SOCRadar® Cyber Intelligence Inc. | NIS2 and DORA: What You Need to Know to Stay Compliant and Secure
Aug 01, 2024

NIS2 and DORA: What You Need to Know to Stay Compliant and Secure

Navigating regulatory compliance can be challenging, particularly for critical sectors in the EU. The NIS2 Directive (Network and Information Security Directive) and DORA (Digital Operational Resilience Act, a regulation) set the standards for cybersecurity and operational resilience. This guide covers what these instruments require, who they apply to, and how your organization can ensure compliance.

Understanding NIS2 and DORA

The NIS2 Directive: Strengthening Cybersecurity and Operational Resilience Across the EU

NIS2 focuses on improving cybersecurity capabilities across the EU, expanding the scope of the original NIS Directive to include more sectors and entities. It aims to enhance the cybersecurity of networks and information systems, covering critical and important sectors such as digital infrastructure, energy, and healthcare.

DORA: Ensuring Digital Operational Resilience in the Financial Sector

DORA is tailored specifically to the financial sector, ensuring that financial entities can withstand, respond to, and recover from ICT-related disruptions and threats. It mandates robust operational resilience and comprehensive incident reporting.

Sectors Covered by NIS2 and DORA

NIS2 Scope:

NIS2 covers a broader range of entities than its predecessor. The sectors are listed in two annexes: Annex I (sectors of high criticality) and Annex II (other critical sectors). Within those sectors, individual entities are classified as either “essential” or “important,” depending mainly on the annex they fall under and on their size.

Essential Sectors (Annex I, sectors of high criticality):

  • Energy, Transport, Banking, Financial Market Infrastructures, Health
  • Drinking Water, Waste Water, Digital Infrastructure, ICT Service Management (B2B)
  • Public Administration, Space

Important Sectors (Annex II, other critical sectors):

  • Postal and Courier Services, Waste Management
  • Chemicals, Food Production and Distribution, Research
  • Manufacturing of Medical Devices, Computers and Electronics, Electrical Equipment, Machinery, Motor Vehicles and Other Transport Equipment
  • Digital Providers (e.g., online marketplaces, online search engines, social networking platforms)

NIS2 applies to medium-sized and large organizations in these sectors, meaning entities with at least 50 employees or an annual turnover or balance sheet total above 10 million euros (the thresholds of Commission Recommendation 2003/361/EC). Size does not matter for some entities: providers of public electronic communications networks or services, trust service providers, and top-level domain name registries and DNS service providers are in scope regardless of size, as are entities a member state designates as the sole provider of a service essential to society or the economy. Cloud computing, data centre, online marketplace and search engine providers are covered under the normal size thresholds.

DORA Scope:

DORA applies to the financial entities listed in Article 2 of the regulation, which go well beyond banks, plus the ICT third-party providers that serve them.

Traditional Financial Entities:

  • Credit Institutions (banks), Investment Firms, Payment and E-money Institutions
  • Insurance and Reinsurance Undertakings, Trading Venues, Central Counterparties, Central Securities Depositories

Non-Traditional Financial Entities:

  • Crypto-asset Service Providers and Issuers of Asset-Referenced Tokens, Crowdfunding Service Providers

DORA also covers ICT third-party service providers supplying ICT services to financial entities, such as cloud service providers and data centres; those the ESAs designate as critical fall under a dedicated oversight framework. Credit rating agencies and data reporting service providers are not third parties here: they are themselves financial entities within DORA's scope.

