
Introducing the NIS2 directive and DORA regulation

Cybersecurity is taking centre stage for the EU, with two pieces of legislation coming into place. 

The NIS2 directive and Digital Operational Resilience Act (DORA regulation) both focus on cybersecurity. But the audiences and goals are different.

The NIS2 directive ensures a high cybersecurity standard across all EU member states. It targets organizations in sectors with a high impact on our daily lives – ‘essential entities’ such as energy, transport, and finance, and ‘important entities’ like postal services, manufacturing, and food production.

The DORA regulation has a narrow focus on financial services. It aims to increase resilience and cybersecurity for 21 types of financial entities and ICT third-party service providers. 

If you’ve already put two and two together, you’ll have spotted the overlap between these two pieces of legislation. So, do certain financial services firms need to maintain compliance with both?

In this guide, we provide a top-level overview of NIS2 and DORA, including who they apply to and how they overlap. We also share pointers on maintaining NIS2 and DORA compliance and keeping your business cybersecure.

Key differences between the NIS2 directive and DORA regulation

Cybersecurity is at the centre of both the NIS2 directive and DORA regulation. But there are several differences between the two.

Look deeper into DORA requirements, and you’ll see it focuses on key areas such as ICT and third-party risk management, ICT incidents, digital operational resilience testing, information sharing and third-party provider oversight.  

NIS2 requirements include 10 key elements all companies need to address. These include incident handling, supply chain security, and vulnerability handling and disclosure. 

Resilience testing looks different under the two pieces of legislation: DORA demands annual resilience testing programs and a threat-led penetration test every three years, while NIS2 only requires security audits every two years.

Directive vs regulation

The biggest difference between NIS2 and DORA is their legal structures. NIS2 is a directive and DORA is a regulation, which means they’re enforced differently.  

Directives give you the direction of travel. But it’s down to member states to translate these into national law before they can be applied. In the case of NIS2, EU member states have 24 months from its publication in December 2022 to introduce national laws, giving a deadline of October 2024. 

This could mean mandated businesses based in two separate EU member states follow different standards for the same directive.

As a regulation, DORA needs to be applied uniformly across all EU states when it comes into force on 17 January 2025.

Where do NIS2 and DORA overlap?

Both the NIS2 directive and DORA regulation demand clear policies, processes and tools for handling cybersecurity risk.

Financial penalties

Fines are heavy for NIS2 and DORA non-compliance – up to 2% of total annual turnover.

Incident reporting

Reporting requirements for NIS2 and DORA are the same: initial incident reports are due within 24 hours, detailed reports within 72 hours and final reports within one month under both. Business continuity, disaster recovery and backup requirements are also included in both.

Data backup and business continuity

Finding secure ways to back up and manage your business data will help you maintain DORA and NIS2 compliance.

Leadership and risk management

Both pieces of legislation require strong leadership. Start by assigning someone to lead on compliance, enforcing policies, procedures and behaviours, and reviewing cybersecurity gaps in your operations.

NIS2 or DORA – which legislation applies to me? 

The DORA regulation is ‘lex specialis’ – meaning more specific rules (like those laid out in DORA) take precedence over more general rules (like those in NIS2). If your organisation falls under NIS2 and DORA rules, prioritise DORA.

For 21 types of financial entities – including credit institutions, banks, payment institutions and investment firms – DORA is the primary legislation. Check whether your organisation is one of these 21 types so you know which rules to follow.

Ensure compliance with CloudM Backup

A reliable backup tool can help keep your business running smoothly and buffer the effects of a cybersecurity threat. 

CloudM Backup stores your vital business data reliably and securely. We’re industry leaders for data backups, with secure encryption in transit and at rest, and compliance with ISO 27001. You always get a clear view of important information – with access to a dashboard containing key stats and notifications about your data. 

