Securing Europe's Digital Future: DORA and NIS 2 Directive

As the digital landscape expands, so does the attack surface for potential cyber threats, making robust cybersecurity measures essential for protecting sensitive information, maintaining privacy, and ensuring the integrity of digital systems. 

According to the Internet Crime Complaint Center (IC3), cybercrime losses hit a record high in 2023 with a loss of U.S. $12.5 billion. 

In response to these challenges, the European Union has enacted two significant regulatory frameworks: the Digital Operational Resilience Act (DORA) and the Network and Information Security Directive 2 (NIS 2 Directive).

This article delves further into the importance of cybersecurity, introduces the Dora and NIS 2 Directive, and explains how they work together to create a comprehensive cybersecurity framework. 

What Is the Digital Operational Resilience Act (DORA)

The Digital Operational Resilience Act (DORA) is a European Union (EU) regulation that came into effect in January 2023. It focuses on strengthening the cybersecurity posture of the financial sector and ensuring its resilience against cyber threats.

One of the key provisions of DORA is the establishment of robust risk management practices, particularly concerning Information and Communication Technology (ICT). To address this, financial institutions must establish a comprehensive framework to identify, assess, and prioritize ICT risks and vulnerabilities. Furthermore, DORA mandates inspection of critical ICT third-party service providers, including assessing their cybersecurity practices and enforcing contractual clauses to ensure compliance.

Another critical aspect of DORA is incident reporting requirements. DORA mandates that financial institutions report major ICT-related incidents to the relevant authorities. This includes incidents that disrupt critical business services, compromise sensitive financial data, or pose a significant risk to financial stability.

Regarding supervisory measures, National Competent Authorities (NCAs) will be tasked with overseeing compliance with DORA. This entails actively monitoring financial institutions' risk management frameworks, evaluating their oversight of third-party providers, and analyzing their incident reporting practices.

What Is the NIS 2 Directive

The NIS 2 Directive, formally known as the Directive on measures for a high common level of cybersecurity across the Union (EU 2022/2555), is a European Union regulation that came into effect in January 2023. 

NIS 2 Directive’s primary objective is to achieve a high standard of cybersecurity across all EU member states. It targets entities operating critical infrastructure sectors essential for the European economy and society. These sectors include energy, transportation, banking, waste management, healthcare, and digital infrastructure providers.  

NIS 2 Directive also applies to some non-critical entities that provide essential services, reaching a wider range of organizations, compared to the previous NIS Directive. It requires several key measures, including:

• Stronger Risk Management - Organizations must implement a comprehensive risk management framework to identify, assess, and mitigate cybersecurity risks to their network and information systems.
• Corporate Accountability - Management must supervise, approve, and be trained on the entity’s cybersecurity measures.
• Reporting Obligations - Organizations must promptly report security incidents that have a significant impact on their service provision or recipients.
• Business Continuity - Organizations must plan for business continuity during major cyber incidents, including system recovery, emergency procedures, and the establishment of a crisis response team.

Relationship between DORA and NIS 2 Directive

When exploring the relationship between DORA and the NIS 2 Directive, it becomes evident that while both contribute significantly to European cybersecurity, they operate with distinct characteristics and objectives. 

The main differences between DORA and NIS 2 Directive are:

Note: The main difference between a directive and a regulation lies in their legal nature and implementation process: regulations are binding laws that apply uniformly across all member states upon enactment, while directives set out objectives for member states to achieve, allowing flexibility in how they are implemented into national law.

In summary, it is important to mention that the NIS 2 Directive and DORA are not contradictory, but rather complementary. While the NIS 2 Directive seeks to enhance cybersecurity across diverse sectors, DORA builds upon the foundation laid by the NIS 2 Directive, providing additional protection for the critical financial sector.

If you want to gain deeper insights into the global implications of DORA and the NIS 2 Directive, register now for our upcoming webinar: 'Beyond the EU: DORA and NIS 2 Directive's Global Impact.

REGISTER NOW

How Can PECB Help?

PECB delivers the following tailored training courses designed to equip you with adequate knowledge and skills:

• PECB Certified DORA Lead Manager Training Course
• NIS 2 Directive Foundation Training Course
• Certified NIS 2 Directive Lead Implementer Training Course

About the Author

Vlerë Hyseni is the Digital Content Specialist at PECB. She is in charge of doing research, creating, and developing digital content for a variety of industries. If you have any questions, please do not hesitate to contact: support@pecb.com.