Posted on Leave a comment

How to Use ISO 27001 to Comply With NIS2 and DORA

The evolving regulatory landscape, with the introduction of NIS2 (Network and Information Systems Directive) and DORA (Digital Operational Resilience Act), requires organizations, particularly those operating critical infrastructure or within the financial sector, to align their security and operational practices with stringent requirements. ISO 27001:2022, the internationally recognized standard for information security management systems (ISMS), provides a robust framework to help organizations meet the expectations of these regulations.

This article explores how ISO 27001:2022 can be used to align with NIS2 and DORA through specific mapping and application strategies for critical infrastructure and financial organizations, as well as their suppliers.

1. Mapping ISO 27001 with NIS2

NIS2, a strengthened version of the original NIS Directive, applies to essential and digital service providers. Its focus is on improving cybersecurity capabilities, risk management, incident reporting, and information sharing for critical sectors such as energy, transport, and healthcare.

ISO 27001 can be effectively mapped to NIS2 requirements by following these steps:

  • Risk management: NIS2 emphasizes risk-based security practices. ISO 27001’s risk assessment (clause 6.1.2) and treatment processes (clause 6.1.3) are integral to identifying risks to critical information systems and applying appropriate controls.
  • Incident management: Both NIS2 and ISO 27001 focus on managing security incidents. Clause 16 of ISO 27001 deals with incident management procedures and can be tailored to meet NIS2’s requirements for reporting significant incidents to national authorities.
  • Supply chain security: NIS2 places greater responsibility on securing supply chains. ISO 27001 Annex A.15 addresses supplier relationships, ensuring that the security controls extend to third-party contractors and service providers.

By leveraging ISO 27001’s existing controls, organizations can systematically address the key components of NIS2, allowing them to ensure a holistic cybersecurity posture.

2. Using ISO 27001 for Critical Infrastructure Companies

For companies operating in critical infrastructure sectors, ISO 27001 provides a structured approach to meeting the stringent cybersecurity requirements of NIS2. Specifically, it aids in:

  • Establishing a risk-based approach: Critical infrastructure organizations are required to focus on preventing and managing cyber risks that can disrupt essential services. ISO 27001’s risk assessment process (Clause 6) ensures that organizations continuously identify, analyze, and mitigate risks associated with their operational environments.
  • Ensuring operational resilience: Annex A of ISO 27001 emphasizes business continuity and disaster recovery, which are vital for critical infrastructure. These align with NIS2’s requirements for maintaining operational resilience in the face of cyber incidents.
  • Maintaining compliance with reporting obligations: NIS2 requires timely and detailed reporting of security incidents. ISO 27001’s structured incident management (Clause 16) ensures that organizations have documented procedures to detect, report, and learn from security events.

ISO 27001 helps critical infrastructure organizations stay compliant with NIS2 while improving their overall security posture and operational resilience.

3. Using ISO 27001 for Suppliers of Critical Infrastructure Companies

Suppliers to critical infrastructure companies are also subject to NIS2 requirements. They must ensure that their security practices are robust enough to protect the supply chain. ISO 27001 is particularly valuable here:

  • Supply chain risk management: ISO 27001 Annex A.15 outlines specific requirements for managing risks associated with suppliers, helping suppliers implement appropriate security controls across their relationships with critical infrastructure operators.
  • Compliance with client demands: Critical infrastructure companies often pass on compliance obligations to their suppliers. By implementing ISO 27001, suppliers can proactively demonstrate their commitment to security and regulatory compliance, fostering trust and ongoing partnerships.

ISO 27001 thus ensures that suppliers can meet the stringent security requirements expected by their clients under NIS2.

4. Mapping ISO 27001 with DORA

DORA (Digital Operational Resilience Act) applies to financial institutions and aims to ensure their ability to withstand cyber threats and operational disruptions. It emphasizes the need for robust cybersecurity, incident response, and third-party risk management.

