
Combining regulation with real-world security assurance: DORA and NIS2 

Whether you’re a local financial startup or a multinational food distributor, understanding how DORA and NIS2 may affect your organization is vital. With implementation dates just around the corner, there is no time to waste. Here’s what you need to know.


In a climate where almost every communication, transaction, and operation is increasingly conducted online, the need for stronger cybersecurity regulation and protocols is indisputable. Finding your cyber vulnerabilities, addressing your security weaknesses, and fortifying your security practices is no longer a recommendation; it’s a legal requirement.

Whether you’re a local financial startup or a multinational enterprise, understanding how DORA and NIS2 may affect your organization is vital. With implementation dates just around the corner, here’s what you need to know:

Similarities between DORA and NIS2  

  • Scope: both frameworks aim to strengthen cybersecurity practices and resilience within organizations. 
  • Action: they require entities to take appropriate measures to manage risks and prevent or minimize the impact of cyber incidents. 
  • Testing: both frameworks require entities to conduct regular testing to ensure operational resilience and readiness against cyber threats. 
  • Information sharing: both DORA and NIS2 promote the sharing of information and intelligence related to cybersecurity incidents.  
  • Reporting: they establish reporting obligations for significant cybersecurity incidents that affect service provision. 

Differences between DORA and NIS2  

  • Scope: DORA specifically targets financial institutions and their critical IT suppliers, while NIS2 applies to a broader range of ‘essential’ and ‘important’ entities across various sectors. 
  • Aim: NIS2 focuses on ensuring the continuity of ‘essential’ services, while DORA primarily emphasizes digital operational resilience within the financial sector.  
  • Timeline: DORA’s requirements are set to come into force on January 17, 2025, while NIS2 is expected to come into play by October 17, 2024; however, each EU member state must transpose it into its local legislation, so enforcement dates may vary.
  • Non-compliance: DORA penalties for Financial Entities are decided by competent authorities whereas IT suppliers are fined based on a percentage of their global revenue. NIS2 imposes fines based on turnover for both ‘essential’ and ‘important’ entities. 

Understanding DORA  

Now that we have delved into the similarities (and differences) between DORA and NIS2, let’s take a closer look at what each framework entails.  

What does DORA mean?  

The Digital Operational Resilience Act, or DORA for short, is a new EU regulation aimed at improving the cyber resiliency of EU-based financial institutions. This regulation will come into force across every Member State as of January 17, 2025.

In essence, DORA establishes a regulatory framework built around digital operational resilience, under which all in-scope organizations must ensure they can withstand, mitigate, and recover from cyber disruptions and threats.


Who does DORA impact?  

Although there are many exceptions to the rule, at its base level, DORA primarily affects EU-based financial institutions and their ‘critical’ IT suppliers. This includes:  

  • Financial institutions such as banks and credit institutions 
  • Credit agencies and account information service providers 
  • Pension funds and investment firms 
  • Crypto-asset service providers  
  • Insurance providers 
  • Crowdfunding providers and alternative investment fund managers 
  • Intermediaries and ICT service providers 

Does DORA apply to the UK?  

DORA doesn’t have direct jurisdiction over UK organizations. However, if your operations involve interactions with EU entities or occur within the EU, you may need to comply with its provisions. 

Regardless of whether DORA directly affects your organization, a similar framework is anticipated to arise within the UK. As DORA aims to bolster digital operational resilience, getting to grips with its requirements and adopting these best practices into your cybersecurity defense strategy is recommended.   

What are the 5 pillars of DORA regulation? 

Although the main requirements of DORA remain clear, greater details regarding technical standards will be published as part of the final draft in July. Nevertheless, the five regulatory pillars of DORA include:  

  • ICT risk management: Financial Entities must establish internal governance and control frameworks to effectively identify, assess, and mitigate ICT risks.  
  • ICT-related incident reporting: Financial Entities must classify and report ICT-related incidents that compromise their security and have adverse impacts on data integrity or service availability. 
  • Digital operational resilience testing: All Financial Entities, except micro-enterprises, must periodically conduct advanced testing, known as ‘Threat Led Penetration Testing’ (TLPT), to prevent incidents. The frequency of testing may vary depending on the size and risk profile of the entity.
  • Management of ICT third-party risk: Financial Entities must safeguard against external vulnerabilities by ensuring their third-party providers are secure and compliant.  
  • Information and intelligence sharing: Financial Entities are encouraged to share informative content about internal and external ICT-related incidents.  

What happens if you fail to comply with DORA?  

Financial institutions that fail to comply with DORA will be subjected to penalties determined by competent authorities. Depending on how each EU Member State decides to implement the penalty, organizations may face criminal and/or financial consequences.  

