11/12/2023
I was recently asked to make some predictions about technology trends for 2024, which will be released in our UiQ Edition 5 publication in January 2024, but here is a sneak peek. It doesn’t take analysing a large language dataset to know that at the top of everyone’s list is Artificial Intelligence and Machine Learning – Apple Vision Pro, Augmented Reality, the Metaverse – all very exciting. These toys – I mean ‘tools’ – these tools will find their way into the workplace in some capacity I’m sure, but I suspect that the majority of our conversations with IT managers, sys admins, CIOs and CISOs this year will be about something far more exciting: compliance.
In 2024/25 we have a raft of new Directives and Regulations* coming into force that will affect several of our customers who operate in the applicable industries and geographies. For example, the Digital Operational Resilience Act, or ‘DORA’, comes into force on January 17th 2025. DORA is a new Regulation that applies to organisations operating in the Finance, Insurance, Credit and Payment industries who operate in the EU. Additionally, any ICT providers who provide critical services to applicable organisations will need to be DORA compliant too.
(*There’s a difference: a Regulation is law, a Directive is a guideline from the European Commission to each member state to enforce locally. Interesting fact: GDPR is a Regulation – EU law – which to date has racked up over €20bn in fines. NIS, under which non-compliant organisations can be fined up to £17m, has to date netted a grand total of £0 (zero) in fines since its inception in May 2018. You should certainly look closely at both Directives and Regulations, but you are far more likely to be fined for non-compliance with a Regulation than with a Directive.)
For example: you’re a bank with branches in Spain. DORA will apply to you.
Or you’re a private cloud provider operating solely in the UK, but you host a payment system for a bank with branches in Spain. Whilst it is the bank – your customer – who is responsible for their data on your systems, you as the provider will need to show that you are DORA compliant. If you are not, then the bank is not: they could be fined, and/or would likely not wish to continue trading with a non-compliant organisation.
Unlike NIS (a Directive), DORA is a Regulation like GDPR, and fines for non-compliance will likely be levied even if no breach occurs. If you can’t prove that your backups will work in the event of a ransomware attack, then there’s a good chance you could receive a fine, even if nothing has happened! Unlike GDPR, the amount hasn’t been specified; rather, it is ‘proportional’. This means that the larger the organisation or customer base that could potentially be affected by a breach, the higher the fine. Similarly, the level of negligence – whether, say, not testing backups was intentional or a genuine error – would come into play too. Compliance is complex.
Unlike the new NIS2 Directive, which comes into effect in October 2024, DORA is somewhat less specific about what is required to be compliant. We have some information on our website that is a good starting point though – we hope it’s useful.
Our Partnerships
For partners like Hitachi, alignment with DORA is crucial, especially as they provide information and communication technology (ICT) services to organisations falling under DORA’s jurisdiction. Hitachi needs to ensure that its services comply with the specific requirements outlined in DORA to support its clients in meeting regulatory standards and avoiding potential fines. Find out more about our service with Hitachi here.
Author: Geoff Clemow
DORATPro Certified Specialist