The European Union is considerably strengthening its regulatory arsenal in matters of cybersecurity with the adoption of two major texts: the NIS 2 directive (Network and Information Security) and the DORA regulation (Digital Operational Resilience Act). These new regulations, which will gradually come into application from 2024, mark a decisive turning point in the European approach to digital security, imposing strengthened obligations on a considerably broadened number of organizations.
Faced with this growing regulatory complexity, understanding the implications of these texts and adapting your cybersecurity strategy becomes a strategic imperative.
The European Union is deploying an ambitious strategy to strengthen the digital resilience of its economy and protect its critical infrastructures against constantly evolving cyber threats. This strategy is notably embodied by two complementary legal instruments: NIS 2 and DORA.
Adopted in December 2022 and in force since January 2023, the NIS 2 directive (Directive (EU) 2022/2555) replaces and considerably strengthens the first NIS directive of 2016; Member States had until 17 October 2024 to transpose it into national law. Its objective is to raise the overall level of cybersecurity within the European Union by imposing harmonized requirements on a wide range of organizations considered critical for the economy and society.
Unlike its previous version, which only concerned Operators of Essential Services (OES) and certain digital service providers, NIS 2 considerably extends its scope of application to new sectors, including public administration, space, postal and courier services, waste management, the manufacture and distribution of chemicals, food production and distribution, manufacturing of critical products (medical devices, electronics, machinery, vehicles) and research organizations, alongside the sectors already covered such as energy, transport, banking, health, drinking water and digital infrastructure.
The sectoral strategic analysis that a cybersecurity lawyer can carry out for your organization is decisive in identifying whether you fall within the scope of this directive. This assessment, which requires a thorough understanding of the size and activity criteria defined by the text, constitutes the first essential step of your compliance journey.
In parallel with NIS 2, the European Union adopted the DORA regulation (Digital Operational Resilience Act, Regulation (EU) 2022/2554), specifically dedicated to the financial sector. This text, which applies from 17 January 2025, aims to ensure that all entities of the financial system have the necessary safeguards to withstand incidents related to information and communication technologies (ICT). As a regulation rather than a directive, it applies directly in all Member States without transposition.
DORA concerns a wide range of financial players: credit institutions, payment and electronic money institutions, investment firms, crypto-asset service providers, central securities depositories and central counterparties, trading venues, managers of alternative investment funds and management companies, insurance and reinsurance undertakings and intermediaries, institutions for occupational retirement provision, credit rating agencies and crowdfunding service providers.
A major innovation of DORA lies in its extension to third-party ICT service providers working for the financial sector: financial entities must contractually frame and monitor these providers, and those designated as "critical" by the European Supervisory Authorities become subject to a direct oversight framework, with a Lead Overseer empowered to issue recommendations and impose periodic penalty payments.
The targeted regulatory expertise that legal counsel can provide is crucial to navigate the subtleties of these two regimes, which may, in certain cases, overlap. Their thorough knowledge of the mechanisms for articulating these texts allows you to precisely identify the requirements applicable to your specific situation, thus avoiding redundancies or, worse, blind spots in your compliance program.
Beyond the broadening of their scope of application, NIS 2 and DORA impose strengthened obligations in matters of governance and technical security, placing cybersecurity at the heart of the strategic concerns of the organizations involved.
One of the major innovations of these regulations lies in the explicit accountability of management bodies. Henceforth, board members and executives must approve the cybersecurity risk management measures adopted by the organization, oversee their implementation, and follow training themselves so that they are able to identify risks and assess the adequacy of the measures taken; under NIS 2 they can be held liable for breaches of these obligations.
The structured legal pedagogy that a lawyer can deploy with your management bodies constitutes a major asset in facilitating this appropriation. Their expertise allows them to translate complex technical concepts into understandable strategic stakes, thus facilitating the effective engagement of executives in the governance of cybersecurity.
