How can financial institutions future-proof for changes in regulation, such as DORA and NIS2?
Compliance with national or EU-wide regulation is nothing new to the financial industry. For instance, regulations on knowing your customer, data protection and privacy, and payment services directly impact how banks, insurance companies, credit providers and so on conduct their daily business and processes.
In a digital world, all these processes rely on software solutions that process millions of data points every single day.
However, regulations that affect financial services are constantly changing, which also requires changes to the software infrastructure that manages the related processes. What can financial institutions do to maintain flexibility and efficiency among all these changes?
DORA and NIS2 – the latest heavy-hitters for the financial sector
As you probably already know, there is – once again – new regulation that companies in the financial sector must comply with.
The NIS2 directive builds on the original NIS directive from 2016 and aims to enhance the cybersecurity and resilience of critical sectors across the EU. It expands the scope, sets tighter requirements and standardizes cybersecurity-related practices.
DORA, the Digital Operational Resilience Act, is an EU-wide regulation that specifically affects financial institutions in the EU.
Both NIS2 and DORA introduce new requirements for gathering and managing data related to risk management, not only for the financial operators themselves, but also deep down into the supply chain of third-party ICT service providers. In fact, managing third-party ICT risks is critical for any company, as all companies use SaaS services more and more. Imagine that one day all your ICT services were SaaS services – how would the corporate CTO be able to manage risks in that scenario?
Now, all the information required by NIS2 and DORA – not to mention any other new regulation around the corner – must be managed. It’s not about simply collecting and archiving the data; the data must be readily available throughout its lifecycle to establish robust risk management processes.
Here’s where the problems with traditional information management systems show up. Legacy systems are slow to adapt to changes, and adding any custom data management features most likely means starting a cumbersome IT development project.
Luckily, there are more flexible options available.
Example: Efficient supplier data management with flexible metadata
One important domain that NIS2 and DORA set new requirements for is third-party risk management. Financial operators must ensure that all their suppliers comply with appropriate security standards. This applies to a wide range of suppliers, all the way to cloud service providers, software vendors and so on.
What’s more, the supplier information must be managed throughout its lifecycle: from initial service contracts to annually recurring audits and finally down to the supplier exit plan.
So, gathering and managing data becomes a regular part of everyday processes.
A key component for managing all this information is metadata. Let’s say you have hundreds of contracts with various suppliers. The only efficient way to manage all the data is by maintaining specific metadata on contract types, outsourcing, data protection, IT system level information, responsibilities, audits and risk categories.
With proper metadata in place, you can easily find specific contracts, generate reports and prepare for supplier audits, for example. Efficient metadata management with underlying document management capabilities brings your visibility on all matters to a totally new level.
To make supplier data management easy and efficient, make sure that your information management system has the capability to add custom metadata fields flexibly.
How Zefort helps with DORA and NIS2
Zefort is a zero-effort contract and data management solution that comes with bank-level security and a wide range of enterprise features.
Working together with our customers, including leading banks, we have developed a suite of features that make managing DORA and NIS2 requirements much easier.
#1 Dynamic and flexible metadata model
When adding a new document to Zefort, our AI automatically picks up normal metadata information, such as document titles, party names, and important dates.
On top of the normal metadata, you can define any other (mandatory, optional or conditional) metadata fields you want. If there is mandatory metadata defined for a specific contract type, like a supplier contract, Zefort prompts you to add the required information. With the metadata in place, it’s easy to find the right documents later.
Best of all, Zefort allows great flexibility for managing the metadata. Users with appropriate access rights can add, change or remove metadata fields, and set up conditional fields and data validation rules at any time – there’s no need to set up an extensive IT project.
We have extensive experience in planning metadata together with our customers – we’re happy to provide hands-on consultation on this matter!
#2 Contract activities
Under NIS2 and DORA, companies are in some cases required to perform regular audits of their suppliers. With a large number of supplier companies, it becomes increasingly difficult to remember all the audit dates and requirements.
Zefort helps your organization’s teams prepare for audits by delivering automatic notifications for important dates or other activities. What’s more, you can set recurring audit schedules as their own specific metadata field.
In addition to notifications, all activities are easily discoverable in Zefort’s Dashboard or Calendar view.
#3 Online forms for supplier audits
Also related to supplier audits, Zefort comes with a feature for easily creating online forms that your suppliers can fill in and submit. This works perfectly for creating NIS2 or DORA-related supplier audit forms.
In order to verify the information submitted by your supplier, the Forms feature utilizes Zefort Sign, an eSignature tool that lets you get a personal signature from the supplier. You can even set up more complex flows to get signatures from multiple parties or notify specific team members about the signature process.
#4 Reporting supplier information
Zefort is flexible when it comes to moving data between systems. If you are using a certain business intelligence solution, such as Microsoft Power BI, you can easily push the data from Zefort to the tool of your choice.
You can also compile reports directly in Zefort. Simply filter documents based on their metadata, select the documents you want to include and export their data to an Excel spreadsheet, for example.