In December 2022, the European Union published two important pieces of legislation to strengthen cybersecurity: NIS-2 and DORA. Both are intended to make companies in the financial sector, and other businesses that are critical to the economy and society, more resilient against cyberattacks.
Although the background for the publication of NIS-2 and DORA may seem similar at first glance, the two pieces of EU legislation have different objectives and differ in other crucial aspects as well. Where exactly are these differences and which of the two pieces of legislation applies to your company? Our experts have summarized the most important information on DORA and NIS-2 for you in this article.
A refresher: What are DORA and NIS-2?
The NIS-2 Directive (Directive (EU) 2022/2555, Network and Information Security Directive 2) is the directive on measures for a high common level of cybersecurity across the Union. Growing threats in recent years have highlighted how important it is to raise the overall level of cybersecurity in the EU and, in particular, to make critical sectors secure and resilient, so the existing rules had to be revised. In late 2020, the EU Commission therefore proposed a revision of the original NIS Directive (Directive (EU) 2016/1148). NIS-2 was published in December 2022 and replaces the NIS Directive as the applicable framework for the security of network and information systems in the EU member states.
The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) is a regulation adopted by the European Parliament and the Council to close existing regulatory gaps for the entire European financial sector. DORA adds rules for managing ICT risk and handling ICT-related incidents and thus improves the operational resilience of digital systems in the financial sector. Before DORA, parts of operational resilience were already addressed by the EBA Guidelines on ICT and security risk management, but a comprehensive framework covering all components of operational resilience was missing. DORA therefore goes deeper into the existing aspects of operational resilience: it expands the requirements on business continuity management (BCM), threat-led penetration testing (TLPT) and third-party risk management (TPRM), and it looks at operational resilience not only from the perspective of the individual financial institution, but also systemically from the perspective of the European financial system as a whole.
Despite this similar background, the two pieces of legislation pursue different objectives, and those objectives shape how their requirements are formulated.
NIS-2 was adopted to harmonize the overall level of cybersecurity across the EU. The goal of the directive is to ensure that organizations vital to the proper functioning of our society achieve a high common level of digital security.
DORA, in turn, aims to strengthen the digital operational resilience of the financial sector. Implementing its requirements is meant to ensure that financial entities can withstand, respond to and recover from ICT-related disruptions and threats, including cyberattacks, and keep operating. The regulation therefore puts a focus on the availability and integrity of financial services.
The different objectives are reflected in different manifestations of similar requirements. Here are some examples to illustrate:
- NIS-2 addresses supply chain security as one of the cybersecurity risk-management measures every entity must take (Article 21). DORA devotes an entire chapter (Chapter V) to ICT third-party risk, including mandatory contractual provisions and a register of information on all contractual arrangements with ICT third-party service providers.
- NIS-2 already sets high maximum fines (Article 34): at least EUR 10 million or 2 % of worldwide annual turnover for essential entities, and at least EUR 7 million or 1.4 % for important entities. DORA leaves the definition of sanctions to the member states and their competent authorities (in Germany, the Federal Financial Supervisory Authority, BaFin).
- Organizations regulated by NIS-2 in Germany must, as under the existing KRITIS rules, demonstrate compliance every two years through a security audit. DORA goes further and demands testing rather than audits alone: financial entities must maintain a digital operational resilience testing programme with tests of all ICT systems and applications supporting critical or important functions at least once a year (Article 24), and financial entities identified by their competent authority must undergo threat-led penetration testing (TLPT) at least every three years (Article 26).
Another clear difference between the two pieces of EU legislation is their legal form: NIS-2 is a directive, DORA is a regulation.
An EU directive sets targets that must be achieved, but it is not directly applicable: each member state decides for itself how it transposes the content of the directive into national law, within the deadline the directive sets. For NIS-2, that deadline is October 17, 2024. In Germany, the provisions of NIS-2 will probably be implemented through the NIS-2-Umsetzungs- und Cybersicherheitsstärkungsgesetz (NIS2UmsuCG), the NIS-2 Implementation Act.
A regulation such as DORA, by contrast, is directly applicable in all member states from the same date, without national transposition. It is binding in its entirety and applies as written; only the points it expressly leaves to the member states, such as the penalty regime, are filled in nationally.