Both NIS 2 and DORA require the implementation of appropriate technical and organizational measures to manage the risks related to the security of networks and information systems. These measures must cover, at a minimum, risk analysis and information system security policies, incident handling, business continuity and crisis management (backups, disaster recovery), supply chain security, security in the acquisition, development and maintenance of systems (including vulnerability handling), procedures to assess the effectiveness of the measures, cyber hygiene and training, cryptography and encryption, human resources security and access control, and the use of multi-factor authentication and secured communications where appropriate.
The hybrid legal-technical approach proposed by a cybersecurity lawyer brings unique value in this context. By combining their knowledge of regulatory requirements with an understanding of technical stakes, they guide you in developing a security framework that is both compliant with the texts and adapted to your operational reality.
A significant innovation of the NIS 2 directive lies in the classification of the entities involved into two categories - essential and important - subject to partially differentiated obligation regimes.
The classification of an entity as "essential" or "important" depends primarily on its sector of activity and its size, with a risk-based approach. Broadly, entities considered more critical for the economy and society are classified as essential, while the other entities falling within the scope are considered important.
The qualifying legal analysis carried out by a counsel allows you to identify with certainty your classification with regard to these complex criteria. This qualification, which may require a fine interpretation of the provisions of the directive and its national transposition, directly conditions the extent of your obligations.
While both categories of entities are subject to the bulk of cybersecurity obligations, certain notable differences exist, particularly in matters of supervision and sanctions: essential entities are subject to proactive (ex ante) supervision, including regular audits and inspections, whereas important entities are supervised only after the fact (ex post), when the authority has evidence of a breach; the maximum fines are also higher for essential entities, and only their executives face a possible temporary ban from managerial functions.
The adaptive compliance strategy developed by a lawyer takes into account your specific classification to effectively prioritize your compliance efforts. This personalized approach allows you to optimize the allocation of your resources while ensuring compliance with all of your legal obligations.
The NIS 2 and DORA regulations considerably strengthen the obligations to notify cybersecurity incidents, with precise requirements in terms of deadlines and content.
NIS 2 introduces a multi-level notification system for significant incidents: an early warning to the competent authority or CSIRT within 24 hours of becoming aware of the incident, a fuller incident notification within 72 hours, intermediate updates on request, and a final report within one month of the incident notification.
DORA also provides for strict deadlines for financial entities facing a major ICT-related incident, with an initial notification within 24 hours of becoming aware of it, followed by an intermediate report and a final report once the root cause analysis is complete.
The anticipated operational preparation that a cybersecurity lawyer can provide constitutes a decisive asset in meeting these binding deadlines. By developing notification procedures and templates adapted to your context, they enable you to react effectively in a crisis situation, when every hour counts.
One of the major difficulties lies in assessing the "significance" of an incident, which determines the notification obligation. This assessment must take into account various factors such as the severity and duration of the operational disruption, the number of users or clients affected, the geographic spread of the impact, the financial losses caused, the data compromised, and whether the incident is capable of affecting other natural or legal persons.
The contextualized analytical expertise of a legal counsel helps you develop an assessment grid adapted to your specific activity. This structured methodology allows you to quickly and objectively assess the significance of an incident, thus avoiding the risks of over-notification or, even more problematic, under-notification.
To ensure the effectiveness of these new obligations, NIS 2 and DORA introduce a considerably strengthened sanctions regime, inspired by the approach adopted by the GDPR.
The NIS 2 directive requires Member States to provide, for essential entities, fines of up to at least 10 million euros or 2% of total annual worldwide turnover, whichever is higher. For important entities, these minimum ceilings are set at 7 million euros or 1.4% of turnover.
The DORA regulation, for its part, leaves it to Member States to define the administrative penalties applicable to financial entities, which must be effective, proportionate and dissuasive. The 1% figure often cited concerns critical ICT third-party providers: the Lead Overseer may impose on them periodic penalty payments of up to 1% of their average daily worldwide turnover, for up to six months, to compel compliance with its recommendations.
