As we usher in 2025, the European Union’s regulatory landscape for cybersecurity is undergoing significant transformations. The introduction of new directives and regulations, such as the Cyber Resilience Act (CRA), Digital Operational Resilience Act (DORA), the updated Network and Information Systems Directive (NIS2), and the AI Act, marks a pivotal shift in how organizations across various sectors must approach cybersecurity and compliance. These regulations aim to fortify the EU’s digital infrastructure, ensuring that products and services are not only innovative but also secure and resilient against the ever-evolving landscape of cyber threats.
DORA focuses on the financial sector, requiring robust ICT risk management frameworks and operational resilience testing to safeguard against severe disruptions. Simultaneously, NIS2 broadens its scope to include more sectors, such as healthcare and digital infrastructure, demanding enhanced risk management and incident reporting protocols. The Cyber Resilience Act mandates stringent cybersecurity standards for products with digital elements, from smart home devices to industrial control systems, enforcing a ‘security by design’ approach. Together, these regulations represent a comprehensive strategy to bolster the EU’s cyber defenses and ensure that businesses and consumers can trust the digital ecosystem they rely on.
More specifically, the Digital Operational Resilience Act (DORA) is an EU Regulation aimed at strengthening the cybersecurity and operational resilience of the financial sector. DORA entered into force on January 16, 2023, and applies from January 17, 2025 (as a Regulation it is directly applicable, so no national transposition is required). It aims to ensure that financial entities such as banks, insurance companies, and investment firms can withstand, respond to and recover from severe ICT-related operational disruptions.
Key Provisions
- ICT Risk Management: DORA establishes principles and requirements for managing information and communication technology (ICT) risks within financial entities.
- ICT Third-Party Risk Management: It includes provisions for mitigating risks associated with ICT third-party service providers.
- Operational Resilience Testing: Financial entities must implement a comprehensive testing program, including advanced testing, to ensure operational resilience.
- Incident Management: DORA requires the management and reporting of ICT-related incidents, including major incidents and significant cyber threats, to competent authorities.
- Information Sharing: It promotes the exchange of information and intelligence on cyber threats among financial entities and authorities.
- Oversight of Critical Third-Party Providers: DORA establishes an oversight framework for critical ICT third-party providers, designated by the European Supervisory Authorities (ESAs), namely the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA).
- Penalties: administrative penalties for financial entities are defined by each Member State and imposed by the national competent authorities; for critical ICT third-party providers, the Lead Overseer may impose periodic penalty payments of up to 1% of the provider’s average daily worldwide turnover for as long as it fails to comply.
The Network and Information Systems Directive 2 (NIS2) is an updated version of the original NIS Directive, aimed at enhancing cybersecurity across the EU. NIS2 was signed on December 14, 2022, and Member States had until October 17, 2024, to transpose its measures into national law. The directive aims to build cybersecurity capabilities, mitigate threats to network and information systems, and ensure the continuity of essential services.
Key Provisions
- Expanded Scope: NIS2 covers a broader range of sectors, including energy, transport, banking, financial market infrastructures, health, drinking water supply and distribution, and digital infrastructure.
- Strengthened Measures: The directive introduces stricter requirements for both public and private organizations to improve their cybersecurity posture.
- Incident Reporting: Organizations must notify the national authority (or CSIRT) of significant incidents in stages: an early warning within 24 hours of becoming aware of the incident, a full incident notification within 72 hours, and a final report within one month.
- Risk Management: NIS2 emphasizes the importance of risk management and requires organizations to implement measures to prevent and minimize the impact of cyber incidents.
- Accountability: Senior management is held accountable for ensuring cybersecurity is integrated into the organizational strategy and that compliance is maintained.
- Penalties: Non-compliance with NIS2 can result in substantial fines, with maximums of at least €10 million or 2% of total worldwide annual turnover (whichever is higher) for essential entities, and at least €7 million or 1.4% of turnover for important entities.
To comply with the new cyber regulations, companies should start by conducting a gap analysis of the applicable regulations’ requirements against their current status, and initiate a thorough risk assessment to identify potential cyber threats and vulnerabilities. This involves prioritizing risks and developing strategies to mitigate them. Creating a comprehensive cybersecurity plan is essential, incorporating safeguards in areas such as identity and access management, threat intelligence, encryption and third-party risk management. Training employees on cybersecurity best practices and incident response is also critical, so that staff are aware of threats and know how to handle them.
Regular audits and penetration tests can help assess the effectiveness of cybersecurity measures and identify areas for improvement. Establishing clear procedures for reporting and responding to cyber incidents is crucial for timely communication with relevant authorities, as required by regulations like DORA and NIS2. Staying informed about the latest regulatory changes and cybersecurity trends will help companies adapt to new requirements and maintain ongoing compliance, ultimately enhancing their overall cybersecurity posture and protecting both operations and customer data.
Our Cyber Framework Radar at Baker Tilly South East Europe helps our clients identify their needs, prioritize their actions and formulate a comprehensive action plan for their cybersecurity strategy.
And let’s not forget the cybersecurity impact of quantum computing, approaching at a fast pace, where today’s public-key algorithms (RSA and elliptic-curve cryptography) will no longer be enough to secure information assets. NIST has already published its first Post-Quantum Cryptography (PQC) standards (FIPS 203, 204 and 205, covering ML-KEM, ML-DSA and SLH-DSA), the NSA in the USA has mandated that national security systems adopt PQC starting by 2030, and the UK’s National Cyber Security Centre (NCSC) also strongly recommends implementing the standards.
Interesting times for cybersecurity, compliance, risk management…Ho-Ho-Ho, have a secure, reliable and resilient 2025!