ISO 27001 offers a practical framework that aligns well with DORA’s key requirements:

5. Using ISO 27001 for Financial Organizations

For financial institutions, ISO 27001 plays a crucial role in building a compliant and resilient cybersecurity framework:

  • Meeting DORA’s resilience requirements: Financial organizations are expected to have robust incident detection and response mechanisms under DORA. ISO 27001’s structured processes (Clause 16) ensure that organizations are prepared to detect, report, and respond to incidents, maintaining operational continuity.
  • Regulatory alignment: With DORA’s focus on governance, ISO 27001 ensures that financial organizations have the necessary security governance structure (Clause 5) in place, including roles, responsibilities, and accountability for information security management.

By adopting ISO 27001, financial institutions can align their information security frameworks with DORA’s rigorous operational resilience and risk management expectations.

6. Using ISO 27001 for Suppliers of Financial Organizations

Similar to critical infrastructure suppliers, suppliers of financial organizations face increased scrutiny under DORA. ISO 27001 helps these suppliers align with DORA’s requirements by:

  • Implementing robust security practices: ISO 27001 ensures that suppliers have standardized security practices, making them reliable partners for financial organizations and compliant with DORA’s supply chain resilience expectations.
  • Proactive risk management: Suppliers must identify, assess, and manage risks in their operations to avoid disruptions in services provided to financial organizations. ISO 27001’s risk management framework allows suppliers to continuously manage these risks in line with DORA.

By using ISO 27001, suppliers of financial organizations can ensure that they meet DORA’s operational and security demands, making them a valuable part of the financial ecosystem.

Conclusion

ISO 27001:2022 serves as a powerful tool for aligning with both NIS2 and DORA regulations. Whether for critical infrastructure companies or financial organizations, the ISO 27001 framework provides the necessary structure for risk management, incident response, and third-party security, enabling compliance with these new regulatory frameworks. Suppliers in both sectors also benefit from implementing ISO 27001, as it ensures they meet the heightened security and resilience demands of their clients under NIS2 and DORA.

The new Regulation (EU) 2023/988 on product safety, in brief

The EU Product Safety Regulation (GPSR), which came into force in May 2023, represents a significant transformation in European legislation, aiming for a safer and more transparent internal market. It introduces clear obligations for economic operators and greater guarantees for consumers.

The Regulation, which becomes mandatory on December 13, 2024, replaces the previous General Product Safety Directive of 2001 (Directive 2001/95/EC) and provides a new EU framework on product safety to keep pace with the challenges of digitalization and the growing volume of goods and products sold online.

Scope of the Regulation

The Regulation continues to focus on ensuring a high level of safety for consumers, without borders within the internal market. It introduces a series of clear definitions, including the concepts of “risk,” “importer,” and “logistics service provider,” to improve the understanding and application of the rules.

The Regulation applies to products placed or made available on the market, insofar as there are no specific provisions of Union law with the same objective governing the safety of the products in question. If products are subject to specific safety requirements prescribed by Union law, this regulation applies only to aspects and risks or categories of risks not covered by those requirements.

Product Safety Assessment

The product safety assessment is detailed in Articles 6 and 8 of the Regulation. A presumption of conformity is introduced for products that comply with European standards published in the Official Journal of the EU. Crucial aspects such as cybersecurity and artificial intelligence are also outlined.

Product safety must be assessed considering the following criteria:

  • Product characteristics, such as design, technical features, composition, packaging, and instructions;
  • Effects on other products;
  • Presentation of the product, labeling, warnings, instructions, and safety information;
  • Categories of consumers using the product;
  • The appearance of the product, particularly aspects that mimic food or attract children;
  • Cybersecurity features and any evolving, learning, or predictive functionalities of the product.

