Regulations such as Spain’s National Security Framework (ENS), the Digital Operational Resilience Act (DORA), the Network and Information Security Directive (NIS2), and the Payment Services Directive (PSD2), along with others such as the Whistleblowere Directive, Cyber Resilience Act and the AI Regulation, require organizations to adopt increasingly stringent compliance measures. In this article, we will explore the role of the Compliance Officer in this context and analyze how each of these regulations impacts businesses and the public sector.
The Compliance Officer is responsible for ensuring that an organization’s policies and procedures comply with current regulations. This professional, who may lead a specialized department, interprets and applies laws, manages compliance risks, and ensures that employees and partners understand and follow legal standards. In a constantly evolving regulatory environment, the Compliance Officer not only ensures current compliance but also acts as a “regulatory sentinel,” anticipating new requirements, integrating them into operations, and fostering an ethical and compliant culture.
DORA, NIS2, PSD2, and ENS: A Regulatory Environment in Cybersecurity and Resilience
To understand the importance of a Compliance Officer in Europe, it is useful to explore some of the key regulations that directly impact companies and the public sector. Each of these regulations addresses different aspects of security and operational resilience.
1. DORA – Digital Operational Resilience Act
The Digital Operational Resilience Act (DORA) is one of the European Union’s most recent regulations, focusing on digital security and the response capabilities of financial institutions. Applicable to banks, insurers, investment firms, and other players in the financial sector, this regulation requires companies to adopt rigorous measures to protect against cyberattacks, infrastructure failures, and other operational risks.
DORA establishes specific requirements on:
- Digital Risk Assessments: Entities must identify vulnerabilities in their systems and define strategies to minimize potential impacts.
- Digital Resilience Testing: Simulated attacks must be conducted to test the organization’s response capabilities.
- Incident Management and Operational Continuity: DORA requires detailed plans to ensure that operations can continue during a crisis.
This regulation affects not only financial institutions but also technology service providers, who must meet high security standards to continue operating in the sector. In this context, the Compliance Officer is essential for coordinating and monitoring compliance with these requirements and reducing the risk of penalties.
2. NIS2 – Network and Information Security Directive
The NIS2 Directive is an update of the original NIS Directive and applies to a wider range of sectors deemed critical, such as energy, transportation, healthcare, and telecommunications. NIS2 aims to raise cybersecurity and operational standards across the European Union, requiring organizations to adopt advanced protection measures and report relevant security incidents to the appropriate authorities.
NIS2 requirements include:
- Risk Management and Information Security: Companies must implement a risk management approach that protects networks and systems against cyber threats.
- Incident Notification: Any relevant incident must be reported immediately, including details about the nature of the attack and actions taken.
- Non-Compliance Penalties: The directive imposes significant penalties for organizations that fail to meet requirements.
For organizations, especially those operating in critical sectors, the Compliance Officer is vital for implementing cybersecurity policies, establishing reporting processes, and ensuring compliance with NIS2 security requirements.
3. PSD2 – Payment Services Directive
The Payment Services Directive 2 (PSD2) aims to promote innovation in the financial sector, improve the security of electronic transactions, and strengthen consumer rights within the European Union. PSD2 introduces the concept of Open Banking, allowing third-party service providers access to customers’ financial information, with their consent, to offer additional services.
Key aspects of PSD2 include:
- Strong Customer Authentication (SCA): Strong authentication is required for transactions, using at least two of three factors: knowledge (password), possession (device), and inherence (fingerprint).
- Access and Data Management: Companies must ensure that financial data is protected and accessed only with the customer’s explicit authorization
For a Compliance Officer in a financial institution, PSD2 presents a constant challenge, as it requires precise monitoring to ensure that all transactions comply with authentication requirements and that financial data management processes meet regulatory standards
4. National Security Framework (ENS).
The ENS is a Spanish regulation aimed at the public sector and companies collaborating with public administration. Its goal is to ensure the protection of information and service continuity in digital environments. Although it is a national regulation, the ENS aligns with DORA and NIS2 principles, facilitating interoperability with European regulations.
The ENS establishes various levels of security based on system and data sensitivity. Key guidelines include:
- System Classification: Systems are classified into different security levels based on the information they handle.
- Incident Management: The ENS requires public entities to implement cyber incident management processes with a quick and effective response.
- Certification and Auditing: Entities must undergo audits to verify compliance with established security standards.
While the ENS has a national scope, companies and entities that already meet its requirements will be better positioned to adapt to European regulations such as DORA and NIS2, which also demand high security and risk management standards.
The Compliance Officer in the Context of These Regulations and the Ideal Profile
In this regulatory environment, the Compliance Officer’s role is primarily to manage compliance, but it goes far beyond procedural review. This professional must develop an integrated view of regulatory risks and establish a compliance infrastructure that addresses multiple regulations, both national and European. Key responsibilities include:
- Risk Assessment: Identify vulnerabilities in systems and procedures that could lead to regulatory non-compliance.
- Monitoring and Reporting: Create a monitoring system to track compliance and report any deviations to the relevant authorities.
- Employee Training: Ensure that all employees are familiar with applicable regulations, especially in key areas like cybersecurity and data protection.
- Regulator Relations: Act as a liaison with regulatory authorities, facilitating transparency and maintaining an open line of communication
With the increase in security regulations like DORA, NIS2, and PSD2, the ideal Compliance Officer should combine expertise in regulatory compliance and cybersecurity. This profile requires continuous training and updating and may be an internal or external figure who should possess:
- Knowledge of Legislation and Regulations: Experience in data protection laws, cybersecurity, and specific regulations like ENS, DORA, NIS2, and PSD2.
- Information Security Training: Skills in risk management and security system auditing, with certifications like CISM, CISA, or CISSP.
- Management and Leadership Ability: Skills to coordinate security and internal audit teams, implementing policies and managing cybersecurity incidents.
- Communication and Diplomacy Skills: Ability to interact with regulators, communicate risks to management, and train staff in compliance and cybersecurity.
The ideal Compliance Officer should be an active link between regulations, the IT team, Security, and senior management, ensuring that the organization not only complies with regulatory requirements but also strengthens its cybersecurity posture against emerging risks. This role should not fall within the CIO’s responsibilities or report hierarchically to the CIO, as it would create a conflict by overseeing their own performance.
Conclusion
The European regulatory environment requires companies and the public sector to take a proactive stance on security and digital operations standards. With the ENS in Spain and regulations like DORA, NIS2, and PSD2 in the European Union, the Compliance Officer becomes an essential role for protecting the organization from penalties and ensuring compliance. Having an expert Compliance Officer allows companies to manage regulatory risks comprehensively and maintain compliance in an increasingly complex and demanding security context.