NIS 2 – Transposing legislation
DATE OF UPDATE: 30 AUGUST 2024
APPLICABLE DATES:
Member States are required to transpose NIS 2 by 17 October 2024, with measures to apply from 18 October 2024.
LINKS
gov.ie - General Scheme of the National Cyber Security Bill 2024 (www.gov.ie)
Are you Cyber Ready? Key Points of the NIS2 Directive
Network and Information Security Directive (NIS2) - Arthur Cox LLP
CURRENT STATUS
The Department of the Environment, Climate and Communications published the General Scheme of the National Cyber Security Bill 2024, which will transpose Directive (EU) 2022/2555 ("NIS 2") into Irish law. It will incorporate relevant provisions to establish the National Cyber Security Centre ("NCSC") on a statutory basis and provide for related matters including clarity around its mandate and role in general and in relation to other actors in the cyber area. Heads of Bill were approved in July 2024.
WHY IS THIS APPLICABLE TO CLIENTS?
NIS 2 imposes obligations on entities across a range of sectors, whether public or private. It defines two categories of entities: "Essential Entities" in critical sectors like energy and transport, and "Important Entities" in sectors with a high cyber risk profile (such as waste management and postal services).
NEXT STEPS
Review the General Scheme to assess its applicability and, if applicable, the necessary compliance measures.
DORA - Dry Run FAQ
DATE OF UPDATE: 29 JULY 2024
LINKS
DORA Dry Run FAQ (Updated).pdf (europa.eu)
Digital Operational Resilience Act (DORA) - Arthur Cox LLP
CURRENT STATUS
The European Banking Authority ("EBA") published an updated version of the DORA Dry Run FAQ. The Digital Operational Resilience Act (Regulation (EU) 2022/2554 on digital operational resilience for the financial sector) ("DORA") will apply from 17 January 2025.
WHY IS THIS APPLICABLE TO CLIENTS?
DORA applies to a wide range of financial entities, including credit institutions, electronic money institutions, investment firms, insurance undertakings and re-insurance undertakings. Importantly, DORA will also result in certain major ICT service providers formally coming within scope of supervision by the European Supervisory Authorities for the first time.
DORA - Regulatory Technical Standards on subcontracting
DATE OF UPDATE: 26 JULY 2024
LINKS
JC 2024 53 Final Report on draft RTS on subcontracting DORA (europa.eu)
CURRENT STATUS
The three European Supervisory Authorities (European Banking Authority, EIOPA and ESMA) ("ESAs") published their Final Report on the Draft Regulatory Technical Standards ("RTS") on subcontracting under DORA.
WHY IS THIS APPLICABLE TO CLIENTS?
DORA will be supported by technical standards that provide regulatory guidance in respect of certain key areas under the Act and will be helpful for many organisations as they continue to ramp up their DORA compliance projects.
NEXT STEPS
Review the RTS where appropriate to the organisation.
DORA - Second batch of policy products
DATE OF UPDATE: 17 JULY 2024
LINKS
Delivery of First batch of policy products
ESAs published second batch of policy products under DORA (europa.eu)
DORA Spotlight: Practical insights on the second batch of draft technical standards - Arthur Cox LLP
Commission Letter signed 23/07/2024
CURRENT STATUS
The ESAs published the second batch of policy products under DORA. This batch consists of four final draft regulatory technical standards, one set of Implementing Technical Standards and two guidelines, all of which aim at enhancing the digital operational resilience of the EU's financial sector.
Later in July, the European Commission rejected the draft Implementing Regulation with regard to implementing technical standards on standard templates for the register of information ("ITS"). The ESAs sent the ITS to the Commission on 17 January 2024 with the first batch of policy products under DORA. It specifies the standard templates for the purposes of the register of information in relation to contractual arrangements on the use of ICT services provided by ICT third-party service providers.
The implementing and delegated acts currently published in the Official Journal are set out below:
- Regulatory Technical Standards on ICT risk management framework
- Regulatory Technical Standards on ICT incidents classification
- Regulatory Technical Standards on ICT third-party policy
- Delegated Regulation on CTPPs designation criteria
- Delegated Regulation on DORA oversight fees
WHY IS THIS APPLICABLE TO CLIENTS?
As part of DORA compliance efforts, financial entities will need to pay particular attention to the technical standards that will sit alongside DORA.
DORA - EU-SCICF
DATE OF UPDATE: 17 JULY 2024
LINKS
CURRENT STATUS
The ESAs announced that they will establish the EU systemic cyber incident coordination framework ("EU-SCICF"), in the context of DORA.
WHY IS THIS APPLICABLE TO CLIENTS?
The EU-SCICF will facilitate an effective financial sector response to a cyber incident that poses a risk to financial stability, by strengthening the coordination among financial authorities and other relevant bodies in the European Union, as well as with key actors at international level.
DORA - CASPs
DATE OF UPDATE: 3 JULY 2024
LINKS
ESMA75-453128700-1229_Final_Report_MiCA_CP2.pdf (europa.eu)
CURRENT STATUS
ESMA published its Final Report on Draft Technical Standards specifying certain requirements of the Markets in Crypto Assets Regulation (MiCA). The report notes that Crypto-asset service providers ("CASPs") are subject to DORA.
WHY IS THIS APPLICABLE TO CLIENTS?
The Report demonstrates a robust regulatory framework for crypto assets, ensuring better operational resilience and security in the digital financial sector.