
NIS 2 and DORA: understanding the impact of new European regulations on your cybersecurity strategy

Brief summary

The European Union is considerably strengthening its cybersecurity regulatory arsenal with the adoption of two major texts: the NIS 2 (Network and Information Security) directive and the DORA (Digital Operational Resilience Act) regulation. These new regulations, which will gradually come into force from 2024, mark a decisive turning point in Europe's approach to digital security, imposing enhanced obligations on a considerably wider range of organizations.

In the face of this growing regulatory complexity, understanding the implications of these texts and adapting your cybersecurity strategy is becoming a strategic imperative.

If you need a cybersecurity lawyer, contact me!

Europe's new cybersecurity regulatory landscape

The European Union is deploying an ambitious strategy to strengthen the digital resilience of its economy and protect its critical infrastructures in the face of constantly evolving cyber threats. This strategy is embodied in two complementary legal instruments: NIS 2 and DORA.

The NIS 2 Directive: a considerably broader scope

Adopted in January 2023, the NIS 2 Directive replaces and considerably strengthens the first NIS Directive of 2016. Its aim is to raise the overall level of cybersecurity within the European Union by imposing harmonized requirements on a wide range of organizations considered critical to the economy and society.

Unlike its previous version, which only concerned Essential Service Operators (ESOs) and certain digital service providers, NIS 2 considerably extends its scope to new sectors such as:

  • Public administration
  • Waste management
  • The manufacturing industry
  • Chemical production and distribution
  • The postal sector
  • The food industry
  • Digital suppliers (marketplaces, search engines, social networks)
  • The space sector

The strategic sector analysis that a cybersecurity lawyer can carry out for your organization is decisive in identifying whether you fall within the scope of this directive. This assessment, which requires a thorough understanding of the size and activity criteria defined by the text, is the first essential step in your compliance journey.

The DORA regulation: a specific framework for the financial sector

In parallel with NIS 2, the European Union has adopted the DORA (Digital Operational Resilience Act) regulation, specifically dedicated to the financial sector. This text, which will come fully into force in January 2025, aims to ensure that all entities in the financial system have the necessary guarantees to withstand incidents linked to information and communication technologies (ICT).

DORA concerns a wide range of financial players:

  • Credit institutions and banks
  • Investment firms
  • Payment service providers
  • Insurance and reinsurance companies
  • Cryptoasset service providers
  • Central securities depositories
  • Central counterparties

A major innovation of DORA is its extension to third-party ICT service providers working for the financial sector, who will now be subject to direct supervision by the European financial supervisory authorities.

The targeted regulatory expertise that legal counsel can provide is crucial to navigating the intricacies of these two regimes, which can in some cases overlap. In-depth knowledge of the mechanisms linking these texts enables you to identify precisely the requirements applicable to your specific situation, thus avoiding redundancies or, worse still, blind spots in your compliance program.

New governance and security obligations

In addition to broadening their scope, NIS 2 and DORA impose enhanced obligations in terms of governance and technical security, placing cybersecurity at the heart of the strategic concerns of the organizations concerned.

Direct involvement of management bodies

One of the major innovations of these regulations is the explicit accountability of management bodies. From now on, board members and senior executives must:

  • Approve cyber risk management measures
  • Oversee their implementation
  • Assume responsibility for the entity's failure to meet its obligations
  • Take appropriate training to acquire the necessary cybersecurity knowledge

The structured legal education that a lawyer can provide to your management bodies is a major asset in helping them take ownership of these duties. His expertise enables him to translate complex technical concepts into understandable strategic issues, thus facilitating the effective involvement of management in cybersecurity governance.

Reinforcing technical and organizational measures

Both NIS 2 and DORA require the implementation of appropriate technical and organizational measures to manage network and information system security risks. These measures must cover:

  • Security of systems and facilities
  • Incident management
  • Business continuity
  • Supply chain security
  • Security testing and auditing
  • The use of cryptography and encryption

The hybrid legal-technical approach offered by a cybersecurity lawyer brings unique value in this context. By combining his knowledge of regulatory requirements with an understanding of the technical issues at stake, he can guide you in the development of a security system that is both compliant with legislation and adapted to your operational reality.

The distinction between "essential" and "important" entities

A significant innovation in the NIS 2 directive is the classification of the entities concerned into two categories - essential and important - subject to partially differentiated obligation regimes.

Classification criteria

The classification of an entity as "essential" or "important" depends primarily on its sector of activity and its size, using a risk-based approach. Overall, entities considered more critical to the economy and society are classified as essential, while the other entities within the scope are considered important.

A qualifying legal analysis carried out by an advisor will enable you to identify with certainty your classification with regard to these complex criteria. This qualification, which may require a detailed interpretation of the provisions of the directive and its national transposition, directly conditions the scope of your obligations.

