Stay resilient: EU reaches agreements to improve the cybersecurity of businesses operating in critical sectors of the economy

A consequence of the cyber gathering in Paris? Maybe, maybe not, but last week saw two cyber files progress rapidly at EU level. On 10 May 2022, the Council of the EU and the European Parliament reached a provisional agreement on the proposed Digital Operational Resilience Act (DORA). DORA's goal is to promote cyber resilience in the financial sector. A few days later, on 13 May, the co-legislators also reached a provisional agreement on the revision of what was the first cybersecurity law in the European Union: the NIS Directive 2016/1148 on the security of network and information systems (NIS 1, and its revision, NIS 2). Now that the texts are nearing completion, it is time to prepare for their implementation, and to consider how they will interact with the revised UK cybersecurity framework (coming soon).

Interaction between DORA and EU and UK cybersecurity legislation

At the moment, both DORA and NIS 2 have yet to be formally adopted and then implemented in national law. This is not expected until 2024 at the earliest. But once completed, entities caught by both EU and UK law will have to navigate between the different frameworks; what the rules will be in the UK is still subject to speculation, as the UK has only recently begun to renew its cybersecurity framework.

NIS 2 is intended to improve the harmonisation of baseline cybersecurity risk management requirements. NIS 2 will apply to all organisations in the sectors within its scope; however, the actual requirements may vary by organisation and industry. NIS 2 will replace the categories of operators of essential services (OES) and digital service providers (DSP) with the categories "essential entities" (EE) and "important entities" (IE). Credit institutions and financial market infrastructures will fall within the scope of both NIS 2 and DORA. The possible overlap between the two acts will be addressed by a lex specialis exemption: in most circumstances, DORA will prevail over NIS 2 in relation to financial entities. It is expected that most ICT service providers currently classified as DSPs will continue to be subject to NIS 2. All ICT service providers contracted by financial entities will also need to adapt their contractual arrangements to meet the legal obligations imposed by DORA.

The UK has also begun the process of updating its own Network and Information Systems Regulations 2018 (UK NIS), which implemented NIS 1. This will mark a departure from the EU's direction of travel on cyber resilience. The financial sector would remain outside the scope of the UK NIS, but would continue to be partially covered by the requirements of the UK financial regulators. ICT service providers will be subject to the UK NIS if they fall within its scope. Those contracting with EU financial entities will probably have to arrange their contractual arrangements in accordance with NIS 2 or DORA (or both).

The attached table outlines some of the key differences between the three proposed pieces of legislation that companies should be aware of.

How should companies avoid the headaches of cybersecurity in the future?

Some of the above requirements will already be fairly familiar to certain entities (under existing contractual requirements or otherwise). However, the expansion of the sectors that will have to comply with NIS 2, as well as the wider range of actors within those sectors, means that a much larger number of entities will be caught by these laws. This comes on top of DORA's new set of cyber resilience standards for the financial sector. These new laws will entail new responsibilities and therefore the need to implement a robust cyber resilience strategy. This new approach raises the bar above the US NIST Cybersecurity Framework, which is recommended practice and less stringent than the proposals for DORA and NIS 2. Cross-border entities will also have to comply with the forthcoming requirements of the US Strengthening American Cybersecurity Act of 2022, which, like the UK, appears to deviate from EU standards on this issue, pointing to a fragmented framework ahead.

As for the next steps, entities should map and understand the laws that apply to them, audit their current status and identify gaps, develop a new strategy and establish an action list, and finally test and train in advance. The time to act is now.
