13/12/2023
I recently received a request to anticipate upcoming technology trends for 2024, set to be featured in our UiQ Edition 5 publication in January of that year.
Whilst a comprehensive analysis may not be necessary, in this blog I will provide a sneak peek. It’s worth remembering that AI and Machine Learning tools, along with Apple Vision Pro, Augmented Reality, and the Metaverse, are still high on everyone’s radar. These sophisticated tools, or shall we say ‘toys’, are poised to integrate into the workplace to some extent. However, I expect that the bulk of our discussions with IT managers, sys admins, CIOs, and CISOs in the coming year will centre around a more captivating topic: compliance.
In 2024/25 we have a number of new Directives and Regulations* coming into force that will affect several of our customers who operate in the applicable industries and geographies. For example, the NIS2 Directive – Network and Information Systems (iteration 2) – replaces NIS (1) in October 2024. The UK currently adheres to NIS, but as we left the EU before NIS2 was drafted, NIS2 won’t actually affect you when NIS1 is replaced in October 2024 unless you operate in the EU. Lots of our customers do, though. NIS2 is pretty easy to navigate – it applies to the below organisations:
(*There’s a difference: a regulation is law, whereas a directive is an instruction from the European Commission to each member state to enforce locally. Interesting fact: GDPR is a regulation – EU law – which to date has racked up over €20bn in fines. NIS, under which non-compliant organisations can be fined up to £17m, has to date netted a grand total of £0 (zero) in fines since its inception in May 2018. You should certainly look closely at both Directives and Regulations, but you are far more likely to be fined for non-compliance with a Regulation than with a Directive.)
NIS2 affects all entities that provide essential or important services to the European economy and society, including companies and suppliers. We highly recommend that you carefully assess the following categories to determine whether NIS2 is applicable to your organisation.
Thankfully, the guidelines for how to be NIS2 compliant are refreshingly clear. Straight from the source (https://nis2directive.eu/nis2-requirements/), here are some highlights:
- Risk Management
To comply with the new Directive, organisations must take measures to minimise cyber risks. These measures include incident management, stronger supply chain security, enhanced network security, better access control and encryption.
- Corporate Accountability
NIS2 requires corporate management to oversee, approve and be trained on the entity’s cybersecurity measures to address cybersecurity risks. Breaches may result in penalties for management, including liability and a potential temporary ban for management roles.
- Reporting Obligations
Essential and important entities must have processes in place for prompt reporting of security incidents with significant impact on their service provision or recipients. NIS2 sets specific notification deadlines such as 24-hour early warning.
- Business Continuity
Organisations must plan for how they intend to ensure business continuity in the case of major cyber incidents. This plan should include considerations about system recovery, emergency service procedures, and setting up a crisis response team.
10 Minimum Measures
In addition to the four overarching areas of requirement, NIS2 mandates that essential and important entities implement baseline security measures to address specific forms of likely cyberthreats. These include:
- Risk assessments and security policies for information.
- Policies and procedures for the use of cryptography and, when relevant, encryption.
- Security around procurement of systems and the development and operations of systems. This means having policies for handling and reporting vulnerabilities.
- Security procedures for employees with access to sensitive or important data, including policies for data access. Affected organisations must also have an overview of all relevant assets and ensure that they are properly utilized and handled.
- The use of multi-factor authentication, continuous authentication solutions, voice, video, and text encryption, and encrypted internal emergency communication when appropriate.
- Policies and procedures for evaluating the effectiveness of security measures.
- A plan for handling security incidents.
- Cybersecurity training and a practice for basic computer hygiene.
- A plan for managing business operations during and after a security incident. This means that backups must be up to date. There must also be a plan for ensuring access to IT systems and their operating functions during and after a security incident.
- Security around supply chains and the relationship between the company and direct suppliers. Companies must choose security measures that fit the vulnerabilities of each direct supplier. And then companies must assess the overall security level for all suppliers.
That is all pretty clear, right? If it applies to you (and NIS, which is already in force, doesn’t) make sure you’re ready before October 2024. Need a hand? Contact us today.
Our Partnerships
For partners like Hitachi, alignment with DORA is crucial, especially where they provide information and communication technology (ICT) services to organisations falling under DORA’s jurisdiction. Hitachi needs to ensure that its services comply with the specific requirements outlined in DORA to support its clients in meeting regulatory standards and avoiding potential fines. Find out more about our service with Hitachi here.
Author: Geoff Clemow
DORATPro Certified Specialist