CYBER LAW
0

Tick, Tock: Countdown Begins To EU Cyber Laws – Security

Table of Contents


To print this article, all you need is to be registered or login on Mondaq.com.

Two years can feel like a long time, but it’s really
not.  The Beatles
released Help!Rubber
Soul
Revolver and Sgt.
Pepper’s Lonely Hearts Club Band
 in 21
months.  Shackleton spent about the same amount of time
floating around in the Weddell Sea.

Businesses in the European Union now face their own two-year
voyages, thanks to the entry into force of two cybersecurity laws
that will apply to a wider range of industries than ever before and
significantly increase their security and incident reporting
obligations.

The laws entered into force on Monday: one, a regulation —
the Digital Operational Resilience Act, or “DORA”
— that will be directly effective across member states from
17 January 2025; and the other, a directive — the NIS2
Directive, or “NIS2” — that gives member states
more wiggle room as to how the law should be set out in their
country by 18 October 2024.  This article only considers the
EU position, but the UK plans to introduce similar legislation to
DORA and NIS2 and so organisations will have to comply with dual
regimes that are likely to be broadly similar albeit with some key
points of difference.

DORA

DORA is designed to strengthen the financial sector’s
resilience to IT-related incidents and introduces prescriptive
requirements that are intended to be homogenous across the EU.
 A wide range of entities are in scope, including banks,
credit and investment firms, trading venues and repositories, and
credit ratings agencies and electronic money
institutions. 

The law is based on five pillars: (1) setting up and maintaining
resilience of systems and tools that minimise IT risk; (2)
identifying sources of IT risk, on an ongoing basis, in order to
implement risk prevention measures; (3) promptly detecting
anomalous activities; (4) having in place dedicated and
comprehensive business continuity policies and disaster recovery
plans; and (5) establishing mechanisms to learn and evolve from
external and internal events within the institution.  In
practice, this will mean complying with the following
obligations:

  • Internal governance and control frameworks.
     Management must define, approve and oversee the
    implementation of all measures relating to IT risk management.
     They will determine the entity’s tolerance for IT risk
    and agree its policy on arrangements relating to the use of
    third-party service providers.  Notably, management must
    undertake regular training to keep their knowledge and skills up to
    date in order to understand and assess IT risks.  In a
    fast-moving area, this will not be straightforward. 

  • Risk management.  Entities must have an
    appropriate and well-documented IT risk management framework in
    place that enables them to address risks quickly and
    comprehensively.  This should include the procedures,
    protocols and tools necessary to protect all physical components,
    which should be reviewed at least annually.

  • Incident management.  Entities must
    implement processes to detect, manage and notify IT-related
    incidents (including to competent authorities and affected clients)
    and put in place systems to generate early warning indicators.
     The Joint Committee of the European Supervisory Authorities
    is mandated to develop common regulatory technical standards to
    establish the content of reporting for major IT-related incidents,
    and may also draft implementing technical standards to establish
    standard forms for reporting these incidents.

  • Operational resilience testing.  Entities
    must establish and maintain a comprehensive digital operational
    resilience testing programme.  Although a risk-based approach
    is permitted, testing must be undertaken by independent parties,
    whether internal or external.  Entities that are classified as
    “significant” are required to carry out threat-led
    penetration testing at least once every three years.  Once the
    testing is carried out, all reports and remediation plans must be
    submitted to the competent authority.

  • Managing third-party risk.  Entities must
    manage third-party risk in a proportionate way that takes into
    account the scale, complexity and importance of IT-related
    dependencies.  In practice, this will require maintaining a
    register of information relating to all contractual arrangements on
    the use of IT services provided by third parties, conducting
    diligence on prospective vendors before engaging their services,
    and including the contractual terms prescribed by DORA.

NIS2

NIS2 repeals and replaces the previous iteration of the Network
and Information Systems Directive, which readers may recall took
effect in May 2018 but has largely been overshadowed by the GDPR in
the minds of businesses, individuals and regulators.  NIS2
broadens scope of the previous Directive, including by applying to
a wider range of organisations, tightening incident reporting
obligations, and requiring in-scope entities to flow down security
obligations to their supply chains.

The previous Directive applied to operators of essential
services and digital service providers.  NIS2 takes a
different tack and will apply to (1) entities in
“essential” and “important” sectors, in
certain cases regardless of the organisation’s size, and (2)
medium and large entities (i.e., those with less than 250 employees
and an annual turnover below €50 million) in those sectors.
 Small entities — being those with less than 50
employees and annual turnover below €10 million — are
largely exempt, unless the entity is important to the functioning
of the member state.

The following sectors are considered “essential”:
energy; transport; banking; financial market infrastructures;
health; drinking water; digital infrastructure (i.e., software and
hardware companies); ICT service management; public administration
entities (but excluding the judiciary, parliaments and central
banks); and space.  Organisations in the following sectors are
considered “important”: postal and courier services;
waste management; manufacturing, production and distribution of
chemicals; food production, processing and distribution;
manufacturing of medical devices, electronic products and
transport; digital providers (including social media platforms);
and research.

As mentioned above, NIS2 introduces a range of new and enhanced
obligations, including:

  • Cybersecurity obligations.  Organisations
    must take appropriate technical, organisational and operational
    measures to manage cybersecurity risks faced by their network
    systems.  These measures can include: risk analysis and
    information system security policies; incident handling procedures;
    business continuity planning, such as backup management, disaster
    recovery and crisis management; supply chain security; and the use
    of encryption, multi-factor authentication and cryptography, where
    appropriate.

  • Governance obligations.  Managers of
    essential and important entities (i.e., board of directors and
    other senior officers) must approve the cybersecurity risk
    management measures taken by their organisations and oversee the
    implementation of the cybersecurity risk management measures.
     Importantly, an organisation’s management can be liable
    for non-compliance with these governance requirements.

  • Incident management obligations.  NIS2
    streamlines incident reporting obligations by differentiating
    between “incidents” (an event compromising the
    availability, authenticity, integrity or confidentiality of stored,
    transmitted or processed data or of the services offered by, or
    accessible via, network and information systems) and “cyber
    threats” (any potential circumstance, event or action that
    could damage, disrupt or otherwise adversely impact network and
    information systems, the users of such systems and other persons).
    Entities are required to make an initial report of significant
    incidents to the relevant Computer Security Incident Response Team
    or other competent authority within 24 hours — a shorter
    timeframe than under the previous Directive — and submit a
    final report to the CSIRT within one month of the incident.

  • Sanctions and enforcement.  The
    supervisory remit of competent authorities depends on whether the
    organisation is an essential or an important entity.  For
    essential  entities, authorities are empowered to
    carry out random inspections at the entities’ sites, carry
    out regular audits of their compliance programme and issue fines of
    up to the greater of €10 million or 2% of annual worldwide
    turnover.  For important entities, authorities may take action
    when they are provided with evidence or indications of an
    organisation’s non-compliance, particularly with respect of
    the NIS2 notification requirements, and issue fines of up to the
    greater of €7 million or 1.4% of annual worldwide turnover.
     In addition, authorities may order entities to publicise
    details of their infringing behaviour, to stop certain conduct and
    — in the case of essential entities — temporarily ban
    members of the management team from discharging their functions if
    the authority’s deadlines are not met.

Next Steps

Organisations with security and data governance programmes in
place to comply with the GDPR and NIS1 have a head start in meeting
some of their obligations under DORA and NIS2.  That said,
both laws have requirements that go over and above the current
regimes, meaning that businesses should start putting plans in
place now.  Two years goes quickly, after all.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.

Leave a Reply