NIS2 preparation advised as guide explains how cyber law interacts with DORA

NIS2 is the second Network and Information Security Directive. The legislation came into force in the EU in January this year, but EU member states have until 17 October 2024 to implement it into national frameworks.

NIS2 strengthens existing cybersecurity requirements that organisations subject to the original NIS Directive face currently, while many organisations that are not in-scope of the existing rules will find that the new rules – which place a particular emphasis on board-level governance of cyber risk and on ensuring appropriate standards of cybersecurity throughout the supply chain, among other things – apply to them.

Stuart Davey, Luke Scanlon, and Dragana Dujak of Pinsent Masons said that the approaching one-year-to-go milestone for NIS2 should act as a catalyst for businesses to act to bolster their compliance programmes. They said a significant task for businesses will be to understand just how NIS2 will apply to them.

Davey and Scanlon said recent guidance issued by the European Commission can help financial institutions and their technology providers in this regard. The guidance provides clarification on how NIS2 interacts with the Digital Operational Resilience Act (DORA), another piece of forthcoming EU legislation.

DORA was finalised by EU law makers last November and is due to begin to apply from 17 January 2025. It applies to banks, insurance companies, investment fund managers, e-money institutions, cryptoasset service providers, crowdfunding platforms and investment firms. Some of the provisions of DORA also apply directly to certain ‘critical’ third party ICT service providers, while all ICT service providers that contract with financial entities subject to DORA can expect the compliance obligations on those entities to flow down into their contractual agreements.

The focus of the DORA package – which includes both an EU regulation and directive – is on boosting business’ resilience to technology-related risk, such as disruption to operations and data loss that can be caused by cyber criminals.

Stuart Davey said: “There is significant overlap between NIS2 and DORA, which the European Commission has addressed in its guidance. It has made clear that certain specific provisions of DORA – including in relation to ICT risk management; the management of ICT-related incidents and, in particular, the reporting of major such incidents; digital operational resilience testing; information-sharing arrangements; and with regards to third-party ICT risk – take precedence, and that therefore equivalent requirements financial entities or technology providers may face under NIS2 should not be applied to those businesses.”

Luke Scanlon added: “DORA applies widely across financial services, bringing within its scope almost all authorised financial services providers operating within the EEA, with only a very limited list of types of entities exempted. As there is a close relationship between the measures financial entities should take in order to promote best practices for operational resilience and cybersecurity, DORA sets out requirements which directly relate to cybersecurity governance, controls and contractual protections in addition to those which apply to preparing for and responding to severe disruption.”

“Four draft regulatory technical standards under DORA, concerning ICT risk in financial services, were proposed in the summer, and a second batch is expected over the next few months. Those standards will cover guidelines on the estimation of losses caused by major ICT incidents, reporting details for major ICT incidents; specifications for the threat-led penetration testing, and subcontracting requirements. The publication of the NIS guidelines ahead of this DORA second batch will help financial entities gain a clearer understanding of the level of granularity to be expected from that forthcoming set of standards,” he said.

Dujak said that many businesses beyond those operating in financial services will be impacted by NIS2 too and need to begin preparing for the legislation, if they have not already done so, including supplier companies.

Under NIS2, organisations classed as ‘essential entities’ will be subject to the strictest requirements and most comprehensive regulatory oversight – including, potentially, on-site inspections and targeted, independent, security audits.

It is likely that most organisations classed as ‘operators of essential services’ under the original NIS directive will be classed as ‘essential entities’ under NIS2. However, the concept of an ‘essential entity’ is much broader and will also capture many organisations that have, to-date, not been subject to the NIS regime – for example, pharmaceutical companies and operators of hydrogen production, storage and transmission.

Equally, the concept of ‘essential entity’ also extends to some businesses that may, until now, have only been subject to the lighter touch framework under the original NIS directive as digital service providers. This is the case, for example, with cloud computing providers. Other technology providers, including data centre service providers, managed service providers, and content delivery network providers, are also classed as ‘essential entities’ under NIS2.

The lighter touch regime under NIS2 will apply to ‘important entities’. Among other things, organisations classed as ‘important entities’ will face less burdensome record keeping duties in respect of the cybersecurity measures they must take to comply with the legislation. The concept of an ‘important entity’ captures not only providers that have been subject to the original NIS directive, but a raft of other categories of organisation too. It includes manufacturers of computers and vehicles, businesses engaged in food production and processing, chemicals companies and waste management providers.

Though there are specified exceptions to this listed in NIS2, generally the scope of the legislation is limited to organisations fitting within the definitions of essential or important entities that have at least 50 employees and/or an annual turnover of at least €10 million.

Dujak said: “Critical infrastructure operators will not only have to consider the security of the supply chain in the context of the risk measures to be identified, but the supplier itself may be in-scope of NIS2 and, if so, will also have to ensure the security of the relevant electronic communication networks of its critical products.”

“NIS2 cannot be seen in isolation, however. As part of its comprehensive cyber strategy, the EU has adopted or plans to adopt a number of other cybersecurity regulations – including the proposed new Cyber Resilience Act, which would impose additional obligations on manufacturers of digital products; the delegated Act to the Radio Equipment Directive; the Machinery Regulation; and the General Product Safety Regulation,” she said.

“Suppliers need to check which regulations are relevant to their business to understand how this may impact on the requests they are likely to receive from customers in respect of cybersecurity requirements in their contracts – and the extent to which there will be room to negotiate on those points,” Dujak said.