Choose from broad or granular restoration options that enable you to mass restore an entire dataset, or single folders and items. Flexible, reliable data backups and recovery to fit you.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About CloudM
CloudM is an award-winning SaaS company whose humble beginnings in Manchester have grown into a global business in just a few short years.

Our team of tech-driven innovators have designed a SaaS data management platform for you to get the most from your digital workspace. Whether it’s Microsoft 365, Google Workspace or other SaaS applications, CloudM drives your business through a simple, easy-to-use interface, helping you to work smarter, not harder.

By automating time-consuming tasks like IT admin, onboarding & offboarding, archiving and migrations, the CloudM platform takes care of the day-to-day, allowing you to focus on the big picture.

With over 35,000 customers including the likes of Spotify, Netflix and Uber, our all-in-one platform is putting office life on auto-pilot, saving you time, stress and money.

What is HIPAA and how can you comply?

The process of managing patient health data isn’t the same as it was a few years back. Records aren’t just stored in filing cabinets and on company devices anymore, they’re in the cloud.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) standardized how private health information (PHI) and electronic private health information (ePHI) is managed. The act details how organizations should keep patient information safe and secure, inside and outside healthcare practices.  

If you deal with PHI or ePHI – whether that’s as a healthcare provider or a business working with healthcare providers – you need to comply with HIPAA rules. This guide gives you a whistlestop tour of HIPAA compliance requirements.

But before we dive into the details of how you can ensure you comply with HIPAA, let’s take a quick look at what’s at stake.

The cost of non-compliance

Failure to comply with HIPAA requirements can result in fines up to $68,928 per violation per year, civil lawsuits, and criminal charges.

  • 4.9 million people affected by a data loss at Tricare Management.
  • $115 million settlement following a class action lawsuit against Anthem, Inc, in addition to a $15 million fine for HIPAA violations.
  • $2 billion in total HIPAA penalties issued since 2003.

Depending on the severity of the violation, HIPAA fines can seriously hurt an organization financially. But there’s more. If an organization is found to have been lax with keeping sensitive data safe, they will be the focus of public scrutiny which can severely damage the brand’s reputation and further hinder recovery and operations.

Let’s look at how you can avoid this by examining the rules and requirements of HIPAA.

HIPAA rules: an overview

The aim of HIPAA is to keep private health information, in all its forms, safe. For mandated organizations, this information must remain confidential both inside and outside healthcare facilities. If HIPAA rules are breached, organizations could face penalties ranging from a few hundred dollars to tens of thousands depending on the severity of the violation. 

Private health information could include a patient’s medical conditions, the healthcare they receive, and payment for this care. It’s health data that’s individually identifiable for the patient.  

There are five parts to HIPAA legislation, known as titles. Each section focuses on a different aspect of using healthcare data. Where the first title regulates group and individual health insurance policies, the second title establishes privacy and security standards for protected health information. Here’s the full list of titles: 

  1. Healthcare access, portability, and renewability 
  2. Preventing healthcare fraud and abuse, administrative simplification, and medical liability reform 
  3. Tax-related health provisions governing medical savings accounts 
  4. Application and enforcement of group health insurance requirements
  5. Revenue offsets governing tax deductions for employers 

In the next section, we focus on the second title because this is where guidance on keeping ePHI secure can be found under the Security Rule. 

HIPAA rules apply to two different groups: covered entities and business associates. Covered entities are organizations that provide treatment, healthcare plans, or deal in payments (healthcare clearinghouses). Business associates are companies working for covered entities that have access to PHI and ePHI – cloud storage companies, billing providers, and outsourced IT businesses. HIPAA compliance requirements for the Security Rule vary slightly between these two groups, but both must follow the safeguarding rules outlined in the next section.

The Security Rule

Effective HIPAA compliance relies on multiple policies, processes, and tools. The Security Rule is a core tenet of HIPAA legislation, which focuses solely on the protection of ePHI. This isn’t just relevant for healthcare providers, but for third parties that come into contact with electronic health data through their partners. 

