DORA and NIS2 have just been published in the EU’s Official Journal, and these two instruments, alongside the Cybersecurity Act (which is already law), are transformational.

DORA in particular will be a game changer for the financial services industry, as it will push licensed entities and their management, who retain ultimate responsibility, to understand fully how their ICT, operational resilience, cyber, and third-party risk management practices impact the resilience of their critical functions, and to develop operational resilience capabilities, which in certain cases would also include advanced scenario testing methods. The implementation period will begin 20 days after the Official Journal’s publication. Licensed entities will face a relatively tight 24-month implementation period in order to do this. DORA will also affect certain ICT third‑party service providers, who might likewise be regulated.

NIS2 replaces and repeals the NIS Directive (Directive 2016/1148/EC). Member states must incorporate the provisions of NIS2 into national law within 21 months of the entry into force of the directive. This will further strengthen EU‑wide cybersecurity with a high common level of cybersecurity across the Union, and further improve the resilience and incident response capacities of both the public and private sectors and of the EU as a whole.

NIS2 will set the baseline for cybersecurity risk management measures and reporting obligations across all sectors covered by the directive, such as energy, transport, health and digital infrastructure, and aims to remove divergences in cybersecurity requirements and in the implementation of cybersecurity measures in different member states. To achieve this, it sets out minimum rules for a regulatory framework and lays down mechanisms for effective cooperation among relevant authorities in each member state. It updates the list of sectors and activities subject to cybersecurity obligations and provides for remedies and sanctions to ensure enforcement.

For further information and assistance kindly contact Dr Ian Gauci.

Disclaimer: This article is not intended to impart legal advice and readers are asked to seek verification of statements made before acting on them.