Two years can feel like a long time, but it’s really not. The Beatles released Help!, Rubber Soul, Revolver and Sgt. Pepper’s Lonely Hearts Club Band in 21 months. Shackleton spent about the same amount of time floating around in the Weddell Sea.
Businesses in the European Union now face their own two-year
voyages, thanks to the entry into force of two cybersecurity laws
that will apply to a wider range of industries than ever before and
significantly increase their security and incident reporting
obligations.
The laws entered into force on Monday: one, a regulation —
the Digital Operational Resilience Act, or “DORA”
— that will be directly effective across member states from
17 January 2025; and the other, a directive — the NIS2
Directive, or “NIS2” — that gives member states
more wiggle room as to how the law should be set out in their
country by 18 October 2024. This article only considers the
EU position, but the UK plans to introduce similar legislation to
DORA and NIS2 and so organisations will have to comply with dual
regimes that are likely to be broadly similar albeit with some key
points of difference.
DORA
DORA is designed to strengthen the financial sector’s
resilience to IT-related incidents and introduces prescriptive
requirements that are intended to be homogenous across the EU.
A wide range of entities are in scope, including banks,
credit and investment firms, trading venues and repositories, and
credit ratings agencies and electronic money
institutions.
The law is based on five pillars: (1) setting up and maintaining
resilience of systems and tools that minimise IT risk; (2)
identifying sources of IT risk, on an ongoing basis, in order to
implement risk prevention measures; (3) promptly detecting
anomalous activities; (4) having in place dedicated and
comprehensive business continuity policies and disaster recovery
plans; and (5) establishing mechanisms to learn and evolve from
external and internal events within the institution. In
practice, this will mean complying with the following
obligations:
- Internal governance and control frameworks. Management must define, approve and oversee the implementation of all measures relating to IT risk management. They will determine the entity’s tolerance for IT risk and agree its policy on arrangements relating to the use of third-party service providers. Notably, management must undertake regular training to keep their knowledge and skills up to date in order to understand and assess IT risks. In a fast-moving area, this will not be straightforward.
- Risk management. Entities must have an appropriate and well-documented IT risk management framework in place that enables them to address risks quickly and comprehensively. This should include the procedures, protocols and tools necessary to protect all physical components, which should be reviewed at least annually.
- Incident management. Entities must implement processes to detect, manage and notify IT-related incidents (including to competent authorities and affected clients) and put in place systems to generate early warning indicators. The Joint Committee of the European Supervisory Authorities is mandated to develop common regulatory technical standards to establish the content of reporting for major IT-related incidents, and may also draft implementing technical standards to establish standard forms for reporting these incidents.
- Operational resilience testing. Entities must establish and maintain a comprehensive digital operational resilience testing programme. Although a risk-based approach is permitted, testing must be undertaken by independent parties, whether internal or external. Entities that are classified as “significant” are required to carry out threat-led penetration testing at least once every three years. Once the testing is carried out, all reports and remediation plans must be submitted to the competent authority.
- Managing third-party risk. Entities must manage third-party risk in a proportionate way that takes into account the scale, complexity and importance of IT-related dependencies. In practice, this will require maintaining a register of information relating to all contractual arrangements on the use of IT services provided by third parties, conducting diligence on prospective vendors before engaging their services, and including the contractual terms prescribed by DORA.
NIS2
NIS2 repeals and replaces the previous iteration of the Network
and Information Systems Directive, which readers may recall took
effect in May 2018 but has largely been overshadowed by the GDPR in
the minds of businesses, individuals and regulators. NIS2
broadens the scope of the previous Directive, including by applying to
a wider range of organisations, tightening incident reporting
obligations, and requiring in-scope entities to flow down security
obligations to their supply chains.
The previous Directive applied to operators of essential
services and digital service providers. NIS2 takes a
different tack and will apply to (1) entities in
“essential” and “important” sectors, in
certain cases regardless of the organisation’s size, and (2)
medium and large entities (i.e., those with less than 250 employees
and an annual turnover below €50 million) in those sectors.
Small entities — being those with less than 50
employees and annual turnover below €10 million — are
largely exempt, unless the entity is important to the functioning
of the member state.
The following sectors are considered “essential”:
energy; transport; banking; financial market infrastructures;
health; drinking water; digital infrastructure (i.e., software and
hardware companies); ICT service management; public administration
entities (but excluding the judiciary, parliaments and central
banks); and space. Organisations in the following sectors are
considered “important”: postal and courier services;
waste management; manufacturing, production and distribution of
chemicals; food production, processing and distribution;
manufacturing of medical devices, electronic products and
transport; digital providers (including social media platforms);
and research.
As mentioned above, NIS2 introduces a range of new and enhanced
obligations, including:
- Cybersecurity obligations. Organisations must take appropriate technical, organisational and operational measures to manage cybersecurity risks faced by their network systems. These measures can include: risk analysis and information system security policies; incident handling procedures; business continuity planning, such as backup management, disaster recovery and crisis management; supply chain security; and the use of encryption, multi-factor authentication and cryptography, where appropriate.
- Governance obligations. Managers of essential and important entities (i.e., board of directors and other senior officers) must approve the cybersecurity risk management measures taken by their organisations and oversee the implementation of the cybersecurity risk management measures. Importantly, an organisation’s management can be liable for non-compliance with these governance requirements.
- Incident management obligations. NIS2 streamlines incident reporting obligations by differentiating between “incidents” (an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems) and “cyber threats” (any potential circumstance, event or action that could damage, disrupt or otherwise adversely impact network and information systems, the users of such systems and other persons). Entities are required to make an initial report of significant incidents to the relevant Computer Security Incident Response Team (CSIRT) or other competent authority within 24 hours — a shorter timeframe than under the previous Directive — and submit a final report to the CSIRT within one month of the incident.
- Sanctions and enforcement. The supervisory remit of competent authorities depends on whether the organisation is an essential or an important entity. For essential entities, authorities are empowered to carry out random inspections at the entities’ sites, carry out regular audits of their compliance programme and issue fines of up to the greater of €10 million or 2% of annual worldwide turnover. For important entities, authorities may take action when they are provided with evidence or indications of an organisation’s non-compliance, particularly with respect to the NIS2 notification requirements, and issue fines of up to the greater of €7 million or 1.4% of annual worldwide turnover. In addition, authorities may order entities to publicise details of their infringing behaviour, to stop certain conduct and — in the case of essential entities — temporarily ban members of the management team from discharging their functions if the authority’s deadlines are not met.
Next Steps
Organisations with security and data governance programmes in
place to comply with the GDPR and NIS1 have a head start in meeting
some of their obligations under DORA and NIS2. That said,
both laws have requirements that go over and above the current
regimes, meaning that businesses should start putting plans in
place now. Two years goes quickly, after all.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.