
NIS 2 and DORA: understanding the impact of the new European regulations on your cybersecurity strategy

The European Union is considerably strengthening its regulatory arsenal in matters of cybersecurity with the adoption of two major texts: the NIS 2 directive (Network and Information Security) and the DORA regulation (Digital Operational Resilience Act). These new regulations, which will gradually come into application from 2024, mark a decisive turning point in the European approach to digital security, imposing strengthened obligations on a considerably broader range of organizations.

In the face of this growing regulatory complexity, understanding the implications of these texts and adapting your cybersecurity strategy accordingly has become a strategic imperative.

The new European regulatory landscape in matters of cybersecurity

The European Union is deploying an ambitious strategy to strengthen the digital resilience of its economy and protect its critical infrastructures against constantly evolving cyber threats. This strategy is notably embodied by two complementary legal instruments: NIS 2 and DORA.

The NIS 2 directive: a considerably broadened scope

Adopted in January 2023, the NIS 2 directive replaces and considerably strengthens the first NIS directive of 2016. Its objective is to raise the overall level of cybersecurity within the European Union by imposing harmonized requirements on a wide range of organizations considered critical for the economy and society.

Unlike its previous version, which only concerned Operators of Essential Services (OES) and certain digital service providers, NIS 2 considerably extends its scope of application to new sectors such as:

  • Public administration
  • Waste management
  • Manufacturing industry
  • The production and distribution of chemical products
  • The postal sector
  • The agri-food sector
  • Digital providers (marketplaces, search engines, social networks)
  • The space sector

The sectoral strategic analysis that a cybersecurity lawyer can carry out for your organization is decisive in identifying whether you fall within the scope of this directive. This assessment, which requires a thorough understanding of the size and activity criteria defined by the text, constitutes the first essential step of your compliance journey.

The DORA regulation: a specific framework for the financial sector

In parallel with NIS 2, the European Union adopted the DORA regulation (Digital Operational Resilience Act), specifically dedicated to the financial sector. This text, which will fully come into application in January 2025, aims to ensure that all entities of the financial system have the necessary safeguards to withstand incidents related to information and communication technologies (ICT).

DORA concerns a wide range of financial players:

  • Credit institutions and banks
  • Investment firms
  • Payment service providers
  • Insurance and reinsurance companies
  • Crypto-asset service providers
  • Central securities depositories
  • Central counterparties

A major innovation of DORA lies in its extension to third-party ICT service providers working for the financial sector, who will henceforth be subject to direct supervision by the European financial supervisory authorities.

The targeted regulatory expertise that legal counsel can provide is crucial to navigate the subtleties of these two regimes, which may, in certain cases, overlap. Their thorough knowledge of the mechanisms for articulating these texts allows you to precisely identify the requirements applicable to your specific situation, thus avoiding redundancies or, worse, blind spots in your compliance program.

The new obligations in matters of governance and security

Beyond the broadening of their scope of application, NIS 2 and DORA impose strengthened obligations in matters of governance and technical security, placing cybersecurity at the heart of the strategic concerns of the organizations involved.

The direct involvement of management bodies

One of the major innovations of these regulations lies in the explicit accountability of management bodies. Henceforth, board members and executives must:

  • Approve cyber risk management measures
  • Oversee their implementation
  • Assume responsibility for the entity's non-compliance with obligations
  • Undergo appropriate training to acquire the necessary knowledge in matters of cybersecurity

The structured legal pedagogy that a lawyer can deploy with your management bodies constitutes a major asset in facilitating this appropriation. Their expertise allows them to translate complex technical concepts into understandable strategic stakes, thus facilitating the effective engagement of executives in the governance of cybersecurity.

The strengthening of technical and organizational measures

Both NIS 2 and DORA require the implementation of appropriate technical and organizational measures to manage the risks related to the security of networks and information systems. These measures must cover:

  • The security of systems and facilities
  • Incident management
  • Business continuity
  • Supply chain security
  • Security testing and auditing
  • The use of cryptography and encryption

The hybrid legal-technical approach proposed by a cybersecurity lawyer brings unique value in this context. By combining their knowledge of regulatory requirements with an understanding of technical stakes, they guide you in developing a security framework that is both compliant with the texts and adapted to your operational reality.

