Businesses are subject to increasing regulatory scrutiny, particularly regarding cybersecurity and operational resilience.
Two significant pieces of EU legislation, NIS2 (the revised Network and Information Systems Directive, Directive (EU) 2022/2555) and DORA (the Digital Operational Resilience Act, Regulation (EU) 2022/2554), set out mandatory requirements for organizations. Failure to comply can result in severe penalties. Executives need to understand how these acts affect their operations, including supply chain security, which of the two applies to which part of the group, and what non-compliance can cost.
What is NIS2?
We have written extensively about NIS2, so here we add only an executive summary (obviously 😉).
NIS2 is the successor to the Network and Information Systems Directive (NIS1) and seeks to enhance the cybersecurity posture of essential and important entities across the EU. The revised directive expands its scope and introduces stricter obligations, focusing on improving risk management, incident response, and resilience across sectors that provide critical services to society.
Applicability
It applies to Essential and Important entities:
- Essential entities (Annex I): sectors such as energy, transport, banking, financial market infrastructures, healthcare, drinking and waste water, digital infrastructure, ICT service management (B2B), public administration and space.
- Important entities (Annex II): sectors such as postal and courier services, waste management, chemicals, food, manufacturing, research, and digital providers (online marketplaces, search engines and social networking platforms).
NIS2 extends beyond large organizations: medium-sized and larger businesses in these sectors (50 or more employees, or more than €10 million in annual turnover) must comply, and some entities are in scope regardless of size, for example DNS service providers, top-level domain name registries and trust service providers.
Key Requirements
- Risk management and incident response: Organizations must implement cybersecurity risk-management measures that cover organizational, technical and human resource elements (Article 21), including incident handling, business continuity and crisis management. The management body must approve these measures, oversee their implementation and attend training (Article 20).
- Supply chain security: The Directive requires organizations to address supply chain risks, including the security of the relationships with direct suppliers and service providers, and to ensure that third parties meet the necessary cybersecurity standards.
- Incident reporting: Significant incidents must be reported to the national CSIRT or competent authority in stages (Article 23): an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report within one month.
- Cooperation with authorities: Entities must provide the information that competent authorities request and cooperate with the national CSIRT; at EU level, Member States coordinate through the Cooperation Group and the CSIRTs network for threat intelligence sharing and coordinated response to large-scale incidents.
Is it mandatory?
Yes. NIS2 is a Directive, so it binds organizations through the national laws that transpose it; Member States had until 17 October 2024 to do so. Public and private entities that fall under the essential and important sectors, and that meet the size or significance criteria, are required to comply.
Penalties
The penalties under NIS2 are severe, with a tiered system based on the entity’s classification (essential or important):
- For essential entities, the fines can be up to €10 million or 2% of the company’s total global annual turnover, whichever is higher.
- For important entities, fines can reach €7 million or 1.4% of the total global annual turnover, whichever is higher.
In addition to fines, competent authorities can order audits, issue binding instructions and corrective measures and, for essential entities, temporarily suspend a certification or authorisation and temporarily bar persons at CEO or legal-representative level from exercising managerial functions (Article 32). Members of the management body can also be held personally liable for infringements of the risk-management obligations (Article 20).
What is DORA?
The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) is an EU regulation that focuses on ensuring that financial institutions and their critical ICT providers maintain robust operational resilience against cyber threats and ICT-related disruptions. DORA forms part of the EU Digital Finance Strategy and aims to harmonize ICT risk management across the financial sector. It applies from 17 January 2025.
Applicability
DORA applies to a wide range of financial institutions and ICT service providers, including:
- Financial institutions: Banks, investment firms, insurance companies, payment service providers, crypto-asset service providers, and trading venues.
- ICT third-party providers: Providers of ICT services to financial institutions, such as cloud, data management and software providers. Those designated as critical ICT third-party providers fall under a direct EU oversight framework led by one of the European Supervisory Authorities; all other providers are bound indirectly, through the contractual terms that DORA obliges financial entities to impose on them.
Key Requirements
- ICT Risk Management Framework: Organizations must establish and maintain an ICT risk-management framework that covers identification, protection, detection, response and recovery, with regular risk assessments, incident detection mechanisms, and backup and recovery plans.
- Incident reporting: Major ICT-related incidents must be reported to the competent authority in stages: an initial notification within 4 hours of classifying the incident as major and no later than 24 hours after becoming aware of it, an intermediate report within 72 hours of the initial notification, and a final report within one month that includes the root cause analysis and the measures taken to mitigate the impact.
- Third-party oversight: DORA mandates stringent oversight of ICT third-party service providers. Financial entities must keep a register of information on all ICT contracts, and contracts for critical or important functions must include terms on service levels, security, business continuity, exit strategies, and audit and access rights.
- Resilience testing: Financial institutions must run a digital operational resilience testing programme, with basic tests (vulnerability assessments, scenario-based tests, penetration tests) at least annually, and entities designated by their supervisors must perform threat-led penetration testing (TLPT) at least every three years.
Is it mandatory?
