
NIS2, CRA, DORA... WHAT?

"The GDPR of Cybersecurity"

The activity of bad actors in our digital world is increasing: cybercriminals, hostile nations, and even script kiddies. New EU cybersecurity directives and regulations are (almost) here to address these threats. Organizations need to act, and non-compliance carries hefty sanctions. The question in many cases is: how? Here are the main points about the new regulations. First, we need to define the difference between a directive and a regulation.

  • Directive: Issued by the EU, a directive sets out goals that all member states must achieve. However, it allows individual countries to devise their own laws on how to reach these goals. Directives need to be transposed into national law.

  • Regulation: A regulation is a binding legislative act that applies directly and uniformly across all EU member states. It does not require transposition into national laws and takes immediate effect upon enactment.

Disclaimer: This article was written on November 4, 2024, and this information might change, especially effective dates.

| Name | NIS2 (Network and Information Security Directive 2) | Cyber Resilience Act (CRA) | DORA (Digital Operational Resilience Act) |
|---|---|---|---|
| Scope | Digital services and networks: essential and important entities in critical sectors like energy, transport, health, finance, and digital infrastructure | Products with digital elements: manufacturers, importers, and distributors of hardware and software, including IoT devices | Financial industry: banks, insurance companies, investment firms, crypto-asset service providers, and ICT third-party service providers |
| Directive or Regulation | Directive | Regulation | Regulation |
| Effective Date | By October 17, 2024 (member states must transpose into national law by this date) | Expected in 2024–2025 (currently in proposal stage) | Applies from January 17, 2025 |
| Penalties for Non-Compliance | Fines up to €10 million or 2% of the total worldwide annual turnover, whichever is higher; member states may set higher penalties based on national laws | Three levels of penalties: (1) up to €15 million or 2.5% of global turnover for non-compliance with essential requirements; (2) up to €10 million or 2% of global turnover for other specified infringements; (3) up to €5 million or 1% of global turnover for minor infringements | Administrative fines: up to 1% of the average daily worldwide turnover for financial entities; additional sanctions may apply per national laws. Other penalties: public statements, cease and desist orders, or withdrawal of authorization |
| Access | The full text of the NIS2 Directive is available on the EUR-Lex website. Search for "Directive (EU) 2022/2555" to locate the document. | Since the CRA is a proposal, the text is available on the European Commission's website or the EUR-Lex portal. Search for "COM(2022) 454 final" or "Cyber Resilience Act proposal". | The full text of DORA is available on the EUR-Lex website. Search for "Regulation (EU) 2022/2554" to find the document. |

These directives and regulations can feel like a burden at times, but we need to remember that they are here to protect all of us!

Want to hear more? Follow us on LinkedIn and/or drop me an email.