CYBERSECURITY

NETWORK AND INFORMATION SECURITY 2 DIRECTIVE (NIS2) / DIGITAL OPERATIONAL RESILIENCE ACT (DORA) / DRAFT CYBER RESILIENCE ACT (CRA)*

WHO WILL BE IN SCOPE?

NIS2: Operators of essential and important services across various sectors including energy, transport, banking, health, medical devices, chemicals and digital. In-scope entities in the digital sector include infrastructure providers (including cloud computing) as well as other digital providers such as online marketplaces, search engines and social networks.
Extraterritorial Application: NIS2 applies to in-scope operators if they offer 'Essential' or 'Important' goods and services to the EU, irrespective of their place of establishment.

DORA: Financial entities and FinTechs, including credit and payment institutions, e-money institutions, cryptoasset service providers, alternative investment fund managers and insurance undertakings.
Third-party providers of critical internet and communication technology (ICT) services to in-scope financial entities.
Extraterritorial Application: DORA applies to financial entities that provide services in the EU, irrespective of their place of establishment.

CRA: Manufacturers of products with digital elements, including software, IoT and hardware devices and their remote data processing solutions. Certain products that are already subject to cybersecurity requirements in sectoral legislation are outside the scope of the CRA, such as medical devices, aviation or certain connected vehicles.
Extraterritorial Application: The CRA will apply to products with digital elements sold in the EU, irrespective of where the manufacturers are established or where the products are manufactured.

WHAT ARE THE KEY OBLIGATIONS?

NIS2: NIS2 outlines cybersecurity risk management obligations, including supply chain due diligence and amended incident notification obligations.
Board Responsibilities: Senior management will be responsible for approving and overseeing the cybersecurity framework, and can be held liable for non-compliance.

DORA: Obligations include requirements for operational resilience, third-party risk management (including IT outsourcing), testing of ICT tools (including threat-led penetration testing), and incident notification obligations.
Board Responsibilities: Senior management will be responsible for approving and overseeing the cybersecurity framework, and can be held liable for non-compliance.

CRA: New cybersecurity requirements, including cybersecurity risk assessments, supply chain due diligence, security and functionality updates and vulnerability management processes.

TIMELINE

NIS2: EU Member States are required to implement NIS2 by October 18, 2024, with significant penalties for non-compliance. National implementing legislation will likely start applying on or around that date.

DORA: DORA will generally start applying by January 17, 2025, with significant penalties for non-compliance.

CRA: Formal adoption pending; obligations would likely apply by 2025-2026 at the earliest, with significant penalties for non-compliance.
Originally Published 13 March 2024
