The DORA regulation and the NIS2 directive approved by the EU raise cybersecurity requirements and increase the penalties for companies and management boards that fail to comply with the regulations
Cybersecurity is not a fad. On the contrary, it is an inescapable reality. Ransomware, phishing, smishing… The techniques used by criminals are becoming increasingly sophisticated, and attacks are the order of the day. Nowadays, it is already strange not to receive, from time to time, an SMS or an email pretending to come from companies we trust the most, from our bank to a parcel delivery company to our electricity or Internet provider. In light of this threat-ridden scenario, the European Union has just approved two regulatory packages that make it clear to medium and large companies and their managers that ignoring cybersecurity will be very costly.
Following the approval of the DORA regulation, which focuses on financial institutions, and the NIS2 directive, which affects companies in the EU’s strategic sectors, companies will have to redouble their efforts in designing, implementing and evaluating their security strategies and contracting cybersecurity services to avoid incidents that could jeopardize their business model and the protection of their customers.
Ignoring cybersecurity will be costly not only because of the economic and reputational consequences associated with successful cyberattacks, but also because of the penalties and fines that the competent authorities may impose on companies and their managers who fail to comply with the requirements of the DORA regulation and the NIS2 directive.
In this article, we will address the coercive measures to which tens of thousands of companies throughout the European Union and the professionals who make up their management boards may be exposed. From now on, ignoring cybersecurity will be very costly, substantially affecting a company’s results and its managers’ careers.
1. DORA: Management boards of financial institutions are responsible for cybersecurity
The DORA regulation on the digital operational resilience of the financial sector, approved by the European Parliament and Council, aims to ensure that banks and other financial institutions have the tools and protocols to withstand cyber-attacks.
If there is one group of players that is particularly interesting to criminals, it is undoubtedly financial institutions, because they hold the economic resources of companies and citizens and have the most sensitive data at their disposal: financial data.
For this reason, initiatives have been launched within the EU to secure the systems and assets of financial institutions, such as the ECB’s TIBER-EU program or the DORA regulation.
1.1. Who is affected by DORA?
The provisions of the DORA regulation are mandatory for almost the entire financial sector. Unlike NIS2, which will be discussed later, this regulation applies not only to large and medium-sized companies but also to small and micro-enterprises. However, the scope of the measures and rules is not the same. Hence, for example, the digital operational resilience tests to be performed by companies will be more demanding for large entities and less ambitious for smaller organizations.
The regulation stipulates the different classes of organizations that must comply with its provisions:
- Credit institutions, payment institutions, electronic money institutions and central counterparties.
- Investment services firms.
- Providers of account information, crypto assets and data provision services.
- Central securities depositories and central counterparties.
- Trading venues.
- Trade repositories.
- Alternative investment fund managers.
- Management companies.
- Insurance and reinsurance companies, as well as intermediaries in these areas.
- Occupational pension funds.
- Credit rating agencies.
- Managers of critical benchmark indexes.
- Providers of participative financing services.
- Securitization registries.
Beyond the financial sector, the DORA regulation also focuses on a key player in cybersecurity: third-party ICT service providers.
1.2. The three keys to DORA
Concerning the obligations that DORA imposes on financial sector entities, we can highlight three major items:
- ICT risk management framework. Entities must have a solid framework that allows them to cover the key areas of threat management: identification of vulnerabilities, protection and prevention against cyber-attacks, detection of incidents and their remediation, with the emphasis on business continuity and recovery to normality in the shortest possible time.
- Notification of serious incidents. The new regulation obliges financial institutions to report serious security incidents. This measure aims to increase the flow of information on cyber-attacks and increase the prevention and response capacity of the European financial system as a whole.
- Obligation to conduct digital operational resilience tests. These tests, which must form part of the ICT risk management framework, are intended to detect vulnerabilities, prioritize their remediation and reliably verify each financial institution’s security mechanisms, controls and plans.
1.3. The obligations of the management body in the management of ICT risks
The DORA regulation stipulates that the management boards of financial institutions shall define, approve and supervise all provisions related to the ICT risk management framework. It also makes them responsible for such management. The boards of directors of companies in the financial sector are thus given a central role in security strategy.
1.3.1. From the resilience strategy to the creation of a position to channel cybersecurity information
Among the functions that the DORA regulation assigns to the governing body of financial institutions, we can highlight the following:
- Adoption of policies and governance mechanisms. They will have to adopt policies to maintain high data availability, authenticity, integrity and confidentiality. They will also have to establish governance mechanisms to facilitate communication and coordination among all those involved in security management.
