Navigating NIS2 and DORA Compliance: Enhancing Cybersecurity and Operational Resilience with Microsoft Solutions

The Network and Information Systems 2 (NIS2) Directive (Directive (EU) 2022/2555) is the EU's updated cybersecurity directive. It entered into force in January 2023, and member states must transpose it into national law by 17 October 2024, which is when in-scope organisations become subject to the national rules that implement it.

The directive aims to:

  • Harmonise cybersecurity requirements and enforcement across member states. It sets a benchmark of “minimum measures” for cybersecurity.
  • Improve the overall level of cybersecurity within the EU. This is achieved by setting minimum cybersecurity standards for organisations in different sectors.

Some of the key aspects of the NIS2 Directive include:

  • Risk assessments: In-scope entities (classified as "essential" or "important" under the directive) must conduct regular risk assessments to identify and evaluate cybersecurity threats to their network and information systems.
  • Policies and procedures for cryptography: Entities must adopt policies and procedures on the use of cryptography and, where appropriate, encryption to protect sensitive data in transit and at rest.
  • Security procedures for employees: Entities must establish human-resources security, access-control and asset-management procedures for staff with access to sensitive systems and data, including multifactor or continuous authentication where appropriate.
  • Cybersecurity training: Entities must provide basic cyber-hygiene practices and cybersecurity training to raise staff awareness of threats and good practice; management bodies must also follow training so they can oversee the risk-management measures they approve.
  • Incident handling and reporting: Entities must maintain an incident-handling plan covering response, communication and recovery, and must report significant incidents to the competent authority or CSIRT on a staged timeline: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report within one month.
  • Business continuity management: The directive also requires plans for maintaining operations during and after an incident, including backup management, disaster recovery and crisis management.

The NIS2 Directive is a comprehensive piece of legislation that covers a wide range of cybersecurity topics. It is important for companies that are subject to the directive to understand their obligations and take steps to comply.

The main purpose of NIS2 and DORA (a directive and a regulation respectively) is to enhance cybersecurity and operational resilience within the European Union.

They aim to achieve this through different but complementary approaches:

NIS2 (Network and Information Systems 2 Directive)

  • Harmonising cybersecurity requirements across EU member states: The directive sets a baseline for cybersecurity measures, ensuring a consistent level of protection across different countries.
  • Enhancing the overall cybersecurity posture within the EU: This is achieved by requiring organisations in key sectors to implement a range of cybersecurity measures. These include conducting risk assessments, implementing policies for cryptography and employee security, providing cybersecurity training, and establishing incident handling and business continuity plans.

DORA (Digital Operational Resilience Act)

  • Strengthening the ICT security of financial entities: DORA (Regulation (EU) 2022/2554) specifically targets organisations in the financial sector, including banks, insurance companies and investment firms, together with the ICT third-party providers that serve them. As a regulation it applies directly in every member state without national transposition, from 17 January 2025.
  • Ensuring the resilience of these entities against operational disruptions: The regulation focuses on ICT risk management, managing risks associated with ICT third-party providers, testing digital operational resilience (including threat-led penetration testing for the largest entities), and reporting major ICT-related incidents to the relevant authorities.

In essence, NIS2 casts a broader net, aiming to raise the cybersecurity baseline across various sectors, while DORA focuses specifically on the financial sector, imposing stricter requirements to ensure the stability and resilience of critical financial services.

To summarise what each instrument hopes to accomplish:

  • NIS2 (Network and Information Systems 2 Directive) aims to make cybersecurity requirements consistent across EU countries and to strengthen the overall cybersecurity posture in the EU. It applies to a wide range of sectors and organisations. As outlined above, in-scope entities are required to assess and manage risk, adopt procedures for cryptography and employee security, train staff on cybersecurity, and maintain plans for incident handling and business continuity.
  • DORA (Digital Operational Resilience Act) seeks to improve the ICT security of organisations in the financial sector, such as banks, insurance companies and investment firms. Its main focus is ensuring these organisations can withstand operational disruptions. As outlined above, DORA centres on ICT risk management, third-party risk management, digital operational resilience testing and incident reporting.

Microsoft offers a variety of resources to help partners grow their businesses, including training, support, and marketing resources. Partners can also connect with other partners through the Microsoft Partner Community and partner-led associations. Microsoft also offers a Solutions Partner designation for partners who demonstrate expertise in a particular area. Partners can also become Azure Expert MSPs. Microsoft offers a Cloud Solution Provider program to help partners sell Microsoft products and services.

Partners can also sell through the Commercial Marketplace. Microsoft also offers a new commerce experience and partner incentives.

The first point of reference and a great resource is linked here.

  • This resource helps partners understand NIS2 and DORA and how Microsoft Security solutions can be used to help customers comply with them.
  • Microsoft's partner training may also cover using Microsoft products and services to meet NIS2 and DORA obligations, although the resources above do not say so explicitly.
