DORA and NIS2 Explained: A Guide to Their Meanings, Scope, and Core Requirements

StorX Network
Sep 4, 2024

As more organizations adopt digital technology, the volume of cyber crime continues to rise, making robust cybersecurity measures ever more critical.

According to SonicWall, the number of recorded intrusion attempts rose by 20% from 2022 to 7.6 trillion in 2023. Since SonicWall began reporting this figure in 2013, the number of intrusion attempts has risen by 613%.

To address these challenges, the European Union (EU) has passed two major pieces of legislation: the Digital Operational Resilience Act (DORA) and the Network and Information Security Directive 2 (NIS2 Directive).

NIS2 and DORA: A Directive and a Regulation

  • NIS2 is a directive
  • DORA is a regulation

What is a Directive?

A directive sets out a result that every EU member state must achieve, but it does not apply directly in its raw form: each member state must first transpose it into its own national law by a fixed deadline, and the details of the national measures can therefore differ from country to country.

What is a regulation?

A regulation is a piece of legislation that is binding in its entirety and applies directly in all EU member states from its date of application, with no national transposition required.

What is DORA?

DORA is a regulation that aims to bolster the digital operational resilience of financial entities in the EU by setting uniform requirements for ICT risk management, ICT-related incident reporting, digital operational resilience testing, and the management of ICT third-party risk (including outsourcing). By mandating these standards, DORA aims to limit the operational disruption that cyber attacks and other ICT failures can cause to EU financial entities.

DORA entered into force on 16 January 2023 and applies directly in all EU member states from 17 January 2025.

What is NIS2?

The NIS2 directive is the successor to the original Network and Information Security (NIS) directive. Its objective is to raise the overall level of cybersecurity across the EU. With an emphasis on the security of network and information systems, NIS2 extends the cybersecurity rules to new sectors and entities, strengthens supply chain security, streamlines reporting obligations, and imposes stricter security measures and enforcement throughout Europe.

The NIS2 directive entered into force on 16 January 2023. Member states had to transpose it into national law by 17 October 2024, and the national measures apply from 18 October 2024, the date on which the original NIS directive was repealed.

Entities DORA covers

DORA applies to organizations that fall under any of the following 21 categories:

  • Credit institutions;
  • Payment institutions, including payment institutions exempted under Directive (EU) 2015/2366;
  • Account information service providers;
  • Electronic money institutions, including electronic money institutions exempted under Directive 2009/110/EC;
  • Investment firms;
  • Crypto-asset service providers and issuers of asset-referenced tokens;
  • Central securities depositories;
  • Central counterparties;
  • Trading venues;
  • Trade repositories;
  • Managers of alternative investment funds;
  • Management companies;
  • Data reporting service providers;
  • Insurance and reinsurance undertakings;
  • Insurance intermediaries, reinsurance intermediaries, and ancillary insurance intermediaries;
  • Institutions for occupational retirement provision;
  • Credit rating agencies;
  • Administrators of critical benchmarks;
  • Crowdfunding service providers;
  • Securitization repositories;
  • ICT third-party service providers.

Entities NIS2 covers

NIS2 applies to public and private entities in the sectors listed in its annexes, classified as:

  • Essential Entities (EE), drawn mainly from the sectors of high criticality in Annex I of the NIS2 text (for example energy, transport, banking, financial market infrastructure, health, drinking water, digital infrastructure, and public administration)
  • Important Entities (IE), drawn from the other critical sectors in Annex II (for example postal services, waste management, chemicals, food, manufacturing, digital providers, and research), and from Annex I sectors where the entity does not meet the essential-entity criteria

Whether an entity is essential or important generally depends on its sector and its size (medium-sized and large entities are in scope), with essential entities subject to stricter supervision and higher maximum fines.

NIS2 Directive core requirements

Article 21 of the NIS2 directive requires in-scope entities to take appropriate and proportionate technical, operational, and organizational measures, which must include at least:

  • Policies on risk analysis and information system security
  • Incident handling, with reporting of significant incidents to the competent authority (an early warning within 24 hours, an incident notification within 72 hours, and a final report within one month)
  • Business continuity measures, including backup management, disaster recovery, and crisis management
  • Supply chain security, covering the relationships with direct suppliers and service providers
  • Security in the acquisition, development, and maintenance of network and information systems, including vulnerability handling and disclosure
  • Policies and procedures to assess the effectiveness of the measures taken
  • Basic cyber hygiene practices and cybersecurity training
  • Policies on the use of cryptography and, where appropriate, encryption
  • Human resources security, access control policies, and asset management
  • Multi-factor or continuous authentication, secured voice, video, and text communications, and secured emergency communication systems where appropriate

How can you prepare your organization for NIS2 and DORA?

  • Assess your existing infrastructure, processes, and data, and determine whether DORA, NIS2, or both apply to your organization
  • Strengthen and document your risk management and information security processes
  • Put a process in place to monitor and manage risk across your ICT supply chain, including your contracts with third-party providers
  • Back up your company's data regularly
  • Set up a restore and disaster recovery process and test it regularly
  • Cultivate a cyber-conscious culture in your company through training

Why Backup of Your Critical Business Data is Important

Regular backups of your business data are essential to complying with DORA and NIS2, both of which treat backup and recovery as part of business continuity. Backups protect you from data loss, support business continuity, help retain customer trust, and save time and money in the long run.

With the stringent requirements of the NIS2 Directive and DORA Regulation, organizations must deploy reliable and secure tools to safeguard their critical business data.

Alongside conventional compliant tools, organizations can also consider non-traditional options such as the decentralized cloud storage offered by StorX Network. StorX's decentralized architecture is designed to improve data integrity, confidentiality, and availability by distributing encrypted data across multiple nodes worldwide. This reduces the risk of a single point of failure, a concern that both regulations address, so that critical business data remains accessible and protected in the event of a cyber attack or operational disruption.

To get the most from these benefits, back up your data with a solution you trust. StorX is a decentralized cloud storage service that backs up your data by encrypting it, splitting it into fragments, and distributing the fragments across a global network of hosting nodes. It democratizes data storage by removing the centralized intermediary and leaving you in control of your data.


StorX helps you securely encrypt, fragment and then distribute important data across multiple hosting nodes spread worldwide. Visit: https://storx.io/