
NIS2 | DORA
TAKE CARE OF YOUR CYBER RESILIENCE

NIS2 fines – what are the risks for companies?

The NIS2 Directive introduces severe financial sanctions for companies that fail to meet cybersecurity requirements. The amount of the fines depends on the entity's category:

  • Critical entities can be fined up to €10 million or up to 2% of their annual global turnover (whichever is higher).

  • Important entities can be fined up to €7 million or up to 1.4% of their annual global turnover.

In addition to financial penalties, supervisory authorities can:

  • Order the implementation of specific security measures,

  • Conduct audits and inspections,

  • Temporarily ban individuals responsible for egregious violations from management positions.

Record financial penalties

The amount of the financial penalty depends on the entity's classification (key or important) and on the scale of the breach:

  • Key entities: The maximum fine is up to EUR 10 million or 2% of the total annual worldwide turnover for the preceding financial year (whichever is higher). The minimum fine in Poland is to be PLN 20,000.

  • Important entities: The maximum fine is up to EUR 7 million or 1.4% of the total annual worldwide turnover. The minimum fine threshold is PLN 15,000.

  • Special breaches: In situations that pose a direct threat to state security or human life, Polish legislation provides for fines of up to PLN 100 million.

Personal liability of management

The NIS2 Directive fundamentally changes the liability of senior management. Board members may be held personally liable for gross negligence in the area of cybersecurity:

  • Financial penalties for managers: These may amount to up to 600% of the monthly remuneration of the person managing the entity.

  • Professional bans: The supervisory authority may apply to a court for a temporary ban preventing the persons responsible for the breaches from holding management positions.

Administrative and operational sanctions

In addition to financial penalties, supervisory authorities gain a range of enforcement powers:

  • Remedial orders: An obligation to implement specific security measures or to undergo an audit at the company's expense.

  • Restrictions on activity: In extreme cases, the possibility of temporarily suspending a certification or an authorisation to conduct business.

  • Customer notification: Companies may be compelled to publicly inform the recipients of their services that serious cyber threats have occurred.

Reputational risk and criminal liability

In Poland, negligence leading to serious incidents (e.g. a leak of sensitive data or an interruption of public services) may result in criminal liability, including imprisonment for the persons managing the entity. In addition, non-compliance with NIS2 significantly increases the risk of successful ransomware attacks, which bring enormous financial and reputational losses.

CYBERSECURITY CHALLENGES FOR COMPANIES

With the introduction of the NIS2 Directive and the DORA Regulation, companies face new cybersecurity challenges that require rapid adaptation and compliance with stringent regulatory requirements. In this context, collaboration with STM Cyber professionals becomes crucial to ensuring not only regulatory compliance but also the protection of sensitive data and maintaining operational stability.

STM Cyber is a trusted partner offering comprehensive solutions tailored to the dynamically evolving digital threat landscape. Our expertise allows companies not only to meet NIS2 and DORA requirements but also to implement advanced risk management systems that minimize potential losses associated with cyberattacks.

With STM Cyber, companies can count on:

1/ Full compliance with regulations

We help you meet all network and information security management requirements, minimizing the risk of sanctions.

2/ Optimized data protection processes

Our services include security audits, monitoring, and incident response, ensuring a proactive approach to cyber threats.

3/ Risk Consultation and Support

We help you understand what actions can reduce the risk of attacks and what tools will be most effective in a given environment.

4/ Security and stability

We implement protection systems that ensure uninterrupted business operations, regardless of the challenges posed by cyber threats.

Why STM Cyber?

1/ Expertise

Our specialists have many years of experience in digital risk management, security audits, and regulatory compliance implementation.

2/ Individualized approach

We tailor solutions to the needs of your company, taking into account the specifics of your industry and the scale of your operations.

3/ Full support

From security analysis to solution implementation – we are with you at every stage of adapting to NIS2 and DORA.

NIS2

What is the NIS2 Directive?
The NIS2 Directive (Network and Information Systems Directive 2) aims to raise the level of cybersecurity in the European Union. It concerns the protection of digital infrastructure and the improvement of risk management. The new regulations extend the provisions of the National Cybersecurity System Act, imposing additional obligations on key and important entities in the public and private sectors.
Implementation of NIS2
The NIS2 Directive was published on December 22, 2022, and will enter into force on October 18, 2024. After this date, the Ministry of Digital Affairs will publish a list of companies covered by NIS2, which will have six months to adapt to the new requirements.
Scope of the NIS2 Directive
The new regulations expand the definitions of key and important entities. They require reporting serious cybersecurity incidents within 24 hours of their detection, and a full report must be submitted within 72 hours. The regulations also cover supply chain security and the implementation of risk management strategies, such as:
• Risk management policy
• Incident handling
• Business continuity policy
• Cybersecurity training
• Cryptography and encryption
• Human resources security
• Multi-factor authentication

