NIS2 compliance: 7 strategic takeaways for global business

7 points, noted after giving another in-depth presentation to global businesses on the path to NIS2 compliance (with a flavour of DORA and GDPR):
(i) Having a broad enough team (“multidisciplinary”, “multi-stakeholder”, or however you wish to call it) is not easy for many organisations, irrespective of their size. This is nothing new, but it continues, and AI Act compliance work presents similar challenges.

(ii) There is once more a true need for advisors (whether internal or external) who are either able to understand the combination of technical and legal requirements, or who properly understand one type of those requirements and are willing and able to talk with others who have expertise in the other type. As a legal practitioner with some background in web and software development, I know the former are few and far between, but there are also ways for the latter to work together.

(iii) Many financial institutions are now firing DORA-compliance requirements at *all* their suppliers, irrespective of whether they are in fact ICT service providers for them or not (something we have also seen in questions our clients have been asking us). A lack of clear legal definitions in this respect could be seen as helping to increase cybersecurity levels across the EU, but it is in practice having the effect of overbroad, overcautious requests from financial institutions. If you are subject to DORA, not all your suppliers will be – so consider their perspective too.

(iv) Information security was never purely for the CISO and security teams, but now with NIS2 there at least appears to be a slightly broader interest in getting the cybersecurity strategy done right at management level.

(v) The combination of the Data Act, GDPR, AI Act and NIS2 can give the impression that there are certain contradictions or incompatibilities, so it is critical for organisations to properly document their strategic choices on how to make these frameworks work together. Some data protection reflexes are good for NIS2 compliance; others don’t necessarily help.

(vi) There is so much from which to draw inspiration. The Belgian cyber authority’s NIS2 Notification Guide and its CyberFundamentals framework, the Commission’s Implementing Regulation, DORA, … Too much choice kills choice, though, so you need to carefully consider what appears relevant to your organisation.

(vii) As I have said over and over again, “document everything”. NIS2 involves putting some things on paper – notably some things you might not have wished to put in writing previously. But nothing prevents you from considering how to limit your exposure and what precisely *needs* to be made available to others.

Need help with NIS2, to brainstorm or to get things moving (faster) within your organisation? Reach out!


DataLaws.net is entirely open-access, and instead of getting your data in exchange for this content, how about another trade? If this commentary saved you research time or sparked an idea, feel free to invite me over for tea, chai or a hot chocolate next time you are around Brussels or Antwerp - or invite me over to your offices for a chat!