The distinction between "essential" and "important" entities

A significant innovation of the NIS 2 directive lies in the classification of the entities involved into two categories, essential and important, which are subject to partially differentiated obligation regimes.

Classification criteria

The classification of an entity as "essential" or "important" depends primarily on its sector of activity and its size, with a risk-based approach. Broadly, entities considered more critical for the economy and society are classified as essential, while the other entities falling within the scope are considered important.

The qualifying legal analysis carried out by a counsel allows you to identify with certainty your classification with regard to these complex criteria. This qualification, which may require a fine interpretation of the provisions of the directive and its national transposition, directly conditions the extent of your obligations.

Differences in obligation regimes

While both categories of entities are subject to the bulk of cybersecurity obligations, certain notable differences exist, particularly in matters of supervision and sanctions:

  • Essential entities are subject to a proactive supervision regime with regular controls
  • Important entities are primarily subject to reactive control triggered following incidents or reports
  • The requirements relating to the supply chain may be stricter for essential entities
  • The sanction regime may be modulated according to the classification

The adaptive compliance strategy developed by a lawyer takes into account your specific classification to effectively prioritize your compliance efforts. This personalized approach allows you to optimize the allocation of your resources while ensuring compliance with all of your legal obligations.

The new requirements in matters of incident reporting

The NIS 2 and DORA regulations considerably strengthen the obligations to notify cybersecurity incidents, with precise requirements in terms of deadlines and content.

A multi-level notification system

NIS 2 introduces a multi-level notification system:

  • An early warning within 24 hours of becoming aware of a significant incident
  • An intermediate report within 72 hours
  • A detailed final report within one month

DORA also provides for strict deadlines for financial entities, with an initial notification within 24 hours and regular updates until the resolution of the incident.

The anticipated operational preparation that a cybersecurity lawyer can provide constitutes a decisive asset in meeting these binding deadlines. By developing notification procedures and templates adapted to your context, they enable you to react effectively in a crisis situation, when every hour counts.

Assessing the significance of incidents

One of the major difficulties lies in assessing the "significance" of an incident, which determines the notification obligation. This assessment must take into account various factors such as:

  • The number of affected users
  • The duration of the incident
  • The geographical extent
  • The scale of the service disruption
  • The impact on economic and societal activities

The contextualized analytical expertise of a legal counsel helps you develop an assessment grid adapted to your specific activity. This structured methodology allows you to quickly and objectively assess the significance of an incident, thus avoiding the risks of over-notification or, even more problematic, under-notification.

The strengthened sanctions regime

To ensure the effectiveness of these new obligations, NIS 2 and DORA introduce a considerably strengthened sanctions regime, inspired by the approach adopted by the GDPR.

Dissuasive fines

For essential entities, the NIS 2 directive provides for fines of up to 10 million euros or 2% of annual worldwide turnover, whichever is higher. For important entities, these ceilings are set at 7 million euros or 1.4% of turnover.

The DORA regulation, for its part, establishes administrative fines of up to 1% of annual turnover for financial institutions.

The legal risk analysis carried out by a lawyer allows you to assess your potential exposure to these sanctions. This quantification of risks, translated into financial terms, constitutes a weighty argument to justify the necessary investments in matters of cybersecurity to your management bodies.

The personal liability of executives

Beyond the sanctions targeting the organization, NIS 2 explicitly allows Member States to provide for rules concerning the personal liability of executives in the event of a breach of cybersecurity obligations.

The personalized legal support that a cybersecurity lawyer can provide to your executives allows them to precisely grasp the extent of their personal liability. This clarification constitutes a powerful lever for awareness and engagement at the highest level of the organization.

Application timeline and key steps to prepare

Given the scale of the changes introduced by these new regulations, methodical and early preparation is essential.

