NIS2 and DORA: Are you ready for the dynamic duo of EU cyber regulations?
You’ve heard it too many times to count: “Don’t bury the lede.” But when it comes to cybersecurity regulations, it’s all too easy to get lost in the details and lose sight of the big picture.
As cybersecurity leaders, we can’t afford to let that happen. We need to be the ones who cut through the clutter and make the importance of these regulations real and tangible. That’s why, over the past few months, our team at Lacework has been collaborating with CISOs globally to understand the nuances of these new rules and to create resources that help other cybersecurity leaders prepare for them.
Today, I’m excited to introduce the EU NIS2/DORA regulatory framework, a guide designed to help you navigate these complex regulations while keeping their core objectives front and center. While developing this framework, we learned a great deal about these regulations and their implications for cyber leaders and businesses. Here are a few key things to note.
Let’s break down the basics
NIS2 directive: Expanding the scope and raising the bar
NIS2 (Directive (EU) 2022/2555) replaces the original NIS directive, and EU member states had to transpose its rules into national law by October 17, 2024. It widens the scope of the original directive to 18 sectors, split into high-criticality sectors (Annex I, including energy, transport, banking, health, digital infrastructure and space) and other critical sectors (Annex II, including digital providers, food, and manufacturing), and sorts in-scope organizations into “essential” and “important” entities with different supervisory regimes. NIS2 introduces stricter penalties for noncompliance, makes management bodies accountable for approving and overseeing risk-management measures, and gives national authorities stronger supervisory powers, including, for essential entities, the ability to temporarily ban an individual at CEO or legal-representative level from exercising managerial functions. The directive addresses supply chain security and lists the minimum risk-management measures entities must implement, including risk analysis, incident handling, business continuity, cryptography and encryption, vulnerability handling and disclosure, the use of multi-factor authentication, and basic cyber hygiene and training.
DORA regulation: The financial sector’s new best friend
DORA (Regulation (EU) 2022/2554) focuses on the financial sector and applies from January 17, 2025. It covers financial entities doing business in or with the EU, including credit institutions, investment firms, insurers, asset managers, crowdfunding service providers, crypto-asset service providers, and more. It also reaches information and communication technology (ICT) third-party service providers that the European Supervisory Authorities designate as critical, who come under direct oversight by a Lead Overseer.
DORA aims to strengthen the digital operational resilience of the financial sector through five pillars: ICT risk management, ICT-related incident management and reporting, digital operational resilience testing, management of ICT third-party risk, and information sharing. Like NIS2, it makes the management body responsible for the ICT risk-management framework, focuses on securing the supply chain, and requires mechanisms to promptly detect anomalous activity. It also emphasizes governance and the role of senior management in overseeing cybersecurity efforts.
Separate but related: A look at the differences
There are a few differences between NIS2 and DORA that you’ll want to remember:
- Directive vs. regulation: NIS2 is a directive, which means that it sets out general rules and objectives that all EU countries must achieve, but it is up to the individual countries to devise their own laws on how to reach these goals. DORA is a regulation, which means that it is directly applicable and enforceable in all EU member states and does not require each country to create its own laws.
- The scope spectrum: NIS2 has a broader scope, covering many critical sectors, while DORA focuses specifically on the financial sector and its ICT service providers. For financial entities DORA is the sector-specific act (lex specialis) whose requirements are treated as at least equivalent to NIS2, so DORA’s risk-management and incident-reporting rules apply to them instead of the corresponding NIS2 provisions.
- Incident reporting: NIS2 requires an early warning within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours, and a final report within one month. DORA also uses a three-stage model for major ICT-related incidents (initial notification, intermediate report, final report), but its initial notification is due within hours of classifying the incident as major rather than within a day; the precise deadlines and report contents are set in the technical standards adopted under DORA, so check the current versions when building your reporting runbook.
- The cost of noncompliance: DORA itself does not fix fine amounts for financial entities; it requires member states to provide administrative penalties and remedial measures that are effective, proportionate and dissuasive, and allows them to add criminal penalties. Critical ICT third-party providers are treated differently: the Lead Overseer can impose periodic penalty payments of up to 1% of the provider’s average daily worldwide turnover, for up to six months, until it complies. NIS2 sets explicit caps and distinguishes between essential and important entities. Essential entities face fines of up to €10 million or 2% of total worldwide annual turnover, whichever is higher; important entities face up to €7 million or 1.4% of total worldwide annual turnover, whichever is higher. Notably, NIS2 also allows authorities to temporarily suspend an essential entity’s certification or authorization and to temporarily bar its CEO or legal representative from managerial functions until the noncompliance is remedied.
Two paths, one destination: Shared goals
While NIS2 and DORA have some notable differences, they share many common goals and principles aimed at strengthening cybersecurity across the EU.
- Use advanced technology for detection: Both regulations require mechanisms that promptly detect anomalous activities and potential intrusions, and NIS2 explicitly encourages the use of AI and machine learning to support that. At Lacework, our Composite Alerts, including our machine-learning powered anomaly detection capabilities, provide the context needed to respond effectively to detected intrusions.
- Protect critical infrastructure: They emphasize the importance of protecting critical infrastructure and services from cyber threats.
- Get the fundamentals right: NIS2 and DORA both mandate basic cybersecurity hygiene measures, such as strong or multi-factor authentication (MFA), encryption of data at rest and in transit, and access control.
- Manage risks: The foundation of NIS2 and DORA is strong risk management. Organizations must implement comprehensive cyber risk management processes, including risk analysis, risk detection, risk response, vulnerability management, and employee training.
- Hold management accountable: Both rules hold management accountable for ensuring compliance with cybersecurity requirements and emphasize the role of senior management in overseeing cybersecurity efforts.
- Secure the supply chain: While NIS2 refers to suppliers and DORA mentions supply chain risks, both aim to ensure the integrity and resilience of the entire supply chain and third-party relationships.
- Supervisory powers: Both regulations grant national authorities enhanced supervisory powers to enforce compliance, including the ability to conduct inspections, audits, and investigations, and to impose penalties for noncompliance.
- Keep businesses going: Business continuity and digital resilience are key themes, requiring organizations to have plans in place to maintain operations during disruptions.
- External testing is necessary: NIS2 requires entities to assess the effectiveness of their measures and lets national authorities order regular or targeted security audits and security scans; DORA goes further and mandates a digital operational resilience testing programme, with threat-led penetration testing (TLPT) that simulates real-world attack scenarios on live production systems at least every three years for the financial entities its competent authorities identify.
- Cross-border cooperation: NIS2 and DORA promote cross-border cooperation and information sharing among EU member states to foster a coordinated approach to cybersecurity and incident response.
Introducing the NIS2/DORA Framework
Over the past few months, we’ve been learning about these cyber regulations and what they mean for cybersecurity leaders and the companies they work with. The NIS2/DORA framework is an infographic we created in collaboration with members of the European CISO community that walks you through the essentials of NIS2 and DORA: whether they apply to your company, what you should put in place to prepare, and more. Using this framework, you’ll be able to cut through the noise, ask the most important questions, and keep your focus where it belongs. And you’ll be able to communicate the value of these regulations in a way that resonates across your entire organization.
Learn more
It’s important for organizations operating in the EU to familiarize themselves with these regulations and take proactive steps to prepare. Here are additional resources to strengthen your understanding of these rules.