Everything about NIS 2 & DORA

The measures you need to take if you are affected by NIS2 vary and depend on the risks. Below you will find an overview of requirements and procedures according to the NIS2 directive. It only concerns the group of significant and important companies.

NIS2 Key requirements for significant and important companies, as described in the law:

1. Create risk analyses and security guidelines for information systems.
2. Ensure that they can manage security incidents.
3. Take measures to maintain operations, such as backup management and disaster recovery, as well as crisis management
4. Ensure the security of the supply chain, including security-related aspects of the relationships between their organisation and their service providers and suppliers.
5. Take security measures in the acquisition, development and maintenance of network and information systems, including management and disclosure of vulnerabilities.
6. Create concepts and procedures to evaluate the effectiveness of risk management measures in the area of cyber security.
7. Establish basic cyber hygiene procedures and cyber security training.
8. Use cryptography and encryption.
9. Implement concepts for access control to systems and installations.
10. Use solutions for multi-factor authentication or continuous authentication, secure voice, video and text communication and, if necessary, secure emergency communication systems within the facility.

The following must be taken into account:

• the state of the art
• European and international standards
• Costs of realisation
• Existing risk

Attention: Supply chain

As an essential or key organisation, you not only need to strengthen your own digital security, but also ensure that security is maintained in the supply chain. This means implementing robust security measures and working closely with suppliers to minimise potential cyber threats. For example, it is important that NIS2 requirements are contractually stipulated. (Ideally in your terms and conditions of purchase, but can also be in a separate contract)

NIS2 Measures for suppliers (SMEs)

SMEs that supply significant and/or important companies must also take measures:

1. Prove to your clients that you have successfully implemented basic safety in your company. The Cyber Trust Labels are an excellent proof for this.
2. The KSÖ Cyber Risk Rating Scheme provides guidance on this.

See which risks are addressed with NIS 2 Compliance.

What are the risks for NIS2 companies?

• Supplier failure: Risk of supply chain disruption if suppliers do not fulfil the NIS2 standards: If suppliers have inadequate security measures, they may fall victim to a cyberattack and fail. This can have negative consequences for the NIS2 company's value chain.
• Insufficient security: Increased risk of data breaches and cyberattacks due to lack of security measures.
• Being uninsured: Financial losses in the event of cyber incidents due to a lack of cyber insurance. Insurance companies also refuse cover if security measures are inadequate.
• Reduced business growth: Non-compliance with the minimum requirements can lead to the loss of business relationships because customers expect and demand this in the future.
• Personal liability of directors/management: Legal and financial consequences for management in the event of non-compliance, including personal liability. Managing directors can even be removed from their position in the event of gross violations.
• Fines: Significant fines for violations of the NIS2 regulations (up to 10 million euros or 2% of annual turnover).
• Loss of sales: Decline in sales due to lower demand or interruption of business operations.
• Damage to reputation: Negative perception among customers and partners, resulting in a loss of trust among customers and loss of business.

As a supplier to large NIS2 companies, it is also important that you meet the required security standards so that you can maintain your business relationships and supply chains securely. As a supplier, it is likely that your major customers will require you to fulfil the NIS2 standards.

What are the direct risks for SMEs?

• Loss of major customers: Failure to maintain NIS2 may result in the loss of contracts with major customers.
• Security breaches: A lack of adequate cybersecurity can lead to cyber incidents and expose sensitive information.
• Financial loss: The cost of repairing a cyberattack can be significant, especially without adequate insurance.
• Reputational damage: A cyber incident can damage customer trust, which is fundamentally difficult to regain.
• Operational disruptions: Cyber-attacks or non-compliance can lead to significant disruptions in business operations.

Check immediately whether your company must fulfil NIS2.

Large and medium-sized companies from the following sectors are affected:

An organisation is considered a "medium-sized enterprise" if it has at least 50 employees OR if it has an annual turnover of more than ten million euros AND an annual balance sheet total of more than ten million euros, unless it is already considered a large enterprise. Small companies, i.e. companies that employ fewer than 50 people and either have an annual turnover of no more than EUR 10 million or an annual balance sheet total of no more than EUR 10 million, are not covered by NIS2.