Yes. DORA is a Regulation, so it applies directly in every Member State without national transposition, from 17 January 2025, to all financial entities within its scope and to ICT third-party providers designated as critical. The regulation ensures that financial systems remain operationally resilient in the face of disruptions, especially those stemming from cyberattacks.
Penalties
Non-compliance with DORA carries significant consequences, but the Regulation handles fines differently from NIS2. For financial entities it does not set an EU-wide cap: Article 50 requires each Member State to lay down administrative penalties and remedial measures that are effective, proportionate and dissuasive, so the amounts depend on the national law of the supervising authority. The one figure written into the Regulation applies to critical ICT third-party providers: the Lead Overseer can impose periodic penalty payments of up to 1% of the provider's average daily worldwide turnover in the preceding business year, for up to six months, until the provider complies with its recommendations.
Additionally, supervisors may impose restrictions on operations, withdraw licences, publish the infringement, or mandate corrective actions, and financial entities can be required to suspend or terminate contracts with a non-compliant critical ICT provider.
Comparison: NIS2 vs. DORA
Aspect | NIS2 | DORA |
---|---|---|
Scope | Critical sectors across industries | Financial sector and ICT suppliers |
Application | Public and private sector organizations | Financial institutions and critical ICT service providers |
Key Focus | Cybersecurity, incident response, risk management | Operational resilience, ICT risk management |
Incident Reporting | Early warning within 24 hours, notification within 72 hours, final report within one month | Initial notification within 4 hours of classifying an incident as major (24 hours from awareness at the latest), intermediate report within 72 hours, final report within one month |
Third-Party Requirements | Supply chain security is critical | Strong emphasis on ICT third-party providers |
Penalties | Up to €10 million or 2% of global turnover (essential entities), €7 million or 1.4% of global turnover (important entities) | No EU-wide cap for financial entities (set by Member States); periodic penalty payments of up to 1% of average daily worldwide turnover for critical ICT third-party providers |
Risk Management | Risk management policies are mandatory | ICT risk management framework required |
Sector-Specific | Broader range of sectors | Financial sector-specific |
Testing | Effectiveness of risk-management measures must be assessed; no specific penetration-testing mandate | Annual resilience testing programme; threat-led penetration testing at least every three years for designated entities |
Cross-border Cooperation | Required between member states | Required between financial supervisory authorities |
Financial institutions: DORA or NIS2 or both?
Banking and financial market infrastructures are listed in Annex I of NIS2, so banks, trading venues and central counterparties are essential entities under the Directive and, at the same time, financial entities under DORA. The two acts were written with that overlap in mind, and the overlap is resolved in DORA's favour rather than by stacking the two sets of obligations:
- NIS2 Article 4 provides that where a sector-specific Union act requires entities to adopt cybersecurity risk-management measures or to notify significant incidents, and those requirements are at least equivalent in effect, the corresponding NIS2 provisions (including supervision and enforcement) do not apply to those entities. Recital 28 of NIS2 names DORA as such an act. For a financial entity, DORA's rules on ICT risk management, incident reporting, resilience testing, information sharing and ICT third-party risk therefore apply instead of NIS2 Articles 21 and 23.
- DORA's reach stops at the financial entity and its ICT providers. Group companies that are not financial entities but operate in an Annex I or Annex II sector remain under NIS2 in full, as do many non-financial suppliers in the institution's supply chain, which the institution may have to manage under NIS2 supply chain expectations as well as under DORA's contractual requirements.
In practice a financial institution therefore has to map which legal entities fall under which act: DORA governs the regulated financial entity, NIS2 may still bind other parts of the group and its suppliers, and the financial supervisory authorities and the national NIS2 competent authorities cooperate on incidents that touch both.
Non-compliance with whichever act applies carries the penalties described above.
Thus, financial institutions must establish early which obligations apply to each entity in the group and ensure they meet them, so that risks are managed across both cybersecurity and operational resilience.
Conclusion
Both NIS2 and DORA are essential frameworks designed to enhance cybersecurity and operational resilience within the EU.
While NIS2 covers a broad range of critical sectors, DORA is highly specialized for the financial industry.
For CEOs and CxOs, understanding the nuances of each regulation is key to ensuring compliance, particularly when considering the supply chain and third-party providers.
The penalties for non-compliance can be significant, including steep fines and operational restrictions, making it essential to prioritize robust cybersecurity and resilience strategies across the organization.
Further reading
Here are the official sources for both NIS2 and DORA:
NIS2 Directive:
The official and up-to-date text of the NIS2 Directive (Directive (EU) 2022/2555) is on EUR-Lex, the European Union's official database for EU law.
These pages contain the full text of the Directive and related material:
- NIS2 Directive Official Page (EUR-Lex).
- Implementation details can be found on the ENISA NIS2 Information Page.
DORA:
- The full text of DORA (Regulation (EU) 2022/2554), including detailed articles and provisions, is available on EUR-Lex: DORA Regulation Official Page (EUR-Lex).
- The European Banking Authority (EBA), together with the other European Supervisory Authorities, provides a detailed page on the technical standards (RTS and ITS) adopted under DORA, covering the ICT risk-management framework, incident classification and reporting, and ICT third-party risk management.