6 min read, Wed Nov 13 2024
Does NIS2 also apply to companies regulated under DORA?
I often read that companies covered by DORA are not covered by NIS2 because DORA takes precedence over NIS2. Well ... that is incorrect. DORA takes precedence over NIS2 only in the areas where the two laws overlap. Companies covered by both will also have to comply with the NIS2 obligations that DORA does not cover.
As a reminder, DORA will take effect in all EU countries on Jan. 15, 2025.
NIS2 should enter into force on Oct. 26, 2024, but because it is a directive, the implementation date is less stringent than for a regulation. Several countries have announced delays in implementation (e.g., the Netherlands, Germany), while only a few have stated that their local NIS2 law will be in force by the scheduled date of Oct. 26, 2024 (Belgium, Croatia).
Which companies are subject to both DORA and NIS2 obligations?
PRELIMINARY: COMPANY SIZE AND GEOGRAPHY
The sectors to which NIS2 and/or DORA apply are listed below. But activity is not the only factor; company size also plays a role. With a few exceptions, DORA and NIS2 do not apply to small businesses and microenterprises.
The country where the company is established is irrelevant; the country where the company offers its services determines whether NIS2 or DORA applies. For example, a company that offers Internet search services from the U.S. but also offers those services in Europe will have to comply with NIS2.
COMPANIES SUBJECT TO DORA
Article 2.1 of the DORA regulation stipulates that it applies to the following companies:
- Credit institutions;
- Payment institutions;
- Account information service providers;
- Electronic payment platform providers;
- Investment firms;
- Crypto-asset service providers;
- Central securities depositories;
- Central counterparties;
- Trading venues;
- Trade repositories;
- Managers of alternative investment funds (AIFM);
- Management companies in undertakings for the collective investment in transferable securities (UCITS);
- Data reporting service providers;
- Insurance and reinsurance undertakings;
- Insurance and reinsurance intermediaries (except if they qualify as microenterprise or small or medium-sized enterprise);
- Pension funds (except if they have less than 15 members);
- Credit rating agencies;
- Administrators of critical benchmarks;
- Crowdfunding service providers;
- Securitization repositories;
- ICT third-party service providers to the above-listed entities.
COMPANIES SUBJECT TO NIS2
Annex 1 of the NIS2 directive targets medium and large-sized companies (exceptionally, member states can also target small companies) active in the following areas:
- Energy (production, storage and transmission)
- Drinking water
- Wastewater (collection, disposal or treatment of municipal wastewater, domestic wastewater or industrial wastewater)
- Transportation (air, rail, water, road)
- Banking
- Financial market infrastructure
- Digital infrastructure providers
- ICT managed service providers
- Governments (with some exceptions)
- Healthcare
- Aerospace
- Postal and courier services
- Waste management
- Digital service providers
- Research organizations (excluding education)
- Production and distribution of chemicals
- Wholesale and industrial food production and processing
- Manufacturing of:
  - Medical devices
  - Electrical equipment
  - Motor vehicles, trailers, and semi-trailers
  - Machinery and equipment
For more details on the targeted sectors, please visit this blogpost on the topic.
COMPANIES SUBJECT TO DORA AND NIS2
NIS2 and DORA do not use the same sector definitions. However, after some analysis, the following entities subject to DORA are certain to also be subject to NIS2:
- Credit institutions (as “Banking” under NIS2 is defined as “credit institutions” according to Article 4.1 of Regulation (EU) No 575/2013).
- Trading venues (as “financial market infrastructure” under NIS2 is defined as “regulated markets, an MTF or an OTF”, see Article 4.24 of Directive 2014/65/EU).
- Central counterparties (defined as “a legal person that interposes itself between the counterparties to the contracts traded on one or more financial markets, becoming the buyer to every seller and the seller to every buyer” in Article 2.1 of Regulation (EU)), which are explicitly mentioned in both DORA and NIS2, under “Banking”.
