In recent months, EU institutions have reached agreement on two significant pieces of legislation relating to operational resilience and cybersecurity, namely: (i) the Regulation on digital operational resilience for the financial services sector, referred to as the "Digital Operational Resilience Act" ("DORA"); and (ii) the Directive on measures for a high common level of cybersecurity across the Union ("NIS 2").
DORA is part of the European Commission's Digital Finance Strategy and is designed to uplift existing information communications technology ("ICT") risk management requirements for financial entities and to consolidate these requirements into a single legislative instrument. It will apply to a wide range of financial entities, including credit institutions, electronic money institutions, investment firms, insurance undertakings and re-insurance undertakings. Importantly, DORA will also result in certain major ICT service providers formally coming within scope of supervision by the European Supervisory Authorities [1] ("ESAs") for the first time. We previously discussed the main provisions and impact of DORA at the time it was first published here.
Key Takeaways from DORA
Many regulated firms will currently face regulatory requirements similar to some aspects of DORA but other aspects will represent a step-up in the obligations they must meet in respect of operational resilience and cybersecurity. Examples of these elevated requirements include:
- ICT Risk Management: regulated firms must maintain a comprehensive and well-documented ICT risk management framework which should include strategies, policies, protocols and tools to effectively protect IT networks, infrastructure and systems. State of the art ICT technology and processes must also be identified and deployed to minimise the risk of loss or corruption of data.
- ICT-Related Incidents: regulated firms must put in place early warning indicators to help detect ICT-related incidents and take appropriate steps to ensure that the root causes of such incidents are identified and eradicated so as to prevent recurrence. Regulated firms are also subject to heightened reporting requirements, such as reporting an actual or suspected major ICT-related incident to the relevant competent authority within tight prescribed timeframes.
- ICT Third Party Risk: regulated firms must ensure that their third party ICT service providers meet appropriately high information security standards and maintain a register including certain information relating to such providers, including whether each provider is undertaking a critical or important function. Regulated firms must also ensure that their contract with each third party ICT service provider includes certain prescribed contractual terms such as a requirement on the provider to assist the regulated firm with ICT-related incidents.
DORA will also see ICT service providers designated as "critical" to the proper operation of the financial sector in the EU becoming subject to supervision by the ESAs for the first time. The criteria for determining whether an ICT service provider is critical are outlined in DORA, and the list of those providers designated as critical will be made public and updated on a yearly basis. The ESAs will also assess whether critical ICT service providers have in place sufficient rules, procedures, mechanisms and arrangements to manage the ICT risks which they may pose to financial entities. In doing so, ESAs may request information and documents directly from such providers and impose significant fines for failures to comply with these requests. ESAs may also be able to impose requirements on critical ICT providers in relation to their contractual terms with financial entities and sub-contracting arrangements.
In response to criticism on the implementation of NIS 1 and the increased use of interconnected digital services together with a growth in the number and sophistication of cyber threats, the European Commission proposed NIS 2 to help enhance cybersecurity resilience in the EU.
Key Takeaways from NIS 2
- Increased scope: NIS 2 will result in a wider scope of application than NIS 1 by making new categories of entities subject to its cybersecurity rules. More specifically, NIS 2 moves away from the distinction between operators of essential services and digital service providers as appearing in NIS 1 and instead distinguishes between "essential" entities and "important" entities. "Essential" entities will include those in the following sectors: banking, energy, transport, health, cloud computing, domain name system services (as under the current NIS Directive) as well as data centre services, public administration and space. "Important" entities will include providers of digital services (including online marketplaces, search engines, and now social networking services) as well as entities in the food, medical devices, pharmaceuticals and motor vehicle sector.
- More stringent cybersecurity measures: Similarly to NIS 1, NIS 2 will require in-scope entities to implement technical and organisational measures to manage risk in respect of network and information systems, but notably, NIS 2 specifies in more detail the type of measures that in-scope entities must take. These measures cover (amongst other things) risk analysis; incident handling; business continuity; supply chain security; cybersecurity training; encryption; and penetration testing.
- Expansion of reporting requirements: in-scope entities will be required to provide competent authorities with an initial report on incidents having a significant impact on the provision of their services without undue delay and in any event within 24 hours. This contrasts with a reporting timeframe of up to 72 hours under NIS 1. In addition, NIS 2 introduces a new requirement which may result in in-scope entities having to inform recipients of their services of significant cyber threats and any measures that such recipients may be able to take in response to the threat.
- Interaction with sector-specific legislation: NIS 2 provides that where sector-specific EU legislation includes requirements on an in-scope entity to implement cybersecurity risk management measures or to notify incidents, and those requirements are at least equivalent to the relevant obligations appearing in NIS 2, the NIS 2 obligations shall not apply to such entity. This provides helpful clarification for many organisations. By way of example, it means that where an organisation is subject to very similar and equivalent obligations under NIS 2 and DORA, that organisation will be obliged to comply with its obligations under DORA only.
- Enforcement and supervision: NIS 2 draws a distinction between the approach towards regulating "essential" entities and the approach in respect of "important" entities. In relation to "essential" entities, NIS 2 provides for a fully-fledged supervisory regime involving both proactive and reactive regulation by competent authorities. In respect of "important" entities, NIS 2 provides for a reactive supervisory regime. In practice, this means that important entities should face a lower regulatory burden in terms of documenting their compliance with NIS 2 on an ongoing basis. NIS 2 will also result in a step-change in the level of fines that may be imposed on in-scope entities for non-compliance. For violations of certain NIS 2 requirements (e.g. risk management and reporting requirements), essential entities could face fines up to a maximum of 2% of global annual turnover or €10 million (whichever is higher). For "important" entities, fines can reach up to a maximum of 1.4% of global annual turnover or €7 million (whichever is higher).
Timelines and next steps
The next steps for each of DORA and NIS 2 are formal approval by the European Parliament and Council before proceeding with the formal adoption process which is expected to occur for both pieces of legislation in Q4 2022. DORA is then due to come into force 24 months after its publication in the EU Official Journal while NIS 2 will afford Member States 21 months to transpose it into national law. As such, it seems likely DORA and NIS 2 will both come into force in H2 2024.
There are, though, a number of steps that organisations should begin to address now so as to help ensure that they are well placed to comply with DORA and NIS 2 by the time they come into force. In particular, we recommend that organisations:
- Ensure they are clear on whether DORA and/or NIS 2 will apply to their business.
- Consider the existing regulatory regimes that apply to their organisation and consider whether it is possible to leverage policies, procedures and measures maintained in respect of those regimes to help compliance with DORA and/or NIS 2. For example, if your organisation is already subject to the CBI's guidance on operational resilience, it may be that your organisation can leverage some of the steps it is taking in response to this guidance to help compliance with DORA. For more information on the CBI's operational resilience guidance, see our previous briefing here.
- Consider whether your organisation already has in place any other information security policies, controls, measures or tools that might assist in compliance with DORA and/or NIS 2.
- Determine what new measures and steps will need to be taken by your organisation to comply with DORA and/or NIS 2 and seek early buy-in from management and key stakeholders.
- Consider the impact of DORA and NIS 2 (as applicable) on your current and future IT vendor contracts and take early action to uplift these contracts, as appropriate.
The authors would like to thank Fionn Henderson for his contribution to this briefing.
1. The European Supervisory Authorities are comprised of the European Banking Authority ("EBA"), the European Securities and Markets Authority ("ESMA") and the European Insurance and Occupational Pensions Authority ("EIOPA").
This article contains a general summary of developments and is not a complete or definitive statement of the law. Specific legal advice should be obtained where appropriate.