If an IT supplier fails to comply with DORA, they could risk a penalty of up to 1% of their average daily worldwide turnover in the preceding business year. This is applied every day for up to 6 months.  

It’s worth noting that penalties and fines under DORA will abide by the concept of proportionality. In other words, smaller financial institutions won’t be held to the same standards as larger, multinational companies.  

How offensive security testing drives DORA compliance 

Two components of DORA set it apart from other regulations, in that they mandate security testing to ensure both the appropriateness and effectiveness of your security controls. 

A key part of the regulation is to carry out regular Threat Led Penetration Testing (TLPT), which goes far beyond today’s typical penetration testing regime: it starts by thinking like a real-world attacker, building an attack plan for your environment, and then carrying it out at depth throughout your infrastructure. The TLPT exercise should then fold back into your security program to address the discovered vulnerabilities, whether these are people-, process- or technology-based.

Article 25 of DORA mandates that applications and infrastructure are tested after each new deployment or change. A great way to approach this is therefore to move to a model of continuous testing: one where you have capacity on demand, and that can work in step with your SDLC and change management pipelines.

Understanding NIS2  

Now that we’ve covered the basics of the DORA framework, including its implications for Financial Entities and critical IT service providers, let’s explore the broader NIS2 framework and how it affects organizations in varying sectors.  

What is NIS2?  

The NIS2 directive is EU-wide legislation that requires entities to implement technical, operational, and organizational measures to mitigate the risk of cyber threats. Rather than enforcing regulations directly, the NIS2 directive provides guidelines to ensure the consistent adoption of local law across EU member states.


Who must comply with NIS2?  

NIS2 applies to entities operating in the EU, regardless of the organization’s geographical presence. Both ‘essential’ and ‘important’ entities will need to comply with the NIS2 directive. The industries affected by NIS2 include:  

‘Essential’ sectors:  

  • Energy  
  • Space 
  • Transport  
  • Banking  
  • Public administration  
  • Financial market infrastructure  
  • Health  
  • Drinking water 
  • Wastewater  
  • Digital infrastructure  
  • ICT service management (B2B)  

‘Important’ sectors:  

  • Postal and courier services  
  • Waste management  
  • Manufacturing  
  • Digital providers  
  • Research  
  • Production, processing, and distribution of food  
  • Manufacture, production, and distribution of chemicals  

Does NIS2 apply to the UK? 

No, NIS2 does not directly apply to the UK; however, it is expected that a NIS2 equivalent will be introduced in the UK shortly. If you operate within the EU, you are still expected to comply with its provisions.

What are the requirements for NIS2? 

NIS2 expands upon existing requirements from NIS, such as corporate accountability and business continuity. However, it also introduces new obligations for organizations, including risk management and reporting obligations.

Here’s a closer look at the four overarching areas of NIS2 and what they entail:  

  • Corporate accountability: corporate management must supervise, authorize, and undergo training on the entity’s cybersecurity measures.  
  • Risk management: organizations must implement measures to mitigate cyber risks, such as incident management, supply chain security, network security enhancement, access control improvement, and encryption deployment. 
  • Reporting obligations: ‘essential’ and ‘important’ entities must establish procedures for promptly reporting security incidents that significantly impact their service provision or recipients and adhere to specific notification deadlines.  
  • Business continuity: organizations must strategize how to maintain business operations during major cyber incidents, incorporating plans for system recovery and establishing a crisis response team. 

What happens if you fail to comply with NIS2?  

For ‘essential’ entities, fines for non-compliance can range from 10 million EUR up to 2% of the total worldwide annual turnover. ‘Important’ entities may face fines from 7 million EUR up to 1.4% of the total worldwide annual turnover. 


How CovertSwarm can help 

CovertSwarm is expertly placed to assist with your compliance with DORA and NIS2; thanks to our continuous attack mindset, any new issues are rapidly identified and remediated before they are exploited by a real-world attacker.

A monthly CovertSwarm Constant Cyber Attack subscription covers all aspects of Threat Led Penetration Testing (TLPT), compliance attestations and Red Team requirements. 

Our expert team of ethical hackers helps to assess your organization for any weak points by evaluating how effective your current controls are and identifying opportunities to improve them. This works seamlessly with DORA’s approach to risk management, ensuring you remain one step ahead of the attackers.

Instead of waiting for annual pen testing, which can’t cover the constant changes in your organization’s attack surface, subscribing to CovertSwarm will make sure your brand is continuously attacked by our expert red team to find vulnerabilities and help you mitigate the risk before the genuine bad actors can exploit them.

YOU DESERVE TO BE HACKED.

Listen to our podcast to learn more about this topic from the experts – Episode 26 – Understanding DORA and NIS2.