DORA vs. NIS2 vs. PSD2: Navigating the Evolving Regulatory Landscape

The legal and regulatory landscape is constantly evolving, continually intensifying the demands placed on organizations. As well as meeting the requirements of existing regulations such as the Payment Services Directive 2 (PSD2), companies must contend with the upcoming introduction of the Network and Information Security Directive or NIS2 (Directive (EU) 2022/2555) and the Digital Operational Resilience Act (DORA).

DORA, NIS2 and the PSD2 share a common goal: to strengthen security in organizations across the EU. However, while they all aim to advance consumer security and cyber resilience, they differ in important ways. In this article, we outline the main differences between DORA, NIS2 and the PSD2, with key recommendations to help your organization prepare for them.

DORA vs. NIS2 vs. PSD2: The Key Differences

Implementation Date

The October 17, 2024, deadline for implementing NIS2 has passed, but organizations have a little longer to comply with DORA because the date for implementation is January 17, 2025. The PSD2 is active throughout the EU, but proposed changes to the regulation are likely to come in within the next few years.

Regulation Type

NIS2 is a directive that allows countries to develop rules based on their particular requirements, while DORA is a sector-specific regulation that allows no discretion at the member state level. Although there will be an exact copy of DORA in all EU member states, each EU country will be able to transpose the NIS2 directive into specific national laws at different times and via a range of legislation. Although NIS2 is part of the broader cybersecurity regulatory framework, DORA takes precedence where sector-specific rules apply, through what is known as a lex specialis exemption.

The PSD2 is a regulatory framework, with each EU member state able to individually adopt PSD2 regulations and implement them under their own laws.

Organizations Impacted

NIS2 applies to organizations operating in the EU that are defined as either “essential entities” or “important entities.” Essential entities include companies that are categorized as large enterprises and provide essential services to customers, in one of the 11 critical sectors, including trust service providers, domain name system (DNS) service providers, public electronic communication networks, public administration entities, any critical entity defined by the Critical Entities Resilience (CER) Directive ((EU) 2022/2557), and other entities specified by member states.

Important entities under NIS2 are all other organizations that are not categorized as essential entities. Key digital service providers, such as search engines, cloud computing services and online marketplaces, will also have to comply with the security and notification requirements under the directive.

DORA applies to most financial entities and to ICT service providers that European regulators and authorities deem critical, such as cloud service providers (CSPs), as well as providers to the CSPs and financial entities.

All member states have adopted the PSD2, which applies to banks, financial institutions and other organizations involved in retail payments or providing financial services in the EU. Its primary focus is on EU financial institutions, including payment processors, banks, brokerages and fintech companies. Organizations headquartered outside Europe may still be subject to PSD2 compliance requirements if they have customers or users in the region.

Cybersecurity Compliance

NIS2 compliance focuses on strengthening overall cybersecurity and incident reporting requirements, and managing cyber risk using “appropriate and proportionate technical and organizational measures.” It covers aspects such risk analysis, information security policies, thorough incident handling, business continuity and supply chain security.

DORA compliance is more prescriptive than NIS2, in that its aim is to introduce more rigorous requirements around ICT risk management and ICT-related incident reporting than those agreed to in NIS2. As a result, it has specific provisions regarding ICT frameworks, incident response and third-party ICT contracts. This means that DORA constitutes lex specialis to or overrides NIS2 in terms of overlap, such as reporting requirements, if an organization is in the scope of both.

To comply with DORA, organizations are required to demonstrate that they are conducting an appropriate set of security testing on “critical” systems and applications at least annually and also fully addressing any vulnerabilities identified by the testing process. 
Testing requirements for NIS2 compliance vary by country, but DORA requires threat-led penetration testing every three years and a range of yearly assessments and tests, including annual penetration testing for critical applications and systems.

The PSD2 sets out security requirements designed to reduce fraud risk and prevent the risk of cyberattacks and information security threats in the financial industry. To achieve this, it includes five key areas of compliance: open banking APIs, Strong Customer Authentication (SCA), customer transparency, rapid complaint resolution and surcharge bans. The SCA requirement means that all payment processors and digital banking providers must use multifactor authentication to enable user login. Other aspects of the required compliance relate to the secure access and sharing of consumer data. Identifying API vulnerabilities and mitigating API security risks demands additional security measures, mainly those that involve the use of third-party vendors to offer API access to consumers. The use of third parties to provide services also puts demands on organizations to develop strong third-party risk management (TPRM) procedures to better identify and address risks throughout their supply chain.

