KNOWLEDGE BASE

Frequently Asked Questions

Understanding NIS and NIS2 is a challenge for most organizations. Our experts are here to help you understand and meet the new requirements.

NIS & NIS2

We Have the Answers to Your Questions

What is the difference between NIS/NIS2 and DORA?

The Digital Operational Resilience Act (DORA) is a European Union (EU) regulation that creates a binding, comprehensive information and communication technology (ICT) risk management framework for the EU financial sector. DORA shares much with NIS and NIS2, including the risk-based approach, but it is limited to the financial sector, while NIS2 applies to many industries indispensable to society. Where both could apply, DORA is treated as the sector-specific act: financial entities covered by DORA follow its ICT risk management and incident reporting provisions instead of the corresponding NIS2 provisions.

Read more: What is the Digital Operational Resilience Act (DORA)?

How do I know if my organization must comply with NIS2?

The first step to compliance with NIS2 is understanding whether your organization must comply. In broad terms, NIS2 covers medium-sized and large entities (50 or more employees, or annual turnover or balance sheet above EUR 10 million) operating in the sectors listed in its Annexes I and II, plus certain entities that are in scope regardless of size, such as DNS service providers, top-level domain name registries, and qualified trust service providers. Because the Directive is transposed into national law, the exact scope and registration duties can differ by member state. We recommend looking at our NIS2 white paper and referring to your local authority's guidance.

What is the key purpose of NIS2?

Increasing Cyber Security Resilience 

NIS2 requires EU member states and the entities in its scope, including critical infrastructure operators, to enhance their cyber security resilience and their preparedness to respond to, and recover from, cyber incidents effectively.

Harmonizing Cyber Security Standards 

It seeks to harmonize cyber security standards and practices across the EU to ensure a consistent and high level of security across the digital landscape. 

Mandatory Reporting of Incidents 

NIS2 mandates the reporting of significant cyber incidents to national authorities in stages (an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report within one month) and establishes a coordinated mechanism for sharing information on cyber threats and incidents among member states.

Critical Infrastructure Protection 

The Directive places a special focus on protecting critical infrastructure sectors, such as energy, transportation, healthcare, and digital infrastructure, by requiring them to meet specific cyber security requirements.

Enforcement and Penalties 

NIS2 introduces measures for effective enforcement of cyber security requirements and penalties for non-compliance, thereby incentivizing organizations to invest in cyber security measures. 

Cooperation and Information-sharing 

It promotes cooperation and information sharing among member states and between the public and private sectors to enhance collective cyber security defense. 

When will NIS2 come into effect?

Member states had to transpose the NIS2 Directive into national law by 17 October 2024, and its measures apply from 18 October 2024. This is a crucial date for businesses to take note of, as failure to comply with the Directive can result in severe consequences such as financial penalties and damage to reputation. Companies should therefore gear up and make the necessary preparations to ensure full compliance as early as possible. Don't wait until it's too late: act now to avoid any potential negative consequences.

What is the difference between essential & important entities?

The difference lies not in the requirements they must meet, which are the same for both categories, but in the supervisory measures and penalties that apply. Essential entities are subject to both ex-ante and ex-post supervision, meaning authorities can audit and inspect them proactively from the moment NIS2 applies. Important entities are subject to ex-post supervision only, meaning action is taken if and when authorities receive evidence of non-compliance. The maximum administrative fines also differ between the two categories (see below).

What are the NIS2 fines?

The NIS2 Directive takes a nuanced approach to administrative fines, differentiating between the two types of entities. 

Essential entities:

A maximum of 10,000,000 EUR or 2% of the total worldwide annual turnover of the undertaking to which the organization belongs in the preceding financial year, whichever is higher.

Important entities:

A maximum of 7,000,000 EUR or 1.4% of the total worldwide annual turnover of the undertaking to which the organization belongs in the preceding financial year, whichever is higher.

How can Holm Security help my organization comply with NIS2?

Implementing risk-based cyber security practices is one of the most important areas of NIS and NIS2. Holm Security helps organizations that must comply with NIS and NIS2:  

  • Perform automated and continuous (systematic) risk assessments. 
  • Create a proactive approach towards cyber security.
  • Implement basic cyber hygiene practices and cyber security training.
  • Provide the tools needed to secure the supply chain.
  • Help management supervise the implementation of risk management.
  • Demonstrate compliance based on data and reports. 

Is vulnerability management required for compliance with NIS2?

Yes, in practice. Article 21(2) of NIS2 lists the minimum cyber security risk-management measures every essential and important entity must implement, and these include "vulnerability handling and disclosure" as part of security in network and information systems acquisition, development and maintenance. Regular vulnerability scanning (security scanning) is how organizations identify the weaknesses that a risk assessment must take into account. The National Cyber Security Centre (NCSC) of Ireland and the Swedish Civil Contingencies Agency (MSB) both refer to vulnerability management as a key element of compliance with the NIS2 Directive.

When complying with NIS/NIS2, what must we consider regarding our suppliers?

One of the focus areas of NIS2 is securing the supply chain. Article 21(2)(d) requires in-scope organizations to address supply-chain security, including the security-related aspects of their relationships with direct suppliers and service providers. Your suppliers are not automatically brought into scope by your own NIS2 obligations, but it is your responsibility to assess the risk they introduce, to pass appropriate security requirements on to them (for example through contracts and supplier assessments), and to verify that they meet them.

We’re happy to tell you more about our solutions for securing your supply chain.

I’m a supplier to an organization that must comply with NIS/NIS2 – what should I consider?

As a supplier to an organization that must comply with NIS/NIS2, you should expect that organization to pass security requirements derived from NIS2 on to you, typically through contractual clauses, security questionnaires, and evidence of your vulnerability management and incident handling practices. Being able to demonstrate these practices with data makes you a lower-risk supplier. Contact us to discuss how we can help you prepare to meet the NIS2 requirements that your customers will apply to their supply chain.

Don't Wait Until It's Too Late. We'll Help You Comply with NIS2 Regulations

Start your compliance journey now.