NIS2 and DORA: what are they, and how can Identity help compliance?
At the end of 2022, the European Parliament and the Council adopted two new pieces of legislation: the second version of the Network and Information Security Directive (NIS2) and the Digital Operational Resilience Act (DORA). NIS2 is a directive, so Member States had to transpose it into national law by 17 October 2024 and apply those measures from 18 October 2024; DORA is a regulation that applies directly across the EU from 17 January 2025.
Both laws are set to significantly alter the way organisations in the EU approach digitisation and cybersecurity. But what do they entail? What risks could they create from a compliance standpoint? And how can a modern Identity solution help? In this blog, we provide answers to all of the above.
NIS2 and DORA: what are they?
The Network and Information Security Directive (NIS 2) is part of the EU's wider efforts to improve cybersecurity and protect critical infrastructure from cyber threats. It applies not only to digital service providers but to "essential" and "important" entities across sectors such as energy, transport, banking, health, digital infrastructure and public administration, and requires them to have appropriate risk-management measures in place to protect against cyber incidents and ensure the resilience of critical networks and systems. It also makes an entity's management body accountable for failing to comply with these cybersecurity obligations.
The purpose of the Digital Operational Resilience Act (DORA) is to ensure the digital operational resilience of the EU's financial sector by setting out a harmonised regulatory framework that addresses the industry's increasing reliance on digital technologies. The Regulation sets out several requirements that financial entities must comply with, including:
- Ensuring that critical IT systems are identified and protected
- Implementing adequate incident response and business continuity plans
- Conducting regular testing and risk assessments
- Establishing a reporting framework for major incidents
- Ensuring that third-party service providers are adequately monitored and assessed for their operational resilience.
What are the penalties for non-compliance with NIS2 and DORA?
NIS2 fines for non-compliance can be severe. Rather than fixing a single amount, the directive sets a floor for the maximum fine each Member State must provide for: essential entities face fines of up to at least 10,000,000 EUR or at least 2% of total worldwide annual turnover in the preceding financial year, whichever is higher; important entities face fines of up to at least 7,000,000 EUR or at least 1.4% of that turnover, whichever is higher.
DORA, by contrast, does not specify fine amounts itself. Under Article 50, competent authorities must be able to apply at least the following administrative penalties and remedial measures to financial entities:
- Cease and desist orders: authorities can require a person or entity to stop conduct that infringes the Regulation and to refrain from repeating it.
- Cessation of practices: practices contrary to the Regulation can be ordered to cease temporarily or permanently.
- Compliance measures: any type of measure, including pecuniary measures, can be adopted to ensure that financial entities continue to comply with the Regulation.
- Data traffic records: where national law permits and there is reasonable suspicion of an infringement, authorities can require existing data traffic records held by a telecommunications operator.
- Public notices: public statements disclosing the identity of the person or entity responsible and the nature of the breach.
Additionally, for critical ICT third-party service providers to the financial sector, DORA (Article 35) gives the Lead Overseer further powers:
- Periodic penalty payments: the Lead Overseer may impose periodic penalty payments on a provider that has not complied following a minimum 30-day notification period.
- Duration and calculation: the payments are applied daily until compliance is achieved, for no more than six months, at up to 1% of the provider's average daily worldwide turnover in the preceding business year; the amount takes into account the severity and duration of the non-compliance, whether it was intentional or negligent, and the provider's level of cooperation.
These penalties and measures must be effective, proportionate and dissuasive, so that the Regulation's objectives are met.
Under Article 54, competent authorities must publish any decision imposing an administrative penalty on their official websites once that decision is final.
What role does Identity play in DORA and NIS 2 compliance?
Digital identity will play a critical role when it comes to compliance with NIS 2 and DORA for several reasons.
#1 Protect networks and systems from cyber threats
NIS 2 requires essential and important entities to implement appropriate security measures to mitigate cyber threats and to report significant cyber incidents to the relevant authorities. By ensuring that only authorised individuals and systems can access a network or system, Identity significantly reduces the risk and the blast radius of a cyberattack. The authentication and access logs it produces also give incident responders a clear record of who accessed what and when, which supports the incident reporting obligation and reduces the scope for human error.
#2 Strengthen operational resilience
DORA seeks to strengthen the operational resilience of financial entities by requiring them to take a risk-based approach to their ICT operations. By ensuring that only individuals with the right credentials and access levels can carry out critical functions, digital identity management significantly reduces the risk of operational failures and cyber incidents.
#3 More robust data access processes
Effective digital identity management is essential both to protect data from unauthorised access and misuse and to report efficiently to the relevant authorities in the event of an incident. Access management that lets organisations see at any moment who has access to what information, produce auditable evidence of those entitlements and automate key processes such as joiner, mover and leaver changes is therefore vital for compliance with DORA and NIS 2.
How can Okta help you with compliance?
With Okta Workforce Identity Cloud (WIC) you can protect access for every user – employees, contractors, and more – no matter where they are or what device they’re using. It is built to help leaders drive productivity and efficiency, modernise IT and infrastructure, and, most importantly in the context of NIS 2 and DORA, strengthen security measures.
Features such as Single Sign-On (SSO), Adaptive Multi-Factor Authentication (MFA) and Passwordless Authentication improve your cybersecurity posture and offer a seamless experience for your employees. There is also our Okta Identity Governance (OIG) solution that combines Okta Workflows, Okta Lifecycle Management & Okta Access Governance to help you mitigate modern risks and improve efficiency.
Ultimately, a modern infrastructure like WIC will help you simplify compliance with DORA and NIS 2 by allowing you to improve cybersecurity, implement more robust access management processes and ensure reliable delivery of Identity services with best-in-class uptime.
To discover how Okta Workforce Identity Cloud and our other solutions can support your organisation with DORA and NIS 2 compliance, reach out to our team.