However, there are exceptions - the following companies fall within the scope of application regardless of their size:

• Trust service provider
• Providers of public electronic communications networks or providers of publicly available electronic communications services
• TLD name registries and DNS service providers, except operators of root name servers
• Companies that are the sole provider of a service in a Member State that is essential to the maintenance of critical social or economic activities.

The Austrian Federal Economic Chamber has created an online guide to help you determine whether your company is affected (only in German).

However, a much larger number of companies are indirectly affected as suppliers or service providers of these essential and important facilities!

The NIS2 directive places particular emphasis on the security of the supply chain, because the security of a company can depend heavily on its suppliers and service providers. The chain is as strong as its weakest link. This means that a security breach at a supplier can harm not only that supplier, but also all the companies with which it is digitally and physically connected.

For example:

• A supplier has to stop supplying due to a cyber attack. This can seriously disrupt normal business operations. This also affects products, raw materials and services.
• If an IT service provider is hacked, the hackers can also access the systems of other companies in the supply chain.
• Sometimes a serious security vulnerability is found in a service that you use every day, such as your CRM system.

For NIS2 companies: Protection against risks in the chain

If you want to ensure a secure supply chain against cyber threats, it is important to develop a policy for supply chain risk management. In this policy you describe how dependent your organisation is on suppliers or service providers, with a particular focus on the IT components. This way, you can better manage the risks that these dependencies entail.

As a company that falls under the NIS2 directive, you must actively recognise and address the risks to your own company and those posed by your suppliers. It is important to make clear agreements with your suppliers so that you can manage these risks well and reduce them to an acceptable level.

The Cyber Risk Rating Scheme and the Cyber Trust Labels can help you to request the relevant evidence from your suppliers. Both are certificates accepted by the NIS authority.

Further information

Further information on the topic of security in the supply chain can also be found on a separate page of the Austrian Federal Economic Chamber on the topic of the supply chain and NIS 2 (only in German).

The European date for NIS2 is 17 October 2024.

The Austrian Implementation Act was under review until 1 May 2024.

In Austria, the Federal Ministry of the Interior will be responsible for enforcing the NIS 2 Act. A National Cyber Security Centre (NCSZ) has been set up specifically for this purpose.

The law provides for a range of sanctions. The NIS2 organisations must contractually oblige their direct suppliers to work safely. Suppliers, often SMEs, can therefore lose their major customers if they cannot prove compliance.

The NIS2 organisations themselves are inspected by the supervisory authority (in Austria: BMI). In some sectors this is done regularly, in others after incidents.

Sanctions for companies

The NIS2 Directive has given the competent authorities the power to impose fines in the event of non-compliance: Strict fines have been set to ensure compliance with NIS2. Essential companies risk a fine of 10 million euros or 2% of their global turnover, while important companies can be fined at least 7 million euros or 2% of their global turnover. This information can be found in Chapter VII, Article 34 of the NIS2 Directive.

Furthermore, the NIS 2 Act provides for personal liability for managers and enables the supervisory authority to remove them from their position in the event of serious violations, to appoint a monitoring officer or to temporarily suspend the authorisation for some or all of the relevant services or activities provided by the essential facility.

There are several cyber security standards that you can use. Cyber Trust can help with this.

International standards such as ISO 27001 or NIST 800 are internationally recognised standards for the introduction of information security management systems. In any case, such a system is a suitable way to achieve NIS 2 compliance. However, obtaining ISO 27001 certification is a complex and time-consuming process that makes sense for most essential and important organisations, but is not always practical for their suppliers, as it is too time-consuming and expensive for many SMEs.

Specific standards such as the KSÖ Cyber Risk Rating Scheme (on which the Cyber Trust Labels are based), on the other hand, aim to provide evidence of basic security measures. The term baseline security refers to the basic minimum level of cyber security that a company should have in place. In this context, it is sometimes also referred to as "cyber hygiene". Obviously, as part of third-party risk management, care must be taken to ensure that no supplier or service provider falls below this minimum level. Common standards for basic security can be found in:

• KSÖ Cyber Risk Rating Scheme (basis for the Cyber Trust Labels)
• CIS Top 18
• ENISA Essential Baseline Security Standards
• UK Cyber Essentials

In summary, cybersecurity compliance is an essential tool for organisations that need to comply with the NIS2 Directive as it helps structure their cybersecurity efforts, demonstrates their commitment to security and ensures compliance with the law.

