Skip to main content
Touch blog
Meeting NIS2 and DORA compliance with Touch Call Recording Service

Meeting NIS2 and DORA compliance with Touch Call Recording Service

NIS2 and DORA are two new EU-wide regulations that will affect millions of organisations based in, and offering services to, the EU bloc – and have a direct impact on call recording and compliance programmes. Are you ready?

NIS2 and DORA are two new EU-wide regulations that will affect millions of organisations based in, and offering services to, the EU bloc. Touch can ensure that you’re ready.

The European Union’s (EU) Network and Information Systems (NIS2) Directive is an amended version of the original directive that is due to take effect on 16 January 2023. NIS2 is being introduced to enhance the resilience of private and public organisations in the EU and to better protect against supply chain vulnerabilities, ransomware attacks, and other cyber threats[1]. The deadline for implementation across all EU member states is October 2024.

NIS2 – “Critical” and “Important” entities

NIS2 identifies organisations as being “critical entities” or “important entities”. An attack or data leakage concerning a critical entity could lead to serious consequences for the economy and society. They include utility providers, telecoms operators and more – but the category also extend to financial markets. Such entities are subject to stringent rules.

Importantly, the addition of digital infrastructure and services companies means that even organisations that don’t physically reside in the EU are also affected if they provide services – such as financial and cloud services, social media networks, search engines, and so on – to EU countries.

NIS2 also sets out a framework for creating stronger, more consistent security requirements throughout the EU – in the original NIS directive some of these requirements were left to the interpretation of member states, which led to vulnerabilities. NIS2 eliminates that flexibility.

For both sets of entities, Article 21 of NIS2 clearly sets out how organisations must manage risk through the implementation of robust systems and best practices using a range of measures, including risk handling, information system security, incident handling and reporting, business continuity, encryption technologies, zero-trust access, and so on.

Under NIS2, critical entities also have stricter obligations to report incidents, and must now make an initial report (to the authorities of individual States, as well as a newly formed European cybersecurity management framework) of any significant security incident within 24 hours of detection. Organisations must also deliver an initial assessment of the incident within 72 hours of detection and file a detailed final report within a month of detection.

For non-compliance, Member States can apply fines of up to €10 million or 2% of annual revenue. In addition, critical entity management bodies (i.e., C-level executives) can be held personally liable for failure to meet their obligations.

Are you ready for the EU Digital Operational Resilience Act (DORA)?

As if that wasn’t enough to contend with for European companies, the EU will also enact the Digital Operational Resilience Act (DORA), a regulation that creates a comprehensive ICT risk management framework for the EU financial sector. DORA outlines technical standards that financial entities and their critical third-party technology service providers must implement by 17 January 2025.

DORA has two main objectives: to address ICT risk management in the financial services sector and harmonise ICT risk management regulations that already exist in individual EU member states.  By harmonising rules, DORA aims to close vulnerability gaps that could arise from different implementations of existing rules across individual states – i.e., every financial services firm throughout the EU will be held accountable to the same standards.

Notably, DORA also includes third-party suppliers of ICT systems, services, and data – such as cloud service and data centre providers, credit ratings services, and data analytics providers.

The DORA framework establishes a number of requirements:

  • ICT risk management and governance. Board members and executives are responsible for defining and executing risk management strategies, and will be held personally accountable for an entity's failure to comply. Firms must also establish business continuity and disaster recovery plans.
  • Incident response and reporting. Entities will be required to file three different kinds of reports for critical incidents: an initial report notifying authorities, an intermediate report on progress toward resolving the incident, and a final report analysing the root causes of the incident. 
  • Digital operational resilience testing. Entities must test their ICT systems regularly to evaluate the strength of their protections and identify vulnerabilities.
  • Third-party risk management. Financial firms are expected to take an active role in managing ICT third-party risk.

Again, the consequences of non-compliance are significant. Financial services organisations that do not meet DORA requirements may face fines up to €10 million 5% of their total annual turnover. In addition, third-party ICT service providers designated as "critical" by the European Supervisory Authorities (ESAs) may face fines of up to €5million, in the case of an individual, a maximum fine of €500,000 for non-compliance with the Act's requirements. The ESAs have the authority to impose these fines.

A heavy compliance burden – let Touch handle it on your behalf

Both NIS2 and DORA add to an already heavy compliance burden, as they will run concurrently alongside existing regulations such as MiFID II (for financial services institutions) and the General Data Protection Regulation (GDPR), which affects any organisation processing or storing personal data.

