Prepare for the future of cybersecurity regulation

Four key pieces of new legislation are introducing additional requirements for business:

• the Network and Information Security Directive Revision 2 (NIS2)
• the Digital Operational Resilience Act (DORA)
• the Digital Services Act (DSA)
• the Digital Markets Act (DMA)

What do these new regulations mean for your business, and what steps can you take now to get ready?

NIS2

NIS2 aims to supplement the existing NIS Directive (NIS1) by expanding its scope and requirements. NIS2 will introduce a standardised, high level of cybersecurity across all EU member states by:

• removing the distinction in NIS1 between ‘operators of essential services’ and ‘digital service providers’, defining and assessing security requirements for ‘essential entities’ (EEs) and ‘important entities’ (IEs)
• standardising third-party risk management and incident reporting obligations for EEs and IEs
• requiring member states to develop national cybersecurity strategies, introducing additional obligations for businesses to meet these strategic visions

While entities such as banks and providers of utilities and healthcare were in scope for NIS1, the definition of ‘essential’ services was set at the national level by member states. As a result, inconsistencies in the application of NIS1 requirements arose across the EU, leading to a fragmented implementation.

NIS2 both standardises and expands the sectors in scope of the regulation, with EU competent authorities proactively supervising EEs and IEs subject to reactive supervision.

DORA

Financial services organisations have become increasingly reliant on ICT to function. DORA aims to standardise how organisations address and report ICT risks, while ensuring that providers of critical services have appropriate resilience measures in place. It is expected that businesses in the financial sector will be required to be in full compliance with DORA in H2 2024.

The Act will harmonise the legal requirements for businesses to:

• manage and report ICT risk

• assess third-party ICT risks consistently and in detail

• regularly test the organisation’s resilience and business continuity controls

The primary focus of DORA is to establish the regulatory basis for businesses to verify the resilience of their operations. Effective ICT risk management will help organisations understand the most pertinent threats to their business. In addition, DORA will require the regular testing of cyber and ICT security controls to confirm that they are ready to operate if such risks are realised. The Act brings a step change in how businesses verify the resilience of their organisation at the enterprise level.

Many businesses will be within the scope of both NIS2 and DORA. DORA will apply to firms in the financial sector, some of which will be considered to be EEs under NIS2 and will be subject to enhanced scrutiny by competent authorities. Other organisations considered to be IEs will still need to comply with NIS2, although IEs will be subject to less stringent monitoring.

DSA and DMA

Coming fully into force in H1 2024, the DSA and DMA both provide regulatory frameworks for digital service providers. Digital platforms provide new ways to communicate, purchase goods and services, and access information online. The DSA and DMA seek to regulate this space to ensure that consumer rights are always protected.

Through the DSA and DMA, the EU aims to:

• create a safe digital environment, which respects the fundamental rights of all users

• establish equity in the European single market and globally to encourage competition among digital service providers

EU legislative bodies are more aware than ever of the need to develop regulations that keep pace with digital innovations and online practices. Enactment of the DSA and DMA signals the EU’s recognition of the power some online service providers hold over the choices of consumers.

An important point to note is that, while NIS2 and DORA will both apply explicitly to businesses in the financial sector, banks are growing increasingly akin to digital platforms themselves. While most banks are users of third-party platforms, the European Banking Federation foresees future situations where banks develop their own digital platforms, offering services supplied by third-parties to the bank’s customers. As such, businesses in the banking sector will need to monitor their digital presence and determine whether they will be required to comply with the DSA and DMA, both now and in the future.

The four key actions to take now

How can your business best prepare to comply with these legislative changes? By taking the following key actions, you can ensure that your organisation is ready ahead of time.

1. Assess the maturity of your organisation’s cybersecurity

Reviewing the security of your business’s systems and information is critical to prepare for the upcoming regulations. An assessment of your organisation’s cybersecurity and ICT risk management controls can provide executives with valuable information regarding the business’s cyber risk profile. By finding potential compliance gaps in their cybersecurity, firms can improve their posture before legislation comes into force, mitigating the risk of non-compliance and subsequent consequences, such as brand damage and financial penalties.

2. Test your business’s operational resilience at the enterprise level

As part of a cyber maturity assessment, an evaluation of the organisation’s resilience to disruptive events will be key in preparing for upcoming regulations. While executives may believe that their business is robust and can continue to operate in adverse circumstances, the testing of business continuity and disaster recovery plans allows businesses to measure their resilience and continuously enhance their cybersecurity posture.

The first step is to ensure that the organisation has contingency plans for different scenarios. These scenarios should be exercised and iteratively improved to ensure that they are fit-for-purpose. Examples include switching failing systems to backups or simulating a response to a malware attack on your network. All relevant stakeholders, including third parties, should participate in the testing of contingency plans because in today’s world of sophisticated threat actors, executives must ensure that their entire business is ready to respond.

3. Enhance your incident reporting processes

A cornerstone of NIS2 and DORA is the reporting of ICT and cyber incidents. Businesses need to review their existing reporting channels and procedures, implementing processes to monitor, log, classify and report on incidents consistently.

An effective way to ensure that reporting is standardised and complies with regulatory requirements is to centralise incident reporting across the organisation. Establishing formalised processes for managing reported incidents can support businesses in fulfilling their regulatory obligations.

Furthermore, the DSA and DMA will require organisations to regularly report to authorities. National Digital Service Coordinators will be established, and they will be responsible for compliance monitoring. Reporting to new supervisory bodies will be a feature of these upcoming legislative changes—a trend that is likely to be seen in future regulations also.

4. Analyse and understand your ICT and cyber third-party risk

Today’s business world is deeply interconnected, with organisations often relying on a wide network of suppliers to conduct business. Reliance on third parties can increase the organisation’s susceptibility to cyber attack, increasing both the attack surface available to threat actors and the potential for attacks to significantly affect operations.

Regulators have grown concerned in recent years about gaps in organisations’ third-party risk management processes as businesses become increasingly reliant on third parties. NIS2 and DORA build on existing guidance and legislation, such as NIS1 at the EU level and the Central Bank of Ireland’s Operational Resilience Guidelines and Guidance on Outsourcing at the national level. In particular, DORA will set out many provisions for businesses to report on the ICT risks stemming from their dependency on third parties, requiring them to describe this reliance in detail. Analysing your business’s exposure to cyber risk through the lens of third parties is a key means of securing your customers’ data, as well as satisfying regulators.

We are here to help you

We understand that the regulatory landscape and its ever-changing nature can be daunting for businesses of all kinds. With a team of over 40 experts in cybersecurity regulation, we help organisations navigate their complex regulatory requirements—and we’re ready to help you too. Contact us today.