The Security Rule requires organizations to protect ePHI through the following safeguards. 

Administrative safeguards include risk analysis and mitigation strategies (plus regular process and policy evaluations), assigning security personnel, enforcing access management policies, proper training, management, and sanctions for your workforce. 

Physical safeguards mean limiting access to physical data storage facilities, and policies that guide the use of devices and workstations. This could mean defining how work phones and laptops are used to access or manage ePHI, and how regularly passwords need to be updated.   

Technical safeguards focus on the use of technology and digital tools. This includes setting up access and audit controls and monitoring access using hardware, software, and procedures. It also includes controls that prevent ePHI from being altered or destroyed incorrectly and security measures that protect against unauthorized access to ePHI transmitted over an electronic network (encryption).

With the help of these safeguards, you must: 

  • Uphold the confidentiality, integrity, and availability of the ePHI you create or manage as an organization
  • Identify and protect against reasonably anticipated threats to the security and integrity of information
  • Protect against reasonably anticipated impermissible uses or disclosures of this information
  • Ensure compliance from your workforce

Organizations also need to have a data backup plan, complete with procedures – like an established backup schedule – to create, maintain and restore exact copies of ePHI. This should be supported by documentation that verifies the creation of backups and their secure storage. Backup copies should also be stored in a physical location separate from the data source.

You might find it helpful to create a HIPAA compliance checklist, complete with the guidance above, so you can make sure your organization is hitting the mark. And don’t forget to take a few moments to review the full HIPAA Security Rule guidance on the US Department of Health and Human Services website, too.

Make HIPAA compliance seamless with CloudM Backup

Keeping a clear view of the private information you create and maintain is essential for HIPAA compliance. But you can’t have eyes everywhere – and without sturdy tools and processes in place, risks can slip through the net. 

This was the case for a behavioral healthcare provider in Maryland. After 14,000 patients had sensitive information stolen, the organization could not show good risk assessment evidence, robust security measures, or enforced policies and procedures for reviewing records. This breach resulted in a $40,000 fine for violating multiple HIPAA rules.

You can avoid similar costly errors by implementing CloudM Backup. Our software helps you maintain HIPAA security rule compliance by enabling you to create regular, secure, and retrievable backups of ePHI. Information is stored in your infrastructure, and you can restore data quickly should a malicious or accidental loss occur. 

Automation features mean data retention and backup policies can be applied automatically – saving you and your team time on manual admin while ensuring consistent and reliable data management. We use the encryption standard AES-256 and are ISO 27001 certified – so you can trust us to take your and your customers’ data seriously. 

Our product is robust but flexible. You can set up bespoke policies that meet local data retention requirements, and tailor CloudM Backup to meet the needs of your organization (and HIPAA rules).  

Find out about HIPAA-compliant cloud backup and disaster recovery software

Book a call with our Backup specialists today.


Are your Google AU license costs adding up? Here’s what to do

Businesses are in a bind. Keeping employee information secure is essential for data protection. But, following the introduction of Google Archive User (AU) licenses, it’s a major expense. 

Before this change there was a free option: the Vault Former Employee (VFE) license. Now, AU licenses offer a replacement, but at a cost of between $4 and $7 per person per month.

While this is cheaper than full Google licenses, it’s still an additional charge for ex-employees. In this short guide, we explore alternative options for archiving employee data that keep information safe but don’t cost a fortune.

Why is archiving employee data so important? 

In many countries, businesses are legally required to keep staff data – often for years after an employee leaves. 

For US employers, the length of time information should be kept depends on the type of data and local rules. Many businesses use seven years as a baseline, because this covers most state and federal rules. 

Similarly, rules vary for UK businesses depending on the kind of information kept. The key message is that the length of time you keep data depends on the reason it was collected. Should a previous employee make a claim against your company after leaving, you may need access to their records as evidence.  

Proper archiving means you can retrieve data for specific situations such as legal disputes, freedom of information requests, or restoring access should the person become an employee again. 