The NIS2 directive brings new challenges for procurement and supply chain management, where companies need to involve their suppliers in strengthening cyber security. Cyber Trust can help here.

The NIS2 Directive brings major challenges for the supply chain. The directive requires essential and important companies to ensure security in their supply chain, which has a direct impact on relationships with suppliers, including SMEs. The implications are manifold and touch multiple facets of business operations.

Frequent weak points in the supply chain

• Insecure access and inadequate data security: External parties and partners with poor security can be an open door for hackers.
• Malware: Can spread through the supply chain, compromising systems and data.
• Attacks on logistics: Disruption of processes, which can lead to delays and downtime, which in turn affects operational efficiency.

Financial and operational impact
Implementing cyber security measures can be a heavy financial and operational burden for suppliers. Investing in technology and expertise can be costly and time-consuming.

An effective solution for complying with the NIS2 guidelines regarding supply chain risk management are the Cyber Trust Labels. They help to meet and enforce the right standards with suppliers at every level of risk and minimises the risk of disruption in the supply chain while meeting legal requirements.

Important to note:

1. Costs: The financial burden of cyber security can lead to higher prices or the cancellation of suppliers.
2. Time and resources: Effective cyber security requires investment in time and manpower, which can come at the expense of other business operations.
3. Complexity: Not all suppliers have the necessary expertise, which can lead to additional costs for recruiting specialised employees.
4. Compliance: Continuous updates to systems and processes to meet changing deadlines are a constant challenge.
5. Contracts: Clients can introduce strict cybersecurity standards within contracts, which can lead to legal complications in the event of security breaches.

However, it is not necessarily a negative thing: Companies that fulfil NIS2 standards can strengthen their business relationships and improve their competitive position by innovating and improving processes.

The way forward
For key and important organisations, finding a balance in adopting standards that consider the impact on their suppliers is critical. Support and flexibility can help overcome the challenges, and a collaborative approach can lead to greater security and healthy business relationships. Cyber Trust provides a pragmatic, feasible and cost-effective way to do this that is established and recognised.

The Cyber Trust Standard Label was specially developed for smaller SMEs that are in the supply chain of NIS 2 companies. It therefore allows proof of compliance with the basic security requirements. Larger SMEs or those in sensitive areas should aim for the Silver Label or Gold Label.

The KSÖ Cyber Risk Rating Scheme and the Cyber Trust Label based on it is a practical and accessible standard for SMEs, especially for improving their cyber security in an efficient and feasible way. With regards to NIS2, this standard was developed as a tool for cyber risk management in the supply chain. A unique collaboration of renowned experts from different NIS sectors with the involvement of regulators provides a framework in which companies can comply with the NIS2 guidelines without compromising their operations or business relationships. This standard is a practical and efficient tool to support cyber risk management, especially for small and medium-sized enterprises.

The Austrian Federal Economic Chamber offers further information on NIS 2 on its own website (mostly in German).

The Regulation (EU) 2022/2554 on Digital Operational Resilience in the Financial Sector (DORA) is an EU regulation that aims to strengthen the digital security and resilience of financial organisations. It aims to ensure that financial institutions take appropriate precautions to protect themselves against cyberattacks and other IT-related risks. DORA sets out requirements for risk management, monitoring and reporting of IT incidents. It also requires financial organisations to carefully monitor and control third-party providers of IT services. The aim is to ensure the stability and integrity of the European financial system in an increasingly digital world.

