Stressed about DORA and NIS2? Read this first

Written by Per Gustavsson
Reading time: 4 min

The DORA Regulation and the NIS2 Directive are both important pieces of European cybersecurity legislation. They complement each other: NIS2 aims to strengthen the overall level of cybersecurity in the EU, while DORA ensures that the financial system keeps functioning even in the event of a cyberattack. The whole chain of providers will be affected, and for that chain to work smoothly, partnerships become more important than ever.

NIS and NIS2

The Network and Information Security (NIS) Directive, which came into force in 2018, was the first step towards strengthening cybersecurity legislation in the EU, targeting providers of essential services such as banking, transport and healthcare, as well as certain digital services such as search engines, cloud services and online marketplaces. One of its aims was to ensure that all Member States were prepared for cyber threats.

NIS2 is a further development of NIS. It extends the scope to new sectors and actors, such as transport, banking and finance, public administration and energy, as well as their suppliers and subcontractors. In addition to ensuring that critical businesses and organizations maintain a sufficiently high level of digital security, NIS2 introduces clearer monitoring requirements, closer coordination between EU Member States, and stronger sanctions for non-compliance.

As NIS2 is a European directive rather than a regulation, it is up to each country to decide how its requirements are written into national law. Each Member State must transpose the Directive by October 18, 2024, when the original NIS Directive expires.

DORA

DORA (Digital Operational Resilience Act) is the EU regulation for financial actors such as banks, insurance companies and investment firms, as well as their third-party service providers. It aims to strengthen the digital operational resilience of the financial sector against threats such as cyberattacks. Companies need to have effective information security governance, put in place procedures and measures to manage and report IT incidents, and carry out regular testing and monitoring of their digital operations.

Financial institutions cannot afford to wait: they must start assessing the implications for their own business now. Subcontractors also need to prepare, since the requirements placed on financial institutions will in turn be passed on to them. DORA came into force at the beginning of 2023, and financial operators have until January 2025 to ensure compliance.

How to prepare for DORA and NIS2 in 5 steps

So preparation is needed, but where do you start? Navigating these rules and requirements can be a challenge, but the right preparation makes the transition smoother.

  1. Understand the requirements
    Knowledge is power. Read and analyze DORA and NIS2 carefully to understand exactly what is required of your business. Gather information from several channels, such as law firms and established players in information security, and be aware that there is no quick fix. Subcontractors will face questions from the financial institutions they work with and need to be prepared for stricter information security requirements. Also keep in mind that the regulations do not only affect the IT department, but also operations, legal, HR and other departments.

  2. Update or implement new policies and procedures
    To ensure your company complies with the new rules, a risk analysis should be carried out. Based on your understanding of the rules and your assessment of current capabilities, you should then design and implement updated or completely new security policies and procedures. It is valuable to get help with this work. Companies can turn to industry associations, while municipalities, regions and authorities can consult the MSB (the Swedish Civil Contingencies Agency) or other authorities. Municipalities and regions can also get support from SKR (the Swedish Association of Local Authorities and Regions).

  3. Training and awareness
    An important part of preparation is training. It is not enough for the CISO to be informed; all employees need to be aware of the importance of cybersecurity and of what they can do to contribute. A joint effort in which the whole company is prepared protects the organization. It also gives the company a competitive advantage and simplifies, for example, procurements when customer and supplier share a common understanding well in advance.

  4. Continuous follow-up
    Review and update security policies and procedures regularly to ensure that the company continues to meet new and changing regulatory requirements.

  5. Joint effort
    It is important to point out that preparing for DORA and NIS2 requires a coordinated effort from the entire organization. All parts of the business, from IT to HR and legal, should work together to ensure compliance and security in a changing regulatory environment.

Partnerships: a prerequisite for success

We will see more cyberattacks. One reason is that better tools and processes for detecting breaches mean more attacks will be reported. At the same time, many companies will become better at handling these problems and more resilient, thanks to improved incident response and the larger body of reported incidents to learn from.

Security will improve significantly if we get this right and share information. That requires closer cooperation between authorities and businesses, and between businesses themselves. It will make us more resilient and give us early warnings that leave us better prepared.

Per Gustavsson, CISO at Stratsys, also believes that the relationship between customer and supplier has changed. Where they used to be clearly separated actors, he sees a future of symbiosis and increased transparency that will allow financial companies to identify suitable suppliers more easily.

"We see a need for more transparency and to help each other. We are part of more 'communities' today. The weakest link is the interaction between systems and people, and here hackers can always drive a wedge. But if you have a strong collaboration, it's harder to penetrate."

Per Gustavsson, CISO at Stratsys.