Three important EU cybersecurity-related legislative acts have finally been published in the EU Official Journal on 27 December 2022 and will come into force on 16 January 2023:
All aiming at strengthening the resilience of certain entities and partly overlapping in the scope of application, these legislative acts have different focus areas: While the NIS 2 Directive aims to respond to the security concerns for the cyber dimension, the RCE Directive sets out rules to reduce the vulnerabilities and strengthen the physical resilience of critical entities. The DORA on its part, lays down uniform requirements concerning the security of network and information systems supporting the business processes of financial entities and addresses both, the digital as well as physical dimension.
As to the next steps, by 17 October 2024, Member States will need to adopt and publish the measures necessary to comply with the NIS 2 as well as the CER Directive. They will apply those measures from 18 October 2024 and the DORA will apply from 17 January 2025.
The article describes the key takeaways of the new legislation and highlights some important actions organisations should have in place before the DORA respectively the national implementation of the NIS 2 and CER Directives apply.