NIS2, which stands for Network and Information Systems 2, and DORA, the Digital Operational Resiliency Act are two separate but interrelated pieces of legislation affecting organizations that do business in the EU. These two standards share many of the same high-level goals in that they both establish a consistent set of cybersecurity and resilience requirements for organizations in the EU. And while NIS 2 and DORA have many similarities, they are quite distinct. They have different purviews, different deadlines, impose different fines, and have their own detailed requirements.
The good news is that these standards have much more in common than not. Fundamentally, they require organizations to understand their risks and vulnerabilities, to be able to detect and properly respond to threats or incidents, and to address the risks from their supply chain or third-party technology partners. Eclypsium can help in all of these areas. With Eclypsium’s platform organizations can automatically assess any asset down to its most fundamental components, firmware, and code. Teams can proactively evaluate their supply chains by verifying the integrity of each asset, detecting vulnerabilities, alerting on threats or unauthorized changes, and properly upgrading systems based on their risk.
So let’s take a closer look at NIS2 and DORA to see what’s the same, what’s different, and what you can do to make sure you are ready.
What’s the Difference?
First, it is important to know what NIS2 and DORA actually are:
- NIS2 is an EU directive that applies to a broad set of critical services.
- DORA is an EU regulation that applies specifically to the financial services industry.
So what is the difference between a directive and a regulation? A regulation, such as DORA, directly applies to organizations throughout the EU. Thus, all financial institutions in the EU must directly meet the same requirements, which are overseen by European Supervisory Authorities (ESAs).
The NIS2 directive, on the other hand, requires each EU member state to create its own national law based on the requirements. As such, organizations will ultimately need to comply with their specific national law(s) as opposed to an EU law. The deadline for states to enact their own laws is right around the corner on 17 October 2024.
| NIS2 | DORA | |
|---|---|---|
| Type of regulation | EU Directive translated into national laws | EU regulation |
| Who is affected? | All “Essential” and “Important” services including but not limited to Energy, Transportation, Finance, Healthcare, Digital Infrastructure, and more. | Financial Services Institutions |
| Deadline | 17 October 2024 – This is the deadline that each member state must translate NIS2 into national law. | 17 January 2025 |
| Fines | Between 1.4% and 2% of global annual revenue. | Daily fines of up to 1% of a firm’s annual worldwide turnover. |
It is worth noting that financial services organizations may be subject to both NIS2 and DORA and likewise can be subject to fines from both. When it comes to the specific requirements, DORA has a lex specialis provision, meaning that its more specific requirements take precedence in any areas where the two regulations overlap.
Simplify Your Compliance With Eclypsium
NIS2 and DORA requirements have a lot in common, which should be no surprise since both regulations aim to help organizations reduce their cybersecurity risk and to be more resilient in the face of a security incident.
The NIS2 directive is organized around four key areas, while DORA uses five:
| NIS2 | DORA |
|---|---|
| • Risk Management • Reporting Obligations • Corporate Accountability • Business Continuity | • ICT Risk Management • Incident Reporting • Resiliency Testing • Intelligence Sharing • Third-Party Risk Management |
At a high level, we can see that both focus on risk management, reporting, and resiliency or continuity after a security incident. Both standards also heavily focus on the importance of the technology supply chain. DORA has made Third Party Risk Management one of the main pillars of the model, while NIS2 calls out “Security around supply chains” as one of its 10 Minimum Measures.
Eclypsium directly helps organizations meet these requirements in several ways that traditional security tools typically do not.
- Risk Management – Eclypsium can identify and alert on very low-level vulnerabilities and threats in firmware, components, system code and configurations, which are typically invisible to traditional application and OS-level scans.
- Third-Party and Supply Chain Security – Eclypsium can directly evaluate an organization’s technology at the supply chain level to verify the integrity of code and components, to verify vendor SBOMs, or identify risks in their products.
