A consequence of the Paris Cyber Summit? Maybe, maybe not, but last week saw two cyber files progress rapidly at EU level. On May 10, 2022, the Council of the EU and the European Parliament reached a provisional agreement on the proposed Digital Operational Resilience Act (DORA), whose purpose is to promote cyber resilience in the financial sector. A few days later, on May 13, the co-legislators also reached a provisional agreement on the revision of the first piece of cybersecurity legislation in the European Union, the NIS Directive 2016/1148 on security of network and information systems (NIS 1; its revision is referred to as NIS 2). Now that the texts are close to finalization, it is time to prepare for their implementation, and to consider how they will interplay with the UK's (upcoming) revised cybersecurity framework.
Interplay Between DORA and EU & UK Cybersecurity Legislation
For now, both DORA and NIS 2 still need to be formally adopted and then transposed into national law (NIS 2) or applied (DORA). This is not expected before 2024 at the earliest. But once this is completed, entities that are caught by both EU and UK laws will need to navigate between the different frameworks; what the rules will be in the UK remains subject to speculation, as the UK has only recently started to revamp its cybersecurity framework.
NIS 2 is intended to improve the harmonization of baseline cybersecurity risk management requirements. It will apply to all organizations within the sectors that are in its scope; the actual requirements, however, may vary depending on the organization and sector. NIS 2 will replace the categories of operators of essential services (OES) and digital service providers (DSPs) with the categories "essential entities (EEs)" and "important entities (IEs)." Credit institutions and financial market infrastructures will fall within the scope of both NIS 2 and DORA. Potential overlap between the two acts will be addressed by a lex specialis exemption: DORA will in most circumstances prevail over NIS 2 in relation to financial entities. Most ICT service providers currently categorized as DSPs are expected to remain subject to NIS 2. In addition, all ICT service providers contracted to work for financial entities will need to adapt their contractual set-up to meet the statutory obligations of DORA.
The UK has also started the process of updating its own Network and Information Systems Regulations 2018 (UK NIS), which implemented NIS 1. This will mark a departure from the EU's direction of travel on cyber resilience. The financial sector would remain out of scope of UK NIS, but it will continue to be partially covered by the requirements of the UK financial authorities. ICT service providers will be subject to UK NIS if they fall within its scope. Those contracting with EU financial entities will most likely need to arrange their contractual set-up in line with NIS 2 or DORA (or both).
The attached table sets out some of the key differences between the three proposed pieces of legislation that businesses should be aware of.
How Should Businesses Avoid Cybersecurity Headaches in the Future?
Some of the above requirements will already be fairly familiar to certain entities (by virtue of existing contractual requirements or otherwise). However, the broadening of the sectors required to comply with NIS 2, together with the widening of the range of actors within those sectors, means that a far higher number of entities will be caught by these laws. This comes in addition to DORA's new set of cyber resilience rules for the financial sector. These new laws will mean new responsibilities and, with them, the need to implement a strong cyber resilience strategy. The EU approach raises the bar relative to the US NIST Cybersecurity Framework, which is recommended practice and less stringent than the proposals for DORA and NIS 2. Cross-border entities will also need to comply with the forthcoming Strengthening American Cybersecurity Act 2022 and, as the UK appears to depart from the EU's standards on this matter, to navigate the fragmented framework that lies ahead.
In terms of next steps, entities must identify and understand the legislation that applies to them, audit their current status and identify gaps, develop a new strategy and establish a list of actions, and finally, test and train ahead of time. The time to act is now.