
Compliance Challenges for Financial Entities as ICT Providers Under GDPR, DORA, and NIS2
Financial entities that also serve as ICT providers encounter significant compliance challenges due to their dual roles as data controllers, data processors, or both under multiple regulatory frameworks, including the General Data Protection Regulation (GDPR), the Digital Operational Resilience Act (DORA), and the NIS2 directive. This dual role complicates compliance efforts, as these entities must navigate overlapping obligations related to the security of ICT infrastructure, the management of supplier risks, and the protection of personal data.

The GDPR governs the processing of personal data, requiring entities to implement appropriate technical and organizational measures to protect data subjects' rights. When acting as data processors for clients, financial entities must adhere to strict contractual obligations and ensure that personal data is processed only as instructed by the data controller.

DORA, which applies to EU financial entities from January 2025, introduces stringent requirements for operational resilience. Financial entities must conduct regular audits and continuous monitoring of critical ICT providers to mitigate risks associated with third-party services. This includes assessing the security posture of suppliers and ensuring that they meet DORA's resilience standards.

The NIS2 directive, which must be transposed into national law by October 2024, extends incident reporting obligations to ICT providers. This means that financial entities acting as ICT providers must establish robust mechanisms for detecting, responding to, and reporting cybersecurity incidents to the relevant authorities.

The convergence of these regulations necessitates a comprehensive approach to cybersecurity and compliance for financial entities serving as ICT providers.
These entities must integrate GDPR's data protection requirements with DORA's operational resilience mandates and NIS2's incident reporting obligations. This integration requires a holistic cybersecurity strategy that addresses the security of ICT infrastructure, the management of supplier risks, and the protection of personal data. By adopting a proactive and integrated approach to cybersecurity and compliance, financial entities can effectively navigate the complexities of their dual roles and enhance their overall resilience against cyber threats.