The European Union is gradually expanding the legal framework designed to protect organizations, both public and private, and make them more resilient against the risks of cyberattack. The NIS 2 directive and the DORA regulation are part of this global strategy to strengthen the security of information systems. One concerns essential and important entities, the other the financial sector. In both cases, CLM (Certificate Lifecycle Management) solutions provide answers to the requirements of these regulations.
NIS 2: IT security and resilience for essential and important entities
The main aim of the NIS 2 (Network and Information Systems, version 2) directive is to improve the resilience and security of critical, essential or important networks and information systems in the European Union.
In France, the Agence nationale de la sécurité des systèmes d’information (ANSSI) is responsible for transposing the directive into national law. From October 18, 2024 at the latest, NIS 2 will apply to thousands of entities in over 18 sectors, divided into two categories:
- “Essential entities”: energy, transport, banking, financial market infrastructures, healthcare, drinking water and wastewater management, digital infrastructures and public administrations.
- “Important entities”: postal and shipping services, waste management, manufacturing (food, chemicals, pharmaceuticals, critical medical equipment…), marketplaces, search engines, social networking platforms…
All companies in these sectors with 50 or more employees, or annual sales in excess of €10 million, are concerned. However, some exceptions may be made by individual Member States.
It should be noted that:
- These two new categories replace those provided for under NIS 1, namely Essential Service Operators (ESOs) and Digital Service Providers (DSPs).
- Operators of vital importance (OIV) are not concerned by NIS 2, as they already benefit from advanced supervision and regulation.
DORA regulation: IT security and resilience in finance and insurance
The European DORA (Digital Operational Resilience Act) regulation aims to strengthen the IT operational resilience of companies in the finance and insurance sector: credit institutions, investment firms, payment institutions, electronic money institutions, asset management companies, insurance and reinsurance companies, insurance and reinsurance intermediaries, etc. It includes a section on risk management in relation to third parties, in particular the IT service providers with which financial organizations contract. Its scope therefore extends far beyond just companies in these sectors.
The DORA regulation came into force on January 16, 2023, and will be applicable in the various member states by January 17, 2025 at the latest.
NIS 2 and DORA: improving IT system security
In detail, the two regulations aim to improve the security and resilience of IT systems and networks in Europe, in sectors considered essential to the European economy and society.
They impose increased requirements in terms of security measures for the entities concerned, and in particular:
- The implementation of regular audit and control policies for risks to information systems, in order to identify any weaknesses, failures or shortcomings, and rapidly implement corrective measures.
- Regular reporting on IT assets, security audits, cyber incidents, remedial action taken, etc.
- The establishment of disaster recovery plans (DRP) or business continuity plans (BCP) in the event of an incident.
- Application of policies and measures to protect cryptographic secrets.
- Implementation of policies, procedures and controls for user identification and access control.
- Deployment of multi-factor authentication solutions.
- Monitoring, detection and notification of abnormal activities and security incidents to the appropriate authorities.
- Implementation of policies for continuous improvement of cybersecurity practices.
In addition, NIS 2 and DORA encourage cooperation between EU member states in cybersecurity risk management and incident response, as digital threats are, by their very nature, cross-border.
Lastly, organizations that fail to comply with the requirements of these two regulations face substantial fines, up to €10 million.
CLM solutions: a response to these regulatory obligations
Certificate Lifecycle Management (CLM) solutions, such as BerryCert, facilitate compliance with the requirements and technical protection measures defined by these two regulations, thus contributing to the security and resilience of European organizations’ information systems.
Here are just a few examples:
- Risk management with asset identification: mapping, cryptographic inventory and scoring of digital certificates;
- Supervision, audit reports and notification of major operational and security incidents to authorities or intelligence services (number of certificates issued, for which domain, etc.);
- Centralized governance: management of certificates from issuance to expiration, revocation of expired or compromised certificates, issuance of new certificates, identification of certificates that do not comply with corporate security policies…
CLM solutions also play a key role in the event of an attack, as they enable the centralized revocation of compromised certificates. Finally, they speed up disaster recovery and IS reconstruction, thanks to inventory data and automatic regeneration of internal and external certificates.
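To make the "cryptographic inventory and scoring" and policy-compliance checks described above concrete, here is an added Python example (not BerryCert's or any vendor's code) that scores a certificate inventory against a corporate policy. The inventory entries, hostnames, dates and policy thresholds are constructed for the example; a real CLM tool would extract the same metadata from discovered certificates.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample inventory (invented hostnames and dates): the metadata a
# CLM tool would record for each certificate it discovers.
INVENTORY = [
    {"cn": "api.example.test", "not_after": "2026-03-01", "key_type": "RSA",
     "key_bits": 2048, "sig_alg": "sha256WithRSAEncryption", "self_signed": False},
    {"cn": "legacy.example.test", "not_after": "2025-06-15", "key_type": "RSA",
     "key_bits": 1024, "sig_alg": "sha1WithRSAEncryption", "self_signed": False},
    {"cn": "intranet.example.test", "not_after": "2025-05-20", "key_type": "EC",
     "key_bits": 256, "sig_alg": "ecdsa-with-SHA256", "self_signed": True},
    {"cn": "old-vpn.example.test", "not_after": "2025-04-10", "key_type": "RSA",
     "key_bits": 2048, "sig_alg": "sha256WithRSAEncryption", "self_signed": False},
]

# Assumed corporate policy; thresholds are illustrative, not a standard's values.
POLICY = {"min_rsa_bits": 2048, "min_ec_bits": 256,
          "allowed_sig_algs": {"sha256WithRSAEncryption", "ecdsa-with-SHA256"},
          "renewal_window_days": 30, "allow_self_signed": False}

# Fixed reference date so the report is reproducible (constructed for the example).
REPORT_DATE = datetime(2025, 5, 1, tzinfo=timezone.utc)

def score_certificate(cert, now, policy=POLICY):
    """Return (score, findings): 0 means compliant, higher means more urgent."""
    findings = []  # (reason, weight) pairs; weights reflect assumed risk priority
    not_after = datetime.fromisoformat(cert["not_after"]).replace(tzinfo=timezone.utc)
    if not_after <= now:
        findings.append(("expired", 10))
    elif not_after - now <= timedelta(days=policy["renewal_window_days"]):
        findings.append(("expires within renewal window", 5))
    min_bits = policy["min_rsa_bits"] if cert["key_type"] == "RSA" else policy["min_ec_bits"]
    if cert["key_bits"] < min_bits:
        findings.append((f"weak {cert['key_type']} key ({cert['key_bits']} bits)", 8))
    if cert["sig_alg"] not in policy["allowed_sig_algs"]:
        findings.append((f"disallowed signature algorithm {cert['sig_alg']}", 6))
    if cert["self_signed"] and not policy["allow_self_signed"]:
        findings.append(("self-signed certificate", 3))
    return sum(w for _, w in findings), [r for r, _ in findings]

def inventory_report(inventory=INVENTORY, now=None, policy=POLICY):
    """Rank every certificate by risk score so the worst offenders come first."""
    now = now or datetime.now(timezone.utc)
    rows = [(cert["cn"], *score_certificate(cert, now, policy)) for cert in inventory]
    return sorted(rows, key=lambda row: row[1], reverse=True)

if __name__ == "__main__":
    for cn, score, findings in inventory_report(now=REPORT_DATE):
        print(f"{score:>3}  {cn:<25} {', '.join(findings) or 'compliant'}")
```

The ranked output is the kind of list a CLM dashboard surfaces for audit reporting and for deciding which certificates to renew or revoke first.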