
NIS2 and DORA: Introducing Two Cybersecurity Regulations

As today’s threat landscape evolves, governments must draft new frameworks and standards to keep pace with the latest attack techniques. The updated Network and Information Security Directive (NIS2) and the Digital Operational Resilience Act (DORA) are two of the most recent EU policies governing cybersecurity processes in its member states. Companies doing business with clients in the EU must familiarize themselves with both frameworks.

In this article, we’ll explore the contents of the NIS2 and DORA policies. We’ll provide an overview of each policy’s purpose and scope, highlight some similarities and applications between the two, and offer steps you can take to prepare for their implementation.

NIS2

NIS2 is the broader of the two cybersecurity policies, applying to key entities within nearly every major sector. Established in January 2023, it builds on its predecessor, the Network and Information Security Directive (NIS), which was adopted in 2016. EU member states have until 17 October 2024 to transpose NIS2 into their national laws.

Who Does NIS2 Apply to?

One of the key features of NIS2 is its expanded scope, categorizing organizations into two groups: Essential Entities and Important Entities. Essential Entities face stricter regulations and stiffer penalties than Important Entities, so it’s crucial to understand which category a company falls under.

Essential Entities are considered “large” organizations within critical sectors, such as:

  • Energy
  • Transport
  • Banking
  • Healthcare
  • Government services
  • Wastewater and drinking water
  • Financial market infrastructure
  • Digital infrastructure
  • ICT service managers
  • Aerospace

To qualify as a “large” entity, organizations must:

  • Have 250 employees or more, or
  • Have an annual turnover of €50 million or more and a balance sheet total of €43 million or more.

Meanwhile, Important Entities are organizations within sectors less central to society, including:

  • Waste management
  • Digital providers
  • Postal and courier services
  • Manufacturing
  • Food and Agriculture
  • Chemicals
  • Research and Development

Important Entities are classified as “medium-sized” organizations, meaning they must:

  • Have 50 or more employees, or
  • Have an annual turnover and balance sheet total of €10 million or more.

A significant weakness of the original NIS directive was its narrow scope. NIS2 addresses this by applying its requirements to more industries and categorizing covered organizations by size and turnover, thereby providing cybersecurity protection with greater granularity across more sectors of society.

The Purpose of NIS2

NIS2 was created to address the most recent advancements in cyberattacks and to overcome the key weaknesses of its predecessor, NIS. Beyond expanding its scope and categorizing entities by size, NIS2 introduces several important improvements that foster a more consistent cybersecurity strategy across all major sectors, contributing to a safer digital environment within the EU.

  • Harmonized Security Requirements: NIS2 establishes baseline security standards to create a more uniform cybersecurity posture across EU member states.
  • Increased Incident Reporting: The directive expands the number of incidents requiring reporting, enforces a 24-hour reporting deadline for security incidents, and mandates follow-up reports to ensure comprehensive oversight.
  • Enhanced Supervision and Enforcement: NIS2 relies on Computer Security Incident Response Teams (CSIRTs) and national authorities to improve supervision and enforcement, ensuring that organizations adhere to the required standards.
  • Heavier Penalties: NIS2 imposes fines of up to €10 million or 2% of the total worldwide annual turnover of the preceding financial year—whichever is higher—on non-compliant organizations.
  • Stronger Supply Chain Security: NIS2 emphasizes supply chain security by requiring organizations to do business only with partners that are NIS2-compliant, thereby reducing vulnerabilities across the supply chain.

DORA

While NIS2 provides a broad framework, DORA is focused specifically on the financial sector. The Digital Operational Resilience Act (DORA) serves as a comprehensive information and communication technology (ICT) risk management framework for entities in the financial sector. The legislation, which will apply from 17 January 2025, is designed to enhance cybersecurity and operational resilience across the financial industry.

Who Does DORA Apply To?

DORA applies to both traditional and nontraditional organizations within the financial ICT sector, including but not limited to:

  • Banks
  • Investment firms
  • Credit institutions
  • Crypto-asset service providers
  • Crowdfunding platforms

In addition, DORA covers any third-party business partners affiliated with financial organizations, such as managed service providers (MSPs), data centers, and other vendors. As a result, financial companies must carefully select their business partners to ensure DORA compliance.

The Purpose of DORA

DORA’s purpose is twofold. First, it aims to establish a comprehensive framework for financial institutions to conduct their ICT processes with enhanced cybersecurity measures. Second, DORA seeks to standardize ICT operations within the financial sector across all EU member states.

To achieve these objectives, DORA addresses the following ICT processes:

  • ICT Risk Management: DORA establishes principles and requirements through an ICT risk management framework, ensuring that organizations can effectively manage cyber risks.
  • ICT Third-Party Risk Management: DORA mandates monitoring of third-party ICT providers and the inclusion of key contractual provisions to mitigate risks posed by external partners.
  • Digital Operational Resilience Testing: The legislation requires both basic and advanced testing of digital operational resilience to identify and address vulnerabilities.
  • ICT-Related Incidents: DORA sets general requirements for detecting, responding to, and remediating cyberattacks, ensuring swift and effective incident management.
  • Reporting: DORA provides guidelines for submitting major ICT-related incidents to competent authorities, ensuring timely and transparent reporting.
  • Information Sharing: DORA facilitates the exchange of information and intelligence on cyber threats, enabling a coordinated response to emerging risks.
  • Oversight of Critical Third-Party Providers: DORA establishes a framework for overseeing critical third-party providers, ensuring they adhere to stringent cybersecurity standards.

With its enhanced guidelines and policies, DORA helps financial organizations adopt a more consistent approach to cybersecurity, reducing their exposure to attack vectors across their entire supply chain.

Be Prepared for Upcoming Cybersecurity Policies

NIS2 and DORA represent the latest efforts to address the increasingly sophisticated threat landscape. These regulations aim to strengthen companies’ cybersecurity posture against the tactics employed by today’s threat actors. Organizations that equip their teams to comply with these laws will be better positioned to maintain compliance and reduce their attack surface. Conversely, those who fail to align with these frameworks may face costly compliance violations and risk losing their clientele.

Kiuwan’s Static Application Security Testing (SAST) and Software Composition Analysis (SCA) solutions enable developers and organizations to detect and remediate vulnerabilities in both proprietary and open-source code. These tools are essential for meeting the code-related requirements of NIS2 and DORA. Request a demo to discover how Kiuwan’s code security solutions can help your organization prepare for these upcoming regulatory changes.


© 2024 Kiuwan. All Rights Reserved.