Understanding DORA, NIS2 and CER


The EU is fighting back against cybercrime and protecting critical infrastructure with some new legislation. The Digital Operational Resilience Act (DORA) and NIS2 (Network and Information Systems Directive 2) are both EU legislative instruments that aim to enhance the cybersecurity of EU networks and information systems. Along with DORA and NIS2, there is another legal instrument coming into effect to strengthen the critical infrastructure utilised by Member States called the CER Directive. This post will explain the different focuses and responsibilities of each.

What is DORA?

DORA addresses an important issue within EU financial regulation. Before DORA, financial institutions managed the main categories of operational risk mainly with the allocation of capital, but they did not manage all components of operational resilience. DORA will apply to a wide range of financial entities, including credit institutions, electronic money institutions, investment firms, insurance undertakings and re-insurance undertakings.

It introduces targeted rules on:

  • Information and Communication Technology (ICT) risk management
  • ICT-related incident management, classification and reporting
  • Digital operational resilience testing
  • Managing of ICT third-party risk (including the introduction of an oversight framework for critical ICT third-party service providers)

Under DORA, these organisations must also follow rules covering protection, detection, containment, recovery and repair capabilities against ICT-related incidents. DORA explicitly refers to ICT risk and sets rules on ICT risk management, incident reporting, operational resilience testing and ICT third-party risk monitoring. The Regulation acknowledges that ICT incidents and a lack of operational resilience can jeopardise the soundness of the entire financial system, even where there is “adequate” capital for the traditional risk categories.

Remember, the Digital Operational Resilience Act (DORA) is a Regulation, not a Directive, so it is binding in its entirety and directly applicable in all EU Member States.

Full name: The full name is “Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance)”.

Timeline: It applies from 16 January 2025.

What is NIS2?

NIS2 is an evolution of the NIS directive (2016) that requires EU member states to take measures to improve the cybersecurity of network and information systems, to establish national incident notification systems, and cooperate with other EU member states and EU institutions in the field of cybersecurity.

It also requires operators of essential services (such as energy, transport, health, and banking) and digital service providers (such as search engines and cloud services) to implement appropriate and proportional security measures and to notify serious incidents to the national authority. The directive aims to increase the level of cybersecurity in the EU and to ensure a common level of security for networks and information systems across the EU.

Based on the maturity of the company and the current market conditions, the following areas should be prioritised to safeguard critical infrastructure and ensure compliance with the NIS Directive:

  1. Training and Awareness: Enhance the knowledge and understanding of cybersecurity among your employees to promote a security-conscious culture within the organisation.
  2. Streamlining Incident Reporting: Implement efficient processes for reporting and handling security incidents, including prevention, detection, and response measures.
  3. Improving Overall Security Posture: Focus on enhancing the overall security posture of your company by implementing appropriate security controls, technologies, and best practices.
  4. Funding Cybersecurity: Allocate sufficient resources and funding to support robust cybersecurity measures and ensure the protection of critical assets and systems.

By addressing these focus areas, a company will achieve an elevated cybersecurity posture. We believe that as governments and regulators impose stricter controls, there is a growing impetus for companies to pursue their security objectives.

The NIS2 Directive includes the following cybersecurity measures for such operators:

  • Conducting risk analysis and establishing information system security policies.
  • Implementing comprehensive incident handling procedures, encompassing prevention, detection, and response to security incidents.
  • Developing business continuity and crisis management plans to ensure uninterrupted operations during adverse events.
  • Ensuring supply chain security by implementing measures to mitigate risks associated with third-party vendors and partners.
  • Strengthening security in network and information systems through appropriate safeguards and controls.
  • Establishing policies and procedures for managing cybersecurity risks effectively.
  • Utilizing cryptography and encryption technologies to safeguard sensitive information.

By adhering to these measures outlined in the NIS2 Directive, operators of essential services can enhance their resilience and protect critical infrastructure and systems.

What is the CER Directive?

The Critical Entities Resilience Directive (CER) aims to reduce the vulnerabilities and strengthen the physical resilience of critical entities and replaces the European Critical Infrastructure Directive of 2008. These are entities providing vital services on which the livelihoods of EU citizens and the proper functioning of the internal market depend. The new rules will strengthen the resilience of critical infrastructure to a range of threats, including natural hazards, terrorist attacks, insider threats, or sabotage. 11 sectors will be covered:

  • energy,
  • transport,
  • banking,
  • financial market infrastructures,
  • health,
  • drinking water,
  • wastewater,
  • digital infrastructure,
  • public administration,
  • space,
  • and food.

Member States will need to adopt a national strategy and carry out regular risk assessments to identify entities that are considered critical or vital for society and the economy.

As of January 2023, Member States have 21 months to transpose both the NIS2 and CER Directives into national law. During this time, Member States shall adopt and publish the measures necessary to comply with them.

How can your organisation prepare?

Only a pragmatic approach that addresses digital risks and gaps can help organisations keep on top of the new regulations and their likely impact. We have summarised a few key actions organisations must take to prepare for NIS2 and DORA:

  • Know your organisation: organisations should understand and identify all their critical processes, services and assets.
  • Know your gaps: organisations should perform a gap assessment on DORA and NIS2 well in advance to know where they stand.
  • Map your gaps against your risk landscape: identify the gaps that come up within the risks that have already been identified. Check for areas within the control framework that could grow more problematic.
  • Only invest in areas where you can see real value: supply chain risk, for example, is an area that many organisations have significantly underinvested in — that may need to change.
  • When you make investments, consider NIS2 and DORA together: take up actions that address changes from the act and the directive, achieving seamless compliance.
  • Once DORA and NIS2 are finalised, perform another gap assessment: the assessment document can be shared with the regulator (if they ask), or with the company board (if questions arise).

How can CommSec help?

CommSec has experience with projects in the domain of ICT governance, risk and cybersecurity services such as incident response. We can help organisations with an ICT risk assessment, gap analysis and implementation of security controls.

Click here to contact us for a consultation.