Economic Operators

The Regulation also establishes an indispensable condition for placing goods subject to the general product safety regulation on the EU market: an economic operator established in the European Union must be present and assume the responsibilities defined in Article 16. This operator is responsible for:

  • Verifying the existence of an EU declaration of conformity or performance and related technical documentation when required;
  • Retaining these documents for the period prescribed by applicable regulations;
  • Providing market surveillance authorities with the necessary information and documentation to demonstrate the product’s compliance;
  • Reporting any safety risks to the authorities. If a product is recalled, consumers will be entitled to repairs, replacements, or refunds, and may also file complaints or take part in collective actions.

Online and Distance Selling

To ensure product safety, the Regulation introduces new duties for online sales platforms. They can no longer play a purely passive role: authorities expect them to adopt internal processes for product safety and to register with the Safety Gate portal, an online tool that allows consumers to report problems and dangerous products to national and European authorities. They must also provide a single point of contact, enabling product recipients to communicate directly with them. Finally, platforms must provide consumers with information about the manufacturer or the person responsible for placing the product on the market, product identification, and any warnings associated with the products.

Risk assessment for product safety according to EU Regulation 2023/988: Practical guide to Articles 6 and 8 with example

The EU Regulation 2023/988, which came into force to strengthen product safety in the European market, introduces new requirements for risk assessment regarding the safety of products placed on the market. Articles 6 and 8 of this regulation focus respectively on the obligations of producers and those of importers and distributors, including risk assessment as one of the key elements to ensure that products are safe.

Obligations of the producer (Art. 6)

Article 6 stipulates that the producer must ensure that products are designed and manufactured in compliance with safety requirements. In this context, the producer must conduct a risk assessment, which involves:

  1. Identification of hazards: The producer must identify all potential risks associated with the product, including those related to intended use and reasonably foreseeable misuse.
  2. Assessment of the probability and severity of the risk: After identifying the risks, it is necessary to evaluate both the likelihood of occurrence and the severity of the consequences for the user or consumer.
  3. Definition of mitigation measures: Based on the assessment, the producer must adopt appropriate safety measures, such as adding warnings, adjusting the design, or using safer materials.
  4. Continuous monitoring and review: Risk assessment is not static. The producer must monitor risk evolution over time, taking into account feedback, incident reports, or changes in product use.

Obligations of importers and distributors (Art. 8)

Article 8 specifies that importers and distributors also have responsibilities for product safety. They must verify that producers have adequately conducted the risk assessment and report any discrepancies or new risks.

  1. Documentary verification: Before placing a product on the market, importers and distributors must ensure that the producer has conducted a risk assessment and that documentation is available.
  2. Random checks: When necessary, they may conduct random tests to verify product safety and report any anomalies.

Practical Example: Children’s Toy

Imagine a manufacturer designing a new plastic toy for children. To comply with EU Regulation 2023/988, they must follow these steps for risk assessment:

  1. Identification of hazards: Potential risks include choking hazards due to small parts, chemical risks from materials used, and physical injury from sharp edges or moving parts.
  2. Assessment of probability and severity: The manufacturer assesses that the risk of choking is high for children under three years old, while the chemical risk is moderate. The severity of a choking incident is extreme, while the severity of chemical exposure is moderate.
  3. Mitigation measures: The toy is redesigned to eliminate small parts, and the materials used are certified as non-toxic. In addition, labels are added specifying that the toy is not suitable for children under three years old.
  4. Monitoring: After the product is marketed, the manufacturer continues to monitor incident reports and updates the risk assessment if new data or problems arise.

DORA Compliance: Practical Tips and Common Pitfalls to Avoid

The Digital Operational Resilience Act (DORA) is a European regulation aimed at strengthening the operational resilience of financial firms by prioritizing cybersecurity and business continuity. Achieving compliance with DORA requires a structured and well-thought-out approach. Here are 10 practical tips and common pitfalls to avoid for effective compliance:

1. Understand DORA’s Requirements

First and foremost, it’s crucial to fully understand DORA’s regulatory requirements. The regulation covers a wide range of areas, from IT governance to third-party risk management and incident reporting. A thorough review and deep understanding of its provisions is the initial step toward ensuring compliance.

