What is a Management Body?
Under both DORA and NIS2, a management body can be a body with managerial and/or supervisory functions. The powers and structure of management bodies vary within the EU Member State, and managerial and supervisory functions may be assigned to different bodies within an organization. In EU Member States where management bodies have a one-tier structure, a single board usually performs both management and supervisory functions. In EU Member States with a two-tier system, the supervisory function is typically performed by a separate supervisory board with no executive functions, and the executive function is performed by a separate management board, which may be responsible and accountable for the day-to-day management of the company.
This means that, depending on the national legal framework and the specific setup of the company, the management board and the supervisory board may be considered, either separately or jointly, as the 'management body' for the purposes of a particular obligation. Further guidance from national financial regulators will help to clarify this.
What Cyber Obligations do Members of Management Bodies have?
Under DORA and NIS2, the management body has ultimate responsibility for defining, approving and overseeing an organization's ICT risk management framework. This means that, as a general rule, the management body's cyber responsibilities cannot be delegated to a third party.
The obligations under DORA and NIS2 differ to some extent, but at their core the obligations are similar. In addition to managing the overall ICT risk management framework, the management body is specifically required, among other things, to:
- Policies: Put in place and periodically review cyber documentation to ensure cyber resilience, such as an ICT business continuity policy and an ICT response and recovery plan, among others;
- Governance: Set clear roles and responsibilities for all ICT-related functions and establish appropriate governance arrangements to ensure effective and timely communication, cooperation and coordination among those functions;
- Supply Chain Due Diligence: Approve and periodically review the use of ICT services provided by ICT third-party service providers, which includes regular review of the contractual arrangements for the use of ICT providers.
In addition, members of the management body shall maintain sufficient knowledge and skills to understand and assess ICT risks and their impact on the organization's operations. To this end, they are required to receive cyber training.
What are the Consequences for Failing to Meet the Obligations?
DORA requires EU Member States to implement national measures to impose administrative sanctions and remedial measures on members of the management body for certain breaches of their cyber obligations. For example, the German draft law implementing DORA provides that the German Federal Financial Supervisory Authority (BaFin) may sanction violations of DORA by the management body with orders that are "suitable and appropriate" to ensure compliance, such as cease-and-desist orders. A violation of DORA may also result in a fine of up to EUR 5 million.
NIS2 requires EU Member States to ensure that management bodies of in-scope entities can be held liable for breaches of their cyber obligations. As NIS2 – as a Directive – is transposed into national law by each EU Member State, the scope of liability may differ slightly from one EU Member State to another. For example, the German draft law implementing NIS2 provides, among other things, that members of the management body who violate their approval and oversight duties are liable to the organization for any damages incurred. The notion of "damages" includes both recourse claims against the organization and fines imposed by relevant authorities, which can be significant. The organization may not waive or settle any claims for damages.
As noted above, the cyber responsibilities of the management body generally may not be delegated to a third party, meaning that delegation is unlikely to be an efficient means to avoid liability.
Next Steps and When will NIS2 and DORA start applying?
DORA will become applicable in all EU member states on January 17, 2025. As a Directive, NIS2 must be transposed into the national laws of the Member States before it can take direct effect. Member States have until October 18, 2024 to transpose NIS2 into national law, which means that most national implementing legislation is likely to come into force on or around that date.
By these respective dates, members of management bodies of in-scope entities should be fully aware of and comply with their cyber obligations under these laws. As NIS2 has to be implemented separately in each EU Member State, the obligations may differ slightly from one EU Member State to another. This is particularly relevant for organizations with activities in more than one EU Member State.
Since both laws do not exist in a vacuum, and some obligations overlap with existing laws, a gap analysis will likely be a helpful tool for determining where DORA and NIS2 go beyond existing obligations. Organizations can benefit from basing their DORA / NIS2 compliance measures on controls, policies and procedures they already have in place based on existing laws and regulations.
