March 07, 2024

EU Cyber Legislation Puts Emphasis on Board Responsibility


Governments around the world are tightening cybersecurity requirements, with a plethora of new laws and pending legislative proposals. The EU is no exception. Two of the most prominent EU cyber laws that will soon come into effect are the Digital Operational Resilience Act ("DORA") and the Network and Information Systems 2 ("NIS2") Directive. DORA establishes uniform cybersecurity requirements for institutions operating in the financial sector. NIS2, on the other hand, is designed to protect critical infrastructure and organizations within the EU from cyber threats. In areas where NIS2 and DORA overlap, such as banking and financial market infrastructures, the Commission has recently clarified that sector-specific rules under DORA take precedence.

Both DORA and NIS2 explicitly assign a significant portion of an organization's cyber responsibilities to the "management body," with the management body having ultimate responsibility for defining, approving, and monitoring an organization's information and communication technology ("ICT") risk management framework. ICT includes any software or hardware asset in the network and information systems used by the financial entity, such as cellular phones, computer and network hardware, and software. Failure to meet their obligations may also subject members of the management body to fines and other remedial measures.