Compliance Requirements

  • Risk Management: Effective risk management involves regular assessments, preventive measures, robust detection systems, and clear response protocols.
  • Supply Chain Security: Ensuring security throughout the supply chain is crucial, requiring oversight of suppliers and service providers.
  • BCDR & Emergency Communication: Business continuity and disaster recovery mechanisms are essential, along with secure emergency communication systems.
  • Training and Awareness: Routine cybersecurity education for employees reduces the risk of human error.
  • Anomaly Detection: Early identification of intrusions through anomaly detection systems is vital.
  • Secure Infrastructure: Incorporating security principles in network and information systems includes basic cyber hygiene practices and multi-factor authentication.
  • Testing: DORA requires financial entities to test their ICT systems at least yearly and, for entities designated by their competent authority, to run threat-led penetration testing (TLPT) at least every three years. NIS2 requires policies and procedures to assess the effectiveness of the risk-management measures, and supervisors can order independent audits.
  • Incident Response: Incident handling must support fast, staged reporting. Under NIS2 a significant incident requires an early warning within 24 hours of becoming aware of it, an incident notification within 72 hours, and a final report within one month. DORA applies comparable staged reporting (initial notification, intermediate report, final report) for major ICT-related incidents, with the deadlines set in the ESAs' technical standards.

Penalties for Non-Compliance

NIS2:

Entity - Penalty
Essential entities - Maximum administrative fines of at least €10 million or 2% of total worldwide annual turnover, whichever is higher (member states may set higher ceilings)
Important entities - Maximum administrative fines of at least €7 million or 1.4% of total worldwide annual turnover, whichever is higher
Individuals - The directive sets no fixed fine amounts for natural persons; specific personal sanctions come from national transposition law. It does make management bodies liable for approving and overseeing the measures, and lets authorities temporarily ban persons at CEO or legal-representative level of essential entities from managerial functions until compliance is restored

National authorities in each EU member state enforce NIS2. They can conduct audits and inspections, issue binding instructions, impose fines and, for essential entities, temporarily suspend a certification or authorisation. Management bodies must approve and oversee the cybersecurity risk-management measures and can be held liable for infringements.

  • Designated Entities and Timeframe: The NIS2 Directive entered into force on January 16, 2023. EU member states must transpose it into national law by October 17, 2024, and its obligations apply from October 18, 2024. It applies to the Annex I and Annex II sectors, including energy, transport, healthcare, and digital infrastructure.

DORA:

Entity - Penalty
Financial entities - DORA does not fix fine amounts; member states lay down administrative penalties and remedial measures in national law, which must be effective, proportionate and dissuasive, and competent authorities can order the entity to cease the infringing conduct
Critical ICT third-party service providers - The Lead Overseer can impose periodic penalty payments of up to 1% of the provider's average daily worldwide turnover in the preceding business year, charged for each day of non-compliance for up to six months, until the provider follows its recommendations

Enforcement against financial entities sits with the national competent authorities, the supervisors that already oversee them. The European Supervisory Authorities (EBA, EIOPA and ESMA) coordinate that supervision, draft the technical standards, and act as Lead Overseer for critical ICT third-party service providers, with supervisory and investigatory powers over them.

  • Designated Entities and Timeframe: DORA was published in the Official Journal of the EU on December 27, 2022, as Regulation (EU) 2022/2554, and entered into force on January 16, 2023. Its requirements apply from January 17, 2025; the ESAs used the interval to develop the regulatory and implementing technical standards that detail them.

Timeline and Deadlines

Both NIS2 and DORA entered into force on January 16, 2023. EU member states must transpose NIS2 into national law by October 17, 2024, and NIS2 obligations apply from October 18, 2024. DORA, as a regulation, applies directly without transposition from January 17, 2025.

Practical Steps to Compliance

  • Conduct a Compliance Audit: Assess current status against NIS2 and DORA requirements.
  • Develop a Compliance Roadmap: Outline steps needed to address gaps and achieve compliance.
  • Implement Security Measures: Strengthen risk management, supply chain security, and incident response protocols.
  • Regular Training: Ensure continuous education and awareness among employees.
  • Engage External Auditors: Conduct annual resilience tests and security audits.
  • Monitor and Update: Regularly review and update policies and procedures to stay compliant.

Conclusion

Compliance with NIS2 and DORA is both a regulatory requirement and a critical component of robust cybersecurity and operational resilience. By understanding the regulations, identifying the impacted sectors, and implementing the necessary measures, organizations can protect themselves and ensure continuity of essential services.

It’s critical to evaluate your current compliance status and take proactive steps to align with NIS2 and DORA. Consulting with legal and cybersecurity experts to ensure comprehensive adherence to these critical regulations is essential.