My Guitar Gently Weeps: Why Your Compliance Deadlines Are More Critical Than My Music.
Dear Reader,
As I wake on this bank holiday and consider my day, a few things spring to mind. Firstly, music. My thoughts wander to my guitar setup. I have band practice on Wednesday and need to work on programming my multi-FX unit for rehearsal. As much as I dislike the Spotify business model, it does allow me to edge closer to my teenage dream of being a recording artist. If only the BBC had an Outro stage at Glastonbury - that would be another one off the bucket list.
Alas, that’s not my main concern today. As we zoom towards September (OK, where has this year gone?) my mind is focused on something quite different. In stark contrast to my rockstar dream, I find myself deeply concerned about DORA and the NIS2 Directive. Why? Read on…
1. Deadlines Do Concern Me – And Wow, How They Creep Up
The deadlines for DORA (Digital Operational Resilience Act) and the NIS2 Directive are fast approaching, and I’m increasingly concerned that some of my network and their extended networks are not yet DORA and NIS2 ready. Some are behind schedule, some have no real plan, and most concerning of all, some don’t even know where they stand.
To clarify for those who might be unaware:
- DORA (the Digital Operational Resilience Act, Regulation (EU) 2022/2554) applies from 17 January 2025. As an EU regulation it is directly applicable: financial entities across the EU, including banks, investment firms and insurance companies, together with the critical ICT third-party providers that serve them, must have their digital operational resilience arrangements in place by that date.
- The NIS2 Directive (Directive (EU) 2022/2555) comes even sooner. Member states had to transpose it into national law by 17 October 2024, and in-scope entities become subject to the resulting national obligations from that point. It broadens the scope of the original NIS Directive, covering more sectors and imposing stricter cybersecurity requirements on essential and important entities.
These dates are no longer distant - they’re practically around the corner. However, a recent survey found that over 40% of firms are not fully prepared for DORA compliance. Even more concerning is the uptake for NIS2, where nearly 50% of the targeted organisations have either delayed their preparations or are unaware of the full implications of the directive.
If your organisation isn't yet on track, or you're not really sure where you are, the time to act is now.
2. The Consequences of Non-Compliance
Even businesses that don't yet need to comply with DORA and NIS2 have heard of them, but not everyone fully understands the consequences of non-compliance. Falling short can result in hefty fines, legal repercussions and significant reputational damage. For instance, NIS2 requires member states to set maximum administrative fines for essential entities of at least €10 million or 2% of total worldwide annual turnover, whichever is higher (for important entities, at least €7 million or 1.4%), and it allows authorities to hold members of the management body personally accountable for breaches. DORA, while focused on financial institutions, leaves the detailed penalty regime to national competent authorities, who can impose fines and operational restrictions that could stifle business growth; critical ICT third-party providers can additionally face periodic penalty payments from their Lead Overseer.
Beyond the financial impact, the loss of trust and potential operational disruptions could prove catastrophic. Customers, partners, and stakeholders expect organisations to protect their data and ensure continuous service delivery. Failure to do so, particularly in the wake of a cyber incident, could lead to long-term damage that far exceeds the immediate costs.
3. But Who Is at the Most Risk?
Who stands to lose the most from non-compliance? The financial services, energy, transport, and healthcare sectors are particularly high on the list due to their critical nature. These industries are integral to national infrastructure, making them prime targets for cyberattacks and, thus, under greater scrutiny by regulators.
Smaller companies within these and connected sectors are especially vulnerable. Despite having the same responsibilities as the big players, they often lack the time, resources and expertise to achieve what’s necessary. These entities might think they can fly under the radar, but regulators won't differentiate based on size when it comes to enforcement. Note, too, that NIS2's size threshold (it generally captures medium-sized and larger entities, with sector-specific exceptions) does not let small suppliers off the hook: their in-scope customers are obliged to manage supply-chain risk and will push contractual security requirements down to them.
A widely quoted statistic holds that 60% of SMEs that experience a significant cyberattack go out of business within six months. Whatever the precise figure, combined with the stringent requirements of DORA and NIS2 it makes clear that smaller firms cannot afford to neglect compliance.
