
Navigating compliance with NIS 2 and DORA

Written by Louis Strauss | Aug 15, 2024

The Network and Information Systems Security Directive (NIS 2) and the Digital Operational Resilience Act (DORA) are EU-wide laws that impose cybersecurity risk management requirements on financial institutions and on entities providing essential and important services across the 27 Member States of the European Union. With the compliance deadlines for both pieces of legislation rapidly approaching, organizations must implement the specified security measures to fulfill their regulatory obligations. This article walks through the legal requirements and key details of NIS 2 and DORA to help you streamline your compliance process. Read on to learn more:

What is NIS 2?

The original NIS Directive entered into force in 2016 and has since been revised and replaced by NIS 2, which came into effect in January 2023. The NIS 2 Directive aims to strengthen cybersecurity resilience in critical sectors across the EU by giving organizations a security baseline: a set of minimum technical, administrative, and operational measures that include:

  • Risk assessment and information security policies
  • Incident handling
  • Business continuity planning
  • Supply chain security
  • Security of network and information systems acquisition
  • Assessment of the effectiveness of cybersecurity risk management measures
  • Cybersecurity training
  • Cryptography and encryption policies
  • Access control and asset management
  • Policies for the use of multi-factor authentication and communication systems

With the changes introduced in NIS 2, the directive now comprises the following distinct components:

  • Scope – The directive applies to large entities (with 250+ employees) and medium-sized organizations (with 50 to 249 employees) that operate within any country in the EU under the following sectors:


  • Incident reporting requirements – Under the directive, organizations must follow strict incident reporting procedures. Each Member State is assigned a Computer Security Incident Response Team (CSIRT) to which essential and important organizations must report any significant incident and submit an early warning, a full notification report, a temporary report, and a final or progress report within specified timeframes.

  • Increased focus on supply chain security – Suppliers and service providers that work with essential and important entities must also comply with NIS 2, even if they do not themselves operate in one of the sectors covered by the directive. Organizations must manage cybersecurity risks within their own supply chains and are responsible for overseeing the security practices of their suppliers and service providers.

  • Leadership accountability clause – Senior leadership is responsible for overseeing risk management activities and the overall implementation of NIS 2 requirements. In cases of non-compliance and security incidents, NIS 2 imposes personal liability on boards and executives, potentially leading to reputational damage and substantial fines.

The European Commission has set the deadline for the implementation of NIS 2 requirements for essential and important organizations on October 17, 2024.

What is DORA?

On the other hand, DORA, which was passed into law in December 2022, focuses on regulating the entire EU financial system and mandates requirements for ICT risk management and third-party risk management, incident reporting, operational resilience testing, and information sharing for financial institutions.

Aside from holding highly confidential and valuable information, the financial sector is characterized by its heavy reliance on technology, making it a prime target for cyberattacks. DORA aims to empower financial entities to effectively address risks, respond to threats, and minimize disruptions to critical services through the establishment of a unified framework for ICT risk management across the EU. Main components of DORA include:

  • Scope – All EU-based financial entities such as banks, investment firms, credit institutions, and insurance companies, including digital platforms providing financial services, are subject to DORA. Third-party service providers that supply financial institutions with ICT systems and solutions, such as those delivering cloud and data analytics services, are also covered by DORA.

  • ICT risk management and governance – Financial institutions must secure their ICT infrastructure by establishing processes for risk management and mitigation. This includes identifying and classifying assets, performing risk assessment and treatment, implementing security policies and controls, and creating business continuity plans. Like NIS 2, DORA also holds corporate leaders accountable for overseeing the execution of ICT risk management strategies and frameworks.

  • Incident reporting and response – Similar to NIS 2, financial entities must have incident documentation, monitoring, and response procedures in place and report any major operational or ICT-related incident to their respective Member State authorities. An initial notification report must be submitted followed by a progress report and a final report with detailed root cause analysis of the incident.

  • Digital operational resilience testing – Financial entities must continuously test their ICT systems through vulnerability scanning and assessment, penetration testing, and scenario-based testing to ensure that incidents can be prevented, detected, contained, and recovered from.

  • Third-party risk management – Financial entities must put in place legal contracts that set out data privacy, confidentiality, audit, and other security requirements for their ICT providers. ICT providers that do not meet these requirements or comply with the other provisions of DORA will not be allowed to work with financial firms.

As for DORA, financial institutions have until January 17, 2025, to comply with its requirements.

NIS 2 or DORA: Which one takes precedence?

Like many overlapping laws and regulations, NIS 2 and DORA share several similarities that add complexity to the compliance process. Both provide a framework for cybersecurity risk management and apply to organizations that carry out services within the European Union. They also mandate similar incident reporting procedures and the full involvement of executive leadership teams in risk management activities.

However, while NIS 2 sets a baseline for cybersecurity across various sectors, DORA is specifically tailored to the financial sector, with distinct requirements such as ICT infrastructure resilience and ICT third-party risk management that provide financial entities with a more targeted approach.

For organizations that fall under the scope of both NIS 2 and DORA, such as financial market infrastructure and managed service providers supplying ICT systems to financial institutions, the sector-specific requirements of DORA shall apply instead of those from NIS 2. This includes security measures that have equivalent provisions in NIS 2, such as business continuity plans and incident reporting mechanisms.

Achieve NIS 2 and DORA compliance with 6clicks

To take the next step and easily align your organization with NIS 2 or DORA, leverage the powerful security compliance capabilities of the 6clicks platform.

Our Content Library provides you access to a wide array of standards, regulations, frameworks, and templates, including NIS 2 and DORA.

Identify overlapping requirements between NIS 2 and DORA using our AI engine, Hailey, which can automate the mapping of different authority documents. If your organization is already compliant with NIS 1, Hailey can also map your existing policies and controls to the provisions of NIS 2, helping you determine your level of compliance with new and unchanged requirements.

Fulfill the cybersecurity risk management and third-party risk management requirements of NIS 2 or DORA with 6clicks’ IT Risk Management and Vendor Risk Management solutions. Conduct risk assessments, create risk treatment plans, and onboard your suppliers or service providers using our vendor assessment templates.

Meanwhile, using our control management and continuous control monitoring features, you can set up, manage, assign responsibilities, and perform manual or automatic tests for controls such as data backup and encryption as part of the requirements of NIS 2 or DORA.

Finally, capture, track, and resolve incidents through 6clicks’ Issue & Incident Management functionality in compliance with the incident reporting and response requirements of NIS 2 and DORA.

Consult with a 6clicks expert below to explore the full capabilities of our platform.