CYBERSECURITY


NETWORK AND INFORMATION SECURITY 2 DIRECTIVE (NIS2), DIGITAL OPERATIONAL RESILIENCE ACT (DORA) AND DRAFT CYBER RESILIENCE ACT (CRA)*

WHO WILL BE IN SCOPE?

NIS2: Operators of essential and important services across various sectors, including energy, transport, banking, health, medical devices, chemicals and digital. In-scope entities in the digital sector include infrastructure providers (including cloud computing) as well as other digital providers such as online marketplaces, search engines and social networks.

Extraterritorial Application (NIS2): NIS2 applies to in-scope operators if they offer 'Essential' or 'Important' goods and services to the EU, irrespective of their place of establishment.

DORA: Financial entities and FinTechs, including credit and payment institutions, e-money institutions, crypto-asset service providers, alternative investment fund managers and insurance undertakings; and third-party providers of critical information and communication technology (ICT) services to in-scope financial entities.

Extraterritorial Application (DORA): DORA applies to financial entities that provide services in the EU, irrespective of their place of establishment.

CRA: Manufacturers of products with digital elements, including software, IoT and hardware devices and their remote data processing solutions. Certain products that are already subject to cybersecurity requirements in sectoral legislation are outside the scope of the CRA, such as medical devices, aviation or certain connected vehicles.

Extraterritorial Application (CRA): The CRA will apply to products with digital elements sold in the EU, irrespective of where the manufacturers are established or where the products are manufactured.

WHAT ARE THE KEY OBLIGATIONS?

NIS2: Cybersecurity risk management obligations, including supply chain due diligence and amended incident notification obligations.

DORA: Requirements for operational resilience, third-party risk management (including IT outsourcing), testing of ICT tools (including threat-led penetration testing), and incident notification obligations.

Board Responsibilities (NIS2 and DORA): Senior management will be responsible for approving and overseeing the cybersecurity framework, and can be held liable for non-compliance.

CRA: New cybersecurity requirements, including cybersecurity risk assessments, supply chain due diligence, security and functionality updates and vulnerability management processes.
TIMELINE

NIS2: EU Member States are required to implement NIS2 by October 18, 2024, with significant penalties for non-compliance. National implementing legislation will likely start applying on or around that date.

DORA: DORA will generally start applying by January 17, 2025, with significant penalties for non-compliance.

CRA: Formal adoption pending; obligations would likely apply by 2025-2026 at the earliest, with significant penalties for non-compliance.

THOUGHT LEADERSHIP

NIS2 Directive: New EU Cybersecurity Rules Now In Force.

Draft Technical Standards for DORA Now Available.

EU Cyber Legislation Puts Emphasis on Board Responsibility.

EU Cyber Resilience Act Moves Closer to Adoption.



Originally Published 13 March 2024
