EXPERT SPEAK
HOW NIS2, DORA WILL MAKE RISK AND GOVERNANCE A TEAM EFFORT
While eyes may roll at the introduction of new pieces of legislation, they are the most important legislative updates in history, not necessarily for their depth or breadth, but for the new security standards they aim to establish. Steve Purser and Nadine Hoogerwerf take a deep dive into the strategic benefits of this legislation.
From GDPR to CRA, NIS2 to DORA, the number of acronyms connected to data compliance and regulation is becoming quite overwhelming for businesses. These legislative instruments are not designed to make life difficult for organisations, but to standardise cybersecurity and risk management and so create a more secure landscape for all.
While some eyes may roll at the introduction of two new pieces of legislation, they are the most important legislative updates in history, not necessarily for their depth or breadth, but for the new security standards they aim to establish and preserve across the entire digital landscape.
The Network and Information Security Directive, NIS, is a cross-sector directive that sets a common set of goals which in-scope organisations across the EU must achieve. Those goals include proactive risk management frameworks, incident reporting protocols and, new in NIS2, supply chain security measures.
NIS2 brings stronger enforcement and greater penalties for non-compliance, and shifts responsibility and accountability to those at the top of the organisation. As a directive, it is down to individual EU Member States to translate NIS2 into national law (the transposition deadline was 17 October 2024), but it is fast becoming a common EU standard.
Nadine Hoogerwerf, Chief Information Security Officer, Zivver
The Digital Operational Resilience Act, DORA, on the other hand, specifically targets the finance sector, requiring financial entities to establish comprehensive frameworks to manage ICT risks, including risk identification, anomaly detection, response and recovery procedures, and continuous testing.
Like NIS2, DORA also brings a renewed focus on third parties, requiring organisations to conduct thorough assessments before they enter new ICT partnerships. Because it is a regulation rather than a directive, DORA applies to every organisation in scope at the same time, regardless of which EU country they operate in, with no national transposition step. It applies from January 17, 2025.
Culture of compliance
The ideas behind NIS2 and DORA are not revolutionary; both focus on well-established cybersecurity practices such as detecting
Steve Purser is Former Head of Core Operations, EU Agency for Cybersecurity
www.intelligenttechchannels.com