The legal risk analysis carried out by a lawyer allows you to assess your potential exposure to these sanctions. This quantification of risks, translated into financial terms, constitutes a weighty argument to justify the necessary investments in matters of cybersecurity to your management bodies.
Beyond the sanctions targeting the organization, NIS 2 explicitly provides that the members of management bodies can be held liable for breaches of the cybersecurity risk management obligations, and allows the competent authorities, for essential entities, to request a temporary ban on any natural person exercising managerial responsibilities at CEO or legal representative level.
The personalized legal support that a cybersecurity lawyer can provide to your executives allows them to precisely grasp the extent of their personal liability. This clarification constitutes a powerful lever for awareness and engagement at the highest level of the organization.
Faced with the scale of the changes introduced by these new regulations, methodical and anticipated preparation is essential.
The phased strategic planning developed by an expert legal counsel allows you to anticipate these deadlines with serenity. By establishing a precise and prioritized roadmap, they guide you in the gradual implementation of the necessary measures, thus avoiding rushed last-minute efforts.
To effectively address these new requirements, a structured approach in several steps is essential: identifying which text(s) apply to your organization, assessing the gaps between your current practices and the requirements, implementing the necessary security and governance measures, and contractually framing your ICT providers.
The overall compliance architecture designed by a cybersecurity lawyer constitutes the backbone of your approach. Their cross-cutting vision, combining legal expertise and an understanding of operational stakes, allows you to develop a coherent and effective compliance program, harmoniously integrating the requirements of NIS 2 and DORA into your existing security management system.
The entry into force of NIS 2 and DORA undeniably marks a new era in matters of cybersecurity regulation in Europe. These texts, through their ambition and rigor, impose on the organizations involved a significant elevation of their level of maturity in matters of digital security.
However, beyond the regulatory constraint, these new requirements also constitute a unique opportunity to durably strengthen your resilience against constantly evolving cyber threats. By fully integrating cybersecurity into your governance and your overall strategy, you transform a legal obligation into a genuine competitive advantage, strengthening the confidence of your clients, partners and investors.
Our firm supports organizations in their compliance with these new European regulations, by offering a tailor-made approach that takes into account your sectoral specificities and your current maturity in matters of cybersecurity. Thanks to our combined expertise in cybersecurity law and in understanding technical stakes, we guide you effectively through the complexities of NIS 2 and DORA, transforming these regulatory requirements into an opportunity to strengthen your position in the market.
To learn more
NIS 2 is a directive aimed at strengthening the cybersecurity of a wide range of organizations in key sectors. DORA is a regulation targeting the digital operational resilience of the financial sector. Both texts strengthen cybersecurity obligations, but with distinct scopes.
The NIS 2 directive (Network and Information Security) strengthens cybersecurity within the European Union by broadening the scope of the entities involved and their obligations. It marks a turning point in the European approach to digital security, applicable gradually from 2024.
The DORA regulation (Digital Operational Resilience Act) aims at the digital operational resilience of the financial sector. It imposes on financial entities and their IT providers strict obligations of risk management, testing and incident notification.
NIS 2 concerns a wide range of organizations in key sectors, from administrations to companies. DORA specifically targets the financial sector and its IT providers. Identifying the applicable text(s) is an essential first step of compliance.
NIS 2 and DORA come gradually into application from 2024. This timeline requires the organizations involved to anticipate compliance, by adapting their cybersecurity strategy to the strengthened obligations of these European texts.
Adaptation involves identifying the applicable texts, assessing the gaps with the requirements, implementing security and governance measures, and contractually framing providers. This structured approach makes it possible to meet the strengthened obligations.
Yes. Certain organizations, notably in the financial sector or as providers, may fall under both frameworks. A coordinated approach is then necessary to articulate the obligations of NIS 2 and DORA and avoid redundancies or gaps.
A cybersecurity lawyer helps to identify the applicable texts, to assess the obligations, to structure compliance and to frame provider contracts. This support makes it possible to adapt the cybersecurity strategy to these complex regulations.