Cyber security: Resiliency by Shoosmiths

The EU’s new Network and Information Systems Directive (NIS2) came into effect on 16 January 2023 and enhances the scope of the EU’s cyber security risk management regime. NIS2 aims to strengthen the cyber security posture of businesses across the EU and enhance cooperation between Member States. 

NIS2 Directive primarily targets organisations that provide key services in vital sectors including energy, transport, banking, financial market infrastructures, healthcare, utilities, and digital infrastructure. Additionally, it extends to critical suppliers within these sectors, encompassing both direct providers such as digital service and cloud computing services, as well as indirect suppliers whose services are integral to the digital infrastructure of those critical sectors.

EU Member States have until 17 October 2024 to transpose NIS2 (the Directive) into national law, and those measures will apply from 18 October 2024. Under the NIS2, organisations face substantial fines and sanctions for non-compliance, which can reach up to €10 million or 2% of global turnover (whichever is greater). Regulators are also granted robust audit and oversight powers, which include enhanced authority to conduct detailed on-site inspections.

The UK is currently introducing equivalent legislation aimed at enhancing the cyber security of both information systems and digital products. 

Download our helpful checklist to help you identify the compliance steps you need to take, such as preliminary scoping and assessment, governance and gap analysis, legal and registration, technical and security, incident management and breach response and also training, vendor management and audit and assurance. 

The Digital Operational Resilience Act (DORA) was enacted in 2023, representing a significant enhancement in the cyber security and operational resiliency framework across the EU’s financial sector.

DORA targets a wide range of financial entities, including banking providers, credit institutions, investment firms, insurance companies and crypto-asset service providers. It also directly applies to third-party service providers supplying 'critical' services to those financial entities, such as cloud providers. In addition, as a consequence of enhanced resiliency requirements and vendor management, it will also indirectly impact a significant proportion of the financial services digital supply chain.

At its core, DORA introduces new requirements that regulate how organisations implement cyber security and operational resiliency controls, enabling them to withstand, respond to, and recover from all types of digital disruptions and threats. Additionally, DORA introduces new mandatory registration and reporting criteria, significantly changing how in-scope organisations report incidents and outsource aspects of their services and infrastructure to third parties. 

Moreover, DORA introduces stringent oversight and audit requirements. It empowers regulators with enhanced supervisory tools, including the ability to conduct on-site digital operational resilience testing and mandatory incident reporting. This ensures that financial entities not only comply with robust cyber security standards but also continuously improve their ICT risk management frameworks. For critical third-party providers (TPPs), this will mean falling under the direct oversight of a supervisory authority who will engage in regular audits of TPPs cyber security and resiliency frameworks. TPPs will also be required to register and pay annual fees to cover the cost of the authority’s auditing and oversight role.

EU Member States are in the process of adopting and publishing national laws necessary to enact the supervisory aspects of DORA, with all organisations required to comply by 17 January 2025. Under DORA, non-compliant organisations and individuals may face significant penalties. The level of the penalty, set by each Member State's supervisory authority, is expected to include periodic penalty payments of up to 1% of the average daily worldwide turnover and fines of up to €1 million for individuals, with criminal penalties for individuals also anticipated.

In line with DORA, the UK is exploring similar regulations to strengthen the operational resilience of its financial services sector, focusing on mitigating ICT risks and enhancing system robustness.