DORA, NIS2 and the changing role of DNB supervision
Information security has been a core issue within the financial industry for many years, and the urgency keeps growing. New laws and regulations, increasing reliance on digital processes and sharper expectations from regulators are causing a structural shift in how institutions deal with IT risks.
From 17 January 2025, DORA (the Digital Operational Resilience Act, Regulation (EU) 2022/2554) applies as the binding supervisory framework for digital operational resilience. This European regulation largely replaces DNB's current Good Practice Information Security. The bar is raised: banks, insurers, pension providers and other financial institutions must not only set up their information security, but also be able to demonstrate and justify it to the supervisor.
DORA and the end of noncommittal frameworks
Whereas Good Practice Information Security left much room for interpretation in practice, DORA is more concrete and directly enforceable as law. The focus is on structurally strengthening digital resilience: ensuring the continuity of critical processes, managing and reporting ICT-related incidents, testing resilience, controlling risks from third-party ICT providers and demonstrably managing ICT risk.
For many institutions, this means a shift from IT security as a technical issue to a structural part of governance and integrated risk management.

What does this mean for supervision from DNB?
DNB will continue to play a central role in the supervision of information security after DORA takes effect. Good Practice will not be abandoned overnight, but supplemented and, where necessary, replaced by the more stringent standards of DORA.
At the same time, NIS2 applies as a complementary framework. This European directive focuses on network and information security and affects institutions considered essential to the functioning of our economy and society. Note that for financial entities in scope of DORA, DORA is the sector-specific framework and takes precedence over the corresponding NIS2 requirements; institutions should nevertheless check whether other parts of their group or their suppliers fall under NIS2.
DNB expects institutions to translate these frameworks into one coherent approach. This requires mature risk management, up-to-date threat analyses and a clearly designed process for incident reporting and accountability.
Information security within the three lines
Supervisors expect information security not only to be addressed technically, but to be structurally embedded in governance. The responsibilities of the first, second and third lines must be clear: implementation lies with the line organization, monitoring with risk and compliance, and independent assessment with internal audit.
ARC People supports institutions in clarifying and strengthening these mutual relationships. This starts with structure, but also requires clear frameworks, verifiable measures and workable reporting lines.
Behavior, awareness and soft controls
A mature design of information security requires more than technology and processes. In many cases, vulnerability arises where formal rules clash with daily practice: for example, when exceptions are tacitly granted, or when awareness campaigns have insufficient effect.
This is why ARC People also looks at behavior and culture. Where required, our consultants analyze soft controls such as risk awareness, leading by example and the willingness of colleagues to address one another's behavior, and place these alongside the formal control measures. Only when both tracks are in balance does effective control emerge.
Accountability to board and supervisors
Demands for accountability and reporting are increasing. Directors, audit committees and supervisors want to know not only that measures are in place, but also how effectively they work and on what basis they were chosen.
We help institutions set up that accountability in a sharp and transparent way: structured dashboards, verifiable KPIs and reports that match the maturity level of the organization. This creates not only control, but also trust among internal and external stakeholders.
The expertise of ARC People
ARC People supports financial institutions in designing, testing and strengthening their information security. Our consultants bring experience from audit, risk management and IT governance.
We help organizations with, among other things:
- Conducting threat analyses and risk assessments.
- Reviewing existing measures for effectiveness.
- Preparing for DORA and NIS2 at both strategic and operational levels.
- Shaping incident response and the reporting lines to supervisors, including the reporting of major ICT-related incidents that DORA requires.
- Strengthening collaboration between the first, second and third lines.
We work for banks, insurers, pension funds and payment institutions, among others.
Discover the latest insights
Curious about the latest insights? Read our recent blog or download our full whitepaper for free. In it we delve deeper into the IB Monitor and supplement it where necessary with more recent publications. We also discuss the new outlook and the impact of recent regulations such as DORA and NIS2 on the Dutch financial sector.
Learn more about Information Security DNB
Would you like to learn more about this topic? Contact one of our experts. We are ready to answer your questions and help you further.
Our expert team, with years of experience, will provide you with personalized advice appropriate to your specific situation. We aim to respond to your inquiries as quickly as possible.
