Understanding the differences between DORA and NIS2

Are you prepared for the new cyber storm on the horizon? Major regulatory changes are coming that will impact many European organizations. With the rise of cyber threats in recent years, European governments have introduced new regulations to strengthen the cybersecurity requirements for organizations across industries.

Two major upcoming directives—DORA and NIS2 from the European Union—aim to bolster cyber resilience for essential services. Strengthening defenses is crucial, yet sorting through shifting security rules and standards can feel overwhelming.

While both address improving cyber defenses, these regulations differ in scope and requirements. This guide is here to help you navigate the changes with clarity. We'll explore the key details of each directive, compare their differences, and discuss how to prepare your organization for compliance.

What is DORA?

The Digital Operational Resilience Act (DORA) is an EU regulation aimed at ensuring the financial sector within the EU can withstand, respond to, and recover from all types of ICT-related disruptions and threats. It focuses specifically on financial entities like banks, investment firms, and others that provide critical financial services.

The primary goal of DORA regulation is to enhance operational resilience and manage risks associated with third-party service providers. Set to take effect in January 2025, DORA will significantly impact financial sector organizations operating within the European Union.

What is NIS2?

The Revised Network and Information Systems (NIS2) Directive is an updated EU cybersecurity law that expands the scope of its 2013 predecessor. NIS2 broadens the categories of "important" and “essential” entities subject to the regulation beyond just operators of critical infrastructure like energy, transport, banking, financial market infrastructures, and health.

The directive also imposes new requirements for supply chain security, risk assessments, incident reporting, and third-party risk management. The NIS2 Directive will be enforced starting in October 2024 and apply to any essential service provider operating within the EU.

Why are NIS2 and DORA important?

Attacks can disrupt essential functions and compromise privacy as more services and personal data move online. To mitigate cyber risks, both NIS2 and DORA aim to increase operational resilience and security practices across crucial sectors.

Therefore, the two directives are crucial for businesses due to several compelling reasons:

• Enhanced cybersecurity. DORA focuses onthe financial sector, emphasizing operational resilience and risk management, ensuring financial entities can withstand and quickly recover from cyber incidents. NIS2 applies to a broader range of essential service providers, significantly bolstering their cybersecurity measures.
• Regulatory compliance. Both directives set strict regulatory requirements. Non-compliance can lead to hefty fines, sanctions, and damage to a company’s reputation. Ensuring compliance helps businesses avoid these financial and legal risks, maintaining a positive standing with regulators and customers.
• Customer trust & confidence. Compliance with NIS2 and DORA demonstrates a business’s commitment to protecting personal and financial data, fostering trust and confidence among customers. This trust can translate into customer loyalty and a competitive edge in the market.
• Operational resilience. Both directives aim to enhance the resilience of critical infrastructure. DORA ensures that the financial sector can continue operating smoothly during cyberattacks, whereas NIS2 focuses on ensuring the continuity of services provided by essential entities across various sectors.
• Supply chain security. NIS2 requires businesses to assess and manage risks associated with their third-party vendors, mitigating potential vulnerabilities. DORA also includes provisions for third-party risk mitigation, ensuring robust measures are in place to manage risks from external service providers.
• Incident reporting & response. Both NIS2 and DORA mandate comprehensive incident reporting and response mechanisms, ensuring businesses can promptly detect, respond to, and recover from cyber incidents. Regular breach reporting and analysis help improve overall cybersecurity strategies.
• Harmonized standards. These directives aim to harmonize cybersecurity standards across the EU, creating a more consistent and secure digital environment. This simplifies compliance efforts and ensures businesses operate at the highest security standards across all regions.
• Future-proofing. As cyber threats evolve, regulatory requirements are likely to become more stringent. By complying with DORA and NIS2, businesses position themselves ahead of the curve, proactively adopting best practices to adapt to future regulatory changes.

Key differences between NIS2 and DORA

Even though NIS2 and DORA directives may seem similar, there are some key differences organizations should be aware of. While both frameworks aim to bolster security, their scopes, sectors, compliance dates, and requirements vary.

