31.01.2024

How does the implementation of European NIS2 and DORA legislation affect business operations

Recognizing the challenges faced by European businesses, the European Union issued the DORA (Digital Operational Resilience Act) regulation and the NIS2 (Network and Information Security 2) directive, with the aim of shielding the operation of financial entities and of companies that offer critical-infrastructure-related services, respectively.

By developing and implementing these regulations, the European Union aims to:

  • determine the minimum requirements that the obliged companies should implement in the field of Information Security,
  • institute the framework through which it will ensure their implementation and
  • develop the organizational mechanism required to share information related to Information Security incidents and threats.

It is therefore imperative for businesses to take measures and adopt operating frameworks, both for reasons of substance (protection from cyber threats) and for legislative ones (DORA and NIS2).

The DORA regulation comes into effect in January 2025 and aims to ensure the smooth operation of companies that offer financial services, by addressing cyber threats that may affect critical business processes.

At the same time, the NIS2 directive (coming into force in October 2024) replaces the NIS1 directive, aiming to improve the framework that the member states of the European Union established on the basis of NIS1. Its scope is considerably wider than that of its predecessor (it covers many more companies), and it prescribes additional actions and measures for the directive's supervision regime.

The following main pillars can be distinguished in the structure of both regulatory texts:

  • Information Security Requirements,
  • Information sharing framework,
  • Supervision framework.

DORA and NIS2 require the implementation of integrated management systems through which it is possible to identify and effectively deal with Information Security risks.

A characteristic of the DORA regulation is that it specifies the measures that the obliged companies must implement. These include technical measures, such as the design of network infrastructures, the carrying out of specialized technical controls, the ability of the infrastructures to operate under load conditions and the monitoring of their operation, as well as organizational measures, such as determining the dependence of critical functions on information and communication technology and on service providers in that field.

Under NIS2, additional requirements or clarifications on application may arise through the implementing laws that will be passed by the member states, as was done in Greece in the case of NIS1 with Law 4577/2018 and Decision 1027/2019.

Obliged companies, regardless of the maturity of the Information Security frameworks they apply, should carry out studies through which they identify possible deviations from the new regulatory requirements and take the necessary corrective actions. Information Security requires continuous self-evaluation and improvement, and new regulations should be regarded as tools that contribute to this.

Adapting to the new regulatory framework is a difficult challenge that businesses must meet, either on their own or with the help of specialized consultants.