The most important requirements of DORA summarised

• Comprehensive, documented framework for ICT risk management
• ISMS according to international standards
• Strategy for information security and digital resilience
• Description of an ICT reference architecture to achieve specific business objectives
• Emphasising the responsibility of the management body for the management and control of ICT risk management
• Accountability for appropriate allocation of ICT investment and training
• Increased testing of ICT systems including threat-led penetration tests (TLPT)
• Automated mechanisms for the detection, prevention and containment of cyberattacks
• Efficient business continuity and recovery plans
• Coherent mechanisms for reporting security incidents
• Situational Awareness & Information Sharing
• Full monitoring of the risk by third-party ICT providers
• Contractual requirements for third-party ICT providers
• Strengthening the powers of financial supervisory authorities
• Administrative sanctions that must be dissuasive, criminal sanctions if necessary
• Own supervisory framework for continuous direct monitoring of important ICT third-party providers

The regulation addresses a broad spectrum of companies in the financial services sector, including supporting sectors:

• Banks
• Insurances
• Payment service provider
• Provider of crypto-asset services
• Central counterparties
• Trading centres
• Alternative investment fund managers
• Provider of data transmission services
• Insurer
• Insurance intermediaries
• Rating agencies
• Audit firms
• IT service providers such as cloud service providers, software providers or operators

In contrast to the NIS Directive, this regulation affects all companies in the financial services sector, not just significant or important operators. There is no lower size limit!

A much larger number of companies are also indirectly affected as suppliers or ICT service providers to these financial services companies!

The measures that companies must take if they are affected by DORA must always follow a risk-based all-hazards approach:

• Appropriate and proportionate technical, operational and organisational measures
• Consideration of the state of the art and the costs of implementation
• Consideration of the extent of risk exposure and the size of the company
• Consideration of the probability of occurrence of security incidents and their severity (including social and economic impact)

Key requirements include, among others:

1. Financial organisations shall appropriately identify, classify and document all ICT-related business functions, the information resources that support these functions, the configurations of ICT resources, the connections and interdependencies between the various internal and external ICT resources, and networks with third-party ICT providers. Relevant inventories must be kept for this purpose.
2. Mechanisms in place to promptly detect anomalous activity, including ICT network performance issues and ICT-related incidents
3. Detection mechanisms enable multiple levels of control and the setting of alert thresholds and criteria to initiate detection of ICT-related incidents and countermeasure processes for ICT-related incidents and set up automatic alert mechanisms.
4. Sufficient resources and capacity to monitor user activity, the occurrence of ICT anomalies and ICT-related incidents, including in particular cyber-attacks.
5. Financial organisations design the network connectivity infrastructure in such a way that it can be immediately disconnected (even with the implementation of automated mechanisms) and ensure its compartmentalisation and segmentation to minimise and prevent contagion, especially in interconnected financial processes.
6. Specific and comprehensive ICT business continuity strategy as an integral part of the operational business continuity strategy of the financial organisation through specific, appropriate and documented policies, plans, procedures and mechanisms.
7. When restoring backed-up data using their own systems, financial companies use ICT systems with an operating environment that is not related to the main environment, is not directly networked with the main environment and is securely protected against unauthorised access or manipulation in the ICT area.
8. Third-party ICT providers must maintain at least one secondary processing site with sufficient and appropriate resources, capacity, functions and staffing to meet the business needs, geographically distant from the primary processing site so that it has its own risk profile.
9. When setting recovery timelines and recovery points for each function, financial organisations consider the potential overall impact on market efficiency. These timelines ensure that the agreed performance levels are also achieved in extreme scenarios.
10. Financial organisations have communication plans in place to enable responsible disclosure of ICT-related incidents or significant vulnerabilities to customers, other financial organisations and the public, as appropriate.
11. Financial organisations define a procedure for dealing with ICT-related incidents and set up early warning indicators as alerts.
12. Financial organisations classify ICT-related incidents and determine their impact based on defined criteria.
13. Robust and comprehensive digital business resilience programme as an integral part of the ICT risk management framework applies a risk-based approach and takes into account the changing scenarios for ICT risks.
14. Testing of all critical ICT systems and applications at least once a year.
15. The programme includes conducting a full range of appropriate tests, including vulnerability assessments and reviews, open source software analysis, network security assessments, vulnerability analysis, physical security analysis, physical security reviews, questionnaires and scanning software solutions, source code testing where feasible, scenario-based testing, compatibility testing, performance testing, end-to-end testing or penetration testing.
16. Financial organisations carry out extended tests at least every 3 years using threat-led penetration tests (TLPT).
17. Threat-based penetration testing shall include, at a minimum, the critical functions and services and shall be performed on live production systems that support such functions. The exact scope of threat-based penetration tests performed based on the assessment of critical functions and services shall be determined by financial organisations and approved by the competent authorities.
18. Financial companies establish exit strategies to address risks that may arise at the level of the third-party ICT provider, including a possible failure of the third-party ICT provider, a deterioration in the quality of the functions provided, interruptions to business activities due to inadequate or omitted services or a significant risk in connection with the adequate and continuous provision of the function.
19. Exit strategies must be comprehensive, documented and, if necessary, sufficiently tested.
20. Contractual agreements on the use of ICT services include at least the following:

