EU NIS2 & DORA

raj.atwal
raj.atwal Member Posts: 4

Hello everyone,

It would be good to discuss the impacts of the two EU based regulations affecting you and if there are any key tips on readiness you can share?

My company operates within (mainly) the financial services sector but we are not regulated. We fully expect our clients to start pushing vendor due diligence requests asking about compliance with the above.

Thanks in advance,
Raj.

( https://www.nis-2-directive.com/
https://www.esma.europa.eu/esmas-activities/digital-finance-and-innovation/digital-operational-resilience-act-dora )

Comments

  • josem.serrano
    josem.serrano Member Posts: 68 admin

    Great question @raj.atwal! While we wait for some other members to potentially share any impacts or tips, I'll also ask around internally to see if we have any advice for you as well. 😄

  • richard.moormann
    richard.moormann Member Posts: 19

    @raj.atwal, Just wait for those regulations to mature. In the big picture, they are very fresh and don't hold much weight yet. The way they are written, like many things EU, appears to be for political posturing.

    FWIW the site quoted is a private company under "cyber-risk-gmbh.com" which likes to generate a lot of traffic based on EU cyber regulation, and sell training!

    Look at the real EU website which actually lists controls we can build policy and procedures to support, which also correlate to existing standards we are familiar with: https://www.enisa.europa.eu/topics/cybersecurity-policy/nis-directive-new/minimum-security-measures-for-operators-of-essentials-services

    Also note, the NIS 2 states that where sector policy exists, such as DORA, there will not be duplicity, but they will accept the sector regulations as sufficient [i.e. DORA].

    "Article 4(1) of the NIS 2 Directive provides that, where sector-specific Union legal acts (like DORA, that applies in the financial sector) require essential or important entities to adopt cybersecurity risk-management measures or to notify significant incidents, and where those requirements are at least equivalent in effect to the obligations laid down in the NIS 2 Directive, the relevant provisions of the NIS 2 Directive shall not apply to such entities. The sector-specific provisions will apply."

    So, selecting your sector should filter down to your essential requirements.

    Best of success!

    @richard.moormann

  • raj.atwal
    raj.atwal Member Posts: 4

    @richard.moormann thanks for the reply. Apologies for my delay in acknowledging it. I have been out of office for a little bit.

    I hadn't picked up on the duplicity point - really helpful to save a lot of misguided effort in replicating for different regulations.

  • richard.moormann
    richard.moormann Member Posts: 19

    @raj.atwal Community for the win! 😎