Doubts and recommendations when implementing DORA/NIS2 in your company

By Alba Huerga
18 Nov 2024

A major wave of changes is taking place in the Information Security and business ecosystem. Specifically, there are two regulations that will completely change the IT and cybersecurity sector in the coming years.

We are talking about the DORA (Digital Operational Resilience Act) and NIS2 Directive (Directive (EU) 2022/2555). The importance of keeping up with these two regulations goes beyond avoiding penalties and obtaining compliance documents. These two regulations can help organizations increase their level of digital maturity and gain competitiveness in the marketplace.

It’s time to surf the DORA/NIS2 era!

What is DORA?

This regulation, which will be applicable as of January 17, 2025, is explicitly related to EU financial services and focused on maintaining their cybersecurity resilience.

The objective of DORA is to ensure that the European financial sector is able to respond in an agile and effective manner in the event of a severe operational disruption, and to prepare it to deal with all types of cyber-attacks and ICT-related threats.

In other words, DORA establishes a set of standards and policies to improve operational resilience and cybersecurity in the financial sector.

That is why the Act will apply across all EU financial institutions, as well as additional firms included within the expanded regulatory perimeter under the term “critical third-party ICT service providers.” This term covers services such as cloud resources, data analytics, hardware, etc.


What is NIS2?

As for NIS2, this is the updated EU cybersecurity legislation with which medium-sized, large and some small public and private companies in various sectors must comply.

Companies linked to the energy sector, transport, banking, healthcare, ICT service management or the public administration itself must follow the NIS2 regulations and activate their adaptation processes.

The NIS2 Directive came into force on January 16, 2023, following its publication in the Official Journal of the European Union. However, States have had until October 17, 2024 to transpose the directive at national level and to adopt and publish the necessary measures to comply with it.

As of October 18, 2024, the measures contained in the NIS2 are mandatory.

Spanish companies cannot wait any longer to activate their adaptation process and must urgently activate the necessary measures and changes to comply with both regulations. In these cases, it is recommended to have the support of an expert compliance team specialized in these regulations.

A2SECURE has a team of professionals dedicated to technical consulting that works with a variety of clients from different sectors.

Thanks to their 17 years of experience in the cybersecurity industry, they are able to quickly and effectively carry out multiple audit and certification processes such as PCI DSS, PCI PIN, ENS, SWIFT, and now DORA and NIS2. All of this without affecting business operations and adapting to the particularities of each organization.

What are the main questions about the DORA/NIS2 regulations?

Due to its extensive knowledge and experience in this field, the consulting team is able to provide answers to the many doubts and open questions about both regulations.

A2SECURE has collected some of them so that they are useful for those companies interested in activating their roadmap to achieve compliance with both regulations.

FAQS about DORA

Which financial institutions are affected by DORA?

INCIBE lists on its portal the main entities affected by DORA (Digital Operational Resilience Act).

  1. Commercial banks and investment banks.
  2. Insurance companies.
  3. Fund managers, including entities that administer and manage investment funds.
  4. Securities companies, i.e., companies that offer securities brokerage and trading services.
  5. Electronic trading platforms that facilitate the purchase and sale of financial instruments.
  6. Securities clearing and settlement service providers. These are all those entities in charge of clearing and settlement of securities transactions.
  7. Credit rating agencies. This category includes those entities that issue evaluations and ratings on the creditworthiness of financial institutions and issuers of securities.

What requirements does DORA establish for financial institutions?

The infographic prepared by INCIBE, Spain’s National Cybersecurity Institute, sets out the specific requirements of the DORA in four main domains.

What kind of penalties could you receive in case of non-compliance with DORA?

Penalties may include fines, sanctions or other coercive measures by the regulatory authorities depending on the seriousness of the non-compliance.

According to Articles 324, 312 and 313 of BOE No. 66, dated 18/03/2023, financial institutions may be asked to pay up to 10,000,000 euros or 5% of their total annual turnover, according to the latest available approved annual accounts.

Where the fine applies to third-party suppliers, the DORA text itself states the following:

“The amount of the periodic penalty payment, calculated from the date set out in the decision imposing such fine, shall be up to 1% of the average daily worldwide turnover of the essential third party ICT service provider in the preceding financial year. In determining the amount of the periodic penalty payment, the lead supervisor shall take into account the following criteria in relation to non-compliance with the measures referred to in paragraph 6:”

Will DORA affect existing ICT risk management standards?

The new EU DORA regulation will have a strong impact on how financial institutions improve governance and manage ICT risks, and also on how they disclose incidents and strengthen their resilience.

DORA will complement and reinforce existing standards and regulations (such as those of the ESAs and ENISA), requiring organizations to integrate its requirements into their current risk management practices.

How does DORA address third party risk management (TPRM)?

DORA requires a comprehensive process to assess the security measures of third-party providers and ensure that they also meet compliance requirements.

