Your relationship with DORA starts with filling a questionnaire

Your relationship with DORA starts or ends with filling a questionnaire:

https://forms.gle/P5aBjS8fNXjBPTSr8

In the world of digital security, regulations are evolving at a rapid pace, and adapting to them is not just a formality but a strategic necessity. One of the most significant financial security regulations is DORA (the Digital Operational Resilience Act), the EU regulation on digital operational resilience for the financial sector. It imposes stringent requirements on financial institutions and their IT service providers to strengthen cyber resilience in the sector.

But how do you know if your organization is ready for DORA? It all starts – or ends – with the completion of a questionnaire.

What is DORA and why is it important?

DORA is part of the EU’s broader strategy to make financial institutions more resilient to cyber threats. It introduces mandatory IT risk management requirements, oversight of service providers, and mechanisms to test resilience to cyber-attacks.

The impact of the regulation is not limited to banks and insurance companies. It also affects fintech companies, investment funds, credit intermediaries, payment operators and even the technology providers of these organisations. If your business falls under DORA, failing to meet the requirements could result in fines, regulatory penalties or even license revocation.

Completing the questionnaire – the first step towards compliance

To make the adaptation process easier, we have created a specialized questionnaire (available here) that will help you do a quick self-assessment of your readiness for DORA.

The questionnaire covers several key areas:

  • IT risk identification – do you have a clear process for identifying threats?
  • Monitoring and management – how do you monitor and respond to incidents?
  • Cyber resilience – do you conduct regular testing and training?
  • Interaction with third parties – what mechanisms do you use to evaluate your suppliers?

Completing the questionnaire will give you insight into whether your organization is on the right track or has critical gaps that need to be addressed immediately.

Filling it in is just the beginning

DORA is not just a “tick-box” exercise. The regulation requires continuous improvement, monitoring and response to new threats. Completing the questionnaire will give you a starting point, but the next step is developing and implementing a comprehensive cyber resilience strategy.

Whether you are starting or already in the process of compliance, this tool is the key to timely and informed action. Because in the age of digital finance, survival and success are defined by resilience against risks – and that starts with knowledge.

Extended scope of NIS2

NIS2 significantly expands the scope of sectors and organisations that fall under its requirements. Whereas NIS1 covered seven sectors including energy, transport and health, NIS2 adds new sectors based on their criticality to the economy and society. These include:

  • Postal and courier services
  • Waste management
  • Manufacture and distribution of chemicals
  • Food production
  • Manufacture of medical devices
  • Digital service providers, including online marketplaces and social media

This extension means that many organisations not previously subject to such regulations will now have to comply with the new requirements.

Criteria for determining the entities concerned

NIS2 introduces clear criteria for the identification of affected entities. All medium-sized and large enterprises in the sectors mentioned are covered by the Directive. Medium-sized enterprises are those with between 50 and 249 employees and an annual turnover of between EUR 10 and 50 million, while large enterprises have more than 250 employees and a turnover of more than EUR 50 million. This means that even organisations that are not considered to be critical infrastructure but meet these criteria will be affected.

Fundamental requirements of NIS2

The Directive imposes a number of obligations on affected entities, including:

Risk management: organisations must adopt measures to manage cyber security risk, including assessing risks, implementing appropriate technical and organisational measures and regular monitoring.

Incident reporting: significant incidents affecting the provision of services must be reported to the competent authorities within specified deadlines.

Supply chain security: organisations must manage the risks associated with their suppliers and partners, ensuring that they too comply with cyber security requirements.

Transposition into Bulgarian law

In Bulgaria, the transposition process of NIS2 is ongoing. On 4 July 2024, the Ministry of eGovernment submitted a draft law amending the Cybersecurity Act to transpose the Directive. The public consultation on the Bill closed on 3 August 2024 and adoption is expected by 17 October 2024. An implementing regulation will then be adopted which will detail specific measures and obligations for organisations.

What’s next for organisations?

Organisations covered by NIS2 should take the following steps:

  • Compliance assessment: determine whether they fall within the scope of the Directive based on their sector and size.
  • Risk assessment: conduct a detailed analysis of their current cyber security practices and identify gaps against NIS2 requirements.
  • Develop an action plan: create and implement a plan to achieve compliance, including training staff, implementing technical measures, and establishing incident reporting procedures.

With the advent of NIS2, cybersecurity is becoming not only a technical but also a strategic priority for organizations. Timely adaptation to the new requirements will ensure not only legal compliance but also increased resilience against cyber threats.

Questionnaire: https://forms.gle/P5aBjS8fNXjBPTSr8