Between October 2024 and January 2025, three new EU regulations - the Network and Information Security Directive (NIS2), the Directive on the Resilience of Critical Entities (CER), and the Digital Operational Resilience Act (DORA) - will become applicable, once the European Member States have transposed the requirements of these Directives into national law.
All three create a clear impetus towards cyber, operational, and technological resilience of the organisations involved. They reflect a clear shift from a reactive to a proactive mode: from a defensive approach focused on keeping the bad guys out to a pragmatic, forward-looking approach focused on resilience and recovery. They also shift responsibility and accountability for the organisation's cyber security and resilience from the CISO and their team alone to the board and, by extension, the whole organisation.
In view of these developments, what actions can or should you undertake to best prepare for NIS2, CER, and DORA? And what are the specific roles and responsibilities of the business versus the IT and security teams, of the board members versus all collaborators, of the internal teams versus external partners and suppliers…?
We invite you to come and exchange ideas with subject matter experts and with peers who are - just like you - investigating the best possible ways to prepare their organisation, not only to be compliant with these regulations but also to reach the level of resilience that could one day be critical for the survival of your organisation.
- How to perform a gap assessment on DORA, CER and NIS2 well in advance, so you know where you stand
- How to map your gaps against your risk landscape
- How to prioritise the gaps based on their impact on your organisation's critical processes, services and assets
- How to develop a roadmap to address the identified gaps in that order of priority
During this CIONET Round Table, we discuss and exchange ideas with peers on how to prepare our organisations in the best possible way to become resilient and compliant with the newest regulations.
DORA aims to consolidate and improve ICT risk requirements in the financial sector. The regulation includes measures to enable and support digital finance innovation and competition while mitigating the risks associated with it.
NIS2 requires EU member states to take measures to improve the cybersecurity of network and information systems, to establish national incident notification systems, and to cooperate with other EU member states and institutions in the field of cybersecurity. It also requires operators of essential services (such as energy, transport, health, and banking) and digital service providers to implement appropriate and proportional security measures.
The new CER Directive will strengthen the resilience of critical infrastructure against a range of threats, including natural hazards, terrorist attacks, insider threats, and sabotage. It covers eleven sectors: energy, transport, banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure, public administration, space, and food. Member States will need to adopt a national strategy and carry out regular risk assessments to identify the entities that are considered critical or vital for society and the economy.