Close this search box.

Enhanced Regulations & Compliance

Ensure your business will have the processes and technology in place when the legislation comes into force in 2024.

Preparing for compliance to new cybersecurity regulations needs time, effort and investment.

17 October 2024

NIS2 (The Network and Information Security Directive).

Cyberattacks that are designed to destroy, steal or otherwise compromise your valuable data –including your backups – are increasing in frequency and cost.  Protecting your critical data and recovering it with assured integrity is key to resuming normal business operations post-attack – and the sooner you act, the better.

Doing nothing is not an option...

Failure to comply with the new regulations can bring serious consequences.

NIS 2.0 Directive Fines

  • Up to €10 million or 2% of the entity’s global turnover, whichever is higher.
  • In severe cases, up to €20 million or 4% of the entity’s global turnover, whichever is higher.

FCA CP19/32 consequences

  • Failure to comply with the Financial Conduct Authority puts you at risk of fines where there has been a breach of rules or market abuse.
  • The FCA can also withdraw a firm’s authorisation. prohibiting individuals from carrying on regulated activities. suspending firms and individuals from undertaking regulated activities.
  • In addition to fines, the disqualification of being able to do business with other companies, or the reputational damage, could be severe.

DORA Non-Compliance Fines

  • Individuals, not just companies, can be fined, held accountable and be awarded possible custodial sentences.
  • For organisations: minimum 2% of average daily worldwide turnover for up to six months, with individual countries able and willing to increase the base rate of fines.

Which organisations will be affected?


Banks and financial institutions, including third parties that provide information communication technologies services to banks, such as cloud platforms, data analytics services, and solutions from other IT partners and providers. Banks must ensure their own compliance to DORA and also take steps to verify the DORA compliance of any provider that handles digital financial data.

FCA CP19/32

Building Operational Resilience affects UK banks, building societies, Prudential Regulation Authority (PRA) designated investment firms, Solvency II firms, Recognised Investment Exchanges (RIEs), Enhanced scope Senior Managers & Certification Regime (SM&CR) firms and entities authorised or registered under the Payment Services Regulations 2017 (PSRs 2017) and/or the Electronic Money Regulations 2011 (EMRs 2011).


Any organisation with over 50 employees and an annual turnover of €10M+, as well as any organisation included in the original NIS Directive. Scope is also increased to include the electronic communications and digital services industries. While the legislation applies to the EU primarily, UK businesses need to prepare for the likely implementation of either the NIS 2 requirement, or a UK modified version.

What are organisations required to do?

Cyberattacks that are designed to destroy, steal or otherwise compromise your valuable data – including your backups – are increasing in frequency and cost. Protecting your critical data and recovering it with assured integrity is key to resuming normal business operations post-attack.
NIS 2 Requirements
  • Risk assessment and management
  • Incident reporting
  • Incident response
  • Communication and cooperation
  • Security awareness and training
  • Supply chain security
  • Resilience
DORA Requirements
  • ICT risk management and governance
  • ICT incident classification and reporting
  • Digital operational resilience testing
  • ICT third-party risk management
  • ICT third-party providers oversight framework

FCA CP19/32 Requirements
  • Firms must have performed mapping and testing of their important business services
  • Firms must also have identified any vulnerabilities in their operational resilience.

Take the Proact approach to operational resilience.

Proact have a simple seven-step approach that will ensure your organisation will reach compliance before the required deadlines:

1. Preparation

Assess the risks and vulnerabilities to your organisation's data and systems, identify critical assets and data, and determine the recovery objectives and strategies.

2. Backup

Establish a robust backup strategy that includes regular, secure backups of critical data, systems, and applications, both on-site and offline.

3 .Detection and Notification

The organisation should have a mechanism to detect any cyber-attack or data breach, and a notification process that involves alerting all necessary stakeholders, including IT and security teams, management and customers.

4. Containment and Recovery

Once the attack has been detected, it is crucial to contain the damage and prevent it from spreading further. This may involve isolating the affected systems, shutting down critical applications and starting the recovery process.

5. Investigation

After the attack has been contained, an investigation should be conducted to determine the cause, scope, and impact of the attack. This will help to identify any additional risks, vulnerabilities, or gaps in the organisation's security and recovery plans.

6. Remediation

The organisation should then implement remediation measures to address any identified weaknesses or gaps, such as implementing new security measures, patching vulnerabilities, or improving staff training and awareness.

7. Recovery

The final step is to restore critical systems and data from the backup and ensure that they are secure and functional. This may involve testing and validating the backup data and systems, as well as conducting additional security testing to ensure that the organisation is fully protected.

Cyber recovery round table exercise

In the event of a cyber incident, it’s critical in your business has the right technology and processes to be able to recover as fast as possible; and your staff are prepared.
Cyber event management is a collaborative effort for your organisation that IT cannot manage alone; you need to prepare expectations of what services IT will perform, and what other business functions need to perform.
Using the NCSC (National Cyber Security Centre) recommended scenarios, we have created our round table exercise to look at your business awareness and technical testing.

A security posture that doesn’t just rely on resilience

Any organisation shouldn’t rely on their operation resilience for their security posture; you should look to stop a potential threat ever reaching your recovery solution in the first instance. That’s secure by design.
At Proact we can fully manage your security posture across 5 core areas. Using our two 24/7 Security Operation Centre’s (SOC) to fill any gaps in resources, skills and technology to provide around-the-clock cyber defence.
  • Managing security risk
  • Protecting against cyber attack
  • Detecting cyber security events
  • Minimising the impact of cyber security incidents

We’ve got your back!

With deadlines fast approaching, Proact can help you plan and execute an optimum, tailored approach to DORA, NIS2 and Operational Resilience compliance.

  • Assess your current position
  • Define and plan what it will take for you to reach compliance
  • Help you implement your plan
  • Routine testing and plan reviews, to ensure it still meets your business needs.


The time to act is now to ensure compliance before the deadline. Turn your operational resilience into a competitive advantage.


one of our specialists

By clicking Submit, I agree the terms and conditions outlined in the Proact Privacy Policy.