How NIS2 and DORA seek to strengthen cybersecurity for enterprises in the EU
Digitalization and technological advances have increased the exposure of information and communications technology (ICT) systems to cyberthreats across industries, particularly in the financial sector. These threats can have serious consequences, including the loss of sensitive financial data, operational disruption, and financial instability.
In response, the European Union is seeking to:
- 1. bolster the stability and security of the wider European economy,
- 2. enhance the protection of consumers' financial data, and
- 3. mitigate critical cyber-risks.
Today, I’ll provide a broad introduction to two key pieces of legislation that aim to further these goals by enhancing operational resilience to cyberattacks across the financial system and key economic sectors: DORA and NIS2.
#1: What are NIS2 and DORA?
NIS2, the second Network and Information Security Directive (Directive (EU) 2022/2555), applies across industry verticals in the European Union. Its purpose is to raise the common level of network and information security in critical sectors across EU member states. It was adopted by the European Parliament and the Council in late 2022; as a directive, it takes effect through national law, with a transposition deadline of 17 October 2024 for member states.
NIS2 is the successor to the original NIS directive of 2016. It amends that directive and expands both the number of covered sectors and the number of entities in scope. The list of sectors is broad and includes, among others:
- energy (for example, electricity, oil, and gas production)
- transport via air, water, and roads
- digital infrastructure providers such as cloud computing service providers
Not all companies in these sectors are included; it depends on the size of the company and the criticality of the sector. As a rule, medium and large enterprises are in scope, meaning those with at least 50 employees or more than EUR 10 million in annual turnover or balance sheet total. In certain cases an entity is in scope irrespective of its size, for example some digital infrastructure providers (such as DNS service providers and top-level domain name registries) and an entity that is the sole provider in a member state of a service essential to society or the economy.
DORA, the Digital Operational Resilience Act (Regulation (EU) 2022/2554), applies specifically to financial services. Its main goal is to establish uniform requirements for the digital operational resilience of all financial entities in the European Union, and to extend those requirements to the entities' ICT third-party service providers, including cloud service providers. DORA has also been adopted by the European Parliament and the Council and, as a regulation, applies directly in all member states from 17 January 2025.
DORA builds on earlier supervisory guidance from the European Banking Authority (EBA), one of Europe's financial sector regulators. The EBA's guidelines on outsourcing arrangements, issued in 2019, set out the conditions banks must meet when they outsource services or infrastructure to other companies, and its guidelines on ICT and security risk management cover adjacent ground. DORA essentially lifts these supervisory expectations into directly applicable EU law.
#2: Why is the EU enacting DORA and NIS2 now?
The European Union wants to make sure that cybersecurity is tightly controlled across all critical sectors in member states.
NIS2, and DORA in the financial services sector in particular, are the European Union's response to the growing number of attacks against critical-sector entities, especially in the electricity, oil, and gas sectors. The European Union wants to make sure that its industry is sufficiently resilient against cyberattacks, which are increasingly carried out by organized criminals, terrorists, and state actors.
Neither NIS2 nor DORA prescribes specific technical controls. Both define the governance framework that covered entities, such as banks or utility providers, must put in place: the risk management domains that must be addressed, the roles that must own them, and the reporting that must happen.
These frameworks operate at the level of governance and cyber-resilience. NIS2, for example, requires policies on the use of cryptography and, where appropriate, encryption and multi-factor authentication, but it does not mandate a particular algorithm, product, or configuration. The obligation is to have a functioning management framework, not to implement a prescribed set of information systems security controls.
#3: What is the scope of DORA and NIS2?
The content of NIS2 and DORA is quite broad. For example, NIS2 focuses on four topics:
- 1. The first one is related to management liability for cybersecurity. It defines the responsibilities that the board of directors or the executive management of a company has in the area of cybersecurity, including the obligation to approve and oversee the risk management measures and to undergo training. NIS2 also defines specific cybersecurity and risk management practices that companies must address, such as risk analysis, incident detection and handling, and business continuity (for example, what happens in the event of an incident).
- 2. Supply chain security is very important, and refers to the security of not just the company itself, but its entire supply chain from suppliers, suppliers of their suppliers, and so on. Companies that are covered by the NIS2 directive have to audit their suppliers, and their entire supply chain from a security perspective.
- 3. There are also requirements around defining policies and procedures to audit the effectiveness of cybersecurity controls that companies have in place.
- 4. And finally, there are requirements in NIS2 about incident reporting. Whenever a company regulated under NIS2 is confronted with a significant cybersecurity incident, it has specific reporting obligations to the national CSIRT or competent authority designated by its member state: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report within one month. Financial entities report under DORA instead, which takes precedence over NIS2 for that sector, so their reporting goes to the financial regulator (for example, the national bank or financial supervisory authority).
#4: What does the regulatory impact of DORA and NIS2 look like for enterprises?
Larger enterprises in particular will need to pay even more attention to cybersecurity governance, making sure they have the right policies and procedures in place to define how they address cybersecurity risks. Enterprises must clearly define security responsibilities within the company, and they must audit their supply chain.
Enterprises can have hundreds or even thousands of suppliers; a large chunk of these suppliers will probably need to be reviewed from a security perspective.
Enterprises may already be doing some of this, but now it becomes mandatory; both NIS2 and DORA provide for sanctions in case of non-compliance. Under NIS2, fines for essential entities can go up to EUR 10 million or 2% of worldwide annual turnover, whichever is higher (for important entities, up to EUR 7 million or 1.4%). DORA does not set a single EU-wide fine for financial entities; it leaves administrative penalties to member states, which specify them in national law. The one exception is critical ICT third-party service providers, for which the EU-level overseer can impose periodic penalty payments of up to 1% of average daily worldwide turnover.
As far as administering penalties goes, national competent authorities do the enforcement, working closely with the European Supervisory Authorities (the EBA, ESMA, and EIOPA). The ESAs coordinate supervisory practice across member states and act as Lead Overseers for critical ICT third-party service providers, while national banking regulators (for instance, Banque de France or the National Bank of Belgium) supervise the financial entities themselves.
#5: How will the enterprise partner/supplier ecosystem be impacted?
Critical suppliers of banks will feel the effects of DORA. If your company is designated a critical ICT third-party service provider, it falls under direct oversight by the European Supervisory Authorities. But even if your company is not designated critical, it will most likely still be subject to DORA indirectly: the contractual terms that DORA requires financial institutions to impose on their ICT providers (around audit and access rights, incident notification, subcontracting, and exit strategies, among others) ripple down to most of the suppliers of financial institutions.
It is important to mention that companies that supply European banks but are not based in EU member states will also feel DORA's reach. If you are, for instance, a North American technology provider serving European banks, your contracts with those banks must reflect the DORA requirements, and a provider designated as critical must establish a subsidiary in the European Union in order to remain eligible for oversight. As long as the customer is a financial entity in the European Union, the DORA requirements follow the contract.
Because there is no such thing as a DORA certification, every supplier will have to go through contractual negotiations with every banking customer, and every bank will impose its own version of the requirements. After a while suppliers will be familiar with the precise regulatory requirements, but they still have to demonstrate compliance contract by contract, in every new agreement with a European bank.
While NIS2 and DORA impose compliance requirements, they also codify a set of cybersecurity governance assessments and practices that are integral to operational preparedness and security risk management in today's landscape of threats, attacks, and cyber-incidents.
What’s more, they also further a larger goal of bringing integrity back to the internet, so that digitization and technological advancements can continue to benefit enterprise organizations.
Contact us now to learn how we can help you secure your most important client-facing interactions and business processes.