COUNTDOWN
TO COMPLIANCE
DORA
Deadline to be compliant:
17 January 2025
NIS 2
Deadline to be compliant:
18 April 2026
DIGITAL OPERATIONAL RESILIENCE ACT
DORA
WHAT IS DORA?
The Digital Operational Resilience Act (DORA) is a EU regulation that entered into force on 16 January 2023 and will apply as of 17 January 2025.
It aims at strengthening the IT security of financial entities such as banks, insurance companies and investment firms and making sure that the financial sector in Europe is able to stay resilient in the event of a severe operational disruption.
DORA brings harmonisation of the rules relating to operational resilience for the financial sector applying to 20 different types of financial entities and ICT third-party service providers.
WHY IS DORA NEEDED?
The financial sector is increasingly dependent on technology and on tech companies to deliver financial services. This makes financial entities vulnerable to cyber-attacks or incidents.
When not managed properly, ICT risks can lead to disruptions of financial services offered across borders. This in turn, can have an impact on other companies, sectors and even on the rest of the economy, which underlines the importance of the digital operational resilience of the financial sector.
This is where the Digital Operational Resilience Act, or DORA, comes into play.
WHAT DOES IT COVER?
- ICT risk management
- Principles and requirements on ICT risk management framework
- ICT third-party risk management
- Monitoring third-party risk providers
- Key contractual provisions
- Digital operational resilience testing
- Basic and advanced testing
- ICT-related incidents
- General requirements
- Reporting of major ICT-related incidents to competent authorities
- Information sharing
- Exchange of information and intelligence on cyber threats
- Oversight of critical third-party providers
- Oversight framework for critical ICT third-party providers
TIMELINE FOR IMPLEMENTING LEGISLATIVE ACTS
The three European Supervisory Authorities (the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA) and the European Securities and Markets Authority (ESMA)), are preparing a set of policy products to enable the application of DORA.
Timeline:
- 16 January 2023: Entry into force of DORA
- 17 January 2025: Application of DORA
- from 2025: Start of the oversight activities for the ESAs (incl. CTPPs designation)
EU DIRECTIVE 2022/2555
NIS 2
WHAT IS THE NIS 2 DIRECTIVE?
NIS: EU’s First Cybersecurity Law
The Network and Information Systems Directive (NIS) was introduced in 2016 as the first European legislation on cybersecurity. Its primary objective was to increase the cyber resilience of EU Member States by identifying essential service operators in the Union and enforce cybersecurity measures, with incident reporting being a central requirement.
Why NIS was revised
However, not long after its establishment, it became clear that the implementation of the Directive varied greatly between Member States. This inconsistent implementation led to a fragmented system where some companies and organizations were considered essential in some countries, but not in others.
To rectify this, the European Commission decided to revise the NIS Directive to clearly define the organizations covered and their specific requirements, a plan that came into fruition in 2021 in the form of the Network and Information Security Directive (NIS2).
WHY IS NIS 2 NEEDED?
NIS 2: A Better Version of NIS
The NIS 2 directive expands the scope of the original NIS Directive to include a wider range of organizations, increasing the amount of “entities” covered by a factor of 10. Where NIS only covered sectors such as water supply, energy, digital infrastructure, banking, financial market infrastructure, health, and transport, NIS 2 now widens its range of affected sectors to include public administration, digital providers, space, research, postal services, waste management, foods, manufacturing and chemical products.
In addition, NIS2 also strengthens requirements for cybersecurity enforcement, including early mandatory incident reporting, widened risk management and a newly defined designation of C-level cybersecurity responsibility.
WHAT DOES IT COVER?
To bolster Europe’s resilience against current and future cyberthreats, the NIS2 Directive introduces new requirements and obligations for organizations in four overarching areas: risk management, corporate accountability, reporting obligations, and business continuity.
- Risk Management
To comply with the new Directive, organizations must take measures to minimize cyber risks. These measures include incident management, stronger supply chain security, enhanced network security, better access control, and encryption. - Corporate Accountability
NIS2 requires corporate management to oversee, approve, and be trained on the entity’s cybersecurity measures and to address cyber risks. Breaches may result in penalties for management, including liability and a potential temporary ban from management roles. - Reporting Obligations
Essential and important entities must have processes in place for prompt reporting of security incidents with significant impact on their service provision or recipients. NIS2 sets specific notification deadlines, such as a 24-hour “early warning”. - Business Continuity
Organizations must plan for how they intend to ensure business continuity in the case of major cyber incidents. This plan should include considerations about system recovery, emergency procedures, and setting up a crisis response team.
TIMELINE FOR IMPLEMENTING LEGISLATIVE ACTS
The NIS2 law and Royal Decree will enter into force on 18th October 2024. As a result, all the obligations of the law and the Royal Decree will apply to essential and importantentities (cybersecurity measures, incident reporting, etc.) from that date onwards.
The control of essential entities will then take a gradual approach, based on the chosen path for the regular conformity assessment.
No later than 18th April 2026, as part of the first mandatory conformity assessments, essential entities must at least:
- Either obtain CyFun® level important verification, in the context of an assessment carried out by a conformity assessment body (CAB) on the basis of the CyFun® framework ;
- Or submit to the CCB the scope and statement of applicability as part of an assessment carried out by a CAB on the basis of the ISO/IEC 27001 norm;
- Or submit to the CCB a CyFun® level important* self-assessment (*or level basic depending on the result of the risk-analysis), as part of an assessment carried out by the CCB inspection service;
- Or submit to the CCB the information security policy, the scope and the statement of applicability of the ISO/IEC 27001 norm to the CCB, as part of an assessment carried out by the CCB inspection service.
No later than 18th April 2027, essential entities opting for a CyFun® or ISO/IEC 27001 certification must have obtained it.
For entities identified by the CCB (as explained at the end of the scope section above), these deadlines start on the day that the identification is notified to the concerned entity.