Summary
This article explains two pieces of European Union legislation, the Digital Operational Resilience Act (DORA) and the NIS 2 Directive. DORA focuses on enhancing the digital resilience of financial entities, mandating robust risk management, system testing, and third-party monitoring to prevent ICT-related disruptions. The updated NIS, NIS 2 (EU, nis-2-directive.com, 2024), expands its scope to cover more sectors, introduces a classification system for entities, and enforces stricter security requirements and incident reporting, aiming to protect critical infrastructures across the EU. Together, NIS 2 and DORA reinforce the EU’s commitment to safeguarding essential services and financial stability.
Introduction
With the increasing frequency and complexity of cyber-attacks targeting European Union (EU) member states and their organisations, the EU has taken significant steps to strengthen the resilience and security of its members’ digital landscape. To that end, the EU has adopted two important instruments, the Digital Operational Resilience Act (DORA) and the updated Network and Information Security Directive 2 (NIS 2). This article explores the main aspects of DORA and NIS 2, highlighting their impact on the EU’s cybersecurity strategy and the obligations they impose on organisations, not only within the member states but also beyond their borders.
What is DORA?
The Digital Operational Resilience Act (DORA) (EU, digital-operational-resilience-act, 2024) is a European Union regulation designed to strengthen the digital resilience of financial entities operating in the EU. It applies to financial companies in the EU and extends to organisations that provide services to these companies. This regulation focuses on ensuring business continuity and operational resilience, recognising the importance of maintaining the stability of the financial sector in a digital world. Through the implementation of frameworks, DORA (EU, digital-operational-resilience-act, 2024) aims to protect financial organisations from disruptions related to ICT (Information and Communication Technology), including cyber-attacks, system failures and other operational risks.
Although all EU member states are subject to DORA (EU, digital-operational-resilience-act, 2024), the responsibility for carrying out audits and supervising compliance lies with the national authorities in each country. This decentralised control allows for supervision tailored to the specific characteristics of each member state’s financial landscape.
At the centre of DORA (EU, digital-operational-resilience-act, 2024) are several fundamental pillars. Risk management requires financial organisations to implement and regularly audit comprehensive ICT risk management plans. These plans include the identification of critical functions and assets, continuous monitoring of ICT risks, incident detection and response procedures, and robust business continuity policies to ensure smooth operation during disruptions.
Incident response and reporting is another critical aspect. Entities should establish processes to systematically identify, record, classify and categorise all ICT incidents. They must submit detailed incident reports and use standardised templates for timely reporting, as developed by the European Supervisory Authorities (ESAs).
Digital operational resilience testing requires organisations to carry out rigorous testing of critical ICT systems on an annual basis, with advanced testing carried out every three years to assess preparedness for severe scenarios.
DORA (EU, digital-operational-resilience-act, 2024) also emphasises third-party risk management in ICT, requiring the continuous monitoring of risks associated with third-party dependencies and the maintenance of detailed records of all contractual agreements. Critical third-party suppliers are subject to supervision by European supervisory authorities.
Finally, DORA (EU, digital-operational-resilience-act, 2024) encourages the sharing of data and information between financial organisations to increase resilience against cyber threats. Organisations are encouraged to share ideas and knowledge, while supervisory authorities provide confidential information that recipients are expected to put to use.
By focusing on these pillars, DORA (EU, digital-operational-resilience-act, 2024) ensures that EU financial institutions are not only compliant, but also resilient in the face of increasingly complex digital threats.
What is NIS 2?
The Network and Information Security Directive 2 (NIS 2) (EU, nis-2-directive.com, 2024) is a key legislative framework introduced by the European Union to strengthen security and resilience in critical sectors that are vital to the economy and society of EU member states. NIS 2 (EU, nis-2-directive.com, 2024) applies to a wide range of sectors, including energy, transport, health, water supply and digital services, such as cloud service providers and online marketplaces. The directive aims to ensure that organisations in these sectors adopt adequate security measures to protect their networks and systems against increasingly sophisticated threats.
Under NIS 2 (EU, nis-2-directive.com, 2024), organisations are obliged to implement effective risk management practices. These include the adoption of appropriate technical and organisational measures to effectively manage cybersecurity risks. The measures must be adapted to the potential impact of these risks on the continuity of essential services, with regular updates to cope with evolving threats.
Incident reporting is another critical aspect of NIS 2 (EU, nis-2-directive.com, 2024). The directive requires that significant incidents affecting the security of network and information systems be reported to the competent national authorities within a specified timeframe. This requirement ensures that incidents are managed transparently, allowing for a coordinated response at national and EU level.
NIS 2 (EU, nis-2-directive.com, 2024) also promotes co-operation and information sharing between EU Member States. It establishes frameworks for cross-border collaboration, enabling the sharing of information and best practices to strengthen collective cybersecurity resilience across the EU.
