
DORA & NIS2, a game changer for your corporate Cyber Resilience Strategy


The latest Global Risk Report, published in January 2024 by the World Economic Forum, explores some of the most serious risks we may face over the next decade, in a context of rapid technological change, economic uncertainty, global warming and conflict.

The report analyzes several risk categories (economic, environmental, geopolitical, social and technological). Of the risks it ranks globally for the next two years, two of the top five are technology-related: misinformation and disinformation, and cyber insecurity.

Focusing on the technological part of the report, it is clear that in an increasingly digital world, different sectors face their own challenges and threats related to information and communication technologies (ICT).

In response, organizations such as the European Union (EU) are developing new legislation to provide a common security framework for their member states. In the EU's case, the objective is to improve overall cybersecurity, reduce risk and ensure a robust and resilient digital infrastructure, creating a safer digital environment for citizens, businesses and public institutions.

For these reasons, two main pieces of EU legislation have been developed and will be implemented in the coming months: the Digital Operational Resilience Act (DORA) and the Network and Information Security Directive (NIS2). Read "White Paper: Network & Information Security Directive (NIS2)".

EU cybersecurity rules have gone through several stages since the early 2000s, but technological evolution has forced the regulatory approach to change: it is no longer just about compliance, but about fostering a culture of resilience in cyber security.

For this reason, DORA and NIS2 represent a change with respect to previous directives: they prescribe not only processes for securing environments, but also processes for incident management and for managing recovery. In other words, we are moving from merely securing assets to securing, protecting and recovering the assets and services that are critical to society and the economy. Read also "Why do you need protection from data losses?".

What is the Digital Operational Resilience Act (DORA)?

DORA, Regulation (EU) 2022/2554, addresses a gap in EU financial regulation: financial institutions were not managing all components of operational resilience. Under DORA, financial entities must follow rules covering protection, detection, containment, recovery and repair capabilities against ICT-related incidents. DORA explicitly covers:

  • ICT risk management
  • Incident reporting
  • Operational resilience testing
  • Third-party risk management

Its Article 12, "Backup policies and procedures, restoration and recovery procedures and methods", states:

  1. […] financial entities shall develop and document:

(a) backup policies and procedures specifying the scope of the data that is subject to the backup and the minimum frequency of the backup, based on the criticality of information or the confidentiality level of the data;

(b) restoration and recovery procedures and methods.

  2. Financial entities shall set up backup systems that can be activated in accordance with the backup policies and procedures, as well as restoration and recovery procedures and methods. […]

Examples of impacted institutions are credit institutions, e-money institutions, payment institutions and investment firms.

What is the Network and Information Security Directive (NIS2)?

The NIS2 Directive, Directive (EU) 2022/2555, is EU-wide cyber security legislation that aims to enhance the security of network and information systems within the EU by requiring operators of critical infrastructure and essential services to implement appropriate security measures and to report incidents to the relevant authorities.

To improve Europe's resilience against current and future cyber threats, the NIS2 Directive introduces new requirements and obligations for organizations in four main areas:

  • risk management,
  • corporate accountability,
  • reporting obligations, and
  • business continuity.

In addition to the four overarching areas of requirement, NIS2 mandates that essential and important entities implement baseline security measures to address specific forms of likely cyber threats. Among others, these measures include:

  • Procedures for the use of cryptography and, where relevant, encryption.
  • The use of multi-factor authentication.
  • A plan for managing business operations during and after a security incident. This means that backups must be up to date.

Article 21, "Cybersecurity risk-management measures", also states that Member States shall ensure that essential and important entities take appropriate and proportionate technical, operational and organizational measures […] which shall include at least the following:

[…] (c) business continuity, such as backup management and disaster recovery, and crisis management.

The NIS2 Directive categorizes entities into two groups:

Essential Entities (EE). Size threshold: varies by sector, but generally 250 employees, annual turnover of € 50 million or balance sheet of € 43 million. Sectors: Energy; Transport; Finance; Public Administration; Health; Space; Water supply (drinking & wastewater); Digital Infrastructure, e.g. cloud computing service providers and ICT (information and communication technology) management.

Important Entities (IE). Size threshold: varies by sector, but generally 50 employees, annual turnover of € 10 million or balance sheet of € 10 million. Sectors: Postal Services; Waste Management; Chemicals; Research; Foods; Manufacturing, e.g. medical devices and other equipment; Digital Providers, e.g. social networks, search engines, online marketplaces.

Comparing DORA and NIS2

DORA prioritizes financial sector cyber security to improve digital operational resilience among key financial entities. It is due to come into force across the EU in January 2025 and covers 21 different types of financial organizations.

NIS2, on the other hand, seeks to establish a harmonized cyber security strategy across a wide spectrum of critical and important sectors. Member states must transpose its requirements into their domestic legislation by October 2024.

As for penalties for non-compliance with DORA, any financial institution that fails to meet DORA requirements could face fines of up to 10 million euros or 5% of its total annual turnover, making non-compliance a significant risk that can severely damage financial health and brand reputation.

NIS2 fines for non-compliance can also be severe: a 10 million fine or at least 2% of global annual turnover for the previous fiscal year, whichever is higher, for essential entities; and a 7 million fine or at least 1.4% of global annual turnover for the previous fiscal year, whichever is higher, for important entities.

What about other countries?

Looking at a couple of them: in March 2024, as a first step towards analyzing similarities and differences, the US Department of Homeland Security (DHS) and the European Commission's Directorate General for Communications, Networks, Content, and Technology (DG CONNECT) announced an initiative to compare cyber incident reporting elements, which will inform the cyber incident reporting requirements of the US and of the EU under the NIS2 Directive. For financial institutions, the Office of the Comptroller of the Currency (OCC), which regulates the US banking sector, issued in 2020 an Interagency Paper on "Sound Practices to Strengthen Operational Resilience", integrating previous guidance, common industry practices, and the work of the Basel Committee on Banking Supervision's Operational Resilience Group.

As for the UK, does the NIS2 Directive apply to UK businesses? The short answer is no. The UK is not implementing NIS2, as it is no longer bound by EU legislation, but it is working on its own proposals to amend and strengthen the UK NIS regime to further protect essential services against digital threats such as cyber-attacks. For financial institutions, the UK has its own operational resilience framework, which takes a broader view of operational resilience than DORA.

OpenText supports customers on their cyber resilience journey

OpenText™ Cybersecurity helps organizations of all sizes secure and protect their most valuable and confidential information. Combined with OpenText™ Portfolio solutions such as Data Protector, Data Protector for Cloud Workloads and OpenText Cloud to Cloud, which provide enterprise backup and recovery, OpenText can offer a modern, complementary portfolio of solutions to improve end-to-end resilience, all delivered by a single provider and with 360-degree visibility across the entire organization, improving security and trust every step of the way.


Explore how OpenText Data Protector can help your organization ensure data integrity and data protection.
