What Companies Can Learn from GDPR and Apply to Incoming Requirements for DORA and NIS-2
- Mark Molyneux, EMEA CTO at Cohesity
- 28.05.2024 10:45 am #GDPR #Compliance #DORA #NIS2
What began with the GDPR is now being followed up by the EU with NIS-2 and DORA. The Digital Operational Resilience Act (DORA) focuses on the financial industry, while the NIS-2 Directive updates the EU cybersecurity rules introduced in 2016; both require companies in Europe to become more operationally cyber resilient. NIS-2 and DORA regulate how companies run their digital processes and handle data, with the aim of making networks and data more robust against attacks. At the same time, the introduction of the GDPR allows some important conclusions to be drawn about how companies should deal with the new rules, including the fines.
The shark has teeth, as Mack the Knife reminds us. But the big question when the GDPR became applicable six years ago (May 25, 2018) was whether the regulator would have teeth, or whether the consequences for companies violating the requirements would remain largely invisible.
After six years, the Enforcement Tracker provides a clear picture. It lists the proceedings and fines imposed to date: 4.5 billion euros in fines by 2024, half a billion more than at the same point in 2023, an increase of 11 percent within 12 months. In its annual study on fines and data protection violations from January 2024, the global law firm DLA Piper even reports an increase of 14 percent. DLA Piper also found that the trend of recent years is continuing: while an average of 328 data breaches per day were notified in Germany in 2022, last year the figure was 335, a consistently high level. If companies process the personal data of EU citizens improperly, they are reported and, in serious cases, fined.
The EU is now using new regulations to ensure that companies not only optimise their handling of data but also position their IT operations to withstand cyber attacks. DORA applies from January 17, 2025, while NIS-2 must be transposed into national law by October 17, 2024 at the latest. Some European countries are already well advanced and will pass their national laws before this deadline. The UK is not implementing NIS-2, as it is no longer bound by EU legislation, but UK companies that provide in-scope services in the EU will still need to comply.
As with the GDPR, the EU has provided for significant fines for violations of these new regulations. DORA leaves the level of administrative penalties for financial entities to national legislators and supervisors; figures of up to EUR 10 million or 5% of the previous year's global turnover are being discussed, and critical ICT third-party providers can additionally face periodic penalty payments of up to 1% of their average daily worldwide turnover. The penalties under NIS-2 are stricter and target management more directly: the Directive sets maximum fines of EUR 10 million or 2% of global annual turnover for essential entities and EUR 7 million or 1.4% for important entities, and management bodies can be held liable for failing to approve and oversee the risk-management measures. Nationally, the fine ranges for legal entities run from EUR 100,000 to EUR 20 million, a significant increase over the IT Security Act 2.0 of 2021. It is also to be expected that the authorities will pursue violations with the same rigour as they do under the GDPR.
How NIS-2 and DORA are related
NIS-2 dramatically expands the range of sectors that must comply compared to its 2016 predecessor, from a handful of critical infrastructure operators to 18 sectors that now include public administration, digital providers, manufacturing and food. The two acts are designed to fit together: DORA is the sector-specific rulebook (lex specialis) for financial entities, and where it applies its risk-management and incident-reporting provisions take precedence over the corresponding NIS-2 provisions; the other sectors in scope fall under NIS-2.
The big change concerns the mandatory reporting obligations for significant security incidents (not, as under the GDPR, for personal data breaches). Article 23 of the Directive sets out the following timeline:
- An early warning within 24 hours of becoming aware of a significant incident. It must indicate, where applicable, whether the incident is suspected to have been caused by unlawful or malicious acts and whether it could have a cross-border impact.
- Within 72 hours of becoming aware of the incident, an incident notification that updates the early warning with an initial assessment, including severity and impact and, where available, indicators of compromise. Reports go to the national CSIRT or the competent authority.
- Upon request from the CSIRT or competent authority, intermediate status updates.
- Within one month of submitting the incident notification, a final report; if the incident is still ongoing at that point, a progress report instead, with the final report due within one month of the incident being handled.
Benefit from preparatory work on GDPR
The GDPR has already forced companies to manage data better by requiring them to handle personal data more strictly and carefully than any other information. Duties such as the right of access, the right to erasure (the "right to be forgotten") and the obligation to notify the supervisory authority of a personal data breach within 72 hours have already required companies to implement processes and workflows that can be reused in a similar form for NIS-2 and DORA in the event of an attack. An AI-driven data security and management platform can help companies implement these processes in a scalable and efficient way.
Know the exact data content: in an attack, the adversary wants to steal, encrypt or delete data. Companies therefore need to know exactly what data they hold and what it is worth. Only then can they answer governance and compliance questions and, for example, enforce that certain types of data never leave particular storage locations. And if an attacker has successfully penetrated, they will understand much faster which data is affected in detail, which speeds up reporting under NIS-2 and DORA and makes the results far more accurate. In practice this task is gigantic: most companies have accumulated mountains of information about which they know little or nothing. Here AI-based classification can help massively and defuse one of the most complex problems by classifying a company's data automatically. Data owners can, for example, ask direct questions about specific data and receive an answer listing all affected documents.
Control data flows: once data is classified, and classified with the correct attributes, the underlying data management platform can enforce rules automatically without the data owner having to intervene, which reduces the risk of human error.
For example, a company could enforce that certain data, such as intellectual property or financial data, must never be copied to other storage locations or passed to external AI services. Modern data management platforms protect such data by encrypting it automatically and requiring users to authenticate through access controls and multi-factor authentication. Access control policies and multi-factor authentication are among the risk-management measures NIS-2 requires (Article 21), and the principle of least privilege, granted through role-based access, is what those policies should implement.
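The rule just described, classification labels driving a deny-by-default transfer policy with role-based access and an MFA requirement, looks like this in code. This is an added example written for this article, not Cohesity's or any other vendor's implementation; the labels, roles, destinations and policy table are constructed for the demonstration. It also covers the two cases a practitioner hits first in production: a record carrying several labels (the most restrictive label wins) and data that was never classified (refused until it is). Encryption at rest is out of scope here.

```python
"""Deny-by-default data-flow policy keyed on classification labels.

Illustrative example, not vendor code. Labels, roles, destinations and the
policy table below are constructed for the demonstration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Principal:
    name: str
    roles: FrozenSet[str]
    mfa: bool  # True if this session completed multi-factor authentication


@dataclass(frozen=True)
class Record:
    path: str
    labels: FrozenSet[str] = frozenset()  # empty set means "not yet classified"


@dataclass(frozen=True)
class Destination:
    name: str
    zone: str  # "internal" (company-controlled storage) or "external"
    kind: str  # "storage" or "ai_service"


@dataclass(frozen=True)
class LabelRule:
    allowed_zones: FrozenSet[str]
    allow_ai_service: bool
    roles: FrozenSet[str]  # least privilege: only these roles may move the data
    require_mfa: bool


# Hypothetical policy table: one rule per classification label.
POLICY: Dict[str, LabelRule] = {
    "public": LabelRule(frozenset({"internal", "external"}), True, frozenset({"employee"}), False),
    "pii": LabelRule(frozenset({"internal"}), False, frozenset({"analyst", "legal"}), True),
    "financial": LabelRule(frozenset({"internal"}), False, frozenset({"finance"}), True),
    "ip": LabelRule(frozenset({"internal"}), False, frozenset({"legal"}), True),
}


def evaluate_transfer(record: Record, principal: Principal, dest: Destination) -> Tuple[bool, str]:
    """Decide whether principal may move record to dest.

    A record may carry several labels; the transfer is allowed only if every
    label's rule permits it, so the most restrictive label wins. Unclassified
    data and unknown labels fail closed.
    """
    if not record.labels:
        return False, f"{record.path}: unclassified, classify before moving"
    for label in sorted(record.labels):
        rule = POLICY.get(label)
        if rule is None:
            return False, f"{record.path}: no policy for label '{label}'"
        if dest.kind == "ai_service" and not rule.allow_ai_service:
            return False, f"{label}: export to AI service '{dest.name}' not permitted"
        if dest.zone not in rule.allowed_zones:
            return False, f"{label}: zone '{dest.zone}' not permitted"
        if not (rule.roles & principal.roles):
            return False, f"{label}: none of {sorted(principal.roles)} is authorised"
        if rule.require_mfa and not principal.mfa:
            return False, f"{label}: multi-factor authentication required"
    return True, "allowed"


# Constructed principals, records and destinations for the scenarios below.
FINANCE = Principal("a.finance", frozenset({"employee", "finance"}), mfa=True)
FINANCE_NO_MFA = Principal("a.finance", frozenset({"employee", "finance"}), mfa=False)
ANALYST = Principal("b.analyst", frozenset({"employee", "analyst"}), mfa=False)
LEGAL = Principal("c.legal", frozenset({"employee", "legal"}), mfa=True)

LEDGER = Record("/finance/ledger-2023.xlsx", frozenset({"financial"}))
PATENT = Record("/rnd/patent-draft.docx", frozenset({"ip"}))
BROCHURE = Record("/marketing/brochure.pdf", frozenset({"public"}))
CONTRACT = Record("/legal/contract-4711.pdf", frozenset({"pii", "financial"}))
SCAN = Record("/scans/img_0042.pdf")  # never classified

ARCHIVE = Destination("archive-eu-west", "internal", "storage")
PARTNER_BUCKET = Destination("partner-s3-bucket", "external", "storage")
LLM_API = Destination("public-llm-api", "external", "ai_service")


def run_scenarios() -> List[Tuple[str, bool, str]]:
    """Run the policy over the constructed scenarios; returns (case, allowed, reason)."""
    cases = [
        ("ledger to internal archive, finance with MFA", LEDGER, FINANCE, ARCHIVE),
        ("ledger to partner bucket", LEDGER, FINANCE, PARTNER_BUCKET),
        ("patent draft to LLM API", PATENT, LEGAL, LLM_API),
        ("brochure to LLM API, no MFA", BROCHURE, ANALYST, LLM_API),
        ("contract to archive, analyst lacks finance role", CONTRACT, ANALYST, ARCHIVE),
        ("unclassified scan to archive", SCAN, LEGAL, ARCHIVE),
        ("ledger to archive, finance without MFA", LEDGER, FINANCE_NO_MFA, ARCHIVE),
    ]
    return [(case, *evaluate_transfer(rec, who, dest)) for case, rec, who, dest in cases]


if __name__ == "__main__":
    for case, allowed, reason in run_scenarios():
        print(f"{'ALLOW' if allowed else 'DENY '}  {case}: {reason}")
```

Two design choices matter more than the table itself. Evaluation loops over every label on a record and stops at the first denial, so a contract labelled both pii and financial is not movable by a role that is cleared for pii alone. And the absence of a label is itself a decision: unclassified data is refused rather than treated as public, which is exactly the gap the classification step in the previous paragraph is meant to close.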
Respond to incidents: in order to create the reports required by NIS-2, DORA and the GDPR, a company must be able to act at all. In a ransomware or wiper attack, the lights in the company go out, in the proverbial sense. In an emergency nothing works anymore: no phone, no email, no door, let alone the website. The IT teams of the CIO and CISO may not even be able to respond, because the security tools are offline and the evidence in logs and on the systems is encrypted, and nobody can call their team together because VoIP is down. The 24-hour and 72-hour reporting clocks still run from the moment of awareness, so the response plan has to assume exactly this state: out-of-band communication channels, immutable or offline copies of logs and backups, and an isolated environment from which recovery and reporting can proceed while production is unavailable.
The NIS-2 and DORA regulations are important because they strengthen the cyber resilience of companies and public authorities. They also reflect today's realities: AI and service models such as ransomware-as-a-service have increased not only the volume of cybercrime but also its quality. Our digital infrastructure must become more robust against successful attacks, and to achieve that companies need to revise and optimise all processes and workflows that handle data.