4. What Are the Responsibilities for DORA and NIS2?
At a high level, DORA and NIS2 require organisations to ensure operational resilience by focusing on several key areas:
- Risk Management: Identifying, assessing, and mitigating risks related to ICT systems. This includes performing regular risk assessments, maintaining an inventory of ICT assets and their dependencies, and implementing measures to protect against identified threats.
- Incident Reporting: Quickly detecting, reporting, and responding to incidents. NIS2 requires an early warning to the competent authority or CSIRT within 24 hours of becoming aware of a significant incident, an incident notification with an initial assessment within 72 hours, and a final report within one month. DORA has its own staged regime (initial notification, intermediate report, final report) for major ICT-related incidents, so the detection, classification and escalation path needs to be rehearsed, not just documented.
- Third-Party Risk Management: Securing the supply chain and ensuring that third-party vendors meet the relevant requirements. This is crucial as many organisations rely heavily on external partners for critical operations. DORA goes further and requires a register of information covering all contractual arrangements for ICT services, with specific contractual clauses for services that support critical or important functions.
- Operational Continuity: Ensuring the ability to continue operations despite disruptions, supported by regular testing and updates. DORA emphasises robust business continuity and disaster recovery plans, at least yearly testing of ICT tools and systems and, for entities identified by their competent authority, threat-led penetration testing (TLPT) at least every three years.
- Governance: Establishing clear lines of responsibility and oversight for cybersecurity and operational resilience. Both regimes put accountability on the management body: under DORA it bears ultimate responsibility for managing ICT risk, and under NIS2 its members must approve the risk-management measures, oversee their implementation and undergo cybersecurity training. This includes appointing dedicated roles within the organisation to oversee compliance and resilience efforts.
5. What Areas Are Most Likely to Be Overlooked?
Supply chain security is one area being overlooked by many organisations. The complexity of modern supply chains, coupled with the reliance on third-party vendors, creates a significant vulnerability that is often underestimated.
Moreover, mobile applications - both your own and those used by your supply chain - are all too often not fully considered. The increasing use of mobile devices in business operations opens new attack vectors that many organisations have yet to address adequately.
Other commonly overlooked areas include:
- Incident Response Planning: Many organisations do not have a fully developed or regularly tested incident response plan.
- Employee Training: Human error remains one of the leading causes of cyber incidents, yet many organisations fail to invest in regular and comprehensive cybersecurity training for their staff.
- Regular Auditing: Compliance is not a one-time effort. Continuous monitoring and regular audits are necessary to ensure ongoing adherence to DORA and NIS2 requirements.
6. Don’t Know Where You Are, Where to Start, or Just Want Third-Party Ratification That You’re on Track?
We can help. As many of you know, we offer a complimentary cybersecurity and risk gap analysis, report, follow-up consultancy, and provision of a high-level cybersecurity and risk business plan. We're also extending this service specifically for DORA and NIS2 compliance.
Our gap analysis includes:
- Snapshot Traffic Light Report: A quick and visual assessment of your current compliance status.
- Follow-Up Meetings: Detailed discussions to review findings and strategise on necessary actions.
- Action Plan: A clear, step-by-step plan to address identified gaps.
- Gantt Chart or Project Timeline: A timeline to help you track progress and ensure timely compliance.
We are here to guide you through the complexities of DORA and NIS2 compliance, ensuring that you are not only ready but confident in your organisation's resilience.
7. Reach Out
The team at Vambrace and I are here to assist. If any of the points above have piqued your interest or you feel they may be of use, contact me directly via LinkedIn. If you think the above would benefit someone in your team or network, feel free to @ them in the comments.
8. Don’t Leave It Too Late
Wherever you are in your compliance journey, it’s best to know. That way, no matter the situation, we can plan our way to where we need to be.
9. Conclusion
So, to conclude, in the words of Jerry Maguire "Help me, help you."
Now, I must work on those songs in preparation for Wednesday. Any of my contacts available to offer a complimentary lyrics, melody, and guitar rig gap analysis? Know anyone?
Let’s ensure we’re all DORA and NIS2 ready before the deadlines hit!
Vin Maguire is the Cybersecurity, Risk & AI Lead Consultant at Vambrace Cybersecurity.