The relationship between NIS 2 Directive & DORA

In the ever-evolving landscape of cybersecurity, the European Union has been working to establish comprehensive frameworks that address the growing threats to digital infrastructure.

The NIS 2 Directive, formally known as Directive (EU) 2022/2555, has played a crucial role in this regard. Likewise, the Digital Operational Resilience Act (DORA) is a very important game changer for financial institutions in the EU. To provide further clarity and direction, the European Commission has recently issued guidelines on the application of Article 4(1) and (2) of the NIS 2 Directive.

The Significance of Article 4(1) and (2) 

Article 4(1) and (2) of the NIS 2 Directive lay the foundation for the directive's operational framework. These provisions govern the relationship between the NIS 2 Directive and other existing or prospective EU legislation, such as DORA, that addresses the management of cybersecurity risks and incident reporting requirements. In essence, these articles provide a roadmap that ensures a harmonised and effective approach to cybersecurity.

Understanding the Guidelines: equivalence of Cybersecurity requirements 

The guidelines outline a clear methodology for evaluating whether the provisions in sector-specific Union legal acts are at least as effective as those stipulated in the NIS 2 Directive concerning cybersecurity risk management measures (Article 21) and the reporting of significant incidents (Article 23).

Implications of Equivalence 

These guidelines make it explicit that when sector-specific Union legal acts are deemed equivalent in effect, certain elements of the NIS 2 Directive, including those related to supervision and enforcement, will not apply. Nevertheless, other components of the Directive, such as those pertaining to national cybersecurity strategies, CSIRTs, cyber crisis management frameworks, and EU-CyCLONe, will remain in force.

Appendix on Sector-Specific Union Legal Acts 

The guidelines feature an appendix that provides an inventory of the sector-specific Union legal acts that fall within the purview of Article 4 of the NIS 2 Directive. An illustrative example offered is Regulation (EU) 2022/2554, known as the Digital Operational Resilience Act (DORA), specifically tailored for the financial sector.

Why These Guidelines Matter 

The Commission Guidelines on the application of Article 4(1) and (2) reinforce the European Union's dedication to fostering a robust, consistent, and collaborative approach to cybersecurity in an era where digital resilience is of critical importance. In the case of financial entities, the provisions of the Digital Operational Resilience Act (DORA) regarding information and communication technology (ICT) risk management, ICT-related incident management, digital operational resilience testing, information-sharing arrangements, and ICT third-party risk management will take precedence over the corresponding provisions of the NIS 2 Directive.

Member States are directed not to enforce the cybersecurity risk management, reporting obligations, supervision, and enforcement provisions of the NIS2 Directive on financial entities falling under DORA's scope.

DORA is designated as the sector-specific legal act tailored for financial entities; it encourages robust collaboration and information exchange between financial entities and the relevant authorities, thus ensuring the security and resilience of the financial sector.

How can BDO help 

With a deep understanding of European Union regulations such as DORA, NIS 2, GDPR and others, BDO Malta can provide organisations with strategic insights, risk assessments, and action plans to ensure compliance with the NIS 2 Directive or DORA, as well as enhancements to their overall cybersecurity posture.

By partnering with BDO Malta, organisations can navigate the complex regulatory landscape with confidence, ensuring they are well-prepared to address the cybersecurity challenges of today and the future. 