  • Organizations must assess and manage the operational resilience of these service providers.
  • Contracts with external providers must include specific security and compliance obligations and be regularly reviewed and updated to address evolving risks.
  • Ongoing monitoring mechanisms and periodic audits are required to ensure that suppliers meet these contractual obligations.
  • DORA defines procedures for coordinating incident responses for both organizations and their suppliers.

Undoubtedly, this is a process that could easily be optimized through the use of pioneering tools such as Riskblade.

Which companies and entities are affected by NIS2?

The NIS2 Directive applies to public and private entities in a total of 18 sectors.

These include 11 “high criticality” sectors: energy, banking, financial market infrastructures, healthcare, transport, digital infrastructure, drinking water, wastewater, public administration, ICT services management and space.

The remaining 7 are considered “critical”: research, chemical, food, postal services, digital providers, manufacturing and waste management.

Unlike the first version of the directive, NIS2 expands the number of sectors that are affected by this regulation, and also the type of company, since now even SMEs or micro-SMEs fall within its scope, as long as they are considered critical for the country.

However, the second version of the directive has excluded the defense or national security sector, public security, the police, the judiciary, parliaments and central banks from the scope of application.

My company was already obliged to comply with NIS1: What happens now?

With respect to NIS1, the NIS2 Directive extends its scope with more sectors, in order to provide a more complete coverage to the services of greater importance for social and economic activities. In addition, it no longer differentiates between operators of essential services (OSE) and digital service providers (DSP) as it did previously.

For this reason, if an organization was obliged to comply with the transposition of the NIS1 Directive into Spanish law, it is essential that it reviews in detail the specific provisions and updates of NIS2 and its transposition into Spanish law. In this way it will be able to analyze the new requirements contemplated in the regulations and see whether it currently complies with them or whether it is necessary to implement additional measures and policies to do so.

This is a complex process that is always best left in the hands of experts, to avoid incurring any type of non-compliance due to lack of knowledge.

What kind of sanctions could you receive in case of non-compliance with NIS2?

As stated by INCIBE on its website, “the NIS2 Directive gives national authorities a minimum list of coercive powers towards the affected entities in case of non-compliance, including”:

  1. Warning for non-compliance.
  2. Adopting binding instructions or remedy requirements.
  3. Ordering the cessation of conduct in breach of the directive.
  4. Ordering that risk management measures or reporting obligations be ensured in a specified manner and within a specified period of time.
  5. Ordering that natural or legal persons to whom they provide services or perform activities that are potentially affected by a significant cyber threat be informed.
  6. Ordering the implementation of recommendations made as a result of a security audit within a reasonable timeframe.
  7. Appointing a monitoring officer with well-defined tasks for a specified period of time to monitor compliance.
  8. Ordering that non-compliance issues be made public.
  9. Imposing administrative fines.
  10. Suspending the certification or authorization of an essential entity related to the service if the deadline for taking action is not met.
  11. Temporarily prohibiting those responsible for management at the level of executive director or legal representative from exercising managerial functions (applicable only to essential entities, not to important entities).

Additionally, in a proportionate and dissuasive manner, the following penalties may be imposed:

  • A maximum of at least EUR 10,000,000 or up to 2% of the total annual worldwide turnover of the company to which the essential entity belongs in the preceding financial year, whichever is higher.
  • A maximum of at least EUR 7,000,000 or up to 1.4% of the total annual worldwide turnover of the company to which the important entity belongs in the preceding financial year, whichever is higher.

What obligations will the affected entities have?

All entities within the scope of the directive must adopt cybersecurity risk management measures, as well as comply with the cybersecurity incident notification obligations set out in the NIS2.

Regarding cybersecurity risk management, the NIS2 Directive sets out a minimum list of technical, operational and organizational measures to manage the security risks of information systems and networks, as well as the physical environment of such systems.


These measures must be used by both essential and important entities in their operations or in the provision of their services to prevent or minimize the impact of incidents on the recipients of their services. The measures indicated as minimums shall always be required in proportion to the specific risks and vulnerabilities and the size of the entities:

  1. information systems security policies and risk analysis;
  2. incident management;
  3. business continuity, such as backup management and disaster recovery, and crisis management;
  4. supply chain security, including security aspects relating to the relationship between each entity and its direct suppliers or service providers;
  5. security in the acquisition, development and maintenance of network and information systems, including vulnerability management and disclosure;
  6. policies and procedures for assessing the effectiveness of cybersecurity risk management measures;
  7. basic cyber hygiene practices and cybersecurity training;
  8. policies and procedures relating to the use of cryptography and, where appropriate, encryption;
  9. human resources security, access control policies and asset management;
  10. the use of multi-factor authentication or continuous authentication solutions, and secure voice, video and text communications.

(SOURCE: INCIBE FAQS)

It is therefore important to know in detail what is new in NIS2 and the main differences in relation to the previous legislation, NIS1.

Adaptation to DORA and NIS2 does not have to be a tedious process for the organization, especially if you have the help of subject matter experts with experience in both regulations.

Would you like to start your transition to DORA and NIS2 and don’t know where to start? Haven’t we answered all your questions about DORA/NIS2? Contact our strategic consulting team now.