National authorities play a crucial role in the implementation of NIS 2 (EU, nis-2-directive.com, 2024). These authorities are responsible for monitoring compliance, providing guidance and imposing sanctions on organisations that do not meet the directive’s standards.
Essentially, NIS 2 (EU, nis-2-directive.com, 2024) is designed to create a more secure and resilient digital environment across the European Union, ensuring that critical sectors are well protected against cyber threats.
How does NIS 2 differ from NIS?
The transition from the original Network and Information Security (NIS) Directive to NIS 2 (EU, nis-2-directive.com, 2024) marks a significant improvement in the European Union’s approach to cybersecurity. With the digital landscape becoming more complex and cyber threats becoming more sophisticated, the EU has recognised the need for a more robust and comprehensive framework to protect critical infrastructures and services. NIS 2 (EU, nis-2-directive.com, 2024) responds to these challenges with several important updates.
One of the most notable changes in NIS 2 (EU, nis-2-directive.com, 2024) is the broadening of its scope. While the original NIS directive focused on a select group of critical infrastructure sectors, NIS 2 (EU, nis-2-directive.com, 2024) extends coverage to other industries, especially those providing essential digital services. This extension reflects the growing importance of sectors such as cloud computing and online marketplaces, which are now considered vital to the EU economy and therefore more exposed to cyber threats.
In addition to expanding its scope, NIS 2 (EU, nis-2-directive.com, 2024) introduces a new system for classifying entities, distinguishing between ‘essential’ and ‘important’ entities. Essential entities are those whose operations are so critical that their disruption could pose significant risks to public safety or the economy. These entities are subject to regulatory obligations and stricter control. Important entities, while still critical, are considered less likely to cause serious consequences in the event of disruption and therefore face slightly different levels of regulatory control. This categorisation allows for more tailored regulatory approaches based on the potential impact of each entity’s operations.
NIS 2 (EU, nis-2-directive.com, 2024) also sets stricter security requirements compared to its predecessor. Under the original NIS directive, many security practices were recommended but not mandatory, which led to inconsistent implementation across the EU. NIS 2 (EU, nis-2-directive.com, 2024) solves this problem by establishing explicit security standards that all covered entities must follow. For example, encryption, which was previously recommended, is now mandatory to protect sensitive data, both at rest and in transit. These requirements ensure that all organisations implement a basic level of security, reducing the risk of cyber attacks and improving overall resilience.
Another significant update in NIS 2 (EU, nis-2-directive.com, 2024) is the introduction of a more structured approach to incident reporting. The directive requires organisations to report significant security incidents within strict deadlines: an initial notification must be made within 24 hours, followed by a detailed report within 72 hours. This ensures that incidents are managed quickly and transparently, allowing for better coordination and response at national and EU level.
Recognising the growing risks associated with third-party suppliers, NIS 2 (EU, nis-2-directive.com, 2024) places greater emphasis on supply chain security. Organisations are now required to assess their suppliers’ cybersecurity practices, include security provisions in contracts and conduct regular audits to ensure that third-party risks are effectively managed. This focus on the supply chain is crucial, given the growing number of cyberattacks targeting vulnerabilities in third-party services.
NIS 2 (EU, nis-2-directive.com, 2024) also strengthens co-operation and information sharing between EU Member States. By promoting the exchange of cybersecurity information and best practices, the directive fosters a more unified and coordinated defence against cyber threats across the EU. This collective approach is crucial to tackling the transnational nature of many cyber risks.
Finally, NIS 2 (EU, nis-2-directive.com, 2024) increases regulatory oversight and the application of sanctions in the event of non-compliance. National authorities have more tools to monitor and ensure that organisations comply with the directive’s provisions, holding them accountable for their cybersecurity practices. This ensures that the directive’s standards are applied consistently across all member states, leading to a safer and more resilient digital environment across the EU.
NIS 2 (EU, nis-2-directive.com, 2024) represents a substantial step forward in the EU’s cybersecurity framework, reflecting the need for greater protection in an increasingly digital and interconnected world. By broadening its scope, strengthening security requirements and improving co-operation, NIS 2 (EU, nis-2-directive.com, 2024) aims to protect the EU’s critical infrastructures and essential services from the growing threat of cyberattacks.
In short, NIS 2 (EU, nis-2-directive.com, 2024) and DORA (EU, digital-operational-resilience-act, 2024) reflect a growing movement towards a proactive and coordinated approach to cybersecurity and operational resilience, recognising the interconnectedness of critical infrastructures and the need for a unified response to common challenges. These frameworks are vital not only for the protection of organisations, but also for the overall security of digital society in Europe, promoting a safer and more reliable environment for all citizens and businesses.
Authors
João Videira – Cybersecurity Architect at Balwurk
Ricardo Rodrigues – CEO at Balwurk
References
EU. (12 September 2024). Retrieved from nis-2-directive.com: https://www.nis-2-directive.com/
EU. (12 September 2024). Retrieved from digital-operational-resilience-act: https://www.digital-operational-resilience-act.com/