- Establishment of the digital operational resilience strategy. They must approve this strategy, guaranteeing an adequate tolerance to ICT risks. In addition, they must allocate a budget for it, including items for the training of all personnel.
- Approval, supervision and review of business continuity, response and recovery plans, as well as internal ICT audit plans and ICT audits of the entity.
- Approval and review of the policy on agreements related to the use of services provided by third-party ICT service providers, as well as the establishment of communication channels to be informed about such agreements, their modifications and the consequences thereof. In addition, there must be an optimal communication channel regarding security incidents and response, recovery and remediation measures.
- Creation of a position to monitor agreements with third-party suppliers, or designation of a member of senior management responsible for ICT who will report to the management body on digital operational resilience testing, actual cyber-attacks and issues identified when activating business continuity, response and recovery plans. This role will also make recommendations to optimize the company’s resilience capability.
- Continuous training of all members of the management body in cybersecurity matters.
1.4. Administrative sanctions and corrective measures
To ensure compliance with the regulatory obligations and measures imposed on financial institutions, the DORA regulation stipulates that states must adopt rules providing for administrative sanctions and corrective measures. These sanctions must be effective, proportionate and dissuasive. Among the actions that can be taken, the following can be highlighted:
- Issue requirements addressed to the natural or legal persons infringing the regulation, so that they put an end to their conduct and do not repeat it in the future.
- Demand the cessation of any practice contrary to the regulations.
- Adopt any measure, including fines, to ensure financial institutions comply with their obligations.
- Following national law, require data traffic records from telecommunications operators if there are reasonable suspicions of violations.
- Publish notices, including public statements, listing the natural or legal persons infringing the regulations.
- Concerning legal persons, states must empower the competent authorities to apply administrative sanctions and corrective measures against the members of the management body and other persons responsible for the infringement committed by the financial institution.
In addition, DORA stipulates that states may decide to establish criminal sanctions for breaches of the regulation.
This set of measures has a clear objective: to raise awareness among the boards of directors and management boards of financial institutions that ignoring cybersecurity will be very costly.
2. NIS2: Millions of dollars in penalties to ensure the management of cybersecurity risks
Practically in parallel with the adoption of the DORA regulation, the NIS2 directive was adopted. This standard represents a much more ambitious update of the original directive, which was a pioneer in cybersecurity in the most important sectors of the European Union.
NIS2, being, as we have already pointed out, a directive, does not come into force automatically, as is the case with the DORA regulation. Instead, EU member states will have 21 months from its publication to transpose it into their legal systems.
This timeframe is vital for the many companies that must comply with the directive’s provisions to undertake the necessary transformations in cybersecurity.
On the other hand, the fact that NIS2 is not directly applicable does not mean that it is not binding. If states fail to comply with their duty to transpose its provisions, the European judiciary can take action through judgments upholding the mandatory nature of the measures required.
2.1. Who is affected by NIS2?
The requirements included in NIS2 are not addressed to the European business community and public administrations as a whole. Rather, the directive sets out the 16 critical sectors to be secured.
Moreover, not all companies operating in any of these sectors, ranging from energy to waste management, will be affected by NIS2. This is because the directive is aimed at large and medium-sized companies in the EU.
According to the definition approved by the European Commission, large companies are those with an annual turnover of more than 50 million euros or 250 or more employees.
To give us an idea of the impact of NIS2, in Spain alone, around 4,000 companies have a turnover of more than 50 million euros, according to the INE.
On the other hand, medium-sized companies have 50 or more professionals and/or a turnover of more than 10 million euros. The number of organizations that fit these characteristics in our country amounts to tens of thousands of companies. Therefore, if we open the focus to the entire European Union, hundreds of thousands of companies will have to adjust their cybersecurity strategies to the requirements of the NIS2 directive.
Furthermore, the new standard divides the organizations to which it is addressed into two groups with different obligations and administrative penalties: essential and important entities.
2.1.1. Essential entities according to NIS2
The NIS2 directive defines as essential entities large companies that carry out their activities in one of the following ten strategic sectors:
- Energy
- Transportation
- Banking
- Financial market infrastructures
- Health
- Drinking water
- Wastewater
- Digital infrastructure, paying special attention to the management of ICT services.
- Public administrations, excluding the Judiciary, Parliaments and Central Banks.
- Space
To these organizations, the directive adds other entities that are also considered essential:
- Providers of qualified trust services, top-level domain name registration and DNS service providers, regardless of their size.
- Providers of public electronic communications networks or publicly available electronic communications services whose size is within the upper limit for medium-sized companies, i.e., 250 employees, and whose turnover exceeds 50 million euros.
- Other entities in critical sectors, established by EU Member States, based on national risk assessments.
