
In today’s interconnected digital landscape, where information flows seamlessly across international borders, the need for robust cybersecurity measures has never been more pronounced.
Recognising the critical importance of a united front against cyber threats, European policymakers have taken a significant leap forward with the introduction of two new pieces of legislation designed to protect the digital infrastructure of member states.
The European Parliament has approved two new pieces of legislation – the Network and Information Security Directive 2 (NIS2) and the Digital Operational Resilience Act (DORA). NIS2 is a directive: member states were required to transpose it into national law by 17 October 2024 and to apply those national measures from 18 October 2024. DORA is a regulation and therefore applies directly, without national transposition, from 17 January 2025.
The UK’s departure from the EU in 2020 means that these new pieces of EU legislation will not apply in themselves to organisations operating services solely within the UK, but they will apply to UK and other non-EU organisations that provide in-scope services inside the EU.
The UK government has signalled its intention to build on the foundations through a new Cyber Security and Resilience Bill, which aims to “strengthen our defences and ensure that more essential digital services than ever before are protected”.
The new UK legislation, while containing some key differences from the new EU laws, will expand the remit of regulation to protect more digital services and supply chains than the existing UK NIS Regulations. So it seems likely that, as it did with its own version of the EU GDPR (General Data Protection Regulation), the UK government will adopt the principles of NIS2 in future and may even adopt NIS2 itself.
What is NIS2?
NIS2 is Directive (EU) 2022/2555, adopted in December 2022. It replaces the original NIS Directive (EU) 2016/1148, which introduced the categories of operators of essential services (OES) in critical sectors such as energy, transport, banking, financial market infrastructures, health and digital infrastructure, and digital service providers (DSPs) such as online marketplaces, search engines and cloud computing services.
NIS2 builds on that foundation but is stricter than its predecessor: it mandates enhanced cybersecurity risk-management and incident-reporting requirements, covers more sectors and entities, and replaces the OES/DSP distinction with two categories, “essential entities” and “important entities”, which determine the level of supervision and the maximum penalties that apply. By focusing on critical sectors and digital providers, the directive aims to mitigate the impact of cyber threats and incidents that could have wide-ranging consequences for essential services and the overall economy.
What is DORA?
DORA focuses on ensuring the digital operational resilience of the EU’s financial sector, recognising the sector’s increased reliance on digital technologies. It places obligations on financial entities themselves (such as banks, insurers, investment firms and payment providers) to identify and protect critical ICT systems, to have adequate incident response and business continuity plans, to manage ICT risk appropriately and to ensure that supply chain risks from ICT third-party providers are identified and treated. It also establishes an EU-level oversight framework for ICT providers designated as critical to the financial sector. Because DORA is a regulation, in-scope financial entities must comply from 17 January 2025 without waiting for national implementing law.
All organisations that fall under the scope of either piece of legislation (NIS2 or DORA) must comply with the requirements of each that applies to them. The new UK legislation will likewise impose requirements on a wider range of organisations across the public, private and non-profit sectors.
It is important to understand the gap between an organisation’s current position and full compliance in order to develop a manageable roadmap – and that means exploring and understanding the comprehensive list of requirements in NIS2 and DORA.
Once organisations have established a roadmap, they will need to determine the resources and competencies required, then deliver against them.
As with GDPR, fines for non-compliance can be severe. Under NIS2, essential entities face fines of up to €10 million or 2% of total worldwide annual turnover, whichever is higher, and important entities face fines of up to €7 million or 1.4% of total worldwide annual turnover, whichever is higher.
DORA leaves the detail of administrative penalties to the competent authorities in each member state, so penalties may vary from one jurisdiction to another. However, the maximum financial penalties are expected to align with those under other EU regulations to ensure a uniform compliance standard.
There are key steps any organisation can take to understand their risk landscape and to recognise the impact of this legislation. These include:
These two pieces of legislation, with a core focus on fortifying critical infrastructure and promoting cross-border cooperation, embody the EU’s commitment to a secure and resilient cyberspace.
As technology advances and cyber threats evolve, both NIS2 and DORA guide member states towards a harmonised approach to digital challenges. They are central to the EU’s broader digital resilience strategy, aligning with other initiatives such as the EU Cybersecurity Act and the EU Cybersecurity Strategy. Alongside them, when enacted, the UK’s new Cyber Security and Resilience Bill will strengthen defences and bring more essential digital services than ever before within the scope of regulation.
By fostering risk management, incident reporting, and stringent enforcement, these new legislative changes transcend national borders, creating a collective defence that reinforces the foundations of our interconnected world.