• Scope: DORA applies to financial sector entities within the EU, while NIS2 Directive covers all essential service providers across the EU
• Sectors: DORA targets the financial sector, whereas NIS2 expands to industries like health, energy, and more
• Compliance date: DORA is set to take effect in January 2025, while NIS2 Directive goes into effect in October 2024
• Requirements: DORA regulation emphasizes operational resilience, whereas NIS2 includes comprehensive supply chain reviews and stringent reporting obligations
• Non-compliance penalties: Entities found non-compliant with DORA may face fines up to 2% of annual global turnover or €1 million for individuals, whereas NIS2 establishes larger fines of up to €10 million or 2% of turnover—whichever is higher—for non-compliance

By recognizing these distinctions, businesses can better navigate their compliance strategies, ensuring they meet the necessary standards and improve their cybersecurity defenses.

Preparing for increased compliance

To effectively prepare for NIS2 and DORA compliance, businesses should take the following steps:

Conduct risk assessments

Perform thorough vulnerability assessments to identify potential vulnerabilities and threats. Evaluate the impact of identified risks on your organization and prioritize mitigation strategies.

Review third-party relationships

Assess the security posture of all third-party vendors and partners and ensure that third-party risk mitigation practices, including regular audits and reviews, are in place.

Develop and document incident response plans

Create detailed incident response plans outlining steps to take during a cybersecurity event; ensure these plans are well-documented and accessible to all relevant personnel.

Implement reporting procedures

Establish clear procedures for reporting security incidents to regulators and stakeholders. Ensure these procedures comply with the requirements of NIS2 and DORA.

Train staff regularly

Conduct regular training sessions on cyber hygiene, focusing on password management and recognizing phishing attempts—provide specialized training on spear phishing and other targeted attack methods.

Document compliance efforts

Maintain thorough documentation of all compliance-related activities and efforts. This documentation demonstrates diligence and can be beneficial during regulatory reviews.

Outsource to experts

Consider outsourcing functions like cloud infrastructure management, security monitoring, or compliance auditing to specialized service providers. Leveraging expert services can reduce the burden on in-house teams and ensure higher compliance standards.

Audit & update regularly

Schedule regular internal audits to review compliance status and identify areas for improvement. Stay updated on changes in regulatory requirements and adjust your strategies accordingly.

Engage with regulatory bodies

Maintain open communication with relevant regulatory bodies to stay informed about compliance expectations. Seek guidance and clarification on any aspects of DORA and NIS2 that may be unclear.

How NordLayer can help achieve compliance

As a network security provider, NordLayer offers tools and services tailored to help organizations achieve compliance with both directives:

1. Secure access management: Utilize our business VPN for encrypted connections with masked identities, and implement Always-On VPN and Multi-Factor Authentication (MFA) to ensure safe and controlled access to your network. Secure access technologies ensure compliance with DORA’s emphasis on thorough access control practices, in addition to fulfilling many of the access governance standards outlined in NIS2.
2. Network segmentation: Enforce stringent security policies using a robust Cloud Firewall and advanced access control features like Network Access Control (NAC).
3. Continuous visibility & monitoring: A network visibility solution ensures comprehensive monitoring of network activity and devices. It fuses activity information, Server Usage Analytics, and Device Posture Monitoring to track traffic and performance in real-time. Ensure secure network access through features such as DNS filtering and Device Posture Security checks that verify endpoint security posture before network entry. Such visibility is crucial for meeting regulatory requirements, facilitating audits, and demonstrating practical usage of security controls.
4. Protection of sensitive information: Comply with data sovereignty requirements through comprehensive NAC solutions like VPN gateways, dedicated servers, Cloud Firewall, and Device Posture Security, as well as advanced user authentication methods, such as MFA, biometrics, SSO, and user provisioning—addressing DORA’s and NIS2’s mandates for data protection.
5. Manage vendor risks: Our solutions isolate third-party access to only needed resources. Additionally, NordLayer can be trusted to comply with customers’ vendor security requirements and international standards.

With NordLayer, businesses can simplify infrastructure security management and meet the stringent requirements of both the NIS2 and DORA directives. Contact us to discuss how we can assist with your compliance journey.