Regulatory frameworks are being tightened across Europe to ensure organisations are equipped to withstand the risks of cyber attacks. Two key pieces of legislation are coming into force in the EU: the Network and Information Systems 2 (NIS2) Directive and the Digital Operational Resilience Act (DORA).
NIS2
NIS2 comes into effect in October 2024 and replaces the original Network and Information Systems (NIS) Directive created in 2018. Its goal is to standardise and enhance cybersecurity measures across EU member states, ensuring that organisations meet a baseline of security practices.
Requirements include:
- Conducting risk assessments to identify vulnerabilities
- Implementing policies and procedures for cryptography and security
- Enforcing multifactor authentication (MFA) for sensitive systems
- Providing cybersecurity training for employees handling critical data
- Developing incident handling and reporting plans to maintain operational continuity during security breaches
Impact on the finance sector
The Digital Operational Resilience Act (DORA), which will be effective from January 2025, seeks to improve the security of banks, insurance companies, and investment firms. DORA covers:
- Risk management processes for identifying and mitigating potential cyber threats
- Third-party risk management, ensuring vendors and partners meet security standards
- Digital operational resilience testing to validate system defences
- Reporting of relevant incidents to the appropriate authorities
Implications for organisations in the UK
Although the UK is no longer part of the EU, and so is not directly subject to NIS2 or DORA, both could still have implications for UK organisations. These organisations remain subject to the NIS Regulations 2018, and may face pressure to align with the higher standards introduced by the new EU legislation in order to do business globally.
Higher standards in one territory can make it more efficient to adopt them universally, rather than managing different standards across various regions. As a result, NIS2 could drive a broader update of cybersecurity standards beyond its immediate EU scope.
Similarly, whilst DORA is aimed at financial institutions, its focus on operational resilience could influence organisations in other sectors, particularly those reliant on critical digital infrastructure or third-party service providers. Recent high-profile cyber attacks, such as the data breach at the Internet Archive and the polyfill.io supply chain attack, underscore the importance of implementing preventative measures and reacting efficiently to threats.