How to Prepare for the DORA and Cyber Resilience Act?

On 10 November 2022, the European Parliament passed two legal acts: The EU’s Digital Operational Resilience Act (DORA) and the Directive on measures for a high common level of cybersecurity across the Union (NIS2). EU Member States should implement the NIS2 measures from 18 October 2024, and DORA will apply directly from 17 January 2025. Both are expected to drastically change the cybersecurity landscape of the European Union (EU). ECOVIS ProventusLaw knows the details and the impact on companies.

What are the new legislations about?

NIS2 directive aims to create a common level of cybersecurity within the EU and repels the current NIS Directive by creating the baseline of security requirements. NIS2 welcomes standardised requirements for appropriate and proportional technical, operational and organisational measures.

DORA in this regard is similar to the NIS2. With the aim of mitigating the arising risks and harmonising the regulatory framework, DORA is a part of the Digital finance package adopted to strengthen the information and communication technology (hereinafter – ‘ICT’) security of entities operating within the financial sector and its ICT services providers. To simplify, following the regulatory framework of DORA, financial entities and its ICT service providers will now have to ensure that they can withstand, respond to and recover from all types of ICT-related disruptions and threats as well as prevent and mitigate cyber threats.

Will the new changes apply to your organisation?

One of the most significant changes introduced with NIS2 is its extended scope of applicability. It will apply to all entities which provide their services or carry out their activities in the EU or match the description of either an “essential” or an “important” entity in a defined list of sectors. The list of sectors is now much more specific, and extend not only to entities established within the EU, but also to providers of digital infrastructure or services that are considered as essential or important service providers in the EU. Some of the sectors to which NIS2 will be applicable directly are:

Telecoms;
Cloud computing;
Managed services;
Data centres;
Banking;
Transport;
Public administration;
Social media platforms and search engines;
Postal and courier services.

DORA will apply to a wide range of financial entities, including, but not limited to, credit, payment and electronic money institutions, crypto asset service providers, insurance and reinsurance undertakings. The new requirements will collectively apply to 21 different categories of financial entities and IT and Communications Services Providers, such as cloud and software providers. The full list of entities can be found in Art. 2 of DORA.

Which law prevails between DORA and NIS2?

Both DORA and NIS2 cover similar areas and requirements. However, for financial entities, DORA will be the main governing regulation as it is considered to be lex specialis. This means that, for financial entities, DORA will take precedence over the requirements outlined within NIS2. Nonetheless, NIS2 and DORA clarify and complement each other, and both regulations will be fully applicable.

What are the deadlines for implementation?

NIS2

DORA

By 17 October 2024, EU Member States shall adopt and publish the measures necessary to comply with this NIS2 Directive.

They shall apply those measures from 18 October 2024.

DORA is directly applicable legal act in EU Member States.

It will be directly applicable from the 17th of January 2025.

What changes can be expected?

NIS2

DORA

NIS2 will impose new requirements within 3 areas:

Cyber strategy and governance. In this regard, requirements relating to awareness training, information security and cyber risk management are introduced.

Detection and management of security incidents. The second area of requirements focus on aspects such as incident reporting and handling, having appropriate business continuity and crisis management procedures.

Infrastructural and application security. In this regard, the NIS2 foresees harmonised requirements regarding third party risk management, access control, secure development practices, infrastructural and network security requirements.

DORA introduces harmonised requirements for financial entities concerning the security of network and information systems mainly within 4 areas:

ICT risk management. In this regard, changes are introduced in areas such as governance and organisation, ICT risk management framework and systems, protocols, tools, etc.

ICT-Related incident management classification and reporting. This includes incident management processes, classification of incidents and cyber threats, supervisory feedback and more.

Digital operational resilience testing, e.g., general requirements for financial entities, testing of ICT tools and systems, etc.

Managing ICT third party risks. This includes oversight framework of critical ICT third party service providers, principles for a sound management of third-party risks.

What will be the consequences for non-compliance?

NIS2

DORA

NIS2 foresees the possibility to apply and combine sanctions in case of non-compliance.

Administrative fines. In case of infringements of certain obligations, organisations within the scope of the NIS 2 Directive may be subject to administrative fines of a maximum of at least 10 000 000 EUR or of a maximum of at least 2% (in the case of essential entities) and of a maximum of at least 7 000 000 EUR or of a maximum of at least 1.4 % (in the case of important entities) of the total worldwide annual turnover in the preceding financial year of the undertaking, to which the respective entity belongs, whichever is higher.

Accountability on the management body. In this regard, CEO’s and Heads of legal may be temporarily prohibited from discharging their managerial functions.

Suspension of services. In case of non-compliance, organisations may be obligated to temporarily suspend their services.

DORA does not foresee the size or forms of sanctions; however, EU member states are free to provide for criminal sanctions for breaches of DORA in their national law.

How will they affect data protection and GDPR?

The upcoming changes introduced with DORA and NIS2 are not only important because of their potential to greatly benefit the digital infrastructure and security of many European entities, but also because of their impact on data protection. The bodies responsible for European digital infrastructure impose different levels of standards and obligations for different European entities. While some industries are more heavily regulated, for example the financial sector, the newly introduced changes will ensure that the universal level of cybersecurity for a much wider scope of Europe’s digital infrastructure. Privacy law requirements for companies regulated under DORA or NIS2 will remain unaffected, however the new requirements will benefit the protection of personal data across the Union, especially in terms of information sharing, third party service providers and personal data security breaches.

How to begin preparing for the new requirements?

Being proactive and beginning your compliance journey may be difficult, however it is manageable. In this regard, we strongly advise reviewing the scope of applicability of both, NIS2 and DORA and reviewing if they will apply to your organisation. If the answer would be positive, begin preparations as soon as possible.

The content of this article is intended to provide a general guide to the subject matter. As your legal advisors we will be happy to assist you regarding all the questions related to the new changes, including legal advice as well as revision and preparation of your internal documents.

Prepared by Loreta Andziulyte, Partner of ECOVIS ProventusLaw, Milda Šlekytė, Senior Associate of ECOVIS ProventusLaw, and Julija Ginotytė, Junior Associate of ECOVIS ProventusLaw