounts, and the regulator enforcing them, therefore differ from country to country.

Summary: NIS2 vs. DORA vs. PSD2

Type
  • NIS2: Directive (transposed into national law by each member state)
  • DORA: Regulation (directly applicable in every member state)
  • PSD2: Directive (transposed into national law by each member state)

Implementation Date
  • NIS2: October 17, 2024 (transposition deadline)
  • DORA: January 17, 2025
  • PSD2: Current; PSD3/PSR revisions in progress

Applies To
  • NIS2: Essential and important entities in the sectors of high criticality and other critical sectors (energy, transport, health, space, digital infrastructure, etc.), including managed service providers and managed security service providers, in every member state
  • DORA: Financial entities (banks, insurers, crypto-asset service providers, etc.) and the ICT third-party service providers that support them, with direct oversight of those designated as critical
  • PSD2: Banks, payment institutions, e-money institutions and other organizations involved in retail payments or providing payment services in the EU

Overlap
  • NIS2/DORA: NIS2 is part of the broader cybersecurity regulatory framework, but DORA takes precedence where its sector-specific rules apply (the lex specialis exemption)
  • DORA/PSD2: DORA's incident reporting schedule is modeled on the PSD2 major incident reporting regime, under which payment service providers make an initial report to their competent authority within four hours of detection; DORA replaces PSD2 incident reporting for in-scope organizations
  • PSD2/DORA: The security controls and policies PSD2 requires of payment firms can be reused as evidence for DORA compliance

Areas of Focus
  • NIS2: Strengthening overall security and incident reporting requirements
  • DORA: Complements NIS2 with specific provisions on the ICT risk management framework, incident response, resilience testing and third-party ICT contracts
  • PSD2: Provides a legal foundation for the further development of electronic payments within the EU

Testing Requirements
  • NIS2: Variable, depending on national transposition
  • DORA: A range of assessments and tests every year on systems supporting critical or important functions; threat-led penetration testing at least every three years
  • PSD2: Not specified in detail, but practices must align with security requirements designed to reduce fraud and the risk of cyberattacks and information security threats

Incident Reporting
  • NIS2: An early warning within 24 hours; an incident notification within 72 hours; a final report within one month
  • DORA (incidents classified as "major"): An initial notification within four hours of classification and no later than 24 hours after becoming aware; an intermediate report within 72 hours of the initial notification; a final report within one month of the intermediate report
  • PSD2: Major incident reporting under the EBA guidelines (initial report within four hours of detection); superseded by DORA for in-scope organizations

Penalties for Noncompliance
  • NIS2: Essential entities face fines of up to €10 million or 2% of total worldwide annual turnover, whichever is higher; important entities up to €7 million or 1.4%, whichever is higher; management bodies may be held liable and natural persons with managerial responsibilities at essential entities temporarily barred from those functions
  • DORA: Administrative penalties set by each member state (Article 50); critical ICT third-party providers face periodic penalty payments of up to 1% of average daily worldwide turnover for up to six months
  • PSD2: Penalties set by each member state (Article 103), so amounts vary by country

Complying With DORA, NIS2 and the PSD2: Key Recommendations

  • Review DORA’s proportionality factors to understand if your organization is exempt from specific requirements in Articles 5 to 15.
  • Gain stakeholder buy-in and ensure appropriate governance and reporting are in place, right up to board level.
  • Work with third-party experts to help independently review compliance gaps but also build a roadmap toward operational resilience with clear timescales and owners.
  • Ensure that your chosen provider can also go one step further and help implement the right solutions, policies, processes and services to not only help with compliance but implement long-term solutions that are sustainable and capable of aligning with other regulations.

DORA, NIS2 and the PSD2: Simplify Regulatory Demands with Kroll

Without the right kind of support in place, regulatory requirements can become a heavy burden for organizations. Whether you’re moving into a new financial market or looking to prepare for DORA or NIS2, it is vital to understand which steps to take first and how to minimize the potential demands on your resources. Kroll’s comprehensive suite of operational resilience services, such as cybersecurity assessments and program design, cyber resilience risk management, incident response, business continuity and disaster recovery planning, and third-party risk management can help you achieve this by providing a one-step approach to addressing your regulatory, compliance and risk concerns.

Our expertise enables organizations to meet the requirements of regulations such as DORA, NIS2, General Data Protection Regulation (GDPR), Service Organization Control 2 (SOC2) and PSD2 more efficiently. We offer solutions across the entire DORA maturity lifecycle, addressing all aspects of DORA compliance and maturity, from assessing possible gaps/weaknesses and advising on remediation to implementing the right controls and providing remote managed services.

With a deep understanding of the legislation and standards affecting your industry, our cybersecurity, operational resilience and regulatory compliance experts are able to deliver real insight and value.

We pride ourselves on our global presence and our reputation for technical and industry expertise in building and implementing custom global operational resilience programs that align with many regulations and industry standards.

Our 700+ skilled and certified cybersecurity professionals across the globe are experienced in not only helping clients comply with multiple regulations but staying resilient amid the changing regulatory and operational landscape.

If you’re a financial institution or service provider, discover how our DORA Compliance Assessment can help you on your journey toward digital operational resilience. Otherwise, learn more about our security advisory services.


Cyber and Data Resilience

Incident response, digital forensics, breach notification, security strategy, managed security services, discovery solutions, security transformation.

Cyber Governance and Strategy

Manage cyber risk and information security governance issues with Kroll’s defensible cyber security strategy framework.

Virtual CISO (vCISO) Advisory Services

Kroll’s Virtual CISO (vCISO) services help executives, security and technology teams safeguard information assets while supporting business operations with augmented cyber expertise to reduce business risk, signal commitment to data security and enhance overall security posture.


Data Protection Officer (DPO) Consultancy Services

Kroll's data privacy team provide DPO consultancy services to help you become and stay compliant with regulatory mandates.