NIS2 and DORA, the Power Couple of EU Cybersecurity Legislation

The European Union has introduced two powerful pieces of cybersecurity legislation aiming to reshape the digital defenses of businesses across the continent. We take you through NIS2 and DORA and explain what they mean for your organization.

A number of cybersecurity-related acronyms have been floating around the European Union in the past couple of years. The main ones are, in no particular order: NIS2, DORA, CRA, and CER. They are all either part of or related to the EU Cybersecurity Strategy aiming to increase resilience in an increasingly complex, critical, and dangerous cyberspace, with the ultimate goal of creating a safer society.

Most of the above will have a major impact on businesses big and small, yet the dense language and large amounts of legal text and cross-references make getting to the core ideas quite a task. 

In this article, we’ll demystify two major EU cybersecurity regulations whose implementation timelines are drawing near – the NIS2 Directive and DORA. Let’s see how ready you are.

What are NIS2 and DORA all about?

NIS2 (Network and Information Security) is an EU directive that builds upon and replaces its 2016 predecessor. The main purpose of NIS was to harden and harmonize the security of network and information systems against cyberattacks in critical sectors such as banking, financial markets, energy, digital infrastructure, health, water, and transportation. The idea was to make sure that both public and private companies implement strong security measures across the board. 

The general objectives of NIS were:

  • Risk management;
  • Defensive measures against cyber attacks;
  • Detection of cyber attacks;
  • Incident and response management.

NIS2 builds on top of that initial goal in several ways, chief among them being:

  • Creating a cyber crisis management structure (CyCLONe);
  • Widening the scope of affected sectors (by adding 11 new sectors to the original 7), effectively adding more than 100 thousand companies to the scope; 
  • Doubling down on incident reporting, risk assessments, managing the supply chain, and other security cybersecurity requirements,
  • Imposing personal responsibility and stricter penalties for non-compliance.

It’s important to note the word directive here:

A “directive” is a legislative act that sets out a goal that EU countries must achieve. However, it is up to individual countries to devise their own laws on how to reach these goals.

The above means that each member state will have to transpose NIS2 into their legislation – by October 17th, 2024. Croatia was the first to the finish line by putting the Law on Cybersecurity into force this February. 

Further, by April 17th, 2025, states need to determine which companies will fall within the categories of essential and important entities that are affected by NIS2, which will be regularly updated.

On the other hand, DORA (Digital Operational Resilience Act) is an EU regulation that must be applied in its entirety across the EU as of January 17th, 2025. Being a lex specialis, it takes precedence over NIS2 for the relevant organizations.

DORA primarily focuses on the financial sector, which is a high-stakes space and especially vulnerable to cyberattacks. Any downtime or data loss affecting banks, payment providers, insurance and investment companies, crypto-asset service providers, or critical third parties (such as cloud and data providers) can have serious repercussions on the economy at large, making the resilience of those systems one of the top priorities.

Is your business affected by NIS2 and DORA?

NIS2 recognizes two categories of companies: essential and important entities. The main differences between the two are in the measures these entities must take and how this will be supervised. 

There are certain other criteria that organizations have to meet to fall in either of these categories, the main ones being company size and annual revenue.

The exact criteria vary by country because each member state defines them in its national legislation, so you should check the local laws to see if the rules apply to you. 

The NIS2 Directive defines sectors of high criticality (essential entities) as follows:

  • Banking
  • Digital infrastructure
  • Drinking water
  • Energy
  • Financial market infrastructures
  • ICT service management (B2B)
  • Health
  • Public administration
  • Transport
  • Space
  • Waste water

Other critical sectors (important entities) include:

  • Chemicals
  • Digital providers
  • Food
  • Manufacturing
  • Postal and courier services
  • Research
  • Waste management

When it comes to DORA, we already mentioned that it focuses on the financial sector. However, this doesn’t mean it only applies to financial entities. Companies that provide services to the financial sector are also affected by the act. For example, if you are an ICT vendor to a financial institution, DORA has something to say about your operations as well.

It’s the same with NIS2 – if you are part of the supply chain, you might be affected since successfully managing “external” risk is crucial in both cases.