Incident Reporting Requirements

DORA, NIS2 and the PSD2 all put exact security incident reporting demands on organizations in terms of administrative burden, pace and follow-up. While NIS2 incident reporting requirements include an early warning within 24 hours, an incident notification within 72 hours and a final report within one month, DORA’s requirements around what are classified as “major” incidents are subject to an initial notification within 24 hours, an intermediate notification within 72 hours and a final report within one month.

DORA’s incident reporting schedule is inspired by the corresponding rules under the PSD2, which requires payment service providers to make an initial report to the FCA within two hours of detection. DORA requires that if an incident is initially classified as non-major but then is reclassified as major, the initial report must be made as soon as the change in status has been identified. Intermediate reports to the FCA are also required every time the situation changes significantly or if new causes or new action is taken. The minimum requirement is that payment service providers must report every three business days until the specific cause of the incident is understood and specific numbers are available, with the final report required within two weeks of the service returning to normal.

The PSD2 requires payments firms to have security controls and policies that cover the software and IT systems they use. These security measures can also be used for DORA compliance.

Penalties for Noncompliance

Essential entities that fail to comply with NIS2 are subject to fines of up to €10 million (or 2% of the total worldwide annual turnover, whichever is higher), and important entities are subject to fines of up to €7 million (or 1.4% of annual turnover). NIS2 also allows for the banning of C-level executives from future roles in cases of noncompliance.

Organizations that fail to comply with DORA will receive corporate fines of up to 2% of annual turnover, fines for employees of up to €1 million, plus fines of up to €500,000 for critical third parties.

Institutions failing to meet the requirements of the PSD2 can be charged with financial penalties of up to 4% of their annual returns.

Complying With DORA, NIS2 and the PSD2: Key Recommendations

• Review DORA’s proportionality factors to understand if your organization is exempt from specific requirements in Articles 5 to 15.
• Gain stakeholder buy-in and ensure appropriate governance and reporting are in place, right up to board level.
• Work with third-party experts to help independently review compliance gaps but also build a roadmap toward operational resilience with clear timescales and owners.
• Ensure that your chosen provider can also go one step further and help implement the right solutions, policies, processes and services to not only help with compliance but implement long-term solutions that are sustainable and capable of aligning with other regulations.

DORA, NIS2 and the PSD2: Simplify Regulatory Demands with Kroll

Without the right kind of support in place, regulatory requirements can become a heavy burden for organizations. Whether you’re moving into a new financial market or looking to prepare for DORA or NIS2, it is vital to understand which steps to take first and how to minimize the potential demands on your resources. Kroll’s comprehensive suite of operational resilience services, such as cybersecurity assessments and program design, cyber resilience risk management, incident response, business continuity and disaster recovery planning, and third-party risk management can help you achieve this by providing a one-step approach to addressing your regulatory, compliance and risk concerns.

Our expertise enables organizations to meet the requirements of regulations such as DORA, NIS2, General Data Protection Regulation (GDPR), Service Organization Control 2 (SOC2) and PSD2 more efficiently. We offer solutions across the entire DORA maturity lifecycle, addressing all aspects of DORA compliance and maturity, from assessing possible gaps/weaknesses and advising on remediation to implementing the right controls and providing remote managed services.

With a deep understanding of the legislation and standards affecting your industry, our cybersecurity, operational resilience and regulatory compliance experts are able to deliver real insight and value.

We pride ourselves on our global presence and our reputation for technical and industry expertise in building and implementing custom global operational resilience programs that align with many regulations and industry standards.

Our 700+ skilled and certified cybersecurity professionals across the globe are experienced in not only helping clients comply with multiple regulations but staying resilient amid the changing regulatory and operational landscape.

If you’re a financial institution or service provider, discover how our DORA Compliance Assessment can help you on your journey toward digital operational resilience. Otherwise, learn more about our security advisory services.