Preparing for NIS2 implementation
To prepare for NIS2 implementation, companies must conduct security audits, business continuity audits, penetration tests, and verification of the human factor and key service providers. It is also important to improve employees' cybersecurity skills through regular training.
Consequences of non-compliance with NIS2
Non-compliance with the NIS2 Directive is associated with serious consequences, including financial penalties. Key entities may be fined at least EUR 10 million or 2% of the company's total annual turnover, while important entities may be fined EUR 7 million or 1.4% of the company's annual turnover. The NIS2 Directive also introduces the personal liability of board members for failure to comply with the new requirements.

The impact of NIS2 on the national cybersecurity system
The NIS2 Directive introduces uniform protection standards throughout the European Union, which will increase the awareness of companies and employees about digital threats. The new regulations will force greater investment in cybersecurity, allowing for the creation of strong structures and systems throughout the European Union.

Adjustment to the NIS2 Directive is crucial for increasing the security of networks and IT systems and maintaining the continuity of companies' operations in the face of growing cyber threats.

DORA

The DORA Regulation – what is it?
The Digital Operational Resilience Act (DORA for short) is an EU legal act that tightens the digital security requirements for the financial sector, fintechs, and ICT providers operating in the EU. Its main goal is to strengthen the resilience of these institutions to threats related to cybersecurity and operational disruptions, such as hacker attacks, IT failures, or human errors.

What is “digital operational resilience”?

Digital operational resilience, according to the DORA Regulation, is the ability of financial institutions to maintain the continuity, reliability, and quality of services based on ICT technologies, both internally and in cooperation with external suppliers. This means that financial institutions must be prepared for various crises and disruptions that may affect the operation of their IT systems and networks.

Background of the creation of the EU DORA Act
The DORA regulation is part of the EU legislative package on digital finance, which aims to adapt the regulatory framework to the development of financial technologies and to unify digital security standards in the financial sector. The document is based on the work and recommendations of various European institutions, such as the European Central Bank, and is a common legal act for all financial entities.

Date of implementation of DORA provisions
Financial institutions must implement DORA provisions by 17 January 2025, which means that they should start preparing to comply with the requirements of this regulation now.

Which institutions must comply with DORA?
DORA covers a wide range of entities in the financial sector, including traditional financial institutions, fintech companies, ICT service providers, and many others. In total, the regulations will apply to over 22,000 financial institutions across the European Union.
DORA Regulation Content
DORA focuses on five key areas: ICT risk management, ICT incident management, digital operational resilience testing, risk management of cooperation with external providers, and exchange of information on cyber threats.

1. ICT risk management: Financial institutions must establish a comprehensive framework for managing information and communication technology risks, including the strategies, policies, protocols, and tools necessary to effectively protect the digital infrastructure.
2. ICT incidents: DORA regulates the ICT incident management process, requiring the reporting of serious incidents to the relevant authorities and the classification of events according to specific criteria.
3. Digital operational resilience testing: Institutions must test key IT systems and applications at least once a year, covering various aspects such as open source analysis, network security assessments, scenario testing, and penetration testing.
4. Third-party risk management in the ICT industry: DORA regulates cooperation with external ICT service providers, requiring vendor assessment, the development of an exit strategy and a transition plan, and the identification of key IT service providers.
5. Information exchange arrangements: Financial institutions are required to share information on cyber threats and the results of the analysis of these threats.


Penalties for non-compliance with DORA
In the event of a breach of DORA, supervisory authorities may impose financial penalties on institutions subject to the regulation. Penalties will be tailored to the type of breach and its impact on the institution and the financial sector. Serious breaches may result in penalties of up to 10% of the annual turnover of the organization.


Benefits of implementing DORA
Implementing DORA brings many benefits to financial organizations, including:
• Increased cybersecurity
• Reduced risk
• Ensuring compliance with the law
• Avoiding financial penalties
• Building reputation


The European Union on guard for cybersecurity
The DORA guidelines, alongside the NIS2 Directive and the Cyber Resilience Act, are another step by the European Union towards strengthening digital security. Compliance with regulations, implementation of appropriate protection measures, and effective management of ICT risk are key for companies and customers, who can count on greater reliability and security of services. Therefore, institutions covered by DORA should prepare for the new requirements now to avoid sanctions and increase their competitiveness and trust in the digital services market.