- Resiliency and Continuity – Eclypsium can proactively alert on any changes to device integrity that could indicate a security threat. By safeguarding critical system firmware an organization can prevent attackers from using implants to establish ongoing persistence within a device or causing disruption by corrupting system firmware.
These values are even more defined as we look at the specific requirements of each standard.
Eclypsium and NIS2
Chapter 4, Article 21 of NIS2 defines 10 minimum requirements of cybersecurity risk management. Eclypsium can directly apply to each of the first six requirements.
| Requirements | How Eclypsium Helps |
|---|---|
| Policies on risk analysis and information system security | Automated scanning to proactively verify the integrity of all critical code and components, and to identify vulnerabilities, misconfigurations, or threats down to the firmware level of laptops, servers, and networking gear. |
| Incident handling | Ability to alert or trigger automated responses based on any changes in system integrity. Allow analysts to assess systems for secondary exploitation or threat persistence using implants and similar methods. |
| Business continuity | Reduce the risk of permanent damage to systems due to corruption of system firmware. Enable faster recovery by quickly verifying that affected systems are free of threats before being returned to service. |
| Supply chain security | Proactively verify that all systems and updates from supply chain partners align with vendor SBOMs and that all code and components are authentic and free of vulnerabilities. |
| Security in network and information systems acquisition | Assess all information systems down to the firmware and component level during evaluations. Verify that each system received meets technical expectations. |
| Assessment of cybersecurity risk-management effectiveness | Assess and support threat detection tools by analyzing for threats and changes below the level of the operating system. |
Eclypsium and DORA
DORA details its requirements for various articles of the standard. Once again, Eclypsium can help meet these requirements in several ways.
| Requirements | How Eclypsium Helps |
|---|---|
| Article 6 – Risk Management Framework | Broad coverage for the wide range of assets defined by Article 6 including “computer software, hardware, servers…all relevant physical components and infrastructures.” These assets are assessed down to the level of firmware, physical components, and low-level configurations that traditional tools typically can’t see. |
| Article 8 – Identification | Allows teams to “identify all information assets and ICT assets, including those on remote sites, network resources and hardware equipment.” This includes the ability to establish and maintain inventories of those assets including their firmware and hardware components. |
| Article 9 – Protection and Prevention | Directly addresses the need for “procedures and controls for ICT change management, including changes to software, hardware, firmware components, systems or security parameters…” Identifies any out-of-date firmware, known vulnerabilities as well as low-level misconfigurations or missing protections, then assists staff with applying necessary device-level updates. |
| Article 10 – Detection | Specialized detection of threats that are largely missed by traditional tools such as EDR. Eclypsium detects both known and unknown firmware and device-level threats and includes the ability to detect anomalies in the behavior of firmware on a device. |
| Article 11 – Response and Recovery | Actively identifies if an asset has been infected or altered in any way at the firmware level. After an incident, staff can easily ensure that each affected asset is free of vulnerabilities or hidden code that could lead to the device being re-infected. |
| Articles 28 – 30 Managing of ICT Third-Party Risk | Proactively evaluates and verifies all assets and updates provided by a firm’s technology vendors. Enables procurement teams to evaluate prospective vendors based on device-level vulnerabilities or misconfigurations. Teams can further verify that all received assets and updates are genuine and were not altered in the supply chain. Assets can be verified to ensure they match vendor-provided SBOMs and proactively identify any undocumented changes in suppliers or components. |
Conclusion
Any organization that provides services to the EU will need to be aware of its responsibilities when it comes to NIS2 and DORA. And with key deadlines just around the corner, the moment of truth has arrived. Leaders must be ready to meet the many organizational requirements, and IT and security teams will need the right tools and processes to keep their systems safe. Naturally, this is much bigger than any single product or tool. But Eclypsium can certainly play an important role when it comes to the trickiest areas such as addressing risk in devices and in the supply chain. If you would like to learn more, please reach out to the team at [email protected].
