Understanding DORA, NIS2 and CER


The EU is fighting back against cybercrime and protecting critical infrastructure with some new legislation. The Digital Operational Resilience Act (DORA) and NIS2 (Network and Information Systems Directive 2) are both EU legislative instruments that aim to enhance the cybersecurity of EU networks and information systems. Along with DORA and NIS2, there is another legal instrument coming into effect to strengthen the critical infrastructure utilised by Member States called the CER Directive. This post will explain the different focuses and responsibilities of each.

What is NIS2?

NIS2 is an evolution of the original NIS Directive of 2016 (NIS1), which requires EU member states to take measures to improve the cybersecurity of network and information systems, establish national incident notification systems, and cooperate with other EU member states and EU institutions in the field of cybersecurity.

It also requires operators of essential services (such as energy, transport, health, and banking) and digital service providers (such as search engines and cloud services) to implement appropriate and proportional security measures and to notify serious incidents to the national authority. The directive aims to increase the level of cybersecurity in the EU and to ensure a common level of security for networks and information systems across the EU.

Cybersecurity Measures under NIS2:

At a minimum, entities must take appropriate measures such as:

  • Risk analysis and information systems security policies;
  • Incident handling;
  • Business continuity, such as backup management and disaster recovery;
  • Supply chain security;
  • Effective cybersecurity risk-management measures;
  • Basic cyber hygiene practices and cybersecurity training;
  • Policies and procedures regarding the use of cryptography & encryption;
  • Access control policies and asset management;
  • The use of authentication solutions.

By adhering to these measures outlined in the NIS2 Directive, operators of essential services can enhance their resilience and protect critical infrastructure and systems.

Timeline: EU member states will have to transpose NIS2 into their national legislation by October 17, 2024.

Download NIS2 Quick Reference Guide from the NCSC

Read our blog on how a 24/7 SOC can help with NIS2

What is DORA?

DORA addresses an important issue within EU financial regulation. Before DORA, financial institutions managed the main categories of operational risk mainly through the allocation of capital, but they did not manage all components of operational resilience. DORA will apply to a wide range of financial entities, including credit institutions, electronic money institutions, investment firms, insurance undertakings and reinsurance undertakings. DORA forms part of the NIS2 Directive but applies specifically to banking and financial market infrastructure organisations.

It introduces targeted rules on:

  • Information and Communication Technology (ICT) risk management
  • ICT-related incident management, classification and reporting
  • Digital operational resilience testing
  • Managing ICT third-party risk (including the introduction of an oversight framework for critical ICT third-party service providers)

Under DORA, these organisations must also follow rules on their capabilities to protect against, detect, contain, recover from and repair ICT-related incidents. DORA explicitly refers to ICT risk and sets rules on ICT risk management, incident reporting, operational resilience testing and ICT third-party risk monitoring. The Regulation acknowledges that ICT incidents and a lack of operational resilience can jeopardise the soundness of the entire financial system, even where there is “adequate” capital for the traditional risk categories.

Remember, the Digital Operational Resilience Act (DORA) is a Regulation, not a Directive, so it is binding in its entirety and directly applicable in all EU Member States.

Timeline: DORA applies from 16 January 2025.

Read our blog on working towards DORA

What is the CER Directive?

The Critical Entities Resilience Directive (CER) aims to reduce the vulnerabilities and strengthen the physical resilience of critical entities and replace the European Critical Infrastructure Directive of 2008. These are entities providing vital services on which the livelihoods of EU citizens and the proper functioning of the internal market depend. The new rules will strengthen the resilience of critical infrastructure to a range of threats, including natural hazards, terrorist attacks, insider threats, or sabotage. 11 sectors will be covered:

  • energy,
  • transport,
  • banking,
  • financial market infrastructures,
  • health,
  • drinking water,
  • wastewater,
  • digital infrastructure,
  • public administration,
  • space,
  • and food.

Member States will need to adopt a national strategy and carry out regular risk assessments to identify entities that are considered critical or vital for society and the economy.

As of January 2023, Member States have 21 months to transpose both the NIS2 and CER Directives into national law. During this time, Member States shall adopt and publish the measures necessary to comply with them.

How can your organisation prepare?

Only a pragmatic approach that addresses digital risks and gaps can help organisations keep on top of the new regulations and their likely impact. We have summarised a few key actions organisations must take to prepare for NIS2 and DORA:

  1. Know your organisation: understand and identify all of your critical processes, services and assets.
  2. Know your gaps: perform a gap assessment or risk assessment against DORA and NIS2 well in advance, so that you know where you stand.
  3. Map your gaps against your risk landscape: identify which gaps fall within the risks that have already been identified, and check for areas within the control framework that could become more problematic.
  4. Only invest in areas where you can see real value: supply chain risk, for example, is an area in which many organisations have significantly underinvested, and that may need to change.

How can CommSec help?

CommSec has experience with projects in the domain of ICT governance, risk and cybersecurity services such as incident response. We can help organisations with an ICT risk assessment/gap analysis and implementation of security controls.

Speak to one of our team – Get in touch