Two years can feel like a long time, but it’s really not. The Beatles released Help!, Rubber Soul, Revolver and Sgt. Pepper’s Lonely Hearts Club Band in 21 months. Shackleton spent about the same amount of time floating around in the Weddell Sea.
Businesses in the European Union now face their own two-year voyages, thanks to the entry into force of two cybersecurity laws that will apply to a wider range of industries than ever before and significantly increase their security and incident reporting obligations.
The laws entered into force on Monday: one, a regulation — the Digital Operational Resilience Act, or “DORA” — that will be directly effective across member states from 17 January 2025; and the other, a directive — the NIS2 Directive, or “NIS2” — that gives member states more wiggle room as to how the law should be set out in their country by 18 October 2024. This article only considers the EU position, but the UK plans to introduce similar legislation to DORA and NIS2 and so organisations will have to comply with dual regimes that are likely to be broadly similar albeit with some key points of difference.
DORA
DORA is designed to strengthen the financial sector’s resilience to IT-related incidents and introduces prescriptive requirements that are intended to be homogeneous across the EU. A wide range of entities is in scope, including banks, credit and investment firms, trading venues and repositories, and credit ratings agencies and electronic money institutions.
The law is based on five pillars: (1) setting up and maintaining resilience of systems and tools that minimise IT risk; (2) identifying sources of IT risk, on an ongoing basis, in order to implement risk prevention measures; (3) promptly detecting anomalous activities; (4) having in place dedicated and comprehensive business continuity policies and disaster recovery plans; and (5) establishing mechanisms to learn and evolve from external and internal events within the institution. In practice, this will mean complying with the following obligations:
- Internal governance and control frameworks. Management must define, approve and oversee the implementation of all measures relating to IT risk management. They will determine the entity’s tolerance for IT risk and agree its policy on arrangements relating to the use of third-party service providers. Notably, management must undertake regular training to keep their knowledge and skills up to date in order to understand and assess IT risks. In a fast-moving area, this will not be straightforward.
- Risk management. Entities must have an appropriate and well-documented IT risk management framework in place that enables them to address risks quickly and comprehensively. This should include the procedures, protocols and tools necessary to protect all physical components, which should be reviewed at least annually.
- Incident management. Entities must implement processes to detect, manage and notify IT-related incidents (including to competent authorities and affected clients) and put in place systems to generate early warning indicators. The Joint Committee of the European Supervisory Authorities is mandated to develop common regulatory technical standards to establish the content of reporting for major IT-related incidents, and may also draft implementing technical standards to establish standard forms for reporting these incidents.
- Operational resilience testing. Entities must establish and maintain a comprehensive digital operational resilience testing programme. Although a risk-based approach is permitted, testing must be undertaken by independent parties, whether internal or external. Entities that are classified as “significant” are required to carry out threat-led penetration testing at least once every three years. Once the testing is carried out, all reports and remediation plans must be submitted to the competent authority.
- Managing third-party risk. Entities must manage third-party risk in a proportionate way that takes into account the scale, complexity and importance of IT-related dependencies. In practice, this will require maintaining a register of information relating to all contractual arrangements on the use of IT services provided by third parties, conducting diligence on prospective vendors before engaging their services, and including the contractual terms prescribed by DORA.
NIS2
NIS2 repeals and replaces the previous iteration of the Network and Information Systems Directive, which readers may recall took effect in May 2018 but has largely been overshadowed by the GDPR in the minds of businesses, individuals and regulators. NIS2 broadens the scope of the previous Directive, including by applying to a wider range of organisations, tightening incident reporting obligations, and requiring in-scope entities to flow down security obligations to their supply chains.
The previous Directive applied to operators of essential services and digital service providers. NIS2 takes a different tack and will apply to (1) entities in “essential” and “important” sectors, in certain cases regardless of the organisation’s size, and (2) medium and large entities (i.e., those with fewer than 250 employees and an annual turnover below €50 million) in those sectors. Small entities — being those with fewer than 50 employees and annual turnover below €10 million — are largely exempt, unless the entity is important to the functioning of the member state.
The following sectors are considered “essential”: energy; transport; banking; financial market infrastructures; health; drinking water; digital infrastructure (i.e., software and hardware companies); ICT service management; public administration entities (but excluding the judiciary, parliaments and central banks); and space. Organisations in the following sectors are considered “important”: postal and courier services; waste management; manufacturing, production and distribution of chemicals; food production, processing and distribution; manufacturing of medical devices, electronic products and transport; digital providers (including social media platforms); and research.
As mentioned above, NIS2 introduces a range of new and enhanced obligations, including:
- Cybersecurity obligations. Organisations must take appropriate technical, organisational and operational measures to manage cybersecurity risks faced by their network systems. These measures can include: risk analysis and information system security policies; incident handling procedures; business continuity planning, such as backup management, disaster recovery and crisis management; supply chain security; and the use of encryption, multi-factor authentication and cryptography, where appropriate.
- Governance obligations. Managers of essential and important entities (i.e., board of directors and other senior officers) must approve the cybersecurity risk management measures taken by their organisations and oversee the implementation of the cybersecurity risk management measures. Importantly, an organisation’s management can be liable for non-compliance with these governance requirements.
- Incident management obligations. NIS2 streamlines incident reporting obligations by differentiating between “incidents” (an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems) and “cyber threats” (any potential circumstance, event or action that could damage, disrupt or otherwise adversely impact network and information systems, the users of such systems and other persons). Entities are required to make an initial report of significant incidents to the relevant Computer Security Incident Response Team or other competent authority within 24 hours — a shorter timeframe than under the previous Directive — and submit a final report to the CSIRT within one month of the incident.
- Sanctions and enforcement. The supervisory remit of competent authorities depends on whether the organisation is an essential or an important entity. For essential entities, authorities are empowered to carry out random inspections at the entities’ sites, carry out regular audits of their compliance programme and issue fines of up to the greater of €10 million or 2% of annual worldwide turnover. For important entities, authorities may take action when they are provided with evidence or indications of an organisation’s non-compliance, particularly with respect to the NIS2 notification requirements, and issue fines of up to the greater of €7 million or 1.4% of annual worldwide turnover. In addition, authorities may order entities to publicise details of their infringing behaviour, to stop certain conduct and — in the case of essential entities — temporarily ban members of the management team from discharging their functions if the authority’s deadlines are not met.
Next Steps
Organisations with security and data governance programmes in place to comply with the GDPR and NIS1 have a head start in meeting some of their obligations under DORA and NIS2. That said, both laws have requirements that go over and above the current regimes, meaning that businesses should start putting plans in place now. Two years goes quickly, after all.