The global implications of DORA and NIS 2 Directive are significant, extending beyond the European Union.
Amongst others, the webinar covers:
• DORA and its Implications
• NIS 2 Directive and its Implications
• How to leverage the directive and regulation as a marketing tool and competitive advantage
• How to use the new compliance framework to request additional budget
Presenters:
Christophe Mazzola - Senior Cyber Governance Consultant
Armed with endless Excel files, a meme catalog worthy of the best X'os (formerly twittos), and a risk register to make your favorite risk manager jealous, I swapped my computer scientist cape a few years ago for that of a (cyber) threat hunter with the honorary title of CISO.
Ah, and I am also quadruple senior certified in ISO27001/2/5. Not bad, eh? It's French.
Malcolm Xavier
Malcolm Xavier has been working in the digital industry for over 18 years. He has worked with global clients in South Africa, the United States and the United Kingdom. He holds many professional certifications, including CISSP, Google Cloud Practitioner, TOGAF, Azure Cloud, ITIL v3, etc.
His core competencies include IT strategy, cybersecurity, IT infrastructure management, data center migration and consolidation, data protection and compliance, risk management and governance, and IS program development and management.
Date: April 25, 2024
Tags: Information Security, Digital Operational Resilience Act (DORA)
4. Decoding the differences
Directive (NIS2) vs Regulation (DORA)
Key Differences
1. Definition
• Directive: A legislative act that sets out a goal that all EU countries must achieve.
• Regulation: A binding legislative act that must be applied in its entirety across the EU without requiring member states to pass any enabling legislation.
2. Implementation
• Directive: Must be transposed into national law by member states within a set deadline.
• Regulation: Automatically becomes law in all member states simultaneously.
3. Enforcement
• Directive: Depends on national authorities and the specificities of national laws.
• Regulation: Enforced uniformly across the EU by relevant EU-wide and national bodies.
5. Decrypting the brand-new EU Regulation
DORA Overview
The strategic mission of DORA is to ensure that the financial sector in Europe can handle and recover quickly from any type of technology-related disruption or attack, aiming to keep the financial system stable and trustworthy.
The Digital Operational Resilience Act is a European Union regulation enacted in December 2022 that entered into force in January 2023. It will apply to financial institutions starting on 17 January 2025.
7. NIS2, GDPR and CRA
Relations with other EU regulations/directives
• DORA and NIS2 both aim to enhance digital resilience and mitigate cyber incidents in the EU.
• DORA will take precedence over NIS2, avoiding overlap.
• DORA is built on GDPR requirements and does not override them.
• The Cyber Resilience Act aims to raise the cybersecurity posture across a large range of industries, while DORA focuses on financial entities.
8. Using the ISO 27k family to achieve compliance
Relations with standards
• ISO27001 to leverage the governance, structure and global approach of Information Security
• ISO27005 to leverage Information Security Risk Management
• ISO22301 to leverage business resilience
9. A revolution in Risk Management
ICT (Third Party) Risk Management
DORA mandates strict oversight and management of third-party ICT service providers.
Impact:
• Introduces a requirement for financial entities to maintain a register of all information regarding their ICT third-party relationships and risk management policies.
• Requires due diligence processes and ongoing monitoring to manage and mitigate risks associated with third-party service providers.
10. A revolution in Risk Management
ICT (Third Party) Risk Management
Revolutionary Aspect
DORA's regulatory framework brings critical ICT third-party service providers under strict regulatory oversight for the first time.
Impact:
• Addresses key vulnerabilities in the financial sector's supply chain, ensuring that critical service providers meet robust security standards.
• Complements the focus of the NIS 2 Directive on enhancing supply chain security, highlighting modern digital ecosystems and the need for holistic security approaches.
12. Marketing tool and competitive advantage
How to leverage Directive and Regulations
1. Historical Context with GDPR:
• Companies prominently display GDPR compliance as a trust factor.
• Public claims of GDPR compliance helped companies gain initial trust.
• Organizations that adopted a proactive approach to GDPR compliance benefited from reduced stress and enhanced business opportunities.
2. Leveraging Early Compliance:
• First Mover Advantage: Use the period leading up to full enforcement of new directives/regulations to position yourself as a leader in compliance.
• Marketing and Sales Synergy: Direct your marketing team to highlight your early compliance, and orient sales strategies to target sectors such as finance and banking.
