Skip to main content

DORA a NIS2 – two legislative instruments of the EU

Contact us
Submit RFP

About the instruments

The European Union is continuously strengthening its regulations to increase digital resilience in the financial sector – the DORA regulation and the NIS2 directive are part of the constantly developing regulatory framework. While NIS2 is a general directive that individual EU member states must implement into their legislation, the DORA regulation clearly specifies requirements applicable to all without exception.

How do the two instruments differ and what do they bring for the individual entities concerned? What requirements must be met and are you ready for them?

Download PDF »

What requirements need to be met – NIS2 or DORA?

If the area of your business falls under regulated financial services, or if it directly meets the definition of CASP, it will fall under the scope ofthe DORA regulation and the implementation of the regulation's requirements will therefore represent a lex specialis for you. However, the fulfillment of DORA will also de facto fulfill the requirements of the NIS2 directive, as they overlap.

If your business does not fall under the aforementioned, it is necessary to determine whether NIS2 is applicable for you. The scope of NIS2 is defined on the basis of the industry and on the basis of the enterprise size. In simple terms, the directive is applicable to medium and larger enterprises (50 or more employees or assets / annual turnover exceeding EUR 10 million) from various areas – public administration, energy, healthcare, transport, manufacturing, chemical and food industry, water and waste management, digital infrastructure and digital services and more.

Both legislative instruments represent significant progress in cybersecurity, introducing the necessary requirements and standards to strengthenthe digital resilience of financial organizations and ensure the security ofcritical services across various industries.

Organizations should act quickly to comply with these changing legal frameworks, as failure to comply can have serious consequences – from fines to business suspension. Deloitte's team of compliance, cybersecurity, legal andother industry experts offers you holistic services aimed at assessing your readiness, advising and implementing the necessary steps to fulfill your obligations under both regulations.

Introducing any changes to business practice often means aligning processes, making changes within the organizational structure and technological base. This is also why it is important to prepare a good plan and, through a nin-depth analysis of the current situation, propose an implementation roadmap and specific changes that will then need to be implemented.

DORA

See our DORA services page for more information on the Deloitte approach and the DORA Maturity Assessment Tool our specialists use for detailed analyses.

Find out more

NIS2

More information regarding NIS2 and the Czech Act on Cyber Security.

Find out more

News

DORA: Regulation on digital operational resilience and its impacts on financial entities

Regulation in the area of information and communication technology is to be unified into a single legislative act. The European Commission is preparing a set of measures including a Regulation on digital operational resilience for the financial sector (“DORA”). Read on to find out what the new legal initiative will bring and what obligations it will impose on financial entities.

How to correctly set up company compliance? Sensible rules and realistic expectations are key

Compliance is a phenomenon that attracts increasing attention in business circles. An effective compliance programme, from well-prepared codes of ethics to a balanced system of responsibility enforcement, is the foundation of high-quality, successful and secure corporate governance. However, keeping pace with the times and following the most modern trends is not an easy task for a company. Do you know how to set up such a company compliance system the right way?

Implementace nařízení DORA: Instituce EU mohou hledat inspiraci v britském modelu

The transposition of the European NIS2 Directive into the Czech legislation should be completed by mid-2024. The directive will be reflected in the new Cybersecurity Act (CSA) and related decrees and will affect approximately 6,000 companies that have not had to deal with the legal requirements for cybersecurity in practice so far. These companies will have to implement a number of measures to comply with obligations arising from the new regulation. It will be essential to involve not only IT specialists but also other experts in the whole process.

DORA: Nařízení o digitální provozní odolnosti a jeho dopady na finanční subjekty

Regulation in the area of information and communication technology is to be unified into a single legislative act. The European Commission is preparing a set of measures including a Regulation on digital operational resilience for the financial sector (“DORA”). Read on to find out what the new legal initiative will bring and what obligations it will impose on financial entities.

Contact us

Jakub Höll

Director
+420 734 353 815

Martin Antoš

Manager