Operational Resilience and Cyber Security
The risk management and reporting requirements in relation to security incidents under the NIS Directive are due to be revised and extended through two European Commission initiatives.
Technology and Innovation Partners, Anne-Marie Bohan and Carlo Salizzo, consider the implications of NIS 2 and DORA.
It is self-evident that the impact of a crisis on an organisation can be minimised through risk assessment and good planning.
Most businesses will have business continuity and disaster recovery plans in place, and increasingly, having a robust cyber-crisis management plan as part of their overall risk management plan is a given. For certain organisations, however, this is not just good business practice, but a statutory obligation. And developments at EU level will see those statutory obligations not only extended, but applied to a broader range of businesses.
The existing Network and Information Security Directive (“NIS Directive”) sets down these obligations for the operators of essential services (“OES”) (including some financial institutions) and digital service providers, obliging them to ensure a high level of resilience for network information systems. The obligations include mandatory reporting requirements in the event of certain security incidents, imposition of risk management obligations and cooperation with the national competent authorities.
The NIS Directive was implemented into Irish law through the European Union (Measures for a High Common Level of Security of Network and Information Systems) Regulations 2018 (the “Regulations”). The competent authority for Ireland under the NIS Regulations (other than for financial services) is the Minister for Communications, Climate Action and Environment (the “Minister”), who has the power to designate a sector, subsector or provider as an OES. The Central Bank of Ireland (the "CBI") is the competent authority for those financial services institutions within scope of the Regulations.
Growing threats of cyber-attacks
In response to the growing threats of cyber-attacks and taking into account the significant growth of digitalisation, the European Commission (the "Commission") is in the process of updating the NIS Directive through the introduction of a replacement directive ("NIS 2"). In parallel, the Commission has published a draft regulation for a Digital Operational Resilience Act ("DORA") as part of its Digital Finance Strategy, which is specifically directed to financial services.
One of the key features of both initiatives is the extension of the regulatory cyber and operational resilience regime to a broader range of business sectors (NIS 2) and a much broader range of financial services (DORA). However, for many organisations, a new set of risk management and incident reporting obligations will arise. For financial institutions not currently within scope of the Regulations, but to which DORA will apply, there is some comfort to be taken from the fact that the CBI Cross Industry Guidelines on Outsourcing, the CBI Cross Industry Guidelines on ICT, and the EBA Outsourcing Guidelines cover some, although not all, of the same principles and obligations.
While there are differences between NIS 2 and DORA (DORA is significantly more detailed), the Commission has ensured that there is broad alignment between them. The aligned elements include increased accountability requirements on both companies and executives for risk management practices, an increased focus on supply chain security, streamlined reporting, and wider enforcement powers for competent national authorities, including significant financial sanctions.
At a high level, organisations to which the Regulations currently apply are subject to security requirements obliging them to:
- take proportionate technical and organisational measures to manage risks;
- take appropriate measures to prevent and minimise the impact of incidents; and
- notify the competent authority without undue delay in the case of an incident.
These broad principles will not change, but will be supplemented, on a statutory basis, with more detailed requirements in relation to:
- risk analysis and information system security policies;
- incident handling (prevention, detection and response);
- business continuity;
- cybersecurity testing and auditing;
- supply chain security; and
- the effective use of encryption
The focus of reporting obligations will shift from impact on total users to incidents causing (or having the potential for) severe operational disruption, financial losses for the entity or considerable material or non-material losses for other natural or legal persons. The timeframe within which reports must initially be made under will also be reduced, depending on whether the report is required under NIS 2 or DORA. There will also be obligations to notify customers and, potentially, the general public, although the criteria for when this will be required are as yet unclear.
There is a very specific focus on supply chain vulnerabilities, including understanding end-to end risks and putting an onus on organisations to assess and take into account the overall cyber security products and practices of suppliers and service providers. This will require procurement and tender processes to be assessed, to ensure that sufficient information is sought and assessed at procurement stage. The terms of supplier contracts should also address ongoing obligations with regard to cyber security and maintenance of standards, reporting of incidents at the supplier and allowing, in appropriate cases, audits.
What organisations should do now:
- Assess whether within scope of NIS 2 or DORA
- Refresh or undertake risk assessment
- Update or create incident response plan, and communicate it
- Implement additional technical and organisational protections where gaps and vulnerabilities have been identified
- Update all relevant and impacted policies and procedures
- Train personnel on cyber risks and awareness, and on the incident response plan
- Do a dry run / simulation