Information system security has become a major priority for businesses, consumers and governments alike. In an environment where cyberattacks have become a daily occurrence, several European laws have been adopted in recent years to safeguard and reinforce cybersecurity and protect critical infrastructures and sensitive data.

Among these texts, the NIS2 directive, the DORA regulation and the CRA play a major role, each bringing profound changes that will significantly alter the European cybersecurity landscape.

The NIS2 Directive on network and information security (Directive (EU) 2022/2555, the successor to the 2016 “NIS 1” Directive) aims to harmonize and strengthen cybersecurity across Europe. It entered into force on January 16, 2023, and Member States must transpose it into national law by October 17, 2024.

Its main aim is to strengthen the resilience of critical infrastructures and digital services within the European Union, notably by extending the scope of NIS 1 to 18 sectors in total. Cloud providers and search engines were already covered as “digital service providers” under NIS 1; the newcomers include public administration, postal and courier services, waste management, chemicals, food production, manufacturing, space, data centres, content delivery networks and social networking platforms.

The “operators of essential services” and “digital service providers” of NIS 1 are replaced by two categories of “entities”: essential entities and important entities. Both are subject to the same security obligations, but essential entities face proactive supervision while important entities are supervised after the fact.

NIS2 also imposes stricter requirements, notably a phased incident-reporting regime (an early warning to the competent authority or CSIRT within 24 hours of becoming aware of a significant incident, a full notification within 72 hours and a final report within one month) and closer cooperation between Member States. As a result, companies operating in these sectors will have to step up their cybersecurity risk-management measures and incident-response capabilities or face severe financial penalties: up to €10 million or 2% of worldwide annual turnover for essential entities, and up to €7 million or 1.4% for important entities. In France these penalties are to be imposed by ANSSI, in the same way as the CNIL imposes GDPR fines.

It should also be noted that NIS2’s technical, operational and organizational requirements apply to public administrations (at central level, and at regional level where Member States so decide) and reach into supply chains, since every entity must address the security of its relationships with its direct suppliers and service providers as part of its risk-management measures.

Meanwhile, the Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) and its accompanying Directive (EU) 2022/2556 both entered into force on January 16, 2023. The Regulation applies from January 17, 2025, which is also the deadline for Member States to transpose the Directive.

The regulation aims to boost the European financial sector’s operational resilience to cyberthreats. DORA requires financial entities such as banks, insurance companies, investment firms and other financial market participants to maintain high standards of information system security and ICT risk management, covering the data they process and the systems that carry it.

The regulation includes measures such as the obligation for financial entities to maintain ICT business continuity plans and to run a digital operational resilience testing programme, including threat-led penetration testing (TLPT) every three years for the entities identified as most significant.

The regulation also governs the contractual relationship between financial entities and their third-party ICT service providers, prescribing the key clauses those contracts must contain (service descriptions, security and audit rights, incident assistance, exit strategies) and requiring entities to keep a register of all such arrangements.

In addition, DORA provides for an enhanced supervisory mechanism: rather than a new authority, it creates an oversight framework under which one of the three European Supervisory Authorities (EBA, EIOPA or ESMA) is designated Lead Overseer for each ICT third-party service provider deemed critical to the financial sector, with the power to issue recommendations and impose periodic penalty payments. Sanctions on financial entities themselves remain in the hands of national competent authorities.

Finally, the Cyber Resilience Act (CRA) is expected to enter into force in 2024, giving manufacturers, importers and distributors of connected products 36 months from that date to comply with the new requirements, with the manufacturers’ reporting obligations applying earlier, after 21 months.

This regulation covers products with digital elements (hardware or software) whose intended or reasonably foreseeable use includes a direct or indirect data connection to a device or a network.

The CRA seeks to foster trust in digital technology by ensuring that these products meet rigorous security standards: manufacturers must design and build them to a set of essential cybersecurity requirements, handle vulnerabilities and provide security updates throughout a defined support period, demonstrate conformity before placing the product on the market, and affix the CE marking.

If there is an incident, manufacturers will be required to report any actively exploited vulnerability in their products, and any severe incident that impacts their security, with an early warning within 24 hours and a fuller notification within 72 hours; importers and distributors who become aware of a vulnerability must inform the manufacturer.

To summarize, NIS2, DORA and the CRA represent significant milestones in the European Union’s fight against cyberattacks and in the protection of the critical infrastructures, digital products and sensitive data of businesses and public bodies.

These texts impose stricter requirements in information system security and operational risk management while reinforcing supervision and cooperation between Member States.

As with the GDPR, the penalties provided for, in particular the fines (up to €10 million or 2% of worldwide turnover under NIS2, and up to €15 million or 2.5% under the CRA), should encourage many players to pay special attention to how they implement and comply with these new obligations.
