
Understanding the impact of new EU cybersecurity regulations and directives

In our increasingly digital world, robust cybersecurity frameworks are more critical than ever. With the introduction of cybersecurity regulations and directives like the Digital Operational Resilience Act (DORA) and the Network and Information Security Directive 2 (NIS2), organizations are working to align these requirements with established frameworks like COBIT, NIST and ISO 27001 — frameworks with which they may already be working toward compliance.

Let's take a closer look at DORA and NIS2, explore how compliance with other frameworks and standards can be mapped for ease of implementation, and highlight the crucial touchpoints for cyber recovery. 

What is DORA?

The Digital Operational Resilience Act (DORA) — EU Regulation 2022/2554 — is a European Union cybersecurity regulation that is applicable in all EU member states. Its goal is to ensure that financial entities within the EU can withstand and recover from all types of ICT-related disruptions and threats. 

DORA’s key focus areas include risk management, incident reporting and digital operational resilience testing. DORA came into force on January 16, 2023, and compliance with most of its provisions will become mandatory starting on January 17, 2025. Hence, EU financial institutions have less than six months to come into compliance as of today. 

It requires financial entities to conduct regular self-assessments and independent audits of their ICT risk management frameworks. The penalties for non-compliance can include financial penalties, public reprimands, or even restrictions on business operations.


Implementing a strong cyber recovery strategy is not only a wise move in order to be prepared for our darkest business hour, but it will go a long way towards ensuring compliance with these new directives.

What is NIS2?

The Network and Information Security Directive 2 (NIS2) — also known as EU Directive 2022/2555 — sets goals for EU member states to enhance cybersecurity across a wider range of sectors. NIS2's focus includes improving cybersecurity levels across a broad range of industries such as energy, transportation, banking and financial markets, healthcare and pharmaceuticals, IT, communications and others.

It mandates enhanced incident reporting requirements and an overall strengthening of security measures in businesses that provide essential services. 

It was adopted in November 2022, and EU member states must enact its provisions into their national laws by October 2024. For entities covered by the directive, regular risk assessments, audits and security reviews will become mandatory, alongside other compliance requirements. Non-compliance can result in administrative fines, periodic penalty payments and other sanctions as determined by national law in each EU member state — similar to the penalties associated with GDPR.

Assessing your existing security frameworks 

Integrating DORA and NIS2 compliance into existing cybersecurity frameworks can help organizations ensure they are on the right track and strengthen their security posture. An important step is to work with expert consultants and your subject matter experts (SMEs) to assess which measures you have already introduced or implemented, along with any relevant security standards or frameworks (like ISO 27001 or NIST) you already follow.

Once you have thoroughly documented your organization's existing security controls, map them to the NIS2 or DORA requirements in order to understand which requirements have already been satisfied and where gaps remain.

Cyber recovery touchpoints 

Both DORA and NIS2 implicitly stress the importance of policies on risk analysis, continuity and incident recovery, among others. Collectively, these resemble the key aspects of cyber recovery: 

  • Identification of the critical materials  
  • Immutability of those materials  
  • Resilience planning, regular backups and system restoration 
  • Testing and drills for recovery plans 

Moving forward with DORA and NIS2 compliance 

By understanding how DORA and NIS2 map to the cybersecurity frameworks or standards they have already adopted, organizations can develop comprehensive strategies that meet regulatory requirements and bolster their defenses against cyberthreats.

Mapping DORA or NIS2 to the certifications that your business already holds or is assessed to is a worthwhile exercise. Having a clear picture of where your business stands today is essential to help identify any gaps and develop a roadmap to compliance. 

To learn more about this topic, I encourage you to view a replay of our webinar, "Beyond the buzzwords: Atos Cyber Recovery & the new regulatory landscape," where we explore DORA and NIS2 in detail and outline compliance strategies.

If you need guidance or support to move forward, we are here to help.  

Posted on: October 9, 2024