The end of 2022 saw the publication of the DORA regulation and NIS 2 in the EU Official Journal, and thus the official creation of a new, future cybersecurity framework in the EU.
The DORA regulation:
- will be directly applicable across the entire EU from 17 January 2025.
- will have a major impact on business undertakings in the financial sector and operators of essential ICT services for the financial sector
- will supersede the current NIS directive
- will require implementation into national legal systems by 17 October 2024, and this can be done in the form of an amendment to the National Cybersecurity System Act or new legislation implementing NIS2
- will have a major impact on critical operators with important definitions in NIS2, and the distinction between operators of essential services, digital service providers, and public entities will be abolished
These rules will be extraordinarily important for IT companies that provide SOC services or other IT services for entities that fall within the scope of governance of the DORA regulation and NIS 2.
Combined with the GDPR and Cybersecurity Act currently in force, and the AI and cyberresilience acts on which work continues, this legislation will form the foundation for the EU compliance system for IT firms.
There is an ever greater number of new laws that directly affect the IT sector, and thus IT service providers expect many challenges when adapting to the new legislation.
Often, this will require them to implement new organizational procedures and technical solutions, and make preparations with regard to formalities (to document procedures correctly and draw up the appropriate contractual conditions).
The years 2023-2024 can be expected to be a time of intensive analysis and preparation for IT firms to ensure proper IT compliance.