What’s the alternative to Google AU licenses? 

You don’t need Google AU licenses to ensure data is stored securely, easily retrievable and restorable, and deleted after a set period, because CloudM Archive does all this and more.

Our archiving tool has an optional offboarding step to automatically send the leaver’s data straight to your chosen GCP storage bucket, where this information will be deleted after a set time (in line with your data retention policies). 

You get full visibility of the data in your storage bucket with CloudM Archive. This comes in handy if you receive a freedom of information request. Instead of spending hours hunting down a single email, you can view storage buckets indexed by user and restore the information in a few clicks. 

Best of all, you don’t need to pay for full or AU Google licenses for your team. You just need to pay for CloudM Archive and the cost of holding data in your Google storage buckets, which, even when combined, works out much cheaper than the AU license fees.

Switching to CloudM Archive: how it works

The transition to CloudM comes in two parts:

1. Reduce what you pay for existing licenses

First, move Google AU license holders to CloudM Archive using our Migrate tool. The CloudM team is on hand to make this transition smooth and easy for you.

2. Control your current spend with automation

Next, set up CloudM Archive so that future leavers have their information stored here instead of incurring new Google AU license fees. With CloudM Archive, leavers’ data is automatically archived and licenses can be reassigned.

We know you might need to approach data management more flexibly, too. So if you’d rather keep a specific power user’s data on an AU license, you can add a bespoke offboarding step that keeps it there instead.

Combining CloudM Migrate and Archive is a winning formula for cutting license costs. Just ask Paul Young, Head of Collaboration and Communications Digital Solutions at Holcim Group:

“We’ve saved millions of dollars by using CloudM to archive users to a secure storage area. The product has worked since day one. But, if something isn’t working as expected or needs a tweak, CloudM listens and finds a solution with a level of thought and care you don’t always see.” 


CloudM chooses Royal Manchester Children’s Hospital as 2024 charity partner

CloudM has chosen Royal Manchester Children’s Hospital as its charity partner of the year in 2024. As a Manchester-based business, CloudM was keen to support local organisations and help make a difference in its local community. 

Royal Manchester Children’s Hospital is the largest children’s hospital in the country, and the work of the Manchester Foundation Trust Charity helps maintain the hospital as one of the best. The hospital provides specialist treatments and care for children from the local community and across the country. 

Among the reasons for choosing the Royal Manchester Children’s Hospital as its charity of the year was the inspiring story of local lad Hughie Higginson and his friend Freddie. Hughie was diagnosed with leukaemia when he was just 10 years old and was treated at the hospital. While he was undergoing treatment, Freddie set out to raise money to support his friend by running 2 kilometres per day for 50 days. Hughie is now cancer-free, and alongside Freddie, ‘Hughie & Freddie’s Play Appeal’ has raised a staggering £340,000 for the charity.

It is the support of community and corporate fundraisers that allows the hospital to go beyond the treatment offered on the NHS and improve the experience of the children, and their families, that it treats. Fundraising helps provide state-of-the-art equipment, support the very best research and deliver exceptional care.

“Over the years CloudM has supported lots of charities; this year we really wanted to support a local organisation. It was an easy choice to support a charity in Royal Manchester Children’s Hospital that really goes above and beyond to ensure that poorly children receive the very best treatment and care possible. We’re really excited to support and raise funds in a real variety of ways.”

CloudM employees will be supporting the charity in a variety of ways, from raising funds and taking part in some of the hospital’s existing fundraising events, to holding our own fundraising efforts. Employees will also be giving up their time to help volunteer within the charity. 

When Hughie and Freddie discovered they were the inspiration behind CloudM choosing Royal Manchester Children’s Hospital, they were keen to say “A massive thank you, it will help so many patients and families, thank you so much!”