2. Assess Your Current Operational Resilience

Evaluating your current level of operational resilience helps identify the areas that need improvement to align with DORA. Companies should conduct a risk analysis of their cybersecurity measures and incident response capabilities, using this assessment as a foundation for planning necessary improvements.

3. Create an Incident Response Plan

DORA requires firms to have clear, updated, and actionable incident response plans. These plans should include detailed procedures on how to identify, contain, mitigate, and communicate cyber incidents to minimize the impact on critical services.

4. Manage Third-Party Vendors

One of the most common pitfalls is poor management of third-party risks. DORA imposes strict oversight of third-party vendors, especially those providing critical services. It’s essential to evaluate their cybersecurity levels and operational resilience and ensure they meet the required standards.

5. Implement Regular Resilience Testing

DORA mandates companies to regularly test their operational resilience capabilities. This can include penetration testing, cyberattack simulations, and stress testing. A common mistake is conducting these tests superficially or infrequently, reducing the overall effectiveness of the resilience strategy.

6. Maintain Up-to-Date Documentation

DORA compliance involves accurate and up-to-date documentation. Companies must keep records of all activities related to risk management, operational resilience, and incident management. A common pitfall is neglecting to review and update these documents regularly, leading to outdated information.

7. Regular Staff Training

Staff play a crucial role in operational resilience. Ensuring that employees, especially those in key areas like IT and security, receive regular training on DORA requirements and best practices in cybersecurity risk management is essential to avoid operational errors.

8. Effectively Communicate Incidents

DORA sets clear guidelines for reporting significant incidents to relevant authorities. However, timely and transparent communication within the organization and to customers is equally important. A common mistake is underestimating the importance of timely incident reporting.

9. Monitor Regulatory Changes

The regulatory landscape, particularly in technology, is constantly evolving. A common risk is complying with DORA’s initial requirements but failing to account for regulatory updates or new guidelines that may arise. Constantly monitoring changes and adjusting business processes is crucial.

10. Integrate DORA into a Broader Business Strategy

A common pitfall is treating DORA compliance as a separate initiative from the overall business strategy. Operational resilience and cybersecurity risk management should be integrated into every aspect of corporate governance to be effective and sustainable. This ensures long-term compliance and maximizes the benefits of DORA.

Conclusion

DORA compliance requires continuous commitment and a holistic approach to operational resilience. By thoroughly understanding the regulation, avoiding common pitfalls, and implementing practical strategies, organizations can effectively align with its provisions and protect themselves from increasing cyber risks.

10 FAQs (Frequently Asked Questions) to help understand and comply with the NIS 2 Directive requirements

1. What is the NIS 2 Directive?

The NIS 2 (Network and Information Systems) Directive is an update to the 2016 NIS Directive aimed at strengthening cybersecurity and resilience in digital infrastructure across the European Union. It applies to a wide range of sectors, including energy, transport, healthcare, finance, and digital infrastructure.

2. Who is subject to the NIS 2 Directive?

NIS 2 applies to organizations of “essential importance” and “significant importance.” These entities include critical infrastructure, digital service providers, and companies operating in strategic sectors such as energy, transport, finance, healthcare, and telecommunications.

3. What are the main compliance requirements of the NIS 2 Directive?

Organizations must implement adequate technical and organizational measures to prevent, manage, and mitigate risks to the security of networks and information systems. This includes incident management, business continuity, supply chain security, protection against cyberattacks, and compliance with incident reporting obligations.

4. What are the key differences between NIS and NIS 2?

NIS 2 extends the scope to more sectors and enforces stricter penalties for non-compliance. It also introduces more rigorous governance, risk management, and cooperation requirements among EU Member States.