The two new regulations mean that organisations have a requirement to comply, not just for legal and financial reasons, but also for data security by ensuring, in the case of DORA, the safeguarding of sensitive financial data and its confidentiality and integrity. Both NIS2 and DORA are aligned with personal data and privacy regulations such as GDPR.

Reputational damage can also be caused by non-compliance, while conversely compliance enhances reputation, and fosters trust among customers and partners. Business continuity is another requirement, and specifically laid out in NIS2.

Touch Call Recording Service is a fully managed service that resides in the network – and so requires no resource-heavy and risky software or hardware deployments on your premises. Touch provides all the components necessary – from hardware to software, as a managed service. We ensure that, through our on-going technological and regulatory roadmap, compliance with all existing and new regulations is assured by us. It takes the headache away from you.

Table 1 shows our target response and support request resolution times. Notably, our Recovery Time Objective (RTO) – the duration of time and service level within which a business process must be restored after a disaster – is just one hour.

Table 1. Touch target response and support request resolution times.


Category 1 - Disaster

Category 2 - Critical errors

Category 3 - Major errors

Category 4 - Minor errors or support requests

Response time

1 hour

4 hours

1 days

5 days

Intermediate Solution time

Uninterrupted correction

Maximum 2 days

Maximum 1 week

Maximum 4 weeks

Permanent Solution time

Maximum 1 weeks

Maximum 1 weeks

Maximum 2 weeks

Maximum 10 weeks

All call recordings are immediately available in the Touch Web-Portal on completion of a call or digital communications. All recordings are encrypted, mirrored, and stored with geographical redundancy with a production site and a geographically separated disaster recovery site.

This enables our business continuity plan (BCP)/ disaster recovery plan (DRP) to ensure that our customer’s operations are not affected, and that data is secure and available at all times.

Touch applies high standards to its own service performance obligations

Our own DRP outlines a documented, structured approach with instructions for responding to unplanned incidents. Touch has procedures for incident management that aim to restore normal ICT operation as soon as possible should any incident occur.

It also goes further, by identifying the cause of the incident, preventing recurrence, and ensuring a formal approach to the handling of any incident. Incidents are documented, which can be used, for example, to report NIS2- and DORA- related events to the relevant authorities – an important aspect of compliance.

From our side, it means that we can fulfil our contractual as well as our service-oriented obligations in terms of KPIs for our customers. And, support our objective – to deliver the best customer service possible to your business.

Access to recordings from the Touch Web-Portal is subject to access and permission rights. That means that access is only available to those with permissions rights and, because every query (type of query and search parameters) is logged in the database together with the specific session ID that refers to an individual web user’s account, it provides complete accountability and transparency.

Third-party risk assessments on regular basis are a part of the operational excellence of the service. For example, our data centres are managed under ISO27001 certified control, and third-party security assessment and penetration tests are performed annually.

Put simply, Touch applies its own stringent requirements to its own services, assuring our customers that they too can expect the very best performance and threat monitoring capabilities. We have decades of helping financial services firms to meet MiFID and MiFID II rules, as well as ensuring compliance for our customers with all relevant obligations, including GDPR, Dodd-Frank, The Personal Data Protection Act (Singapore), and many more.

We monitor the regulatory landscape on your behalf and apply updates to our Call Recording Service before new rules are implemented – it means that with Touch you can rest assure that your organisation meets all existing and new compliance obligations. To find out more, contact us today.


Explore touch call recording

Touch call recording

Why Microsoft Teams recording requires an integrated approach to ensure compliance

MS Teams is one of the most popular collaboration apps available today. But, despite having its own policy-based call recording capability, it does not meet compliance requirements, unlike Touch Call Recording Service.

Speech Analytics to enable continuous customer experience quality monitoring and assurance with Touch QMS

AI-driven Speech Analytics is a fast-growing tool for continuous customer experience quality monitoring and assurance, and can help to optimise the customer experience and, ultimately, to increase customer satisfaction.

Sign up today with touch call recording service

Get started with Touch Call Recording Service

Start recording in minutes, not months. Need something specific? Get in touch.

Touch is

Touch Call Recording was recently awarded 'eco-lighthouse' certification, Norway's most widely used certification scheme for enterprises seeking to document their environmental efforts and demonstrate social responsibility.
Eco-lighthouse logo