• A clear and complete description of all functions and services
• Provisions on accessibility, availability, integrity, security and protection of data
• Complete service descriptions, including updates and revisions, as well as precise quantitative and qualitative performance targets
• Notice periods and reporting obligations of the third-party ICT provider
• Requirements to implement and test contingency plans and have ICT security measures, tools and policies in place that adequately ensure the secure provision of services by the financial organisation in accordance with its regulatory framework
• The right to monitor the performance of the third-party ICT provider on an ongoing basis
• The right to agree alternative levels of security if the rights of other customers are affected
• Exit strategies, in particular the definition of a binding, appropriate transition period

Special requirement: Supply chain

In future, financial institutions must adopt and regularly review a strategy for the risk posed by third-party ICT providers as part of their ICT risk management framework. This strategy includes a policy for the use of ICT services provided by third-party ICT providers.   This includes the maintenance of an information register relating to all contractual agreements on the use of ICT services by third-party ICT providers.

Before concluding a contractual agreement on the use of ICT services, financial organisations must therefore:

• Identify and assess all relevant risks associated with the contractual arrangement, including the possibility that such contractual arrangements may contribute to increasing ICT concentration risk
• Exercise all due diligence on potential third-party ICT providers and ensure that the third-party ICT provider is suitable throughout the selection and evaluation processes

Financial organisations may only enter into contractual agreements with third-party ICT providers that comply with high, appropriate and up-to-date information security standards.

This means implementing robust security measures and working closely with suppliers to minimise their potential cyber threats. For example, it is important that security requirements are contractually defined. (Ideally in the terms and conditions of purchase but can also be in a separate contract). This evidence can be provided, for example, by respective Cyber Trust Labels.

DORA measures for suppliers (SMEs)

SMEs that supply financial services companies must also take measures:

1. Prove to your clients that you have successfully implemented basic safety in your company.
2. The KSOe Cyber Risk Rating Scheme provides guidance on this.

The DORA regulation places particular emphasis on the security of the supply chain, because the security of a company can depend heavily on its suppliers and service providers. The chain is as strong as the weakest link. This means that a security breach at a supplier can harm not only that supplier, but also all the companies with which it is digitally and physically connected.

DORA even goes one step further than NIS 2: financial services companies must identify and document the risks across the entire supply chain. Suitable registers must also be kept for this purpose. The scope and structure are regulated in corresponding regulatory and technical standards.

Financial organisations may only enter into contractual agreements with third-party ICT providers that comply with high, appropriate and up-to-date information security standards.

Before concluding a contractual agreement on the use of ICT services, financial organisations must therefore:

• identify and assess all relevant risks associated with the contractual arrangement, including the possibility that such contractual arrangements may contribute to increasing ICT concentration risk
• Exercise all due diligence on potential third-party ICT providers and ensure that the third-party ICT provider is suitable throughout the selection and evaluation processes

This means that suppliers will be able to prove their appropriate cyber security in future. This proof can be provided, for example, through corresponding cyber trust labels; both are proofs accepted by the regulator.

As a regulation, DORA enters into force immediately in all EU countries on 17 January 2025. There are no transitional periods.

In Austria, the Financial Market Authority (FMA) is responsible for the enforcement of DORA.

The Regulation also establishes appropriate administrative sanctions and remedies for breaches of the Regulation for financial undertakings themselves, which should be effective, proportionate and dissuasive.

DORA establishes a strict supervisory framework for operational risks that is standardised across Europe for the first time. In addition to the strict measures defined by DORA, which should lead to a further improvement in the resilience of European financial service providers, this will bring harmonisation, particularly for internationally active financial service providers, which will lead to improved legal certainty within the European framework.

• Our DORA Whitepaper.
• The official text of the DORA Regulation is available on the European Union website.