
Cybersecurity is taking centre stage for the EU, with two pieces of legislation coming into force.
The NIS2 directive and Digital Operational Resilience Act (DORA regulation) both focus on cybersecurity. But the audiences and goals are different.
The NIS2 directive ensures a high cybersecurity standard across all EU member states. It targets organizations in sectors with a high impact on our daily lives – ‘essential entities’ such as energy, transport, and finance, and ‘important entities’ like postal services, manufacturing, and food production.
The DORA regulation has a narrow focus on financial services. It aims to increase resilience and cybersecurity for 21 types of financial entities and ICT third-party service providers.
If you’ve already put two and two together, you’ll have spotted the overlap between these two pieces of legislation. So, do certain financial services firms need to maintain compliance with both?
In this guide, we provide a top-level overview of NIS2 and DORA, including who they apply to and how they overlap. We also share pointers on maintaining NIS2 and DORA compliance and keeping your business cybersecure.
Key differences between the NIS2 directive and DORA regulation
Cybersecurity is at the centre of both the NIS2 directive and DORA regulation. But there are several differences between the two.
Look deeper into DORA requirements, and you’ll see it focuses on key areas such as ICT and third-party risk management, ICT incidents, digital operational resilience testing, information sharing and third-party provider oversight.
NIS2 requirements include 10 key elements all companies need to address. These include incident handling, supply chain security, and vulnerability handling and disclosure.
Resilience testing looks different under the two pieces of legislation – DORA demands annual resilience testing programmes and a threat-led penetration test every three years. NIS2 only requires security audits every two years.
Directive vs regulation
The biggest difference between NIS2 and DORA is their legal structures. NIS2 is a directive and DORA is a regulation, which means they’re enforced differently.
Directives give you the direction of travel. But it’s down to member states to translate these into national law before they can be applied. In the case of NIS2, EU member states have 24 months from its publication in December 2022 to introduce national laws, giving a deadline of October 2024.
This could mean that in-scope businesses based in two different EU member states follow different standards for the same directive.
As a regulation, DORA needs to be applied uniformly across all EU states when it comes into force on 17 January 2025.
Where do NIS2 and DORA overlap?
Both the NIS2 directive and DORA regulation demand clear policies, processes and tools for handling cybersecurity risk.

Financial penalties
Fines are heavy for NIS2 and DORA non-compliance – up to 2% of total annual turnover.

Incident reporting
Reporting requirements for NIS2 and DORA are the same – initial incident reports are due within 24 hours, detailed reports within 72 hours and final reports within one month under both. Business continuity, disaster recovery and backup requirements are also included in both.

Data backup and business continuity
Finding secure ways to back up and manage your business data will help you maintain DORA and NIS2 compliance.

Leadership and risk management
Both pieces of legislation require strong leadership. Start by assigning someone to lead on compliance, enforcing policies, procedures and behaviours, and reviewing cybersecurity gaps in your operations.
NIS2 or DORA – which legislation applies to me?
The DORA regulation is ‘lex specialis’ – meaning more specific rules (like those laid out in DORA) take precedence over more general rules (like those in NIS2). If your organisation falls under NIS2 and DORA rules, prioritise DORA.
For 21 types of financial entities – including credit institutions, banks, payment institutions and investment firms – DORA is the primary legislation. Check whether your organisation is one of these 21 types so you know which rules to follow.
Ensure compliance with CloudM Backup
A reliable backup tool can help keep your business running smoothly and buffer the effects of a cybersecurity threat.
CloudM Backup stores your vital business data reliably and securely. We’re industry leaders for data backups, with secure encryption in transit and at rest, and compliance with ISO 27001. You always get a clear view of important information – with access to a dashboard containing key stats and notifications about your data.
Choose from broad or granular restoration options that enable you to mass restore an entire dataset, or single folders and items. Flexible, reliable data backups and recovery to fit you.
About Version 2 Digital
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.
Through an extensive network of channels, points of sale, resellers, and partner companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which includes Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, government, a vast number of successful SMEs, and consumers in various Asian cities.
About CloudM
CloudM is an award-winning SaaS company whose humble beginnings in Manchester have grown into a global business in just a few short years.
Our team of tech-driven innovators has designed a SaaS data management platform for you to get the most from your digital workspace. Whether it’s Microsoft 365, Google Workspace or other SaaS applications, CloudM drives your business through a simple, easy-to-use interface, helping you to work smarter, not harder.
By automating time-consuming tasks like IT admin, onboarding & offboarding, archiving and migrations, the CloudM platform takes care of the day-to-day, allowing you to focus on the big picture.
With over 35,000 customers including the likes of Spotify, Netflix and Uber, our all-in-one platform is putting office life on auto-pilot, saving you time, stress and money.

