DORA NIS2: New changes in the law should ensure more cyber security across the EU
7. June 2023
On 10 November 2022, the European Parliament adopted two legal acts: the EU's Digital Operational Resilience Act (DORA) and the Directive on measures for a high common level of cybersecurity across the Union (NIS2). EU Member States must transpose NIS2 into national law and apply its measures from 18 October 2024, while DORA, being a regulation, will apply directly in all Member States from 17 January 2025. Both are expected to change the cybersecurity landscape of the European Union (EU) substantially. ECOVIS ProventusLaw knows the details and the impact on companies.
What are the new legislations about?
The NIS2 Directive aims to create a common level of cybersecurity within the EU, repealing the current NIS Directive and setting the baseline for security requirements. NIS2 introduces standardised requirements for appropriate and proportionate technical, operational and organisational measures.
NIS2 brings in new requirements in three areas: cyber strategy and governance, detection and management of security incidents, and infrastructure and application security.
DORA, which is part of the EU's digital finance package, aims to address the growing IT security and cyber risks in the financial sector and the insurance industry. It belongs to a package of measures intended to guide and support the digitalisation of the financial sector. In simple terms, under DORA, financial entities and their ICT service providers must ensure that they can withstand, respond to and recover from all types of ICT-related disruptions and threats, as well as prevent and mitigate cyber threats.
DORA introduces harmonised requirements for the security of network and information systems in financial entities in four main areas: ICT risk management; ICT-related incident management, classification and reporting; digital operational resilience testing; and management of ICT third-party risk.
We can support you in correctly implementing the new DORA and NIS2 regulations in your company. Loreta Andziulytė, Attorney at Law, Partner, ECOVIS ProventusLaw, Vilnius, Lithuania
Which companies do the new changes apply to?
NIS2: One of the most significant changes introduced by NIS2 is its extended scope. It applies to entities which provide their services or carry out their activities in the EU and which qualify as either an "essential" or an "important" entity in a defined list of sectors, including telecoms, cloud computing, managed services, data centres, banking, transport, public administration, social media platforms and search engines, and postal and courier services.
DORA: DORA applies to a wide range of financial entities including, but not limited to, credit institutions, payment and electronic money institutions, crypto-asset service providers, and insurance and reinsurance companies. The new requirements collectively apply to 21 categories of financial entities, and also reach the ICT third-party service providers on which they depend, such as cloud and software providers.
What will be the consequences of non-compliance?
Under NIS2, non-compliance can lead to administrative fines and to the temporary suspension of certifications or authorisations. Persons with managerial responsibilities at CEO or legal-representative level may be temporarily prohibited from exercising those functions. For essential entities, infringement of certain obligations may be subject to administrative fines of a maximum of at least EUR 10,000,000 or 2% of the total worldwide annual turnover in the preceding financial year of the undertaking to which the entity belongs, whichever is higher. For important entities, the fines can be a maximum of at least EUR 7,000,000 or 1.4% of the total worldwide annual turnover, calculated as above.
DORA does not itself specify the size or form of sanctions. Instead, it leaves it to EU Member States to lay down administrative penalties and remedial measures for breaches of DORA in their national law.
How to prepare for NIS2 and DORA
The Ecovis advisers strongly recommend that companies review the scope of both NIS2 and DORA and assess whether they will be affected. If so, preparations should begin as soon as possible.