The Digital Operational Resilience Act (DORA) and the Network and Information Security directive (NIS2) have now been passed by members of the European Parliament (MEPs), paving the way for them to enter into EU law.
DORA and NIS2 are seen as central to the EU’s operational resilience, with DORA in particular bringing in new compliance requirements for the trading bloc’s financial sector, including payment service providers (PSPs).
EU lawmakers approved the new laws by 556 votes to 18; they now go to the European Council, which comprises EU government ministers, for the final vote.
DORA is intended to ensure that the EU's financial sector is more resilient to severe operational disruptions and cyber-attacks.
Parliament gave final approval to the legislation, previously agreed with the Council, on November 10.
The law introduces and harmonises digital operational resilience requirements for the EU’s financial services sector, obliging companies to make sure that they can withstand, respond to and recover from all types of information and communication technology (ICT) related disruptions and threats.
The new rules apply to all companies providing financial services, including payment, electronic money and crypto-asset service providers, as well as to critical ICT third-party service providers.
Banks and investment firms are also in scope, and it is to be the responsibility of national authorities to supervise and enforce implementation.
Commenting on the Parliament’s endorsement, EU commissioner for financial services Mairead McGuinness tweeted that it was “good to see”.
Meanwhile, Frances Fitzgerald, one of the key MEPs in the negotiation process, said that “recent months have highlighted the need to increase our vigilance and defend vital European infrastructure”.
NIS2, for its part, introduces new rules to advance a high common level of cybersecurity across the EU, both for companies and for member states. It also strengthens cybersecurity requirements for medium and large-sized entities that operate and provide services in key sectors.
The new law expands the scope of sectors and activities that are critical for the economy and society, including banking and services such as energy and transport.
It requires more entities and sectors to take cybersecurity risk management measures, including providers of public electronic communications services, social media operators, manufacturers of critical products (including medical devices), and postal and courier services.
The law is an update of the 2016 NIS directive, and aims to improve clarity and implementation, as well as address fast-paced developments in this area.
It covers more sectors and activities than before, streamlines reporting obligations and addresses supply chain security.
Following its approval by Parliament on November 10, it will also need to be approved by EU countries in the Council, after which member states will have 21 months to implement it.
Compared with the first NIS directive, notable changes include stricter requirements placed on national governments and regulators.
For example, it sets stricter cybersecurity obligations for EU countries when it comes to supervision.
It also improves the enforcement of those obligations, including by harmonising sanctions across member states, and aims to improve cooperation between EU countries in the case of large-scale incidents, under the umbrella of the EU Agency for Cybersecurity (ENISA).