Application timeline

  • NIS 2: The directive was to be transposed into national laws before 17 October 2024. Companies will then have an additional period to comply, generally between 12 and 21 months depending on the provisions.
  • DORA: The regulation will come into application on 17 January 2025, with direct application in all Member States, without the need for national transposition.

The phased strategic planning developed by an expert legal counsel allows you to anticipate these deadlines with confidence. By establishing a precise and prioritized roadmap, they guide you in the gradual implementation of the necessary measures, thus avoiding rushed last-minute efforts.

The key steps of compliance

To effectively address these new requirements, a structured approach in several steps is essential:

  1. Assess the applicability of the texts to your organization
  2. Carry out a diagnosis of your current level of compliance
  3. Analyze the gaps with regard to the new requirements
  4. Develop a prioritized action plan
  5. Implement the necessary technical and organizational measures
  6. Train teams and raise awareness among executives
  7. Test the effectiveness of the implemented measures

The overall compliance architecture designed by a cybersecurity lawyer constitutes the backbone of your approach. Their cross-cutting vision, combining legal expertise and an understanding of operational stakes, allows you to develop a coherent and effective compliance program, harmoniously integrating the requirements of NIS 2 and DORA into your existing security management system.

Conclusion

The entry into force of NIS 2 and DORA undeniably marks a new era in matters of cybersecurity regulation in Europe. These texts, through their ambition and rigor, impose on the organizations involved a significant elevation of their level of maturity in matters of digital security.

However, beyond the regulatory constraint, these new requirements also constitute a unique opportunity to durably strengthen your resilience against constantly evolving cyber threats. By fully integrating cybersecurity into your governance and your overall strategy, you transform a legal obligation into a genuine competitive advantage, strengthening the confidence of your clients, partners and investors.

Our firm supports organizations in their compliance with these new European regulations, by offering a tailor-made approach that takes into account your sectoral specificities and your current maturity in matters of cybersecurity. Thanks to our combined expertise in cybersecurity law and in understanding technical stakes, we guide you effectively through the complexities of NIS 2 and DORA, transforming these regulatory requirements into an opportunity to strengthen your position in the market.

To learn more

What is the difference between NIS 2 and DORA?

NIS 2 is a directive aimed at strengthening the cybersecurity of a wide range of organizations in key sectors. DORA is a regulation targeting the digital operational resilience of the financial sector. Both texts strengthen cybersecurity obligations, but with distinct scopes.

What is the NIS 2 directive?

The NIS 2 directive (Network and Information Security) strengthens cybersecurity within the European Union by broadening the scope of the entities involved and their obligations. It marks a turning point in the European approach to digital security, applicable gradually from 2024.

What is the DORA regulation?

The DORA regulation (Digital Operational Resilience Act) aims at the digital operational resilience of the financial sector. It imposes on financial entities and their IT providers strict obligations of risk management, testing and incident notification.

Who is concerned by NIS 2 and DORA?

NIS 2 concerns a wide range of organizations in key sectors, from administrations to companies. DORA specifically targets the financial sector and its IT providers. Identifying the applicable text(s) is an essential first step of compliance.

When do these regulations come into application?

NIS 2 and DORA come gradually into application from 2024. This timeline requires the organizations involved to anticipate compliance, by adapting their cybersecurity strategy to the strengthened obligations of these European texts.

How to adapt your cybersecurity strategy to NIS 2 and DORA?

Adaptation involves identifying the applicable texts, assessing the gaps with the requirements, implementing security and governance measures, and contractually framing providers. This structured approach makes it possible to meet the strengthened obligations.

Can a company fall under both NIS 2 and DORA?

Yes. Certain organizations, notably in the financial sector or as providers, may fall under both frameworks. A coordinated approach is then necessary to articulate the obligations of NIS 2 and DORA and avoid redundancies or gaps.

Is a lawyer useful for NIS 2 and DORA compliance?

A cybersecurity lawyer helps to identify the applicable texts, to assess the obligations, to structure compliance and to frame provider contracts. This support makes it possible to adapt the cybersecurity strategy to these complex regulations.
