By Anastasios Arampatzis and Eleftherios Chelioudakis

Over the past years, the number of digital policy initiatives at the EU level has expanded. Many legislative proposals covering Information and Communication Technologies (ICT) and influencing the rights and freedoms of people in the EU have been adopted, while others remain under negotiations. Most of these legislative acts are crucial, dealing with a wide range of complex topics, such as AI, data governance, privacy and freedom of expression online, access to digital data by law enforcement authorities, e-health, and cybersecurity.

Civil society actors often need help to follow EU policy initiatives, while businesses face severe challenges in understanding the complex legal language of the legislative requirements. This article aims to raise awareness about two recently adopted pieces of EU cybersecurity legislation, namely the Digital Operational Resilience Act (DORA) and the revised version of the Network and Information Security Directive (NIS2).

NIS2

NIS2 is the much-needed response to the expanding threat landscape facing critical European infrastructure.

The original version of the Directive introduced several obligations for national supervision of operators of essential services (OES) and critical digital service providers (DSP). For example, EU Member States must supervise the cybersecurity level of operators in critical sectors, such as energy, transport, water, healthcare, digital infrastructure, banking, and financial market infrastructures. Moreover, Member States must supervise critical digital service providers, including online marketplaces, cloud computing services, and search engines.

For this reason, the EU Member States are to establish competent national authorities in charge of these supervisory tasks. In addition, NIS introduced channels for cross-border cooperation and information sharing between the EU Member States.

However, the digitalization of services and the rising number of cyberattacks throughout the EU led the European Commission in 2020 to propose a revised version of the NIS, namely NIS2. The new Directive entered into force on 16 January 2023, and the Member States now have 21 months, until 17 October 2024, to transpose its measures into national law.

The new Directive has broadened the scope of the NIS to strengthen the security requirements imposed in EU Member States, streamline reporting obligations, and introduce more robust supervisory measures and stricter enforcement requirements, such as harmonized sanctions regimes across EU Member States.

NIS2 introduces the following aspects:

  • Expanded applicability: NIS2 increases the number of sectors covered by its provisions, including postal services, car manufacturers, social media platforms, waste management, chemical production, and agri-food. The new rules classify the entities into ‘Essential entities’ and ‘Important entities’ and apply to subcontractors and service providers operating within the covered sectors.
  • Increased readiness for global cyber threats: NIS2 seeks to enhance collective situational awareness among essential entities to identify and communicate related threats before they expand across Member States. For example, the EU-CyCLONe network will assist in coordinating and managing large-scale incidents, while a voluntary peer-learning mechanism will be established to support awareness.
  • Streamlined resilience standards with stricter penalties: Unlike NIS, NIS2 provides for high penalties and robust security measures. For example, infringements by essential entities shall be subject to administrative fines of a maximum of at least €10 million or 2% of their total global annual turnover, while important entities shall be fined a maximum of at least €7 million or 1.4% of their total global annual turnover.
  • Streamlined reporting processes: NIS2 streamlines the reporting obligations to avoid causing over-reporting and creating an excessive burden on the entities covered.
  • Expanded territorial scope: According to the new rules, specific categories of entities not established in the European Union but offering services within it will be obliged to designate a representative in the EU.

DORA

The Digital Operational Resilience Act (DORA) addresses a fundamental problem in the EU financial ecosystem: how the sector can stay resilient during severe operational disruption. Before DORA, financial institutions used capital allocation to manage the significant operational risk categories. In the evolving threat landscape, however, they need to address cybersecurity resilience more directly and integrate it into their broader operational frameworks.

The European Council press release provides a comprehensive statement of the purpose of the Digital Operational Resilience Act:

“DORA sets uniform requirements for the security of network and information systems of companies and organizations operating in the financial sector as well as critical third parties which provide ICT (Information Communication Technologies)-related services to them, such as cloud platforms or data analytics services.”

In other words, DORA creates a homogeneous regulatory framework on digital operational resilience to ensure that all financial entities can prevent and mitigate cyber threats.

Per Article 2 of the Regulation, DORA applies to financial entities, including banks, insurance companies, investment firms, and crypto-asset service providers. The Regulation also covers critical third parties offering financial companies IT and cybersecurity services.

Because DORA is a Regulation and not a Directive, it is enforceable and directly applicable in all EU Member States from its application date. DORA supplements the NIS2 directive and addresses possible overlaps as “lex specialis”.

DORA compliance is broken down into five pillars covering diverse IT and cybersecurity facets, giving financial firms a thorough foundation for digital resilience.

  • ICT risk management: Internal governance and control processes ensure the effective and sensible management of ICT risk.
  • ICT-related incident management, classification, and reporting: Detect, manage, and report ICT-related incidents by defining, establishing, and implementing a cybersecurity incident response and management process.
  • Digital operational resilience testing: Evaluate readiness for managing cybersecurity incidents, spot flaws, shortcomings, and gaps in digital operational resilience, and swiftly put corrective measures in place.
  • Managing ICT third-party risk: This is an integral component of cybersecurity risk within the ICT risk management framework.
  • Information sharing: Exchange cyber threat information and intelligence, including indicators of compromise, tactics, techniques, and procedures (TTP), and cybersecurity alerts, to enhance the resilience of financial entities.

According to Article 64, the Regulation entered into force on 17 January 2023 and “shall apply from 17 January 2025.” It is also important to note that Article 58 specifies that by 17 January 2026, the European Commission shall review “the appropriateness of strengthened requirements for statutory auditors and audit firms as regards digital operational resilience.”

Four steps to compliance today

Although the deadlines are further down the line, affected organizations do not have to sit and wait. Time (and money) is precious when preparing to achieve compliance with the NIS2 and DORA requirements. Organizations must assess and identify actions they can take to prepare for the new rules.

The following recommendations are a good starting point:

  • Governance and risk management: Understand the new requirements and evaluate the current governance and risk management processes. Additionally, consider increasing funding for programs that help detect threats and incidents and strengthening enterprise-wide cybersecurity awareness training initiatives.
  • Incident reporting: Evaluate the maturity of incident management and reporting to understand current state capabilities and gauge awareness of the various cybersecurity incident reporting standards relevant to your industry. You should also check your ability to recognize near-miss situations.
  • Resilience testing: Identify the skills needed to design and carry out resilience testing, including board member training sessions on the techniques used and their implications for remediation.
  • Third-party risk management: To assist in creating a risk containment plan, concentrate on enhancing contract mapping and assessing third-party vulnerabilities. Recognize the services that are essential for hosting fundamental business processes. Check to see if a fault-tolerant architecture has been implemented to lessen the impact of critical provider disruption.

This article was prepared as part of the project “Increasing Civic Engagement in the Digital Agenda — ICEDA” with the support of the European Union and South East Europe (SEE) Digital Rights Network. The content of this article in no way reflects the views of the European Union or the SEE Digital Rights Network.