Differences in the obligations regime

While both categories of entity are subject to the bulk of cybersecurity obligations, there are some notable differences, particularly in terms of control and sanctions:

  • Essential entities are subject to a proactive supervision regime with regular controls
  • Important entities are mainly subject to reactive controls triggered by incidents or reports
  • Supply chain requirements may be more stringent for essential entities
  • The penalty system can be modulated according to classification

The adaptive compliance strategy developed by an attorney takes into account your specific classification to effectively prioritize your compliance efforts. This customized approach enables you to optimize the allocation of your resources while ensuring that all your legal obligations are met.

New incident reporting requirements

The NIS 2 and DORA regulations considerably strengthen the obligations for reporting cybersecurity incidents, with precise requirements in terms of deadlines and content.

A multi-level notification system

NIS 2 introduces a multi-level notification system:

  • Early warning within 24 hours of learning of a significant incident
  • An interim report within 72 hours
  • A detailed final report within one month

DORA also sets strict deadlines for financial entities, with initial notification within 24 hours and regular updates until the incident is resolved.

The advance operational preparation that a cybersecurity lawyer can provide is a decisive asset in meeting these tight deadlines. By drawing up procedures and notification models adapted to your context, he or she will enable you to react effectively in a crisis situation, when every hour counts.

Assessing the significance of incidents

One of the major difficulties lies in assessing the "significance" of an incident, which determines whether it must be notified. This assessment must take into account various factors such as:

  • Number of users affected
  • Duration of incident
  • Geographical scope
  • The extent of service disruption
  • Impact on economic and social activities

The contextualized analytical expertise of a legal advisor helps you to draw up an evaluation grid tailored to your specific activity. This structured methodology enables you to quickly and objectively assess the significance of an incident, thus avoiding the risks of over-notification or, even more problematically, under-notification.

Reinforced sanctions regime

To ensure the effectiveness of these new obligations, NIS 2 and DORA introduce a considerably strengthened sanctions regime, inspired by the approach adopted by the GDPR.

Deterrent fines

The NIS 2 Directive provides for fines of up to 10 million euros or 2% of worldwide annual turnover, whichever is greater, for essential entities. For important entities, these ceilings are set at 7 million euros or 1.4% of turnover.

The DORA regulation sets administrative fines of up to 1% of annual turnover for financial institutions.

A legal risk analysis carried out by a lawyer enables you to assess your potential exposure to these sanctions. This quantification of risk, translated into financial terms, is a powerful argument for justifying the necessary cybersecurity investments to your management bodies.

Directors' personal liability

In addition to sanctions targeting the organization, NIS 2 explicitly allows Member States to lay down rules concerning the personal liability of managers in the event of a breach of cybersecurity obligations.

The personalized legal support that a cybersecurity lawyer can provide to your executives enables them to understand precisely the extent of their personal liability. This clarification is a powerful lever for raising awareness and commitment at the highest level of the organization.

Application timetable and key stages of preparation

Faced with the scale of the changes introduced by these new regulations, methodical preparation in advance is essential.

Application timetable

  • NIS 2: The directive had to be transposed into national law by October 17, 2024. Companies will then have additional time to comply, generally between 12 and 21 months depending on the provisions.
  • DORA: The regulation will come into force on January 17, 2025, with direct application in all member states, with no need for national transposition.

Staged strategic planning by an expert legal advisor enables you to anticipate these deadlines with peace of mind. By establishing a precise, prioritized roadmap, it guides you in the gradual implementation of the necessary measures, thus avoiding hasty last-minute efforts.

The key stages of compliance

To meet these new requirements effectively, a structured, multi-stage approach is required:

  1. Assess whether the texts apply to your organization
  2. Diagnose your current level of compliance
  3. Analyze the gaps between your current state and the new requirements
  4. Develop a prioritized action plan
  5. Implement the necessary technical and organizational measures
  6. Train teams and raise awareness among managers
  7. Test the effectiveness of your systems

The global compliance architecture designed by a cybersecurity lawyer forms the backbone of your approach. His cross-functional vision, combining legal expertise and understanding of operational issues, enables you to draw up a coherent and effective compliance program, seamlessly integrating NIS 2 and DORA requirements into your existing security management system.

Conclusion

The entry into force of NIS 2 and DORA undeniably marks a new era in cybersecurity regulation in Europe. The ambitious and rigorous nature of these texts means that the organizations concerned must significantly raise their level of digital security maturity.

However, over and above the regulatory constraint, these new requirements also represent a unique opportunity to sustainably strengthen your resilience in the face of constantly evolving cyber threats. By fully integrating cybersecurity into your governance and global strategy, you can transform a legal obligation into a genuine competitive advantage, boosting the confidence of your customers, partners and investors.

Our firm supports organizations in their compliance with these new European regulations, offering a tailored approach that takes into account your sector specificities and current cybersecurity maturity. Thanks to our combined expertise in cybersecurity law and understanding of technical issues, we guide you effectively through the complexities of NIS 2 and DORA, transforming these regulatory requirements into an opportunity to strengthen your market position.