- ICT service providers serving entities subject to DORA, in case they provide a managed service, defined in NIS2 as “an entity that provides services related to the installation, management, operation or maintenance of ICT products, networks, infrastructure, applications or any other network and information systems, via assistance or active administration carried out either on customers’ premises or remotely”. This likely targets all ICT providers (including digital infrastructure providers, such as telecommunications providers) offering services to the financial industry.
FACTORS THAT MAY LEAD TO LOCAL DIFFERENCES
What is very important to emphasize in this respect is that DORA is a regulation, and countries must transpose it as such into national legislation. NIS2, on the other hand, is a directive, and countries have a degree of freedom in transposing it into national legislation. While no major differences are expected, the companies covered by NIS2 legislation may vary from country to country, especially when it comes to “important” entities.
For example, accounting firms may be subject to DORA if they provide services to entities within the financial sector, especially if those services rely significantly on Information and Communication Technology (ICT). If an accounting firm provides IT auditing services, financial reporting, or other critical functions to financial institutions, it could be considered within the scope of DORA, in particular as a third-party ICT service provider. Under NIS2, accounting firms may, on a per member state basis, be categorized as important entities, particularly if they provide services to essential sectors (like banking or finance) or if their services are deemed crucial for the economy.
Obligations for companies subject to DORA and NIS2
OVERLAPPING AREAS OF DORA AND NIS2
Article 4(1) and (2) of the NIS2 Directive, together with the European Commission guidelines on their interpretation published on 18 September 2023, clarify that where sector-specific Union legal acts (like DORA) require essential or important entities to adopt cybersecurity risk-management measures or to notify significant incidents, and where those requirements are at least equivalent in effect to the obligations laid down in the NIS2 Directive, the relevant provisions of the NIS2 Directive shall not apply to such entities. The sector-specific provisions apply instead.
The following domains are covered by both DORA and NIS2 (and for companies subject to DORA, the DORA obligations prevail in case of conflict):
- Cybersecurity defense: DORA and NIS2 require companies to implement measures to effectively prevent, detect, and respond to cyber threats.
- Incident reporting: Under both DORA and NIS2, cybersecurity incidents must be reported to relevant authorities, such as national cybersecurity agencies.
- Risk management: Entities subject to either law are required to implement risk management processes. This includes conducting regular risk assessments and implementing appropriate technical and organizational measures to mitigate identified risks.
- Third-party risk management: Entities must ensure that their supply chain partners and service providers adhere to appropriate cybersecurity standards in order to ensure business continuity.
Note that DORA is more stringent than NIS2: under NIS2 a risk-based approach can be implemented, while DORA mandates a rule-based approach, regardless of varying levels of risk.
NIS2 REQUIREMENTS NOT COVERED BY DORA
Very few NIS2 requirements remain to be implemented by companies covered by DORA on the grounds that DORA does not explicitly cover them. In fact, the only one worth mentioning is:
- The use of MFA and encryption (NIS2 Directive, Article 21, point (j)).
However, EU member states can add legislation or make national laws more stringent when transposing the NIS2 directive into their national legal systems. Directives such as NIS2 represent a baseline, and member states are free to adopt stricter measures if they wish, as long as those stricter measures do not conflict with the overall objectives of the directive. In addition, member states can introduce national provisions that go beyond the requirements of the directive, provided those additions do not violate other EU laws (e.g., principles related to the single market).
In conclusion, companies covered by DORA must also monitor the local NIS2 laws in the countries where they operate, to make sure there are no additional provisions in those laws that DORA does not cover. If there are, they must comply with these provisions as well.
Dries leads the marketing and product management activities at Ceeyu. Before joining Ceeyu, he worked in similar roles at Voxbone (now Bandwidth.com) and Orange. Dries also worked in management consulting (at Greenwich, now EY Parthenon). He is a B2B marketer at heart, with a very strong affinity for technology.