What you need to know about NIS2 and DORA
What is NIS2?
NIS2 (Directive (EU) 2022/2555) expanded the scope of the original Network and Information Security (NIS) directive to tighten security standards and create a common level of cybersecurity across the EU. It applies to organisations in ‘essential’ sectors like healthcare, energy, transport, banking, and digital infrastructure, as well as in ‘important’ sectors like postal services and waste management, and requires them to implement robust measures that safeguard our critical services. Whether an organisation counts as essential or important depends on its sector and its size. The required measures cover risk management, incident handling and reporting, business continuity, supply chain security, and information sharing.
What is DORA?
DORA (Regulation (EU) 2022/2554) is focused specifically on the financial sector. It requires banks, investment firms, payment providers, insurers, and other financial entities to make sure they can withstand, respond to, and recover from ICT-related disruptions and threats. Its requirements cover ICT risk management, incident reporting, resilience testing, continuity plans, and response and recovery strategies. There’s a big emphasis on third-party risk management too – making sure your external ICT providers meet the same standards, with the largest providers placed under direct EU oversight.
When do NIS2 and DORA come into effect?
NIS2 was formally adopted by the EU in December 2022, and member states were required to transpose it into national law by 17 October 2024, with the national rules applying from 18 October 2024. Several member states missed that deadline, so check the status of the implementing law in each country where you operate: your obligations come from that national law, not directly from the directive. DORA was adopted in December 2022 as well and, because it is a regulation rather than a directive, applies directly without national transposition. It applies from 17 January 2025 – so that’s the date financial entities need to be compliant by.
Why should you care about NIS2 and DORA regulations?
Prioritising these regulations is not just a good idea, it’s essential. NIS2 applies to a broad range of organisations across the EU, while DORA is focused on financial entities and the ICT providers that serve them. If you’re an EU business, or a non-EU business that provides in-scope services to customers in the EU, at least some of these requirements probably apply to your organisation.
Compliance isn’t just about avoiding financial and legal penalties – although failure to meet regulations can result in substantial fines and operational restrictions. There are plenty of other reasons to make sure you’re playing by the rules:
- Mitigate cybersecurity risks – protect your business against ransomware, data breaches, and attacks on your supply chain, which can be costly and damaging.
- Build customer and stakeholder trust – show you’re committed to security and reliability to maintain business relationships and grow your customer base.
- Enhance operational resilience – build more resilience so you can withstand disruptions from incidents and supply chain instability and recover quickly.
- Stay competitive – compliance might be a point of difference over your competitors, opening new doors and partnerships.
- Streamline internal processes – put best practices in place, from service management to governance, to drive efficiency and improve decision-making.
- Align with EU-wide standards – smooth cross-border operations by reducing compliance complexity across the wider European market.
How can you make sure you’re compliant?
The precise measures you’ll need to put in place for NIS2 and DORA will depend on your organisation’s size, its exposure to risk, the likelihood and severity of incidents, and the cost of implementing controls. But taking a strategic approach to cybersecurity, risk management, and operational resilience will help you meet the necessary obligations. Here are some practical steps to consider for each regulation.
For NIS2 compliance:
- Know whether your organisation is ‘essential’ or ‘important’ under NIS2, as this determines how closely you are supervised and the maximum penalties you face.
- Implement a cybersecurity risk management framework that includes threat detection, prevention, and incident response – and review and update these measures regularly, with management accountable for approving them.
- Establish a structured incident response process with clear roles and reporting procedures that meet NIS2’s timeframes for significant incidents: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report within one month.
- Assess your suppliers’ and service providers’ security practices to make sure they meet NIS2 standards too.
- Keep your team trained up in threat awareness and response, and make sure your management body receives cybersecurity training as well, as NIS2 requires.
- Work with other businesses across your sector and with government agencies to share threat intelligence.
For DORA compliance:
- Put a digital operational resilience strategy in place that identifies your ICT risks and plans for response and recovery.
- Assess and manage the risk from your external ICT providers, keep a register of information on all of your ICT third-party arrangements, and put contracts in place that include the provisions DORA requires.
- Establish a system for monitoring, detecting, classifying, and responding to ICT-related incidents in a timely manner, and report major incidents to your competent authority within DORA’s timeframes.
- Carry out regular testing (like penetration testing and disaster recovery drills) to prove your resilience measures are working; entities identified by their authorities must also run threat-led penetration testing (TLPT) at least every three years.
- Set up a team (or individual) to take care of DORA compliance for your organisation with a clear oversight process, bearing in mind that DORA places ultimate responsibility for ICT risk on the management body.
- Keep your team trained up in responding to digital risks, like phishing, ransomware, and social engineering tactics.
How can service management make compliance easier?
Service management is a practical foundation for NIS2 and DORA compliance. ITSM practices and tools give you a structured, systematic approach to IT operations, which makes it much easier to implement, evidence, and maintain the security, resilience, and reporting standards that these regulations demand.
Here’s how it helps:
Incident management
Both NIS2 and DORA have clear incident reporting requirements. ITSM frameworks like ITIL help you define processes for incident management, so you can respond quickly and consistently, classify incidents against the regulatory thresholds, notify authorities within the required timeframes, produce incident reports, and carry out regular audits of how incidents were handled. ITSM tools can also monitor whether a service is functioning properly, alert you to potential incidents, and keep a timestamped record of detection, escalation, and recovery that gives you the evidence the reporting timelines depend on.