At its plenary session on Thursday 10th November, the European Parliament considered two pieces of EU legislation relating to cyber and ICT resilience.
The NIS2 Directive: A high common level of cybersecurity in the EU
New rules requiring EU countries to meet stricter supervisory and enforcement measures and harmonise their sanctions were approved. The NIS2 Directive: A high common level of cybersecurity in the EU, already agreed between MEPs and the Council in May, will set tighter cyber security obligations for risk management, reporting obligations, and information sharing. The requirements cover incident response, supply chain security, encryption, and vulnerability disclosure, among other provisions.
Under the legislation, entities in ‘essential sectors’ (such as the energy, transport, banking, health, digital infrastructure, public administration and space sectors) will be covered by new security provisions. All medium-sized and large companies in these sectors will be affected.
The legislation also establishes a framework for better cooperation and information sharing between different authorities and member states and creates a European vulnerability database.
MEPs adopted the text with 577 votes to 6, with 31 abstentions.
The European Council now has to formally adopt the law before it will be published in the EU’s Official Journal.
The Digital Operational Resilience Act (DORA)
In a separate vote, MEPs approved changes to the EU directive on the Digital Operational Resilience Act, better aligning these new rules with existing financial services legislation.
The DORA legislation will now pass to the European Commission. The Commission will need to refer DORA back to the European Parliament if it ‘replaces, substantially amends or intends to substantially amend’ the European Parliament’s amendments.
What is DORA?
DORA will establish uniform requirements for the security of network and information systems of companies and organizations operating in the financial sector as well as critical third parties that provide ICT-related services to them, such as cloud platforms or data analytics services.
DORA creates a regulatory framework on digital operational resilience where all regulated firms will need to make sure they can withstand, respond to and recover from all types of ICT-related disruptions and threats.