5. How can I determine if my company is subject to NIS 2?

Your company is subject to NIS 2 if it operates in one of the critical sectors listed in the directive. Typically, EU Member States are responsible for formally identifying entities subject to the new rules. It is advisable to check with national authorities and assess the potential impact on your organization.

6. What are the penalties for non-compliance with NIS 2?

Non-compliance with NIS 2 can result in significant administrative penalties, which may vary depending on the EU country and the severity of the breach. Fines can be up to 2% of the annual global turnover or €10 million, whichever is higher.

7. What are the deadlines for compliance with NIS 2?

NIS 2 must be transposed by EU Member States by 2024. Entities subject to the directive need to be prepared to comply with the new rules within the deadlines set by national regulations.

8. How can I implement a security management system compliant with NIS 2?

Implementing a compliant system requires thorough risk analysis, the definition of security policies, staff training, technical solutions such as firewalls, intrusion detection systems, vulnerability management, and a response plan for security incidents.

9. What security measures are required to protect critical systems?

Security measures include perimeter protection, data encryption, continuous network monitoring, vulnerability management, regular system audits, and a business continuity plan to ensure that essential services can continue during and after a cyberattack.

10. How does incident reporting work under NIS 2?

Entities subject to NIS 2 are required to promptly notify significant incidents to competent authorities (such as CERTs or national cybersecurity authorities). The notification must occur within 24 hours of identifying the incident, with regular updates on the resolution status.

These FAQs provide a basic guide, and each organization should consult legal and technical advisors to ensure proper compliance with the NIS 2 Directive.

NIS 2 – Implementation Steps for Cybersecurity Risk Management Measures

Complying with regulations like the NIS 2 Directive can be complex, but having a clear plan simplifies the process. Below are the best practices for achieving compliance with Chapter IV of the NIS 2 Directive, which focuses on “Cybersecurity risk-management measures and reporting obligations.” This chapter is crucial for essential and important entities to comply with.

Step 1: Gain support from senior management
Although compliance with NIS 2 is mandatory, it is essential to secure senior management’s active support. Without it, the project may face delays, lack funding, and experience obstacles at every stage.

Step 2: Establish project management
Given the complexity of NIS 2, it is critical to approach it as a formal project, with clear roles, responsibilities, milestones, and outcomes. A structured management approach is key to success.

Step 3: Conduct initial training
Cybersecurity training is emphasized in NIS 2. Early training helps all involved parties understand the regulation and its importance, facilitating a smoother project initiation.

Step 4: Develop an Information System Security Policy
A top-level policy, while not required by NIS 2, is best practice according to international standards. It defines cybersecurity goals, responsibilities, and success metrics.

Step 5: Define the Risk Management Methodology
To comply with NIS 2, a clear risk management process is necessary, detailing how risks are assessed and managed within the organization.

Step 6: Conduct risk assessment and treatment
Identify potential threats to information systems, assess the risks, and implement mitigation measures for the most critical threats, ensuring actions are based on a comprehensive analysis.

Step 7: Create and approve a Risk Treatment Plan
This plan outlines the cybersecurity measures to be implemented, including timelines and responsibilities. Approval from senior management is crucial.

Step 8: Implement cybersecurity measures
Implement new security processes, activities, and potentially technologies, based on the risk assessment outcomes. Formalize these through documented policies and procedures.

Step 9: Strengthen supply chain security
NIS 2 highlights the importance of managing risks related to suppliers. Assess suppliers’ vulnerabilities and include security clauses in contracts.

Step 10: Assess cybersecurity effectiveness
Monitor cybersecurity continuously, conduct internal audits, and perform management reviews to ensure the effectiveness of cybersecurity measures.

Step 11: Implement incident reporting protocols
Significant incidents must be reported to the CSIRT or relevant authority, along with service recipients, following a defined reporting process.