2.1.2. Important entities according to NIS2
The category of important entity includes medium-sized companies in the sectors mentioned above and medium-sized and large companies in the other six critical sectors listed in the NIS2 directive:
- Postal and courier services
- Waste management
- Chemical manufacturing, production and distribution
- Food production, processing and distribution
- Manufacture of sanitary, computer, electronic and optical products, electrical material, machinery and equipment, motor vehicles and other means of transportation.
- Digital suppliers
2.2. What is the role of management boards?
The NIS2 directive stipulates that states are responsible for ensuring that the management boards of critical entities comply with their obligations in two main areas: the management of the security risks faced by the company and the training of the members of these boards.
2.2.1. Cybersecurity risk management
The management boards must approve and supervise the implementation of the measures necessary to carry out effective risk and threat management. NIS2 states that such measures shall include, as a minimum:
- Risk analysis and information systems security policies.
- Incident management: incident prevention, detection, response and recovery plans.
- Business continuity and crisis management.
- Supply chain security, including security aspects related to relationships with suppliers, such as those who provide data processing services.
- Security in acquiring, developing and maintaining networks and information systems.
- Evaluation of the effectiveness of cybersecurity risk management measures.
- Policy on the use of cryptography and encryption.
- Human resources security, access control policies and asset management.
Likewise, persons who are part of the management boards shall be held responsible for the companies’ non-compliance with these measures.
2.2.2. Cybersecurity training
Members of management boards must be continuously trained in cybersecurity. In addition, they should encourage companies to offer similar training to all the professionals who make up their workforces.
NIS2’s commitment to training aims to ensure that all company employees:
- Acquire knowledge and skills to assess security risks.
- Follow the best practices in the sector.
- Become aware of the impact of cybersecurity on the services provided by the company they work for.
2.3. Report significant incidents
In addition to implementing effective security risk management, which must be evaluated periodically, companies for which NIS2 is mandatory must inform the CSIRT of any significant security incidents they experience.
Thus, they will have 24 hours from the detection of the incident to submit an initial report on the incident to the competent authority.
In the second phase, they must submit a final report on the incident before the end of one month. This report should include more information about the incident, thus contributing to the generation of knowledge about the threats to the EU’s critical sectors.
2.4. Measures to ensure compliance with the standard: From warning to CEO debarment
The NIS2 directive includes a package of actions available to the competent authorities in each state to ensure compliance by organizations. These actions must be effective, proportionate, and dissuasive and consider each organization’s circumstances.
Concerning essential entities, the authorities may:
- Issue warnings for non-compliance with obligations.
- Issue binding instructions with measures to be implemented to prevent or remedy a security incident, including deadlines for implementation and the duty to report on their implementation.
- Order entities to remedy the deficiencies detected, cease their non-compliance with the obligations stipulated in the NIS2 directive or bring their cybersecurity risk management measures in line with the provisions of the regulations.
- Order the implementation of the recommendations made following a security audit, within a reasonable timeframe established for that purpose.
If these actions do not take effect, states should ensure that the competent authorities have the power to:
- Temporarily suspend, or request the relevant judicial or certification body to temporarily suspend, a certification or authorization relating to all or some of the services and activities provided by the company.
- Request that the relevant courts or bodies temporarily disqualify the professional exercising the functions of CEO or acting as legal representative of the non-compliant entity. Such temporary disqualification means they may not perform managerial duties in the company until it complies with the regulations.
Concerning important entities, the authorities may take the measures listed above, from warnings to orders. However, they may not request the suspension of the activities of the companies or of the functions of the CEO or the legal representative.
2.5. Administrative fines in the millions of dollars
In addition to the measures outlined in the previous section, states must ensure the possibility of imposing administrative fines on non-compliant companies regarding cybersecurity risk management and incident reporting.
In the case of essential entities, these financial penalties can amount to €10 million or 2% of the sanctioned company’s global turnover, depending on which figure is higher.
To give you an idea, a company with an annual turnover of 50 million euros can be fined 1 million euros for not having a plan for recovering from security incidents. If we are talking about a large company with a turnover of 10 billion euros, the fine could amount to 200 million.
For important entities, violations of the NIS2 directive should be punishable by a maximum fine of at least 7 million euros or 1.4% of their worldwide turnover.
Because of all that we have explained in this article, it is clear that the business community and public administrations must assume that ignoring cybersecurity will be very costly from now on.
This is not only because of the economic and reputational repercussions of a serious security incident, but also because of the EU’s regulatory effort and the implementation of coercive measures and million-dollar fines, not only against the offending companies but also against their boards of directors and executives.