Digital resilience

Services related to the Regulation (EU) 2022/2554 on the Digital Resilience of the Financial Sector, also known as DORA (Digital Operational Resilience Act), and the Directive (EU) 2022/2555 NIS2 (Network Information Security 2) for protecting the information security and shielding the operation of companies that provide critical infrastructure services.

From Cybersecurity to Digital Resilience

Digital Trust at the heart of the new regulatory framework (EU legislative acts NIS2, CERD, DORA)

The total cost of cybercrime globally was approximately $8.44 trillion in 2022 and is estimated to exceed $10.5 trillion annually in 2025, according to authoritative analysts' reports. Likewise, Gartner predicts that within the next two years 45% of enterprises globally will be affected in some way by a supply chain cyberattack.

Digital Resilience is not limited to Cybersecurity in the sense of preventive, detective and corrective measures that protect network and information systems, their users and others affected by cyber threats. It focuses on the total ability of an entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems that support the continued provision of services and their quality, including throughout disruptions.

In other words, it is the capability of an organization to seamlessly maintain its core operations despite threats of disruption to its digital systems, ICT-based procedures/processes or infrastructures (Digital Risk).

The new Regulatory Framework

The new European Union Regulatory Framework for digital operational resilience has already entered into force and, consequently, the entities falling within its scope are now obliged to comply with the prescribed regulatory requirements. Specifically, the adoption of the following EU legislative acts has introduced several new and significant obligations for businesses in relation to Cybersecurity and Digital Resilience:
– The NIS 2 Directive (Directive (EU) 2022/2555 - Network Information Security 2) of the European Union, as an update of the previous NIS 1 Directive, on measures for a high common level of cybersecurity across the Union, extends both its scope and its requirements regarding the security protection and the strengthening of the operation of companies providing critical infrastructure services.
The transposition of Directive (EU) NIS2 into national legislation has already been completed with the passing of Law 5160/27-11-2024 (Transposition of Directive (EU) 2022/2555 NIS 2).

The technical, operational and organizational measures for managing cybersecurity risks that the underlying entities should take in order to align with the institutional framework (Article 15, Law 5160/2024) are further specified by Joint Ministerial Decision 1689/06-05-2025 "National Framework of Cybersecurity Requirements for Key and Important Entities".
– The European Union CERD Directive (Directive (EU) 2022/2557, "The Critical Entities Resilience Directive") on the resilience of critical entities, repealing Council Directive 2008/114/EC.
– The EU DORA Regulation on Digital Operational Resilience (Regulation (EU) 2022/2554 – Digital Operational Resilience Act) for the financial sector aims to improve security, strengthen operational resilience and prevent disruptions originating in the systems of the financial sector by mandating strict governance, risk management and Information and Communication Technology (ICT) security practices. It is considered a sector-specific Union legal act in relation to Directive (EU) NIS2 as regards financial sector entities.

Who it concerns

The new regulatory framework for Cybersecurity and Digital Resilience extends (under NIS 2) the scope of application to sectors of high criticality (Annex I) and other critical sectors (Annex II) for the social and economic life of the country, while also introducing a maximum-size rule ("size cap") in relation to its application.

(see tables below)

The following entities are included regardless of size:

• Providers of public electronic communications networks
• Trust service providers and top-level domain name registries
• Other critical entities providing essential services (based on cross-border impact, public safety, public security/health, etc.)
• The central government, regions and municipalities of the country

Tables - Size-cap rule in relation to its application

Important Entity | Reactive Supervision

Explanation:

(a) Large-sized enterprises:
> €50 mil. annual turnover | 250+ employees

(b) Medium-sized enterprises:
> €10 mil. annual turnover | 50+ employees

(c) In accordance with national law:
regardless of size | selection based on risk profile

The DORA Regulation applies to a broad range of financial sector entities (credit institutions, payment institutions, central counterparties, trading venues, insurance and reinsurance undertakings, credit rating agencies, etc.) and to third-party providers of information and communication technology (ICT) services (including, among others, providers of cloud computing, software, data analytics and data centre services).

Administrative Fines & Other Consequences

Internal impact on compliance

Administrative fines (of a maximum of)

Other Administrative Penalties:

• Temporary suspension of the exercise of managerial functions at chief executive officer or legal representative level
• Suspension of the provision of services

External Impact

Challenges

• Understanding the regulatory framework – is there a need for compliance?

• Immediate actions to start work on compliance – immediate results (Quick Wins)

• Corporate Accountability, Governance & Transparency - Management awareness

• Participation of all right stakeholders

• Risk assessment / management – Strategic Planning

• Rapidly evolving threats – Balance between security and usability/performance

• Correlation with other existing and future regulatory requirements

• Holistic approach - building on initiatives already underway (“Test once and comply to many”)

• Encouraging the information exchange on cyber threats - Promote cyber-threats sharing

• Supply chain security – ICT third-party risks - Identification / assessment of ICT third-party service provider risks

• Resilience testing on a regular basis

• Development of a cybersecurity and digital operational resilience culture

• Adoption of the “Security by Design” principle

Approach and support services of Crowe Greece for compliance

Gap Analysis – Preparedness assessment and preparation for compliance with DORA and NIS2

Review and design of ICT and Security Risk Management framework

ICT and Security Risk Assessment

Cybersecurity Strategic Planning and Governance - Holistic Approach to compliance with regulatory framework requirements and standards

Development and support of the implementation of an Operational Programme for Cybersecurity and Digital Operational Resilience - Security Risk Transformation

ICT third-party risk Assessment / Management

Development of an Information Security Management System (ISMS) – Preparation for certification (ISO/IEC 27001)

Design and Implementation of Policies - Procedures and Controls

GRC Technologies and Control Optimisation

Assurance Reports for third-party services (based on assurance standards ISAE3000, ISAE3402, SOC1, SOC2/3, etc.)

Internal Audit Support in relation to the organisation and conduct of compliance audits

Cyber-defence (Technical assessments, vulnerability analysis – VA, penetration testing – PenTest, social engineering, security architecture, SAP system security, etc.)

Virtual Chief Information Security Officer services (vCISO / CISO-as-a-Service)

Download our brochure

Greek edition
English edition

Contact us

Simeon Kalamatianos

Director, Technology Services and Digital Assurance
