NIS2 (Network and Information Security)
What is the principal objective? To elevate the level of digital security in France and beyond by enabling companies to better protect themselves against threats.
This overhauled NIS Directive builds on what NIS1 achieved and marks a substantial change at national and EU level. Faced with cybercriminals who are ever more successful and better equipped, and who compromise a growing number of organisations, the NIS2 Directive broadens the NIS objectives to demand stronger and more extensive security.
What does the NIS2 Directive actually consist of in detail?
This Directive is important from a strategic point of view for EU member states, as its implementation forces a large number of entities to better protect themselves. It will come into effect in the second half of 2024, allowing comprehensive mobilisation of the French economy and the public sector. Member state cooperation will also be strengthened in terms of cyber crisis management.
The NIS2 Directive now includes a proportionality mechanism that places entities into one of two categories depending on how critical they are—essential and important. This will be considered when defining appropriate and proportional requirements for both categories.
Another key element of the NIS2 that is different from the original directive is a stricter penalty system that applies to all concerned entities and will see fines imposed for infractions calculated as a percentage of the entities’ global annual revenue.
Who is the NIS2 Directive aimed at?
The Directive will apply to entities across more than 18 sectors on a national and international scale. Some 600 different types of entity will be affected, including all sizes of companies from SMEs and corporations to CAC40 corporate groups.
The supply chain, administrative offices, local and regional authorities, as well as digital stakeholders will also all be affected by the planned legislation. Increasingly targeted by cybercriminals, they will all need to boost their level of digital security.
To find out more about the NIS2 Directive, please read our guide on the subject.
CRA (Cyber Resilience Act)
In parallel to the NIS2 Directive, the President of the European Commission announced that new legislation on cyber resilience was being prepared—the Cyber Resilience Act (CRA).
Designed on the basis of the EU’s 2020 Cybersecurity Strategy, the CRA is set to introduce common cybersecurity rules for manufacturers and developers of products with digital components i.e. hardware and software. The objective is to protect consumers and companies from cybersecurity threats in their use of wired and networked equipment and software.
What are the new obligations?
The series of measures has two main objectives: to reinforce product cybersecurity and to boost the level of information available to consumers and companies.
The new measures will define:
- Rules to adhere to when bringing products subject to the regulation on cybersecurity to market;
- Manufacturer obligations spanning design through to product development and production;
- Essential requirements that apply to manufacturers throughout the entire product lifecycle;
- Information related to product security, technical support offered by the supplier, and installation of security updates, all of which will be required in all product documentation.
It should be highlighted that the legislator intends to monitor application of these new obligations. The plan is for member states to appoint market surveillance authorities responsible for ensuring the obligations of the CRA are upheld. These authorities’ power will be supported by the ability to impose fines equalling up to 2.5% of a company’s revenue or 15 million euros.
DORA (Digital Cyber Resilience Act)
What is DORA (Digital Cyber Resilience Act)?
This European regulation on operational digital resilience in the financial sector—DORA—is a law introduced by the European Commission to reinforce operational resilience in the EU’s financial sector.
DORA was created as a response to the growing digitalisation of the financial world and the need to manage the associated risks. It comprises five principal pillars: governance and risk management, which are crucial in an era where the financial sector has become a prime target for cybercriminals; incident reporting; resilience testing; management of third-party risk; and sharing of information.
Despite the urgency of the situation in terms of the threat, the European Commission has authorised a transition period of two years from 16 January 2023. Companies are therefore advised to start preparing to ensure compliance with the raft of measures which will come into force on 17 January 2025. Non-conformity could incur considerable financial sanctions.
Which entities will be affected?
DORA applies to virtually all financial entities in the European Union. This includes banks, of course, but also numerous other types of businesses (see Article 2).