DORA and NIS2 – two legislative instruments of the EU
The European Union is continuously strengthening its regulation of digital resilience, in the financial sector and beyond – the DORA regulation and the NIS2 directive are part of this constantly developing regulatory framework. While NIS2 is a general directive that each EU member state must transpose into its own legislation, DORA is a regulation that applies directly and sets out uniform requirements for every financial entity in its scope. How do the two instruments differ and what do they mean for the entities concerned? What requirements must be met, and are you ready for them?
DORA
DORA is a regulation that creates a framework and sets out specific digital resilience requirements for regulated financial institutions and crypto-asset service providers (CASPs); in doing so it also incorporates the general requirements of NIS2. These requirements aim to help the entities concerned ensure that they are able to withstand, respond to and recover from all types of ICT-related disruptions and threats.
DORA entered into force on January 16, 2023 and applies from January 17, 2025, which gave entities 24 months to take the new rules into account and implement them in their processes. This is why it is necessary to start preparing early across all areas covered by DORA: the classification and reporting of ICT-related incidents, testing the resilience of ICT tools and systems, changes in ICT risk management and third-party (ICT provider) risk management, and the sharing of information on cyber threats.
NIS2
NIS2 follows on from the previous NIS directive. It establishes a framework for cooperation between EU member states, including the designation of national authorities for digital resilience and their involvement and communication with European institutions, and at the same time a general framework of requirements that companies and public authorities must meet to ensure digital resilience.
Unlike DORA, NIS2 is a directive, which means that it is up to national governments to establish the specific requirements for obliged entities, reflecting the directive; member states were required to transpose it by October 17, 2024. These requirements may therefore differ partially from state to state, within the limits defined by the directive. In the Czech Republic, the requirements have been reflected in the new Act on Cyber Security. This new legislation is expected to enter into force in the second half of 2024 and to provide a 12-month transition period for adaptation and compliance.
What requirements need to be met – NIS2 or DORA?
If your business falls under regulated financial services, or if it directly meets the definition of a CASP, it falls within the scope of the DORA regulation, and the regulation's requirements represent a lex specialis for you: where DORA applies, it takes precedence over NIS2. Because the two sets of requirements largely overlap, fulfilling DORA will in practice also cover the requirements of the NIS2 directive.
If your business does not fall under the above, it is necessary to determine whether NIS2 applies to you. The scope of NIS2 is defined on the basis of the sector and the size of the enterprise. In simple terms, the directive applies to medium-sized and larger enterprises (50 or more employees, or annual turnover / balance sheet total exceeding EUR 10 million) in various sectors – public administration, energy, healthcare, transport, manufacturing, the chemical and food industries, water and waste management, digital infrastructure and digital services, and more – with certain categories of entities in scope regardless of their size.
Both legislative instruments represent significant progress in cyber security, introducing the necessary requirements and standards to strengthen the digital resilience of financial organizations and ensure the security of critical services across various industries.
Organizations should act quickly to comply with these changing legal frameworks, as failure to comply can have serious consequences – from fines to suspension of business. Deloitte's team of compliance, cybersecurity, legal and other industry experts offers holistic services aimed at assessing your readiness, advising you and implementing the steps necessary to fulfill your obligations under both regulations.
Introducing any change to business practice usually means aligning processes and making changes to the organizational structure and the technology base. This is also why it is important to prepare a sound plan and, based on an in-depth analysis of the current situation, propose an implementation roadmap and the specific changes that will then need to be carried out.
See our DORA services page for more information on the Deloitte approach and the DORA Maturity Assessment Tool our specialists use for detailed analyses. More information regarding NIS2 and the Czech Act on Cyber Security can be found here.