29. September 2025 By Tobias Dieter and Clara Thaller
I'm an ICT service provider, get me out of here!
DORA & NIS2: New rules for ICT service providers – opportunities and obligations in a double pack
The regulatory landscape for information and communication technology (ICT) in Europe is changing rapidly. With the Digital Operational Resilience Act (DORA) and the Network and Information Systems Directive 2 (NIS2 Directive), there are now two sets of regulations that set new standards for service providers – both in terms of security architecture and in their cooperation with customers.
The regulatory focus on increased transparency and accountability throughout the supply chain presents many ICT service providers with unprecedented challenges.
What DORA and NIS2 mean for ICT service providers
The Digital Operational Resilience Act (EU Regulation 2022/2554) aims to ensure the digital operational resilience of financial entities and explicitly brings their third-party ICT service providers within its scope. The regulation obliges financial entities to carefully manage and monitor the ICT service providers they use, and it also allows the European supervisory authorities to designate particularly critical providers and place them under direct oversight. DORA is considered a 'lex specialis' for the financial sector: for the financial entities it covers, its sector-specific requirements apply instead of the general NIS2 rules.
The NIS2 Directive (EU Directive 2022/2555) significantly expands the scope of cybersecurity requirements compared to its predecessor. It now covers significantly more industries and service providers, including many IT and managed service providers.
For ICT service providers, this means that regulatory scrutiny is no longer limited to large corporations. Under NIS2's size-cap rule, medium-sized enterprises in the covered sectors, including managed service providers, are themselves classified as 'essential' or 'important' entities and must therefore secure their own supply chain, including the ICT service providers and sub-service providers they rely on.
The requirements for security measures, monitoring processes and reporting obligations are increasing – not just as recommendations or best practice approaches, but as a binding legal framework.
New preconditions and requirements of the regulations
A key criterion for the obligations under DORA is determining the materiality of a service. Financial entities must assess whether the service provided by an ICT service provider supports a 'critical or important function' of their own organisation. DORA defines a function as critical or important if its disruption or failure would have a significant negative impact on the financial performance of the entity, the continuity of its services or its compliance with regulatory obligations. In this assessment, the degree of dependence on the service provider, the availability of equivalent alternatives, the complexity of the outsourcing and the potential impact on sensitive processes must in particular be taken into account.
Under NIS2, the main factors determining classification are whether the ICT service provider operates for customers in one of the defined sectors and what role it plays in their supply chain. The more important the ICT service provided is for a customer in one of the 18 defined NIS2 sectors, the higher the requirements that must be met.
Many of the requirements now mandatory under both regulations are not entirely new in practice. Norms, standards and best practices such as the ISO/IEC 2700x series or the BSI IT-Grundschutz already contain specifications on security, emergency planning and service provider management. What is new is that DORA and NIS2 no longer merely recommend these measures but prescribe them in detail and enforce them.

These include stricter, multi-level incident reporting obligations with fixed deadlines, in some cases an initial notification within 24 hours of becoming aware of an incident, followed by intermediate and final reports. Also binding are measures to secure the entire supply chain down to sub-service providers, business continuity and recovery plans that are regularly tested, and comprehensive audit and access rights for customers and authorities.

The management of ICT risk at the service provider itself is also coming to the fore. Although an ICT service provider does not have to replicate its financial customers' full ICT risk management framework, transparent and verified risk and asset management is essential for increased operational resilience: it is the only way to demonstrate that customer requirements for the confidentiality, integrity, availability and authenticity of a service (the 'VIVA' protection goals) are actually met.
We support you!
Ready to not only comply with DORA & NIS2, but also use them as a competitive advantage? Then talk to us – we will accompany you from analysis to implementation.
The tangible impact on ICT service providers
The implementation of these regulatory requirements has several consequences for ICT service providers. First, the compliance burden will increase significantly, as security measures must not only be documented but also continuously reviewed and verifiably tested. Contracts with companies must be adapted to meet the new regulatory requirements – for example, by including clear provisions on audit rights, exit strategies and security standards. At the same time, a high level of regulatory resilience can become a competitive advantage: service providers who can demonstrate their compliance transparently and proactively draw attention to their own security level will be particularly attractive and reliable for companies in regulated industries.
However, this often requires targeted investment in security technologies, monitoring solutions and incident response capabilities. In addition to the effort and costs involved in technological realignment, there is also a significant amount of organisational change. The people involved should be appropriately consulted and involved so that the new technologies and structures function effectively. Regulatory compliance is thus becoming not only a legal necessity, but also a strategic issue for sustainable corporate development.
Intelligent and efficient implementation
ICT service providers can efficiently implement the new requirements if they take a strategic approach. Instead of viewing DORA and NIS2 requirements in isolation, integrated implementation is recommended to avoid duplication of effort. Standardised frameworks such as ISO 27001, the NIST Cybersecurity Framework or the BSI IT-Grundschutz serve as a solid, proven foundation on which specific regulatory requirements can be mapped and expanded.
Automation plays a key role here: uniform tools for continuous security monitoring, automated reporting and compliance dashboards reduce manual effort and enable a quick response to incidents. It also makes sense to establish targeted partnerships with specialised providers, for example for penetration tests, digital forensics or the operation of a Security Operations Centre (SOC). AI-assisted contract review can speed up the identification of clauses that need amending, such as audit rights, exit strategies and security standards, although the results still require legal review before any contract is changed. An early gap analysis helps to systematically identify existing weaknesses and define action plans to remedy them, providing a basis on which the level of compliance can be reliably raised.
adesso as a partner with experience in both worlds
adesso understands regulatory requirements from two perspectives: from the customer side, for example banks, insurers, KRITIS operators and public authorities, and as an ICT service provider for these companies from all relevant industries.
This dual experience enables us to contribute extensive practical knowledge to develop tailor-made solutions that comply with the regulatory framework and are easy to implement in practice. Proportionality, effectiveness and efficiency are key aspects for adesso.
The added value of partnering with adesso is therefore evident in our comprehensive knowledge of regulatory requirements and established solution methods. On this basis, we carry out tailored analyses to determine the current status, materiality and criticality. These are based on precise mapping of the DORA and NIS2 requirements and are used to develop roadmaps and action plans for achieving the target vision. We see ourselves as a partner who provides comprehensive support. In addition to consulting, designing and implementing resilience measures, we often play an active role in providing operational support for business organisation, training and awareness-raising measures, and assist with audits and reporting to authorities.
Our experience shows that those who focus on regulatory resilience at an early stage and across all areas not only gain legal certainty, but also the trust of the market, their customers and their own employees.
The bottom line is that DORA and NIS2 set new standards for ICT service providers – not only in terms of technology, but also in governance, contracting and strategic cooperation with customers. Those who see the requirements not as a burden but as a strategic opportunity can turn compliance into a real market advantage. With adesso as a partner who understands both perspectives, regulatory obligations become a sustainable competitive advantage.
DORA and NIS2 in direct comparison – why ICT service providers should bundle both requirements
From the perspective of ICT service providers, DORA and NIS2 are not isolated regulations but two sides of the same coin. Both address digital resilience, but with different focuses and at different levels. DORA concentrates on the financial sector, with very specific requirements for controlling and monitoring external ICT services that support critical or important functions. NIS2, on the other hand, has a much broader industry focus and acts as a horizontal baseline across all critical sectors, with a sanctions framework whose minimum fines are harmonised at EU level and transposed into national law by the member states.
An integrated compliance approach is particularly worthwhile for ICT service providers that serve both financial companies and customers from other critical areas. This allows overlaps to be exploited, duplication to be avoided and security architectures to be documented uniformly.