
DORA & NIS2 – two legislative instruments of the EU

The European Union is continuously strengthening its rules on digital resilience, and the DORA regulation and the NIS2 directive are the latest additions to this developing regulatory framework. NIS2 is a general directive that each EU member state must transpose into its national legislation, whereas DORA is a regulation that is directly applicable in every member state and sets out specific requirements for the financial sector. How do the two instruments differ and what do they mean for the entities concerned? Which requirements must be met, and are you ready for them?

DORA

DORA is a regulation that creates a framework and sets out specific digital resilience requirements for regulated financial institutions and crypto-asset service providers (CASPs); it also incorporates the general requirements of NIS2. These requirements are meant to help the entities in scope withstand, respond to and recover from all types of ICT-related disruptions and threats.

DORA entered into force on 16 January 2023. From that date, the entities concerned have 24 months to take the new rules into account and implement them in their processes, i.e. the regulation applies from 17 January 2025. This is why it is necessary to start preparing early across all areas covered by DORA: the classification and reporting of ICT-related incidents, testing the resilience of ICT tools and systems, changes to ICT risk management and third-party (ICT provider) risk management, and the sharing of threat information.

NIS2

NIS2 follows on from the previous NIS directive. It establishes a framework for cooperation between EU member states, including the designation of national authorities responsible for cyber security and their involvement in and communication with European institutions, and at the same time a general framework of requirements that companies and public authorities must meet to ensure their cyber resilience.

Unlike DORA, NIS2 is a directive, which means that it is up to national governments to set the specific requirements for obliged entities in line with the directive. These requirements may therefore differ somewhat from state to state, within the limits the directive defines. In the Czech Republic, the requirements are reflected in the new Act on Cyber Security. This new legislation is expected to enter into force in the second half of 2024 and to provide a 12-month transition period for adaptation and compliance.

What requirements need to be met – NIS2 or DORA?

If your business falls under regulated financial services, or if it directly meets the definition of a CASP, it is within the scope of the DORA regulation, and the implementation of the regulation's requirements will therefore represent a lex specialis for you. Fulfilling DORA will, however, also de facto fulfil the requirements of the NIS2 directive, as the two overlap.

If your business does not fall under the above, you need to determine whether NIS2 applies to you. The scope of NIS2 is defined on the basis of the sector and the size of the enterprise. In simple terms, the directive applies to medium-sized and larger enterprises (50 or more employees, or annual turnover or balance sheet total exceeding EUR 10 million) in a range of sectors: public administration, energy, healthcare, transport, manufacturing, the chemical and food industries, water and waste management, digital infrastructure and digital services, and others.

Both legislative instruments represent significant progress in cyber security, introducing the requirements and standards needed to strengthen the digital resilience of financial organisations and to secure critical services across a range of sectors.

Organisations should act quickly to comply with these changing legal frameworks, as failure to comply can have serious consequences, from fines to suspension of business. Deloitte's team of compliance, cyber security, legal and other industry experts offers holistic services aimed at assessing your readiness, advising you and implementing the steps necessary to fulfil your obligations under both instruments.

Introducing changes to business practice usually means aligning processes and making changes to the organisational structure and the technology base. This is why it is important to prepare a good plan: carry out an in-depth analysis of the current state, and from it propose an implementation roadmap and the specific changes that will then need to be made.

See our DORA services page for more information on the Deloitte approach and the DORA Maturity Assessment Tool our specialists use for detailed analyses. More information regarding NIS2 and the Czech Act on Cyber Security can be found here.
