Digital resilience

Services related to Regulation (EU) 2022/2554 on digital operational resilience for the financial sector, known as DORA (Digital Operational Resilience Act), and to Directive (EU) 2022/2555, known as NIS2 (Network and Information Security 2), which protects the security of network and information systems and safeguards the operation of companies that provide critical infrastructure services.

From Cybersecurity to Digital Resilience

Digital Trust at the heart of the new regulatory framework (EU legislative acts NIS2, CERD, DORA)

The total cost of cybercrime globally was approximately $8.44 trillion in 2022 and is estimated to exceed $10.5 trillion annually in 2025, according to analysts' reports. Likewise, Gartner predicts that by 2025, 45% of organisations worldwide will have experienced an attack on their software supply chain.

Digital Resilience is not limited to Cybersecurity in the sense of preventive, detective and corrective measures that protect network and information systems, their users and other persons affected by cyber threats. It refers to the overall ability of an entity to build, assure and review its operational integrity and reliability by ensuring, directly or indirectly through services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems that support the continued provision of its services and their quality, including throughout disruptions (this is the definition of "digital operational resilience" in Article 3(1) of DORA).

In other words, it is the capability of an organisation to maintain its core operations without interruption despite threats of disruption to its digital systems, ICT-based processes or infrastructures (Digital Risk).

The new Regulatory Framework

The European Union's new regulatory framework on digital operational resilience has entered into force and, as a result, entities falling within its scope are now obliged to comply with the requirements it lays down. In particular, the adoption of the following EU legislative acts has created several new and important obligations for enterprises in relation to Cybersecurity and Digital Resilience:

- The NIS 2 Directive (Directive (EU) 2022/2555 - Network and Information Security 2) of the European Union, on measures for a high common level of cybersecurity across the Union, replaces the previous NIS Directive and extends both its scope and its requirements regarding the security protection and the strengthening of the operation of companies providing critical infrastructure services.
The transposition of Directive (EU) 2022/2555 (NIS 2) into Greek national legislation has already been completed by Law 5160/2024 of 27 November 2024.

- The CERD Directive (Directive (EU) 2022/2557, the Critical Entities Resilience Directive) of the European Union on the resilience of critical entities, repealing Council Directive 2008/114/EC.

- The DORA Regulation (Regulation (EU) 2022/2554 - Digital Operational Resilience Act) for the financial sector aims to enhance security, strengthen operational resilience and prevent disruptions to financial sector systems by mandating stringent governance, risk control and Information and Communication Technology (ICT) security practices. As regards entities of the financial sector, it is a sector-specific Union legal act in relation to Directive (EU) 2022/2555 (NIS2), so its provisions apply to those entities in place of the corresponding NIS2 requirements.

Who it concerns

The new regulatory framework on Cybersecurity and Digital Resilience expands (on the basis of NIS 2) the scope to sectors of high criticality (Annex I of the Directive) and other critical sectors (Annex II) for the social and economic life of the country, while introducing a size-cap rule for its application (see the table below).

The following entities are included regardless of size:

• Providers of public electronic communications networks
• Trust service providers and top-level domain name registries
• Other critical entities providing essential services (based on cross-border impact, public safety, public security/health, etc.)
• The central government, regions and municipalities of the country

Table - Size-cap rule in relation to its application

Category | Size threshold | Supervision
Essential entity | (a) Large-sized enterprise (250+ employees or > €50 mil. annual turnover) operating in a sector of high criticality (Annex I) | Proactive (ex-ante) supervision
Important entity | (b) Medium-sized enterprise (50+ employees or > €10 mil. annual turnover) in an Annex I sector, or a medium or large enterprise in an Annex II sector | Reactive (ex-post) supervision
Designated in accordance with national law | (c) Regardless of size | Selection based on risk profile

The DORA Regulation applies to a wide range of financial sector entities (credit institutions, payment institutions, central counterparties, trading venues, insurance and reinsurance undertakings, credit rating agencies, etc.) and to ICT third-party service providers (including, but not limited to, providers of cloud computing services, software, data analytics services and data centre services).

Administrative Fines & Other Consequences

Internal impact (on the entity)

Administrative fines (of a maximum of)

Other administrative penalties:

• Temporary suspension of the exercise of managerial functions at chief executive officer or legal representative level
• Suspension of the provision of services

External impact

Challenges

• Understanding the regulatory framework – is there a need for compliance?

• Immediate actions to start work on compliance – immediate results (Quick Wins)

• Corporate Accountability, Governance & Transparency - Management awareness

• Participation of all right stakeholders

• Risk assessment / management – Strategic Planning

• Rapidly evolving threats – Balance between security and usability/performance

• Correlation with other existing and future regulatory requirements

• Holistic approach - building on initiatives already underway ("test once, comply many")

• Encouraging information sharing on cyber threats between entities

• Supply chain security - ICT third-party risk - identification and assessment of the risk posed by ICT third-party service providers

• Resilience testing on a regular basis

• Development of a cybersecurity and digital operational resilience culture

• Adoption of the “Security by Design” principle

Approach and support services of Crowe Greece for compliance

Gap Analysis – Preparedness assessment and preparation for compliance with DORA and NIS2

Review and design of ICT and Security Risk Management framework

ICT and Security Risk Assessment

Cybersecurity Strategic Planning and Governance - Holistic Approach to compliance with regulatory framework requirements and standards

Development and support of the implementation of an Operational Programme for Cybersecurity and Digital Operational Resilience - Security Risk Transformation

ICT third-party risk Assessment / Management

Development of an Information Security Management System (ISMS) - Preparation for certification (ISO/IEC 27001)

Design and Implementation of Policies - Procedures and Controls

GRC Technologies and Control Optimisation

Assurance reports for third-party services (based on assurance standards ISAE 3000, ISAE 3402, SOC 1, SOC 2/3, etc.)

Internal Audit Support in relation to the organisation and conduct of compliance audits

Cyber-defence (technical assessments, vulnerability assessment - VA, penetration testing - PenTest, social engineering, security architecture, SAP system security, etc.)

Chief Information Security Officer services (virtual CISO - CISO as a Service)

Download our brochure

Greek edition
English edition

Contact us

Simeon Kalamatianos

Director, Technology Services and Digital Assurance
