DORA vs. NIS2 vs. PSD2: The Key Differences
Implementation Date
The October 17, 2024, deadline for implementing NIS2 has passed, but organizations have a little longer to comply with DORA because the date for implementation is January 17, 2025. The PSD2 is active throughout the EU, but proposed changes to the regulation are likely to come in within the next few years.
Regulation Type
NIS2 is a directive: it sets minimum requirements that each member state transposes into its own national law, with some discretion over how. DORA is a regulation, and a sector-specific one: it applies directly and uniformly across the EU without transposition and leaves no discretion at member state level. In practice this means the same DORA text is law in every member state from the same date, while NIS2 reaches organizations through national laws that differ in detail and were enacted at different times. Where the two overlap, NIS2 itself provides that sector-specific EU rules with at least equivalent effect take precedence, so for in-scope financial entities DORA applies as lex specialis.
The PSD2 is also a directive: each EU member state transposes it into national law and enforces it through its own legislation and competent authority.
Organizations Impacted
NIS2 applies to organizations operating in the EU that are classified as either “essential entities” or “important entities.” Essential entities are, broadly, large enterprises operating in one of the 11 sectors of high criticality listed in Annex I of the directive (energy, transport, banking, health, digital infrastructure and others). Some entities are essential regardless of size, including qualified trust service providers, top-level domain name registries and domain name system (DNS) service providers, providers of public electronic communications networks, certain public administration entities, any entity designated as critical under the Critical Entities Resilience (CER) Directive ((EU) 2022/2557), and other entities specified by member states.
Important entities under NIS2 are the remaining medium-sized and large organizations in the Annex I sectors and in the further sectors of Annex II that are not classified as essential. Digital providers such as search engines, cloud computing services and online marketplaces are in scope and must meet the directive’s security and notification requirements.
DORA applies to the financial entities listed in the regulation (banks, investment firms, insurers, payment and e-money institutions, crypto-asset service providers and others) and to ICT third-party service providers that European supervisory authorities designate as critical, such as large cloud service providers (CSPs). Its contractual and risk management requirements also reach subcontractors of those providers where they support critical or important functions of a financial entity.
All member states have adopted the PSD2, which applies to banks, financial institutions and other organizations involved in retail payments or providing financial services in the EU. Its primary focus is on EU financial institutions, including payment processors, banks, brokerages and fintech companies. Organizations headquartered outside Europe may still be subject to PSD2 compliance requirements if they have customers or users in the region.
Cybersecurity Compliance
NIS2 compliance focuses on strengthening overall cybersecurity and incident reporting, and on managing cyber risk using “appropriate and proportionate technical, operational and organizational measures.” It covers aspects such as risk analysis, information security policies, incident handling, business continuity and supply chain security.
DORA is more prescriptive than NIS2: it deliberately sets more rigorous requirements for ICT risk management and ICT-related incident reporting than those agreed in NIS2, with specific provisions on the ICT risk management framework, incident response, resilience testing and contracts with ICT third-party providers. Because DORA is lex specialis, it overrides NIS2 wherever the two overlap (for example, reporting requirements) for an organization in the scope of both.
To comply with DORA, organizations must show that they test the ICT systems and applications supporting critical or important functions at least once a year, and that they prioritize, classify and fully remediate the weaknesses and gaps that testing identifies.
Testing requirements for NIS2 compliance vary by country. DORA, by contrast, requires threat-led penetration testing (TLPT) at least every three years for entities identified by their supervisor, alongside a program of yearly assessments and tests, including annual penetration testing of critical applications and systems.
The PSD2 sets out security requirements designed to reduce fraud and the risk of cyberattacks and information security threats in the payments industry. Its key areas of compliance are usually summarized as open banking APIs, Strong Customer Authentication (SCA), customer transparency, rapid complaint resolution and surcharge bans. SCA means that payment service providers and digital banking providers must apply multifactor authentication (at least two of knowledge, possession and inherence) when a customer accesses a payment account online or initiates an electronic payment, not merely at login. Other requirements concern secure access to and sharing of consumer account data: open banking obliges account servicing providers to expose APIs to licensed third-party providers, which enlarges the API attack surface and calls for additional API security measures such as vulnerability identification and mitigation. Relying on third parties to deliver services also obliges organizations to build strong third-party risk management (TPRM) procedures so that risks across the supply chain are identified and addressed.
Incident Reporting Requirements
DORA, NIS2 and the PSD2 all impose strict incident reporting obligations on organizations in terms of administrative burden, pace and follow-up. NIS2 requires an early warning within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours and a final report within one month. DORA’s requirements for incidents classified as “major” follow the same three-stage pattern: an initial notification within 24 hours of becoming aware of the incident (and within four hours of classifying it as major), an intermediate report within 72 hours of the initial notification and a final report within one month. If an incident is first classified as non-major and later reclassified as major, DORA requires the initial notification to be made as soon as the reclassification is identified.
DORA’s reporting schedule mirrors the structure of the major incident reporting rules under the PSD2, which require payment service providers to send an initial report to their national competent authority (in the UK, the FCA) within two hours of detection. Intermediate reports are then required whenever the situation changes significantly, new causes are found or new action is taken, and in any case at least every three business days until the root cause is understood and precise figures are available. The final report is due within two weeks of the service returning to normal.
The PSD2 requires payments firms to have security controls and policies that cover the software and IT systems they use. These security measures can also be used for DORA compliance.
Penalties for Noncompliance
Essential entities that fail to comply with NIS2 face fines of up to €10 million or 2% of total worldwide annual turnover, whichever is higher; important entities face fines of up to €7 million or 1.4% of total worldwide annual turnover, whichever is higher. NIS2 also allows authorities to temporarily bar individuals at chief executive or legal representative level of an essential entity from exercising managerial functions at that entity in cases of persistent noncompliance.
DORA leaves administrative penalties for financial entities to the member states, which must make them effective, proportionate and dissuasive; the figures commonly cited are corporate fines of up to 2% of annual turnover and fines for individuals of up to €1 million, together with fines of up to €500,000 for critical third parties. For critical ICT third-party providers, DORA itself additionally lets the Lead Overseer impose periodic penalty payments of up to 1% of average daily worldwide turnover, charged daily for up to six months, until the provider complies with its oversight requirements.
The PSD2 likewise leaves sanctions to the member states, which must provide effective, proportionate and dissuasive penalties; financial penalties of up to 4% of annual turnover are commonly cited for institutions that fail to meet its requirements.