13. Marketing tool and competitive advantage
How to leverage Directive and Regulations
1. Professional Development:
• DORA Lead Manager Training
• Early certification benefits
2. Marketing Strategy:
• Differentiation through expertise
• Training opportunities
14. The hidden truth behind DORA and NIS2
DORA and NIS2 are two sides of the same coin
Both DORA and NIS 2 represent the European Union's effort to standardize cybersecurity and operational resilience across key sectors.
Both DORA and NIS 2 will serve as benchmarks for global cybersecurity standards, influencing policies beyond Europe with their approach to digital resilience.
Just as GDPR revolutionized data privacy and protection standards globally, DORA and NIS 2 are poised to do the same for cybersecurity and resilience.
Initial skepticism about GDPR's impact parallels the reception to DORA and NIS 2.
15. The hidden truth behind DORA and NIS2
DORA and NIS2 are two sides of the same coin
Both DORA and NIS 2 are PRAGMATIC, and measures shall be REASONABLE or
PROPORTIONATE.
How to demonstrate pragmatism?
You can’t. You demonstrate that you effectively mitigate risks.
17. Introduction & Overview of the NIS 2.0 Directive
NIS2 Directive
• Introduction
• The purpose and significance of the NIS 2 Directive
• NIS 2 Timelines
• Key changes from the previous NIS framework
• The relevance of cybersecurity in today's interconnected world
• What organizations need to do to comply with the updated NIS requirements
• Practical steps, best practices, and challenges
18. NIS
The NIS2 Directive is the EU-wide legislation on cybersecurity. It provides legal measures to boost the overall level of cybersecurity in the EU.
The Network and Information Security (NIS) Directive was the first EU-wide legislation on cybersecurity. Its primary goal was to achieve a high common level of cybersecurity across the EU Member States.
Key figures:
• 27 Member States
• 46 articles in the NIS2 Directive
• Fines of EUR 10 million or up to 2% of the total worldwide turnover of an entity for non-compliance
• Deadline for transposition into national law: 17 October 2024
19. NIS 2 Timelines and Important Dates
• Jul 2016: NIS 1 enters into force
• May 2022: NIS 2 approved
• Nov 2022: EU Parliament votes to adopt NIS 2
• Dec 2022: Published in the Official Journal of the EU as Directive EU 2022/2555
• Jan 2023: NIS 2 enters into force
• Oct 17, 2024: Deadline for transposition into law
Post-October 17, 2024: EU authorities will continue to carry out regular work to review and cement aspects of the Directive, such as the establishment by Member States of a list of Essential and Important entities.
20. The purpose and significance of the NIS 2 Directive
The NIS 2 Directive, officially known as the Directive (EU) 2021/250 of the European Parliament and of the Council, aims to enhance the cybersecurity and resilience of critical infrastructure and digital services across the European Union (EU).
It builds upon the original NIS Directive (NISD) and addresses the evolving threat landscape, technological advancements, and the increasing reliance on digital systems.
The primary purpose of NIS 2 is to establish a harmonized framework for managing cybersecurity risks and incidents, thereby safeguarding essential services and ensuring trust in the digital economy.
21. Significance
Strengthened Scope: NIS 2 extends the scope beyond just essential services to include a broader range of digital service providers (DSPs), such as online marketplaces, cloud computing services, and search engines.
Risk Management: It emphasizes risk-based approaches, requiring organizations to assess and manage cybersecurity risks effectively.
Incident Reporting: NIS 2 mandates timely reporting of significant cybersecurity incidents to national authorities, promoting transparency and collaboration.
Cooperation and Information Sharing: The directive encourages cross-border cooperation among EU member states and facilitates information sharing to respond swiftly to threats.
Penalties and Enforcement: NIS 2 introduces stricter penalties for non-compliance, ensuring accountability and incentivizing organizations to invest in cybersecurity measures.
Digital Single Market: By enhancing cybersecurity resilience, NIS 2 contributes to a secure and competitive digital single market within the EU.
22. Key changes from the previous NIS framework.
Expanded Scope: It includes more sectors and types of entities, broadening the range of companies that must adhere to cybersecurity requirements.
Stricter Security Requirements: The directive imposes more rigorous security and incident reporting obligations.
Enhanced Enforcement: It establishes stricter supervisory measures and higher sanctions for non-compliance.
