
Andy Schneider at Lacework explores the new pillars of EU cyber-resilience
"Don’t bury the lede" is a common piece of advice in business. But in reality it’s easy to get bogged down in the details of cyber-security regulation. As security leaders, we have to cut through the complexity to the real importance of regulations and how they impact our organisations.
For that reason, CISOs around the world are working to understand the intricacies of constantly changing legislation in order to navigate and prepare for them effectively.
NIS2 and DORA are two additional pieces that add to the broader cyber-security regulation puzzle across the globe. The reason for this is simple: incidents still occur, and the impact of these events is getting bigger, all while digital transformation is speeding up.
With cyber-attacks becoming more widespread, the NIS2 and DORA frameworks are not only designed to help enterprises prevent attacks, but to reinforce cyber-resilience. Companies, and specifically executives, should be aware that both regulations target the C-level and board.
This is represented in personal liability for executives. In this circumstance, negligence has consequences – an intentional tactic to make CISOs a strategic part of the business and personally responsible for security posture.
NIS2 marks a significant update to the existing NIS1 framework, with EU member states required to implement these new rules into their national laws by 17 October 2024. This update expands the scope of cyber-security requirements to include more sectors such as energy, transport, banking, health, digital infrastructure, digital services, food, space, and manufacturing.
The stakes are higher with stricter penalties for noncompliance as well. In this instance, penalties can include drastic personal consequences, such as temporary bans on individuals holding managerial positions.
Additionally, the directive addresses supply chain security and imposes specific mandates that include comprehensive risk analysis, robust incident response protocols, encryption standards, vulnerability disclosure procedures, threat detection mechanisms, and regular training programmes.
By broadening its scope and tightening regulations, the directive aims to bolster the resilience and security of critical infrastructure across Europe to protect these sectors against ever-evolving cyber-threats.
DORA focuses on safeguarding the financial sector and will come into effect on 17 January 2025 to reinforce the digital safety of the EU’s financial sector. Targeting a wide spectrum of financial entities doing business in or with the EU, it also extends its regulatory reach to ICT third-party service providers deemed critical by European regulators.
At its core, it aims to enhance the resilience of the financial sector by setting up a system for managing risks, reporting incidents, and establishing testing requirements. Mirroring NIS2, it holds management accountable for cyber-security, focuses on securing the supply chain, and encourages the use of modern detection technologies to surface anomalous behaviour.
DORA also emphasises the importance of governance and the role of senior management in overseeing cyber-security efforts, promoting a culture of vigilance and accountability.
The contrasting frameworks of the NIS2 directive and the DORA regulation show diverse approaches to regulation with broadly similar objectives. NIS2 sets overarching goals, leaving it to the individual EU states to create their own laws. DORA is a regulation, which is uniformly enforceable across all EU countries without the need for additional legislation.
The scope of these frameworks also differs, as NIS2 has a broader scope, covering various critical sectors, while DORA focuses specifically on the financial sector and its technology service providers. DORA is considered to meet the requirements set out in NIS2 for the financial sector.
In terms of incident reporting, NIS2 mandates a three-stage process: an early warning within the first 24 hours, followed by a detailed notification within 72 hours, and a final report after one month. DORA, on the other hand, requires a detailed report within one business day – knuckling down on the financial sector’s need for rapid response.
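To make those reporting windows concrete, here is an added example (not from the article) of a small deadline tracker an incident-response team could keep beside its runbook. It assumes NIS2's "one month" means 30 days and that DORA's "one business day" skips only weekends, with no public-holiday calendar; the incident records are constructed sample data.

```python
from datetime import datetime, timedelta

# Reporting windows as described in the article. Assumptions, not from the
# page: NIS2 "one month" is taken as 30 days; DORA "one business day" skips
# only Saturday and Sunday (no public-holiday calendar).
NIS2_STAGES = [
    ("early warning", timedelta(hours=24)),
    ("incident notification", timedelta(hours=72)),
    ("final report", timedelta(days=30)),
]


def add_business_days(start: datetime, days: int) -> datetime:
    """Advance `start` by `days` business days, skipping weekends."""
    current = start
    while days > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:  # Monday=0 ... Friday=4
            days -= 1
    return current


def deadlines(detected: datetime, regime: str) -> dict:
    """Map each reporting stage to its deadline for 'NIS2' or 'DORA'."""
    if regime == "NIS2":
        return {name: detected + delta for name, delta in NIS2_STAGES}
    if regime == "DORA":
        return {"detailed report": add_business_days(detected, 1)}
    raise ValueError(f"unknown regime: {regime}")


def overdue_stages(detected: datetime, regime: str,
                   submitted: dict, now: datetime) -> list:
    """Stages filed after their deadline, or not filed once it has passed.
    `submitted` maps stage name -> datetime the report was sent."""
    late = []
    for stage, due in deadlines(detected, regime).items():
        filed = submitted.get(stage)
        if (filed is None and now > due) or (filed is not None and filed > due):
            late.append(stage)
    return late


if __name__ == "__main__":
    # Constructed sample: detected on a Friday morning, early warning sent
    # the same evening, nothing else filed by the following Tuesday.
    detected = datetime(2025, 1, 17, 9, 0)
    filed = {"early warning": datetime(2025, 1, 17, 20, 0)}
    print(overdue_stages(detected, "NIS2", filed, datetime(2025, 1, 21, 9, 0)))
```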
The cost of noncompliance is a huge indicator of the gravity of these regulations. DORA introduces corporate fines of up to 2% of annual turnover and personal fines for employees of up to €1 million, with critical third parties also subject to fines of up to €500,000.
NIS2 distinguishes between essential and important entities. Essential entities are subject to fines of up to €10 million (or 2% of the total worldwide annual turnover, whichever is higher). Important entities are subject to fines of up to €7 million (or 1.4% of annual turnover). Notably, NIS2 allows for the banning of C-level executives from future roles in cases of noncompliance.
While NIS2 and DORA have some notable differences, they share many common goals and principles aimed at strengthening cyber-security across the EU. If you export to the EU market or have a significant presence there, you’re bound by NIS2 / DORA regulation.
Fundamentally, the foundation of NIS2 and DORA is strong risk management. Organisations must implement comprehensive cyber-risk management processes, including risk analysis, risk detection, risk response, vulnerability management, and employee training. Business continuity and digital resilience are key themes, requiring organisations to have plans in place to maintain operations during disruptions.
Both regulations emphasise the use of advanced technologies, such as AI and machine learning, for proactive threat detection. Getting the basics right is the key message here, where mandating basics like multi-factor authentication and encryption is essential.
A shared feature of both is the need to secure the entire supply chain ecosystem. By addressing supplier relationships and supply chain risks, these directives aim to ensure the integrity and resilience of the entire supply chain and third-party relationships.
Additionally, both regulations grant national authorities enhanced supervisory powers for enforcement through inspections, audits, investigations, and penalties for noncompliance.
Ensuring business continuity and digital resilience is another central theme to both NIS2 and DORA, with organisations mandated to develop operational plans and undergo external testing like audits and threat-led penetration tests.
Emphasising the need for cross-border cooperation, both NIS2 and DORA also advocate for enhanced information sharing among EU states to strengthen defences and facilitate swift incident responses.
In positive news, there’s a shift happening to focus more on detection rather than just compliance-oriented security. Detection is crucial to identifying if an intrusion or breach is happening, and if those happen, there are strict reporting requirements. Without detection, there’s no way to report anything.
With a sound understanding of both NIS2 and DORA, you’ll be able to cut through the noise, ask the most important questions, and keep your focus where it belongs. You will also be able to communicate the value of these regulations in a way that resonates across your entire organisation.
Andy Schneider is Field CISO EMEA at Lacework
Main image courtesy of iStockPhoto.com and ericsphotography
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543