Ahead of the EU’s Digital Operational Resilience Act (DORA) applying from 17 January 2025, and on the back of the updated Network and Information Security Directive (NIS2), which member states were required to transpose into national law by 17 October of this year, organisations across Europe are scrambling to understand what these regulations mean for them. The initial reaction from many businesses is one of concern, and understandably so: non-compliance can lead to significant penalties and reputational damage. However, the reality is less daunting than it might appear.

For businesses already aligned with robust frameworks like ISO 27001, compliance with these new regulations will usually require incremental changes to existing controls rather than a new programme. In most cases, the focus will be on areas such as incident reporting and ensuring processes meet the specific requirements outlined in DORA and NIS2. Let’s break this down.

What Are DORA and NIS2?

DORA:

DORA aims to ensure the operational resilience of financial institutions by requiring them to prepare for, withstand, recover from, and adapt to ICT-related disruptions. Its primary focus is on financial entities such as banks, investment firms, insurers, and payment providers, but it reaches their ICT third-party service providers too: the largest can be designated as critical and overseen directly by the European Supervisory Authorities, and all others are bound through the contractual terms that financial entities must now impose on them. Typical examples include:

  • IT service providers offering cloud computing, data storage, or disaster recovery solutions.
  • Managed Service Providers (MSPs) delivering IT or cybersecurity support to financial institutions.
  • Outsourced service providers providing software, analytics, or operational support.

If you support the financial sector with technology or operational services, expect DORA’s requirements to reach you through your customers’ contracts even if you are never designated as critical.

NIS2:

NIS2 expands on the original NIS Directive, introducing stricter cybersecurity requirements for a broader range of sectors providing critical or essential services. Affected organisations fall into two main categories, essential entities and important entities. The category is determined by the sector an organisation operates in (the Annex I “sectors of high criticality” versus the Annex II “other critical sectors”) and by its size: large entities in high-criticality sectors are generally essential, while medium-sized entities and those in the other critical sectors are generally important. Examples by sector:

  1. Sectors of high criticality (typically essential entities):
    • Energy providers, such as electricity, oil, and gas suppliers.
    • Transport and logistics operators.
    • Healthcare providers, including hospitals and clinics.
    • Drinking water and wastewater providers.
    • Digital infrastructure providers, such as data centres and DNS providers.
    • ICT service management providers, including MSPs and managed security service providers.
  2. Other critical sectors (typically important entities):
    • Manufacturers critical to supply chains.
    • Food production, processing, and distribution.
    • Postal and courier services.
    • Digital providers such as online marketplaces, search engines, and social networking platforms.

Even if you are established outside the EU, these rules can still reach you: NIS2 applies to covered services offered in the EU regardless of where the provider sits, and DORA’s obligations flow down to ICT providers through the contracts that EU financial entities are required to put in place.

Why ISO 27001 Provides a Strong Foundation

ISO 27001, the internationally recognised standard for information security management, provides the fundamental building blocks for compliance. It requires:

  1. Risk-based thinking: Organisations identify and address risks relevant to their business and industry.
  2. Established processes: Controls for access management, incident response, and vendor oversight are already in place.
  3. Continuous improvement: A cycle of regular reviews ensures security evolves as threats do.

If your business is ISO 27001 certified, much of the heavy lifting for DORA and NIS2 compliance is already done. What the regulations add are specifics that an ISMS does not prescribe on its own, so the key will be reviewing your existing controls and adjusting them to match the regulatory requirements, such as:

  • Meeting fixed incident-reporting deadlines. NIS2 requires an early warning to the competent authority within 24 hours of becoming aware of a significant incident, a fuller notification within 72 hours, and a final report within a month; DORA sets similarly tight, staged deadlines for major ICT-related incidents. An ISO 27001 incident process with no clock on it will need one.
  • Documenting third-party risk assessments more comprehensively. DORA in particular requires financial entities to maintain a register of information covering all of their ICT third-party contracts and to include specific contractual terms in those arrangements.
  • Testing operational resilience through a structured testing programme, including more frequent exercises and, for the financial entities DORA designates for it, threat-led penetration testing at least every three years.

A Simple Process for DORA and NIS2 Compliance

To streamline your compliance efforts, we recommend the following steps:

  1. Understand the Requirements: Review how DORA and NIS2 apply to your business. DORA is a Regulation and applies directly; NIS2 is a Directive, so check the transposing law in each member state where you operate, since scope details, registration duties, and penalties are set nationally. Focus on operational resilience, incident reporting, and supply chain security.
  2. Gap Assessment: Conduct a gap analysis against your existing frameworks and controls. Identify where your current controls meet the requirements and where enhancements are needed.
  3. Update Policies and Procedures: Tweak your incident management, third-party risk, and operational resilience plans to align with the regulations. Ensure documentation is thorough and up to date.
  4. Test Your Controls: Conduct tabletop exercises and simulated incidents, timing each exercise against the regulations’ reporting deadlines, and test your business continuity and disaster recovery plans to confirm you can actually recover within the tolerances you have set.
  5. Train Your Teams: Educate your staff about the new requirements, focusing on the importance of timely incident reporting and robust cyber resilience.

Compliance Without the Stress

The key message is this: compliance with DORA and NIS2 should not feel like starting from scratch. If your organisation has invested in frameworks like ISO 27001, or similar, you’re likely already well on your way to meeting these new standards. The focus should be on fine-tuning your existing processes rather than overhauling them entirely.

At Calligo, we specialise in helping businesses navigate complex regulatory landscapes, including DORA and NIS2. Whether you need a gap assessment, guidance on updating your controls, or help training your teams, our experts are here to support you.

Ready to simplify your compliance journey? Contact us today to learn how we can help you turn regulatory challenges into opportunities for strengthening your cybersecurity and operational resilience.