23. The relevance of cybersecurity in today's interconnected world.
• Protection of Sensitive Data
• Business Continuity
• National Security
• Economic Impact
• Privacy Preservation
• Global Collaboration
• Emerging Technologies
• Individual Responsibility
24. What organizations need to do to comply with the updated NIS requirements.
• Risk Management
• Corporate Accountability
• Reporting Obligations
• Business Continuity Planning
• Baseline security measures
25. Practical steps, best practices, and challenges related to NIS 2 Directive compliance
Practical Steps:
• Risk Assessment
• Policy Development
• Incident Response Plan
• Employee Training
• Vendor Management
• Regular Audits
Best Practices:
• Secure Development
• Patch Management
• Multi-Factor Authentication
• Defense in Depth
• Continuous Monitoring
• Encryption
• Access Controls
• Threat Intelligence
• Collaboration
• Incident Communication
• Privacy by Design
Challenges:
• Complexity
• Resource Constraints
• Cross-Border Coordination
• Rapidly Evolving Threats
• Balancing Security and Usability
• Vendor Compliance
• Employee Awareness
The Network and Information Security (NIS) Directive is the first piece of EU-wide legislation on cybersecurity, and its specific aim was to achieve a high common level of cybersecurity across the Member States. While it increased the Member States' cybersecurity capabilities, its implementation proved difficult, resulting in fragmentation at different levels across the internal market. To respond to the growing threats posed by digitalisation and the surge in cyber-attacks, the Commission submitted a proposal to replace the NIS Directive and thereby strengthen the security requirements, address the security of supply chains, streamline reporting obligations, and introduce more stringent supervisory measures and stricter enforcement requirements, including harmonised sanctions across the EU. The proposed expansion of the scope covered by NIS2, by effectively obliging more entities and sectors to take measures, would assist in increasing the level of cybersecurity in Europe in the longer term.
Within the European Parliament, the file was assigned to the Committee on Industry, Research and Energy. The committee adopted its report on 28 October 2021, while the Council agreed its position on 3 December 2021. The co-legislators reached a provisional agreement on the text on 13 May 2022. The political agreement was formally adopted by the Parliament and then the Council in November 2022. It entered into force on 16 January 2023, and Member States now have 21 months, until 17 October 2024, to transpose its measures into national law. Fourth edition. The 'EU Legislation in Progress' briefings are updated at key stages throughout the legislative procedure.
Although the UK is no longer part of the EU (meaning that NIS2 does not directly apply), many businesses operate within the EU, which will require them to comply with NIS2 in order to maintain the same level of security standards as other member states.
UK NIS Directive Expansion Proposal: On November 30, 2022, the UK government announced a proposal to expand the scope of the UK NIS Directive (referred to as “UK NIS”). While NIS 2 itself won’t be implemented in the UK, some changes similar to NIS 2 are expected in the UK NIS1.
In summary, the NIS 2 Directive plays a crucial role in fortifying Europe's digital infrastructure, protecting citizens, businesses, and critical services from cyber threats.
In today’s interconnected world, where digital networks span continents and information flows seamlessly across borders, cybersecurity has become a critical pillar for individuals, organizations, and nations alike. Let’s explore its significance:
Protection of Sensitive Data:
Our lives are intricately woven into digital fabric. From personal emails to financial transactions, sensitive data resides online.
Cybersecurity ensures the confidentiality, integrity, and availability of this data. It shields us from identity theft, financial fraud, and unauthorized access.
Business Continuity:
Organizations rely on interconnected systems for operations, communication, and supply chains.
A cyberattack can disrupt services, halt production, and lead to financial losses. Robust cybersecurity safeguards business continuity.
National Security:
Nations depend on interconnected infrastructure—power grids, transportation, healthcare, and defense systems.
Cyber threats can compromise national security, disrupt essential services, and even endanger lives.
Economic Impact:
Cyber incidents cost trillions of dollars annually. Attacks on businesses affect stock markets, investor confidence, and economic stability.
Investing in cybersecurity is an investment in economic resilience.
Privacy Preservation:
Our interconnected devices collect vast amounts of personal information.
Cybersecurity measures protect our privacy by preventing unauthorized surveillance, data breaches, and misuse of personal data.
Global Collaboration:
Cyber threats transcend borders. International cooperation is essential.
Cybersecurity frameworks, information sharing, and joint efforts combat cybercrime collectively.
Emerging Technologies:
The Internet of Things (IoT), artificial intelligence, and quantum computing bring immense opportunities.
They also introduce new vulnerabilities. Cybersecurity research ensures safe adoption of these technologies.
Individual Responsibility:
Each of us contributes to the interconnected ecosystem. Our actions impact others.
Practicing good cyber hygiene—using strong passwords, updating software, and being cautious online—protects everyone.
In summary, cybersecurity is not merely a technical concern; it is a shared responsibility that underpins our modern way of life.