Cyber security: Resiliency by Shoosmiths

In the digital age, cyber security and system resiliency are not just technology issues, they’re legal ones too. 

Cyber security

The legal landscape is adapting to the ever-evolving cyber threats and the cost of cybercrime is predicted to hit £8.4 trillion by 2025. In addition to cyber threats, as we become ever more reliant on digital infrastructure to power our critical infrastructure, laws aimed at strengthening the way in which organisations embed resiliency into their infrastructure, information processing systems and connected devices has become a priority for law makers.

In Europe, with the advent of new cyber resiliency frameworks, including the NIS2 Directive (NIS2) the Digital Operational Resiliency Act (DORA) and the Directive of Resiliency of Critical Entities (CER) and the soon to be passed  the Cyber Resiliency Act (CRA) (to name but  a few), the regulatory landscape has adapted in way which places InfoSec at the forefront of an organisation’s legal and risk posture. Navigating this complex and continually shifting landscape presents a sizeable challenge for organisations moving into 2024 and beyond.

Resiliency by Shoosmiths

Our firm offers a multidisciplinary team of experts who cater to a range of specialisms and sectors, including critical sectors such as telecoms, energy, and financial services. We understand that each sector has unique challenges and requirements, and through Resiliency we are able to assist your organisation in creating and implementing Data Governance frameworks that are tailored to your sectoral needs.


Download icon
Resiliency by Shoosmiths download

To assist you on your journey to NIS2 compliance, we have prepared the following useful downloads; NIS2 directive, NIS2 checklist and NIS2 river flow for compliance. Download all three here.

Download

Core tenets of our offering

Implement

  • scoping which applicable UK and EU cyber legislation laws apply to your sector.
  • detailed understanding of the applicability of NIS2 Directive, CER Directive, the Cyber Resiliency Act, DORA, proposed AI Regulation, and other sectoral laws.
  • mapping the identified legislation to your digital assets, information systems, critical services, and products. Categorisation of information systems by criticality, based on the relevant legislative requirements.
  • identifying and implementing mandatory registration requirements (e.g., under the NIS2).

Govern

  • creating a holistic Data Governance and Cyber Resiliency Framework to manage your organisation’s compliance with the applicable rules.
  • adapting that Framework to existing information security management frameworks.
  • determining resiliency baselines and stress testing.
  • gap-analysis of existing cyber security and disaster recovery estate and creation of technology roadmaps and improvement plans.
     

Outsource

  • designing outsourcing strategies to derisk supply exposure.
  • enhancing vendor management and contractual processes to ensure cyber resiliency throughout the supply chain.
  • implementing mandatory contractual processes (e.g., DORA’s Article 30 obligations).
  • assisting clients with the maintenance of mandatory records (e.g. , material outsourcing registers).
     

Respond

  • a revolutionary approach to breach management, cyber incident management, and information reporting.
  • centralized crisis line and access to a network of expert third parties, from data forensics to ransomware negotiation.
  • regulatory engagement and legal defence.
     
 

NIS2 Directive

The EU’s new Network and Information Systems Directive (NIS2) came into effect on 16 January 2023 and enhances the scope of the EU’s cyber security risk management regime. NIS2 aims to strengthen the cyber security posture of businesses across the EU and enhance cooperation between Member States. 

NIS2 Directive primarily targets organisations that provide key services in vital sectors including energy, transport, banking, financial market infrastructures, healthcare, utilities, and digital infrastructure. Additionally, it extends to critical suppliers within these sectors, encompassing both direct providers such as digital service and cloud computing services, as well as indirect suppliers whose services are integral to the digital infrastructure of those critical sectors.

EU Member States have until 17 October 2024 to transpose NIS2 (the Directive) into national law, and those measures will apply from 18 October 2024. Under the NIS2, organisations face substantial fines and sanctions for non-compliance, which can reach up to €10 million or 2% of global turnover (whichever is greater). Regulators are also granted robust audit and oversight powers, which include enhanced authority to conduct detailed on-site inspections.

The UK is currently introducing equivalent legislation aimed at enhancing the cyber security of both information systems and digital products. 

Download our helpful checklist to help you identify the compliance steps you need to take, such as preliminary scoping and assessment, governance and gap analysis, legal and registration, technical and security, incident management and breach response and also training, vendor management and audit and assurance. 


Download icon
NIS2 guidance documentation

To assist you on your journey to NIS2 compliance, we have prepared the following useful downloads; NIS2 directive, NIS2 checklist and NIS2 river flow for compliance;

Download

 

 

DORA

The Digital Operational Resilience Act (DORA) was enacted in 2023, representing a significant enhancement in the cyber security and operational resiliency framework across the EU’s financial sector.

DORA targets a wide range of financial entities, including banking providers, credit institutions, investment firms, insurance companies and crypto-asset service providers. It also directly applies to third-party service providers supplying 'critical' services to those financial entities, such as cloud providers. In addition, as a consequence of enhanced resiliency requirements and vendor management, it will also indirectly impact a significant proportion of the financial services digital supply chain.

At its core, DORA introduces new requirements that regulate how organisations implement cyber security and operational resiliency controls, enabling them to withstand, respond to, and recover from all types of digital disruptions and threats. Additionally, DORA introduces new mandatory registration and reporting criteria, significantly changing how in-scope organisations report incidents and outsource aspects of their services and infrastructure to third parties. 

Moreover, DORA introduces stringent oversight and audit requirements. It empowers regulators with enhanced supervisory tools, including the ability to conduct on-site digital operational resilience testing and mandatory incident reporting. This ensures that financial entities not only comply with robust cyber security standards but also continuously improve their ICT risk management frameworks. For critical third-party providers (TPPs), this will mean falling under the direct oversight of a supervisory authority who will engage in regular audits of TPPs cyber security and resiliency frameworks. TPPs will also be required to register and pay annual fees to cover the cost of the authority’s auditing and oversight role.

EU Member States are in the process of adopting and publishing national laws necessary to enact the supervisory aspects of DORA, with all organisations required to comply by 17 January 2025. Under DORA, non-compliant organisations and individuals may face significant penalties. The level of the penalty, set by each Member State's supervisory authority, is expected to include periodic penalty payments of up to 1% of the average daily worldwide turnover and fines of up to €1 million for individuals, with criminal penalties for individuals also anticipated.

In line with DORA, the UK is exploring similar regulations to strengthen the operational resilience of its financial services sector, focusing on mitigating ICT risks and enhancing system robustness.

Through Resiliency we have developed a tailored governance framework and vendor management program that is specifically catered towards DORA compliance.

 

Download icon
DORA guidance documentation

To learn more about how we can assist organisations on DORA compliance and to understand more about how DORA may impact your organisation, we have prepared the following useful downloads; DORA Resiliency Overview and DORA Contract Guidance.

Download

Insights