 

“We are so very grateful for CloudM colleagues choosing to support Manchester Foundation Trust Charity as their new Charity of the Year, raising funds for Royal Manchester Children’s Hospital,” said Jack Bright, Relationship Manager at Manchester NHS Foundation Trust Charity. “We can’t wait to meet more of the CloudM team as they get stuck in with their fundraising, which will make a difference to thousands of patients and their families who need our hospital each and every year. Welcome to our family of fantastic supporters and we look forward to working with you!”

We’ll provide regular updates on activities and our fundraising events throughout the year, and if any customers or partners would like to get involved, please reach out to your account manager.


Vault doesn’t cut it: why you need a backup solution for Google Workspace

For organizations looking for an affordable, scalable productivity suite, Google Workspace is a great option. Designed with security in mind, it also has several features that promise to keep your organization’s most valuable asset – your data – safe.  

Your data is under constant threat – and the consequences can be costly

The safety of your data is under attack from many directions: cybercriminals as well as disgruntled users, accidental human error, programmatic errors and more pose a threat. Cyberattacks especially are an ever-growing challenge: incidents have doubled in some sectors due to advances in AI enabling criminals to conduct increasingly sophisticated attacks.

Data loss often comes with severe consequences for your business. The time and effort required to recover from the event and get critical operations running safely again can be significant. Being able to demonstrate business continuity in the event of a cyberattack is a legal requirement of regulations such as the Digital Operational Resilience Act (DORA) and the upcoming NIS2 directive, and fines for non-compliance are hefty. Lastly, your reputation is on the line, too, especially when it is found that data security protection was lacking.

Google’s protection is not enough

Google’s safety mechanisms include end-to-end encryption and two-factor authentication. However, Google’s built-in backup and recovery solution is insufficient, leaving you and your data at risk. There are two main reasons for this:

  • Google’s built-in backup functionality provides only temporary and limited protection

Google constantly backs up your data to meet their service level agreements (SLA) in the event of a major service outage on their part. Your data is “sharded” (partitioned horizontally) and split between multiple regions and data centers so that in the event of a catastrophic failure or cyber attack on a single data center, your “live” data will still be available to you when you open up Google Workspace.

However, there are no automatic backups beyond 25 days, and only limited protection against accidental deletion and malicious users. 

  • Google Vault is not a backup solution

Some organizations use Google Vault, a protective layer that provides data retention and eDiscovery for compliance purposes, to back up their data; however, Vault is not designed as a backup tool. It only stores the latest versions of your data and is not designed for recovery.

In fact, you are responsible if your data is lost or changed in many common circumstances such as:

  1. A user has modified content and you need to restore it back to a previous state.
  2. A malicious user has been able to modify and delete data because you have given them access to it through sharing and delegation policies.
  3. An admin has incorrectly set a policy or process (such as a Vault retention policy), leading to unwanted changes to your data such as pre-emptive deletion.

Google Workspace and Google Vault lack basic backup functionality

Further limitations that disqualify Google Workspace and Google Vault as effective backup and recovery methods include:

  1. No mass restoration process – Google does not provide an easy, direct and effective method of restoring data in bulk. 
  2. Data restored may not be in the format required – For example, Google Vault will only allow you to restore emails in MBOX format with no label preservation.
  3. Limited time and no version control when restoring from Google Workspace Trash – Whilst you can retrieve deleted items from Trash, you only have a limited amount of time to do so (25 – 30 days) before it is permanently deleted. You will only be able to restore the latest version of the file or email with no granular version control.

How can you protect your data from the consequences of data loss?

In summary, relying on Google and Google Vault for backup and recovery exposes your organization to significant risk from data loss. Noncompliance, reputational damage and ultimately the cost of restoring your data and recovering from the loss further strengthen the case for implementing a robust backup and recovery solution.

CloudM Backup is a simple yet powerful backup and recovery solution for Google Workspace that protects your data against accidental deletion and malicious users whilst providing quick and easy mass restoration should data loss occur.

Find out how CloudM backup can protect your organisation.

