Personal responsibility for complying with DORA and NIS2
The entry into force of DORA (Digital Operational Resilience Act) and NIS 2 (the second Directive on Security of Network and Information Systems) poses new challenges for the financial sector and for other key sectors of the economy. Many organizations are asking who is responsible for complying with these regulations and what the consequences of non-compliance are. This article addresses those questions.
DORA (Digital Operational Resilience Act) is an EU regulation aimed at strengthening the operational resilience of the financial sector in light of its dependence on information and communication technologies (ICT). It aims to raise the cyber security and operational resilience of all entities operating in the EU financial sector. In practice this means that not only banks and other financial institutions have to comply with the new rules, but also the providers of ICT services critical to their business, such as cloud service providers and software vendors, whose obligations flow down through the contractual and oversight requirements DORA imposes.
Responsibility for DORA compliance rests with the management bodies (boards) of these organizations. In practice, this means that boards must take the decisions on security policies, provide adequate resources to implement them, and oversee compliance. DORA was adopted on December 14, 2022. It entered into force on January 16, 2023, and applies from January 17, 2025.
NIS2 (Directive (EU) 2022/2555 of the European Parliament and of the Council) was also adopted on December 14, 2022, and Member States had until October 17, 2024 to transpose it into national law. Like DORA, NIS2 aims to increase the digital resilience of key economic sectors, but it covers a far broader range of sectors, not just finance. Under NIS 2, responsibility likewise falls on the organization's board of directors, which must approve security policies, monitor compliance, and take steps to manage risks.
Consequences of violating NIS2 regulations
Violations of the NIS 2 directive carry different consequences depending on the type of entity. The toughest sanctions are reserved for essential entities, those that play a vital role in the digital security system. Supervisory authorities can perform on-site and remote inspections and supervision, conduct audits, and request information on risk management measures and cyber security policies. If violations are found, authorities can issue warnings, impose binding instructions, or impose administrative fines. For essential entities, the maximum administrative fine is €10,000,000 or 2% of the company's total annual worldwide turnover, whichever is higher. In special circumstances, authorities may also temporarily suspend a certification or authorization, or temporarily ban the individuals responsible from exercising management functions. Natural persons who manage or represent a company can also be held liable for failure to comply with the directive; this applies to both essential and important entities. For important entities, the maximum fine is slightly lower, at €7,000,000 or 1.4% of total annual worldwide turnover, whichever is higher.
Consequences of not complying with DORA regulations
Failure to comply with DORA can have serious consequences for a company, including administrative sanctions imposed by national competent authorities. Under Art. 50 para. 4 of the DORA regulation, the available measures include ordering a person to cease conduct that breaches the regulation, requiring the temporary or permanent cessation of a practice, adopting any measure (including measures of a pecuniary nature) needed to ensure that financial entities continue to comply with legal requirements, requiring, where national law permits, existing data traffic records held by a telecommunications operator where a breach is reasonably suspected, and issuing public notices naming the violator and the nature of the breach. These sanctions can significantly affect a company's operations, up to the permanent cessation of the practice concerned. The penalties are required to be effective, proportionate and dissuasive, and their application depends on the severity of the breach and on whether it was intentional or negligent. Finally, when an organization breaches DORA, liability may fall not only on the organization as a whole, but also on the members of its management body and on other individuals who are responsible for the breach under national law.
In summary, compliance with DORA and NIS 2 is the responsibility of the organization’s boards. They are the ones who must approve security policies, monitor compliance and manage risks. No matter how large your organization is, this is a task that cannot be neglected, given the potential consequences of a breach. Therefore, boards should play a key role in ensuring that their organizations are ready for the new regulations.
In both cases, liability is personal, meaning that individual board members may face consequences for failing to meet their obligations under these regulations. This should prompt boards to take proactive steps to understand, implement and comply with the new regulations.
The responsibility for complying with DORA and NIS2 is therefore great, but knowledge and proper preparation can help meet these requirements and minimize risks.
Ebook DORA and NIS2
We will soon publish a comprehensive ebook on the DORA and NIS 2 regulations on Secfense's website. The ebook will cover questions such as:
- Which organizations are covered by DORA and NIS2?
- Who is responsible for implementing DORA and NIS2 in organizations?
- What are the consequences of not complying with DORA and NIS2? Who bears them?
- What is the “size-cap rule” in NIS2? How to find out if an organization is subject to it?
At Secfense, we focus on making it easy and efficient for our customers to move away from passwords and replace them with strong, phishing-resistant, passwordless authentication based on FIDO. We therefore could not leave the key questions about strong authentication unanswered, so the ebook will also address questions such as:
- Do DORA and NIS2 require strong authentication in an organization’s applications?
- Are all applications covered by DORA and NIS2 regulations?
- Does DORA limit strong authentication to only methods that use asymmetric cryptography?
- Is every IT provider an “ICT third-party provider” according to DORA, and do they have to use strong authentication?