The EU is fighting back against cybercrime and protecting critical infrastructure with some new legislation. The Digital Operational Resilience Act (DORA) and NIS2 (Network and Information Systems Directive 2) are both EU legislative instruments that aim to enhance the cybersecurity of EU networks and information systems. Along with DORA and NIS2, there is another legal instrument coming into effect to strengthen the critical infrastructure utilised by Member States called the CER Directive. The post will explain the different focuses and responsibilities of each.
What is DORA?
Dora addresses an important issue within EU financial regulation. Before DORA, financial institutions managed the main categories of operational risk mainly with the allocation of capital, but they did not manage all components of operational resilience. DORA will apply to a wide range of financial entities, including credit institutions, electronic money institutions, investment firms, insurance undertakings and re-insurance undertakings. After DORA, they must also follow rules for the protection, detection, containment, recovery and repair capabilities against ICT-related incidents. DORA explicitly refers to ICT risk and sets rules on ICT risk management, incident reporting, operational resilience testing and ICT third-party risk monitoring. This Regulation acknowledges that ICT incidents and a lack of operational resilience have the possibility to jeopardise the soundness of the entire financial system, even if there is “adequate” capital for the traditional risk categories. Remember, the Digital Operational Resilience Act (DORA) is a Regulation, not a Directive, so it is binding in its entirety and directly applicable in all EU Member States.
Full name: The full name is “Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance)”.
Deadline: It shall apply from 17 January 2025.
What is NIS2?
NIS2 is an evolution of the NIS directive (2016) that requires EU member states to take measures to improve the cybersecurity of network and information systems, to establish national incident notification systems, and cooperate with other EU member states and EU institutions in the field of cybersecurity. It also requires operators of essential services (such as energy, transport, health, and banking) and digital service providers (such as search engines and cloud services) to implement appropriate and proportional security measures and to notify serious incidents to the national authority. The directive aims to increase the level of cybersecurity in the EU and to ensure a common level of security for networks and information systems across the EU.
What is the CER Directive?
The Critical Entities Resilience Directive (CER) aims to reduce the vulnerabilities and strengthen the physical resilience of critical entities and replaces the European Critical Infrastructure Directive of 2008. These are entities providing vital services on which the livelihoods of EU citizens and the proper functioning of the internal market depend. The new rules will strengthen the resilience of critical infrastructure to a range of threats, including natural hazards, terrorist attacks, insider threats, or sabotage. 11 sectors will be covered:
- energy,
- transport,
- banking,
- financial market infrastructures,
- health,
- drinking water,
- wastewater,
- digital infrastructure,
- public administration,
- space,
- and food.
Member States will need to adopt a national strategy and carry out regular risk assessments to identify entities that are considered critical or vital for society and the economy.
As of January 2023, Member States have 21 months to transpose both the NIS2 and CER Directives into national law. During this time, Member States shall adopt and publish the measures necessary to comply with them.
How your organisation can prepare for DORA and NIS2
Only a pragmatic approach that addresses digital risks and gaps can help organisations keep on top of the new regulations and their likely impact. We have summarised a few key actions organisations must take to prepare for NIS2 and DORA:
- Know your organisation: organisations should understand and identify all their critical processes, services and assets.
- Know your gaps: organisations should perform a gap assessment on DORA and NIS2 well in advance to know where they stand.
- Map your gaps against your risk landscape: identify the gaps that come up within the risks that have already been identified. Check for areas within the control framework that could grow more problematic.
- Only invest in areas where you can see real value: supply chain risk, for example, is an area that many organisations have significantly underinvested in — that may need to change.
- When you make investments, consider NIS2 and DORA together: take up actions that address changes from the act and the directive, achieving seamless compliance.
- Once DORA and NIS2 are finalised, perform another gap assessment: the assessment document can be shared with the regulator (if they ask), or with the company board (if questions arise).
How CommSec can help
CommSec has experience with projects in the domain of supply chain security and we can help organisations with sensible and cost-effective solutions to achieve compliance.