NIS2 and DORA: What are they and what do you need to know?

The European Union is taking measures to strengthen cybersecurity. This is reflected in new regulations like NIS2 and DORA. But what do they actually mean, especially for you and your company?

NIS2 Directive: Update to an existing piece of legislation

NIS2 is an EU-wide directive on cybersecurity. It is an updated version of the earlier NIS (Network and Information Systems) directive, modernized to fit the changing cybersecurity landscape. NIS2 expands the range of sectors and entities the legislation applies to, aiming to boost the resilience of the important, essential, and critical entities operating in the EU area and their ability to respond to threats.

NIS2 applies to medium and large enterprises operating in the following sectors:

  • Energy 

  • Transport

  • Banking

  • Financial market infrastructures

  • Health

  • Drinking water

  • Wastewater

  • Digital infrastructure

  • ICT service management (B2B)

  • Public administration

  • Space

  • Postal and courier services

  • Waste management

  • Manufacture, production and distribution of chemicals

  • Production, processing and distribution of food

  • Manufacturing

  • Digital providers

  • Research

The legislation also applies to other entities regardless of their size, if they are deemed critical for society by the Critical Entities Resilience Directive (CER critical). 

NIS2 can also indirectly affect organizations not mentioned in the legislation.

What is expected of the entities under the NIS2 directive is a comprehensive cybersecurity risk management plan to avoid, mitigate and manage cybersecurity threats. Among other factors, it must include policies for managing the security of information systems, how deviations and incidents are handled, cybersecurity training for employees, and the security of supply chains. Because supply chain security is part of that plan, suppliers and service providers of in-scope entities can be affected indirectly even if they are not themselves named in the legislation.

NIS2 also mandates incident reporting. This means that incidents that pose a cybersecurity threat must be reported to the authorities in a timely manner.

NIS2 will be effective from October 17th, 2024. Noncompliance with the directive can lead to penalties. You can find the full text of NIS2 on the EUR-Lex website.

DORA focuses on the financial sector

Dora the Hacker could be after your organization’s assets: better update your cybersecurity! Picture created with the help of generative AI from Canva and Adobe

Instead of an explorer, DORA, or the Digital Operational Resilience Act, is an EU regulation that aims to strengthen the cybersecurity of financial entities. It is closely related to NIS2, but does not have as wide a scope. The objective of DORA is to strengthen the resilience of the financial sector in the EU area, to make sure it can keep operating even during disruption.

The requirements of DORA are similar to those of NIS2, since both share the same goal: improving cybersecurity. DORA requires the following:

  • ICT risk management

  • ICT third-party risk management

  • Digital operational resilience testing

  • Reporting of ICT-related incidents

  • Exchange of information and intelligence on cyber threats

  • Oversight of critical third-party providers

ICT risks can lead to financial service disruptions if not properly managed. These disruptions can cause further damage to other sectors or even the economy, which is why the digital operational resilience of the financial sector is seen as a priority. 

DORA will be effective from January 17th, 2025. Noncompliance with DORA can also lead to penalties. You can find the full text of DORA on the EUR-Lex website.

What’s next?

If your organization is included in the scope of either piece of legislation — directly or indirectly — now is the time to act and improve your cybersecurity! But even if you aren’t specifically named in the legislation, boosting your cybersecurity is never a bad idea. Here is a list of actions you can take right now to get started.

Conduct a comprehensive risk assessment.

Evaluate the current state of cybersecurity in your organization. Identify and prioritize potential vulnerabilities and threats. 

Create a cybersecurity risk management plan.

This should cover your day-to-day security activities, as well as how you handle deviations and report incidents.

Implement cybersecurity measures.

Adopt necessary cybersecurity measures, including technologies and practices. Train your employees on cybersecurity. 

Ensure compliance and continuous improvement.

Stay informed on new regulations. Update your plans regularly to make sure all necessary factors are taken into account. 

Feeling overwhelmed or unsure of what you should do?

The tips above are general and not organization-specific. If you feel stuck or unsure of how to continue, don’t worry! Our network of IT professionals also includes cybersecurity experts. See our services page for more information and get in touch with us!
