With the NIS 2 Directive and the Digital Operational Resilience Act (DORA), two pieces of EU legislation aimed at strengthening the cyber security of companies in certain sectors have come into force within a short period of time. But what are the differences between NIS 2 and DORA? We provide the answer by briefly explaining and comparing the respective provisions.
NIS 2: Regulations for critical infrastructures
NIS 2 is an EU directive for cyber security and aims to better protect critical infrastructure companies (CRITIS) from cyber threats. The term “critical infrastructures” refers to organizations that are essential for the smooth functioning of the economy and society. These include, for example, energy and water supply, transportation and medical facilities.
The NIS 2 Directive covers a total of 18 sectors, which are divided into essential and important sectors. This means that NIS 2 goes well beyond the scope of the IT Security Act 2.0, which previously applied to critical infrastructures. Experts estimate that around 40,000 additional companies in Germany will be affected. Self-identification is a particular challenge: A company must independently determine whether it falls under NIS 2. An initial non-binding orientation is provided by the NIS-2 impact assessment of the Federal Office for Information Security (BSI).
Germany is behind schedule with NIS 2
In terms of content, NIS 2 updates the provisions of the NIS Directive introduced in 2016 and defines minimum standards for the cyber security of critical infrastructures, including the development of risk management concepts, the introduction of emergency plans, the immediate reporting of security incidents and the establishment of protection concepts for securing supply chains.
According to the original timetable, the EU member states had until October 18, 2024 to transpose the European NIS 2 provisions into national law. However, Germany will not be able to meet this deadline. Although the German government has drafted a bill (NIS-2 Implementation and Cyber Security Strengthening Act), the legislative process is behind schedule. As things currently stand, NIS 2 is therefore not expected to come into force in Germany before March 2025. However, it should be noted that there are no transitional periods. Therefore, companies should immediately start checking the applicability of the NIS 2 Directive to their own business and – if necessary – implement the requirements in accordance with the new law.
DORA: Uniform framework for IT security in the financial sector
With DORA, the European Union (EU) is closing existing regulatory gaps for the European financial sector. The aim is to enable financial companies to withstand a cyber attack and continue operations even in the event of such an attack. Information and communication technology (ICT) plays a crucial role in the availability and integrity of financial services. DORA therefore brings together existing requirements for financial companies under one roof and consolidates applicable provisions from different sets of regulations.
The DORA regulation governs the handling of ICT-related incidents and is intended to improve the operational stability of digital systems in the financial sector. This includes, for example, the definition of requirements for business continuity management, threat-led penetration testing and third-party risk management. DORA will enter into force on January 17, 2025 and will be binding for all EU member states.
Different legal forms: Directive (NIS 2) vs. regulation (DORA)
An EU directive such as NIS 2 does not take effect for companies immediately after it has been adopted; instead, it sets out requirements that the EU member states must transpose into national law, usually within a period of two years. An EU regulation such as DORA, in contrast, applies in all member states from a specified date. This means that the provisions of DORA are binding as soon as they come into force and must be applied in their entirety.
But what happens if a company from the financial sector falls within the scope of both NIS 2 and DORA? In this case, DORA takes precedence, as it is a so-called “lex specialis” (special law) for the financial sector, while NIS 2 is considered a general law.
Conclusion: Better protection against cyber attacks as a common goal
In view of the enormous threat posed to companies by the constantly growing number of cyber attacks in times of advancing digitalization, the EU has significantly tightened the legal provisions in this area. Both NIS 2 and DORA aim to improve the level of security for certain sectors from a European perspective. NIS 2 focuses on critical infrastructures, extends the scope of application to many companies that were not previously affected and is intended to enable CRITIS companies to protect themselves more effectively than before against cyber attacks and ensure permanent availability.
DORA, on the other hand, focuses exclusively on the financial sector and creates a financial sector-wide regulation for cyber security, ICT risks and digital operational resilience. With its entry into force on January 17, 2025, DORA will make a significant contribution to sustainably strengthening the European financial market against cyber risks and ICT security incidents – provided that the companies concerned implement the required measures in good time.