The scope of NIS-2 covers 18 sectors that are of critical importance to the economy and society: Annex I of the directive lists eleven sectors of high criticality, Annex II seven other critical sectors. In Germany, some of these sectors are already regulated by existing legislation, either partially (+) or in full (*):
- Energy *
- Transport *
- Banking *
- Financial market infrastructures *
- Health *
- Drinking water *
- Waste water *
- Digital infrastructure *
- ICT service management (business-to-business)
- Public administration
- Space +
- Postal and courier services +
- Waste management *
- Chemicals +
- Food *
- Industry (manufacturing) +
- Digital providers (online marketplaces, online search engines, social networking platforms) +
- Research
In addition, NIS-2 generally applies only to medium-sized and large entities in these sectors. Member states may, however, bring smaller entities into scope where, for example, they are the sole provider of a service essential to society or a disruption of their service could have a significant impact, that is, where the entity has a particularly high risk profile.
The scope of DORA is precisely defined in Article 2 of the regulation:
- Credit institutions
- Payment institutions, including payment institutions exempted pursuant to Directive (EU) 2015/2366
- Account information service providers
- Electronic money institutions, including electronic money institutions exempted pursuant to Directive 2009/110/EC
- Investment firms
- Crypto-asset service providers and issuers of asset-referenced tokens
- Central securities depositories
- Central counterparties
- Trading venues
- Trade repositories
- Managers of alternative investment funds
- Management companies
- Data reporting service providers
- Insurance and reinsurance undertakings
- Insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries
- Institutions for occupational retirement provision
- Credit rating agencies
- Administrators of critical benchmarks
- Crowdfunding service providers
- Securitization repositories
- ICT third-party service providers
This raises the interesting question: if your company is part of the financial sector and therefore falls under both scopes, which of the two EU laws takes precedence, DORA or NIS-2?
The answer is clear: DORA. This is because DORA is a "lex specialis" for the financial sector and thus, as a specific law, takes precedence over NIS-2 as a general law. Within DORA, this precedence is noted as follows:
"This Regulation constitutes lex specialis to Directive (EU) 2022/2555*. At the same time, it is crucial to maintain a strong relationship between the financial sector and the Union horizontal cybersecurity framework as currently laid out in Directive (EU) 2022/2555."
*Directive (EU) 2022/2555 is the official designation of NIS-2. DORA Article 1(2) makes the same point operationally: for financial entities, DORA is a sector-specific Union legal act within the meaning of Article 4 of NIS-2, so the NIS-2 provisions on risk-management measures, incident notification, supervision and enforcement do not apply to them where DORA's requirements are at least equivalent in effect. Financial entities therefore do not drop out of NIS-2's sector list (banking, financial market infrastructures); rather, the DORA rules apply in place of the corresponding NIS-2 obligations.
Verifying authorities and validation
Since NIS-2 is an EU directive that must be transposed into national law, the member states are responsible both for the concrete formulation of the legal requirements and for supervising compliance with them. In Germany, the Federal Office for Information Security (BSI) will presumably be responsible for supervising the majority of the sectors regulated by NIS-2. The Federal Network Agency (BNetzA) designs and audits the requirements for the energy sector, and the Federal Financial Supervisory Authority (BaFin) is responsible for credit institutions.
Article 46 of DORA lists the competent authorities responsible for ensuring compliance by the various institutions and companies affected by the regulation. For credit institutions classified as "significant" under the Single Supervisory Mechanism, this is generally the ECB; for other credit institutions in Germany, for example, it is BaFin.
Entry into force
The NIS-2 Directive was published in the Official Journal of the European Union on December 27, 2022, and entered into force on January 16, 2023. Since then, the member states have been working on transposing its requirements into national law, which must be completed by October 17, 2024. This deadline, however, only concerns the transposition into national law; it does not mark the point in time from which the requirements become binding for affected companies. Our experts expect the national implementation act to grant affected companies a reasonable implementation period.
As described above, DORA applies as an EU regulation from a fixed date in all member states: January 17, 2025, two years after it entered into force on January 16, 2023. This date is fixed in Article 64 of DORA. Financial institutions thus have a preparatory period of two years to align their governance and practices with the regulation's resilience pillars and to develop an implementation roadmap. DORA also tasks the European Supervisory Authorities (ESAs: EBA, EIOPA and ESMA), in consultation with the European Union Agency for Cybersecurity (ENISA), the European Central Bank (ECB) and other bodies, with developing draft regulatory and implementing technical standards that concretize its requirements. The ESAs published the first batch of draft technical standards for consultation in June 2023.
We will monitor the implementation in the NIS2UmsuCG, as well as updates from the ESAs and ENISA, and keep you informed of relevant news.
In the meantime, do you have questions or need assistance? Contact us, our experts are happy to assist you.