What do NIS2 and DORA requirements mean for your business?

The preparation for NIS2 is a relatively complex procedure, but the high-level steps can be boiled down to:

  • Once the EU member state you’re in passes the law, the categorization of your organization within essential or important entities will have to be assessed. 
  • If your company falls within one of the categories, it will be included in the registry of entities.
  • You will have to map out your risk management framework and execute a gap analysis to evaluate current compliance with NIS2 and, in certain cases, special cybersecurity regulations (such as DORA).
  • Finally, depending on what is determined in the step before, you will need to amend or implement new policies in due time on an organization-wide level. This is where the real long-term work lies.

Sounds simple, doesn’t it? Let’s look at the requirements.

NIS2 revolves around implementing an all-hazards (“consider everything”) approach to risk management to protect network and information systems, including:

  • Policies on risk analysis and information system security;
  • Incident handling;
  • Business continuity, such as backup management and disaster recovery, and crisis management;
  • Supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers;
  • Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure; 
  • Policies and procedures to assess the effectiveness of cybersecurity risk-management measures;
  • Basic cyber hygiene practices and cybersecurity training;
  • Policies and procedures regarding the use of cryptography and, where appropriate, encryption;
  • Human resources security, access control policies, and asset management;
  • The use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate.

All of the above is wrapped up with reporting obligations, meaning that essential and important entities will be required to communicate all significant incidents to the local CSIRT (Computer Security Incident Response Teams) and recipients of their services, i.e. customers. They will also need to inform them about any measures or remedies they can take in response to the threat. The first report must be sent within 24 hours of discovering the incident. 

What does that mean in plain English? No more hiding under the rug. Every incident will have to be reported and documented, which may be both uncomfortable and bothersome for affected companies, but improves the long-term stability of the sector and the safety of the end users.

DORA further expands on the above by covering the following categories:

  • ICT risk management
  • ICT-related incident management, classification, and reporting
  • Digital operational resilience testing
  • ICT third-party risk management
  • Information sharing

DORA is somewhat more rigid in its application of third-party risk management, mandating contractual obligations between financial organizations and their ICT providers. 

Additionally, while NIS2 compliance can be shown by an audit every two years, DORA prescribes, among other things, a yearly resilience test program. Those tests include:

  • Vulnerability assessments and scans,
  • Open source analyses,
  • Network security assessments,
  • Gap analyses,
  • Physical security reviews,
  • Questionnaires and scanning software solutions, 
  • Source code reviews where feasible,
  • Scenario-based tests,
  • Compatibility testing,
  • Performance testing,
  • End-to-end testing and penetration testing.

On top of that, an advanced TLPT (threat-led penetration test) is mandated every three years.

Security testers and white hat hackers, rejoice! 

What if your business doesn’t comply?

Both NIS2 and DORA come with significant legal and financial implications and prescribe stricter supervision.

To make sure individuals and companies take accountability, NIS2 underlines personal responsibility for upper management in case the company fails to comply with certain requirements or doesn’t report security incidents. This could mean the temporary removal of these individuals from their managerial positions or other sanctions, depending on the local law implementing NIS2.

Personal responsibility is topped up with a potential €7,000,000 (or 1.4% of the total annual worldwide turnover) penalty for important entities and €10,000,000 (or 2% of the turnover) for essential entities. 

The exact penalties for non-compliance with DORA are yet to be determined by the relevant local authorities, but we already know that critical ICT providers can be fined up to 1% of the provider’s average daily worldwide turnover.

Security is not a nice-to-have

For those who aren’t doing so already, the aforementioned should be enough incentive to start taking cybersecurity seriously and building a proactive, transparent, and security-first culture.

Not to mention this is all part of a larger trend. NIS2 and DORA are, in essence, just some of the pillars on top of which the EU plans to continue expanding its cybersecurity strategy. Since digital services are already ubiquitous and manage major parts of our lives, we expect we’ll be writing plenty of articles on the topic in the years to come.

If you need support in adapting to NIS2 and DORA or just strengthening your security posture, check out our Cybersecurity services.