The European Parliament adopts NIS2 and DORA proposals
Nicole Wolters Ruckert
Anna van der Leeuw-Veiksha
Professional Support Lawyer (not admitted to the bar)
15 November 2022
The NIS2 Directive will impose stricter cybersecurity obligations on a broad range of entities operating in critical infrastructure sectors (such as digital infrastructure, banking, energy, health, transportation, space and public administration) and so-called “important sectors” (such as food, chemicals, electronics, machinery, medical device manufacturing, motor vehicles and digital providers). Under the current NIS Directive, entities in specific sectors are in scope only if they are designated, based on certain criteria, as operators of essential services or digital service providers. Under NIS2, by contrast, all large and medium-size companies in these sectors will be covered by the obligations. The NIS2 Directive will tighten, among other things, the rules on risk management, supply chain cybersecurity, incident reporting, information sharing and vulnerability disclosure. You can read A&O blogs about the NIS2 Directive here, here, and here.
DORA offers a digital operational resilience framework for a wide range of financial institutions (e.g. credit institutions, payment and electronic money institutions, trading venues, central securities depositories, crypto-asset service providers, etc.) to ensure that institutions are able to protect against, respond to and recover from different ICT-related attacks and threats. You can read the A&O blog about DORA here and listen to podcasts here.
The press release on NIS2 is available here and the adopted text of the NIS2 Directive here. The EPRS briefing on DORA is available here and the adopted text of DORA here.