The security of information systems and the protection of critical infrastructures have become priorities for the EU. The arrival of two major European regulations bears witness to this: the regulation on digital operational resilience (Dora) and the directive on the security of networks and information systems (Nis2). Other texts, starting with the AI Act, are more broadly in line with this trend.
"Dora and Nis2 are two sides of the same coin: they aim to secure our information society," summed up consultant . "We live in a world where all industries, whether energy, health or infrastructure, rely heavily on IT. This dependence makes digital continuity essential."
"Dora and Nis2 are a bit like Brett Sinclair and Danny Wilde in the series “”: they're a bit similar, but completely different", said Nicolas Remarck, Bil's chief information security officer. The main differences relate to the players involved, their obligations and the legal nature of these texts.
1. The players involved
While Dora and Nis2 have the same purpose, their targets and frameworks differ. While Dora applies strictly to financial institutions, the Nis directives cover a broader spectrum, including critical infrastructures. "Nis2 affects sectors that are key to the smooth running of our societies, from hospitals and network operators to internet domain managers and even wastewater treatment systems," pointed out Remarck. "In France, for example, players such as Rungis [the largest wholesale food market] are affected by Nis2 obligations."
In addition, added Hagen, "Dora also applies to small entities in the financial sector, unlike Nis, which generally excludes small companies unless they play a key role in critical sectors".
Nis2 addresses a major concern: the impact of IT failures on public safety. "Nis2 mainly targets critical infrastructures to protect the safety of citizens. A disruption in these sectors could have a direct impact on people's daily lives", stressed Hagen, a former head of IT supervision for the financial sector and support PSFs at the Luxembourg financial regulator CSSF.
On the other hand, Dora focuses exclusively on the resilience of financial institutions, in order to avoid crises resulting from systemic IT shocks. "A data failure or an inability to restore financial systems could easily cause a liquidity crisis for a bank, leading to a potential financial crisis."
The two regulations are mutually exclusive: an entity subject to Dora is not affected by Nis2, and vice versa. However, "there are exceptions for certain players with a dual role, such as clearing houses", observed Remarck. He cited the example of Clearstream, which must comply with both Dora and Nis2 because of the hybrid nature of its activities.
2. Specific obligations
Dora and Nis2 both aim to protect against cyber threats and digital risks, but the way in which this is achieved differs. Where Dora lays down detailed technical requirements, Nis2 remains generalist in its approach, imposing obligations of vigilance and incident reporting.
In detail, "Nis2 requires covered entities to disclose their vulnerabilities, an obligation not found in Dora", explained Remarck. In addition, Nis2 promotes practices such as the Secure Development Lifecycle, which requires developers to follow security standards when creating code. "In concrete terms, this means paying attention to the code we produce. Dora, on the other hand, does not contain any explicit requirements on this point, although the spirit of the regulation is inspired by it", said Remarck.
By imposing a degree of transparency on vulnerabilities, Nis2 marks a major turning point in European cybersecurity culture. "Today, companies are often in a reactive posture, waiting for a vulnerability to be discovered before starting to correct it. With Nis2, this attitude will have to evolve towards proactive risk management, which will greatly improve cybersecurity in Europe."
3. Legal nature
If Nis2 seems less prominent than Dora in the public debate today, it is probably because of their legal nature. Dora is a regulation, which means that it applies directly and uniformly throughout the EU, without the need for local amendments. In contrast, Nis2 is a directive, which means that it must be transposed into national legislation - a more cumbersome and time-consuming process.
This transposition process can lead to delays, disparities between countries and even bungling. The deadline for transposing Nis2 into national law was 17 October. Luxembourg has not yet finalised the process, and the text is still being debated in parliament. However, the grand duchy is not an isolated case. "France, for example, tabled its transposition bill just two days before the deadline," observed Remarck.
The implementation of Dora could also be delayed by a (known as the ESAs). The commission wants to introduce a single European identifier (EUID), which the ESAs believe will make it more difficult to identify third-party ICT providers and increase the administrative burden on financial entities. This dispute could delay the roll-out of Dora, which is scheduled to come fully into force on 17 January 2025.