Cybercrime today is a well-organised, multi-billion-dollar business, and as digitalisation becomes ever more deeply woven into companies' operations, their exposure to cybercrime grows accordingly. The European Union, recognising the magnitude of these risks, has introduced several critical regulations aimed at bolstering cyber resilience and securing the economy. Among these are the Digital Operational Resilience Act (DORA), the NIS2 Directive, the Cyber Resilience Act (CRA), and the AI Act.
In this two-part series, we will take a closer look at each of these new legislations, summarising the necessary actions and emphasising the key points for each piece of new legislation.
Part One: Understanding DORA and NIS2
Welcome to Part One of our series on EU Cybersecurity Legislation in which we will focus on understanding DORA and NIS2, exploring their implications and the steps required to ensure compliance and cyber resilience. By understanding these regulations, organisations can better prepare to navigate the complex landscape of cybersecurity governance, ultimately safeguarding their operations and maintaining trust with their stakeholders.
DORA (Digital Operational Resilience Act)
The regulation entered into force on 16 January 2023 and has applied since 17 January 2025. As an EU regulation, it is directly enforceable in all EU member states without requiring national transposition. Its goal is to enhance the IT security of financial entities such as banks, insurance companies, and investment firms, and to ensure that Europe's financial sector remains resilient during severe operational disruptions. The digitalisation of the financial sector leaves entities prone to cyberattacks, which can disrupt services and impact other businesses.
DORA includes key cybersecurity requirements such as:
- ICT (information and communication technology) risk management and governance.
- Management liability, whereby senior management is responsible for managing ICT risks.
- Incident reporting: report major ICT incidents to authorities within 24 hours of awareness, provide an intermediate update within 72 hours, and submit the final report within one month.
- Digital operational resilience testing, which is mandatory and should be done by independent parties.
- Third-party risk management: providers should be chosen based on their security measures and adherence to industry standards.
- Information-sharing arrangements: DORA promotes the exchange of cyber threat information among companies to maintain transparency and enhance digital operational resilience.
Fines are applicable to those who don’t comply
Institutions not complying with the legislation can be fined up to two percent of their total annual turnover worldwide, or up to one percent of the company's average daily turnover worldwide. Furthermore, providers can be fined daily for up to six months until they comply with the regulation, and members of management can be held liable for gross negligence or wilful misconduct.
NIS2 (Network and Information Security)
NIS2 is a directive that helps protect critical infrastructure, essential services, and key sectors from cyber threats. As a directive, it requires each EU Member State to implement the measures needed to meet its objectives within national law and operational frameworks. The deadline for this transposition was 17 October 2024. So far, Belgium, Croatia, Greece, Hungary, Italy, Latvia, Lithuania, Romania, and Slovakia have enacted these laws.
Affected sectors and why you should seek legal guidance:
NIS2 divides affected organisations into two categories: essential entities and important entities.
Essential entities vary by sector, but generally have 250 or more employees, an annual turnover of 50 million EUR or a balance sheet of 43 million EUR. These entities include those in the energy, health, transport, finance, water supply, digital infrastructure, public administration, and space sectors.
Important entities also vary by sector, but generally have 50 or more employees, an annual turnover of 10 million EUR or a balance sheet of 10 million EUR. This category includes digital providers, postal services, waste management, food, manufacturing, chemicals, and research.
It is recommended to seek legal guidance on whether your company falls under NIS2, because an entity may still be considered essential or important even if it does not meet the size criteria, for example when it is the sole provider of a service that is critical for societal or economic activity in a Member State.
Critical NIS2 requirements:
NIS2 requirements encompass several critical aspects to ensure the security and integrity of essential and important entities. Organisations must minimise risks through measures such as incident management, stronger supply chain security, network security, access control, and encryption. In addition, corporate accountability mandates that management oversee, approve, and be trained on the entity's cybersecurity measures, with penalties imposed for breaches. As with DORA, reporting obligations require the prompt reporting of security incidents that significantly impact the entity's service provision or its recipients, with specific notification deadlines such as a 24-hour "early warning". And last but by no means least, a business continuity plan and crisis management procedures must be in place, including system recovery, emergency procedures, and the establishment of a crisis response team.
NIS2 sets out a baseline of security measures, which includes the following:
- Risk assessment and security policies
- Policies and procedures for the use of cryptography and, when relevant, encryption
- Security procedures for employees with access to sensitive or important data
- Multi-factor authentication (MFA)
- Cybersecurity training
- An incident response plan
- Supply chain security
Hefty fines for non-compliance
As with DORA, there are hefty fines for those who fail to meet the requirements. NIS2 requires Member States to fine essential entities at least €10 million or 2% of global revenue, and important entities at least €7 million or 1.4% of global revenue, whichever is higher. In both cases, senior management is personally liable for gross negligence in the event of a security incident.
It is important to note that neither DORA nor NIS2 replaces the GDPR, which remains the standard for the handling of personal data within EU member states.
Adopting an integrated compliance strategy for DORA and NIS2
In conclusion, compliance with both DORA and NIS2 is non-negotiable for organisations performing essential and important functions within the EU. By developing an integrated compliance strategy, businesses can effectively address the overlapping requirements of these regulations and mitigate the risk of severe penalties. It is crucial to recognise that while DORA and NIS2 focus on different aspects of cybersecurity, their combined impact on financial institutions and other critical infrastructure necessitates a comprehensive approach to security and regulatory adherence.
As we transition to the next part of our series, we will explore the Cyber Resilience Act and the Artificial Intelligence Act, which further shape the landscape of EU cybersecurity legislation.
