Governments around the world are tightening cybersecurity requirements, with a plethora of new laws and pending legislative proposals. The EU is no exception. Two of the most prominent EU cyber laws that will soon come into effect are the Digital Operational Resilience Act ("DORA") and the Network and Information Systems 2 ("NIS2") Directive. DORA establishes uniform cybersecurity requirements for institutions operating in the financial sector. NIS2, on the other hand, is designed to protect critical infrastructure and organizations within the EU from cyber threats. In areas where NIS2 and DORA overlap, such as banking and financial market infrastructures, the Commission has recently clarified that sector-specific rules under DORA take precedence.

Both DORA and NIS2 explicitly assign a significant portion of an organization's cyber responsibilities to the "management body," which has ultimate responsibility for defining, approving, and monitoring the organization's information and communication technology ("ICT") risk management framework. ICT includes any software or hardware asset in the network and information systems used by the financial entity, such as cellular phones, computer and network hardware, and software. Failure to meet their obligations may also subject members of the management body to fines and other remedial measures.

What is a Management Body?

Under both DORA and NIS2, a management body can be a body with managerial and/or supervisory functions. The powers and structure of management bodies vary among EU Member States, and managerial and supervisory functions may be assigned to different bodies within an organization. In EU Member States where management bodies have a one-tier structure, a single board usually performs both management and supervisory functions. In EU Member States with a two-tier system, the supervisory function is typically performed by a separate supervisory board with no executive functions, and the executive function is performed by a separate management board, which may be responsible and accountable for the day-to-day management of the company.

This means that, depending on the national legal framework and the specific setup of the company, the management board and the supervisory board may be considered, either separately or jointly, as the 'management body' for the purposes of a particular obligation. Further guidance from national financial regulators will help to clarify this.

What Cyber Obligations do Members of Management Bodies have?

Under DORA and NIS2, the management body has ultimate responsibility for defining, approving and overseeing an organization's ICT risk management framework. This means that, as a general rule, the management body's cyber responsibilities cannot be delegated to a third party.

The obligations under DORA and NIS2 differ to some extent, but at their core the obligations are similar. In addition to managing the overall ICT risk management framework, the management body is specifically required, among other things, to:

  • Policies: Put in place and periodically review cyber documentation to ensure cyber resilience, such as an ICT business continuity policy and an ICT response and recovery plan, among others;
  • Governance: Set clear roles and responsibilities for all ICT-related functions and establish appropriate governance arrangements to ensure effective and timely communication, cooperation and coordination among those functions;
  • Supply Chain Due Diligence: Approve and periodically review the use of ICT services provided by ICT third-party service providers, which includes regular review of the contractual arrangements for the use of ICT providers.

In addition, members of the management body shall maintain sufficient knowledge and skills to understand and assess ICT risks and their impact on the organization's operations. To this end, they are required to receive cyber training.

What are the Consequences for Failing to Meet the Obligations?

DORA requires EU Member States to implement national measures to impose administrative sanctions and remedial measures on members of the management body for certain breaches of their cyber obligations. For example, the German draft law implementing DORA provides that the German Federal Financial Supervisory Authority (BaFin) may sanction violations of DORA by the management body with orders that are "suitable and appropriate" to ensure compliance, such as cease-and-desist orders. A violation of DORA may also result in a fine of up to EUR 5 million.

NIS2 requires EU Member States to ensure that management bodies of in-scope entities can be held liable for breaches of their cyber obligations. Because NIS2, as a Directive, is transposed into national law by each EU Member State, the scope of liability may differ slightly from one EU Member State to another. For example, the German draft law implementing NIS2 provides, among other things, that members of the management body who violate their approval and oversight duties are liable to the organization for any damages incurred. The notion of "damages" includes both recourse claims against the organization and fines imposed by relevant authorities, which can be significant. The organization may not waive or settle any claims for damages.

As noted above, the cyber responsibilities of the management body generally may not be delegated to a third party, meaning that delegation is unlikely to be an efficient means to avoid liability.

Next Steps and When Will NIS2 and DORA Start Applying?

DORA will become applicable in all EU Member States on January 17, 2025. As a Directive, NIS2 must be transposed into the national laws of the Member States before it can take direct effect. Member States have until October 18, 2024 to transpose NIS2 into national law, which means that most national implementing legislation is likely to come into force on or around that date.

By these respective dates, members of management bodies of in-scope entities should be fully aware of and comply with their cyber obligations under these laws. As NIS2 has to be implemented separately in each EU Member State, the obligations may differ slightly from one EU Member State to another. This is particularly relevant for organizations with activities in more than one EU Member State.

Since neither law exists in a vacuum, and some obligations overlap with existing laws, a gap analysis will likely be a helpful tool for determining where DORA and NIS2 go beyond existing obligations. Organizations can benefit from basing their DORA / NIS2 compliance measures on controls, policies and procedures they already have in place under existing laws and regulations.


© Copyright 2024. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.