New NIS2 Directive in the European Union
The European Union has introduced the NIS2 Directive, which aims to strengthen the level of cybersecurity in the member states. These regulations, which will enter into force in October 2024, impose several requirements on selected entities from various sectors. In our article, you will learn what changes the NIS2 Directive introduces and how to prepare for its implementation.
What is the NIS2 Directive?
The NIS2 Directive (Network and Information Systems Directive 2) aims to raise the level of cybersecurity in the European Union. It concerns the protection of digital infrastructure and the improvement of risk management. The new regulations extend the provisions of the National Cybersecurity System Act, imposing additional obligations on key and important entities in the public and private sectors.
Implementation of NIS2
The NIS2 Directive was published on December 22, 2022, and will enter into force on October 18, 2024. After this date, the Ministry of Digital Affairs will publish a list of companies covered by NIS2, which will have six months to adapt to the new requirements.
Scope of the NIS2 Directive
The new regulations expand the definitions of key and important entities. They require that serious cybersecurity incidents be reported within 24 hours of detection and that a full report be submitted within 72 hours. The regulations also cover supply chain security and the implementation of risk management measures, such as:
• Risk management policy
• Incident handling
• Business continuity policy
• Cybersecurity training
• Cryptography and encryption
• Human resources security
• Multi-factor authentication
Preparing for NIS2 implementation
To prepare for NIS2 implementation, companies must conduct security audits, business continuity audits, and penetration tests, and verify both the human factor and their key service providers. It is also important to improve employees' cybersecurity skills through regular training.
Consequences of non-compliance with NIS2
Non-compliance with the NIS2 Directive is associated with serious consequences, including financial penalties. Key entities may be fined at least EUR 10 million or 2% of the company's total annual turnover, while important entities may be fined EUR 7 million or 1.4% of the company's annual turnover. The NIS2 Directive also introduces the personal liability of board members for failure to comply with the new requirements.
The impact of NIS2 on the national cybersecurity system
The NIS2 Directive introduces uniform protection standards throughout the European Union, which will increase the awareness of companies and employees about digital threats. The new regulations will force greater investment in cybersecurity, allowing for the creation of strong structures and systems throughout the European Union.
Adjustment to the NIS2 Directive is crucial for increasing the security of networks and IT systems and maintaining the continuity of companies' operations in the face of growing cyber threats.
DORA
The European Union, responding to the growing digitalization and the challenges associated with it, is introducing various legislative tools. One of them is the DORA Regulation (Digital Operational Resilience Act), which is of key importance for financial institutions operating in the EU. In this article, we will analyze the DORA Regulation, explain what exactly it is, what financial entities it covers, and what obligations it imposes.
The DORA Regulation – what is it?
The Digital Operational Resilience Act (DORA for short) is an EU legal act that tightens the requirements for the digital security of the financial sector, fintechs, and ICT providers operating in the EU. Its main goal is to strengthen the resilience of these institutions to threats related to cybersecurity and operational disruptions, such as hacker attacks, IT failures, or human errors.
What is “digital operational resilience”?
Digital operational resilience, according to the DORA Regulation, is the ability of financial institutions to maintain the continuity, reliability, and quality of services based on ICT technologies, both internally and in cooperation with external suppliers. This means that financial institutions must be prepared for various crises and disruptions that may affect the operation of their IT systems and networks.
Background of the creation of the EU DORA Act
The DORA regulation is part of the EU legislative package on digital finance, which aims to adapt the regulatory framework to the development of financial technologies and to unify digital security standards in the financial sector. The document is based on the work and recommendations of various European institutions, such as the European Central Bank, and is a common legal act for all financial entities.
Date of implementation of DORA provisions
Financial institutions must implement DORA provisions by 17 January 2025, which means that they should start preparing to comply with the requirements of this regulation now.
Which institutions must comply with DORA?
DORA covers a wide range of entities in the financial sector, including traditional financial institutions, fintech companies, ICT service providers, and many others. In total, the regulations will apply to over 22,000 financial institutions across the European Union.
DORA Regulation Content
DORA focuses on five key areas: ICT risk management, ICT incident management, digital operational resilience testing, risk management of cooperation with external providers, and exchange of information on cyber threats.
1. ICT risk management: Financial institutions must establish a comprehensive framework for managing information and communication technology risks, including the strategies, policies, protocols, and tools necessary to effectively protect the digital infrastructure.
2. ICT incidents: DORA regulates the ICT incident management process, requiring the reporting of serious incidents to the relevant authorities and the classification of events according to specific criteria.
3. Digital operational resilience testing: Institutions must test key IT systems and applications at least once a year, covering various aspects such as open source analysis, network security assessments, scenario testing, and penetration testing.
4. Third-party risk management in the ICT industry: DORA regulates cooperation with external ICT service providers, requiring vendor assessment, the development of an exit strategy and transition plan, and the identification of key IT service providers.
5. Information exchange arrangements: Financial institutions are required to share information on cyber threats and the results of analysis of these threats.
Penalties for non-compliance with DORA
In the event of a breach of DORA, supervisory authorities may impose financial penalties on institutions subject to the regulation. Penalties will be tailored to the type of breach and its impact on the institution and the financial sector. Serious breaches may result in penalties of up to 10% of the annual turnover of the organization.
Benefits of implementing DORA
Implementing DORA brings many benefits to financial organizations, including:
• Increased cybersecurity
• Reduced risk
• Ensuring compliance with the law
• Avoiding financial penalties
• Building reputation
The European Union on guard for cybersecurity
The DORA guidelines, alongside the NIS2 Directive and the Cyber Resilience Act, are another step by the European Union towards strengthening digital security. Compliance with regulations, implementation of appropriate protection measures, and effective management of ICT risk are key for companies and customers, who can count on greater reliability and security of services. Therefore, institutions covered by DORA should prepare for the new requirements now to avoid sanctions and increase their competitiveness and trust in the digital services market.