Step 12: Continue cybersecurity training
Regular training for all employees, including senior management, is essential. Focus on relevant topics and choose cost-effective training methods.

Step 13: Conduct periodic internal audits
Although not required by NIS 2, regular internal audits are best practice for identifying nonconformities and providing senior management with an accurate cybersecurity status.

Step 14: Conduct periodic management reviews
Formal reviews provide senior management with the information needed to make key decisions about cybersecurity, including budget allocation and defining objectives.

Step 15: Execute corrective actions
Corrective actions ensure that any identified nonconformities are addressed, preventing recurrence.

What are the main cybersecurity requirements of NIS 2?

Surprisingly, only Chapter IV “Cybersecurity risk-management measures and reporting obligations” defines what essential and important entities must do to comply with NIS 2. All the other chapters are not relevant for these companies, because they specify the obligations of the EU countries (Member States), and what government agencies must do to enforce NIS 2.

Chapter IV has the following articles:

  • Article 20 – Governance
  • Article 21 – Cybersecurity risk-management measures
  • Article 22 – Union level coordinated security risk assessments of critical supply chains
  • Article 23 – Reporting obligations
  • Article 24 – Use of European cybersecurity certification schemes
  • Article 25 – Standardisation

Obligations under the DORA (Digital Operational Resilience Act) Regulation

The DORA Regulation, once in force (15/1/2025), will require all affected entities to adopt specific technical and organisational measures to ensure digital operational resilience.

The financial institutions involved will have to prioritise the implementation of an ICT risk management process, aimed at identifying cyber threats in advance and minimising the impact of cyber incidents. The main responsibility for this process will lie with the company’s management body, which will have to assume ‘full and ultimate responsibility’ for:

  • ICT risk management;
  • The definition and approval of the digital operational resilience strategy;
  • The review and approval of the company’s policy regarding third-party ICT service providers.

Risk Assessment Approach

In detail, the DORA Regulation establishes the adoption of a risk assessment approach that includes:

  • The definition of requirements to harmonise the ICT risk management process with a comprehensive view of business processes;
  • The creation of an ICT Risk Management Framework;
  • The development of a resilient strategy for Disaster Recovery and Business Continuity.

Financial institutions will also need to be able to classify cyber threats and incidents related to ICT vendors, based on criteria established by the DORA Regulation, such as:

  • The number and significance of customers or financial counterparties involved;
  • The duration of the incident;
  • The loss of data, assessing the availability, authenticity, integrity and confidentiality of the data.

Internal Procedures and Communication

Institutions should establish internal procedures to identify, record and categorise incidents, assigning roles and responsibilities and developing communication plans for stakeholders, including board members.

Incident classification and tracking underpin the reporting system to the competent bodies provided for in Article 46 of the DORA Regulation. This includes:

Compliance with Third Party ICT Service Providers

In the context of ICT risk management, the DORA Regulation also imposes obligations towards third-party suppliers, requiring:

  • The identification, classification and documentation of all processes that depend on third-party suppliers;
  • The inclusion of contractual clauses to ensure adequate monitoring of supplier activities on services critical to financial operations.

Information Sharing and Resilience Testing

The DORA Regulation also promotes, through Article 45, a voluntary cyber threat intelligence sharing programme among financial actors, aimed at preventing new threats and improving the resilience of the financial ecosystem.

Finally, financial institutions will have to regularly test their operational resilience through periodic tests based on the Threat Led Penetration Testing method, tailored to the size, type of business and risk profile of the institution.

Introduction to DORA – Digital Operational Resilience Act

The Digital Operational Resilience Act (DORA) Regulation 2022/2554/EU is a European regulation that aims to strengthen the digital operational resilience of the EU internal market in the context of increasingly sophisticated cyber threats.

The DORA Regulation sets out the technical standards that financial entities and their critical third-party technology service providers must implement in their ICT systems by 17 January 2025.

Target audience
The DORA Regulation is aimed at banks, insurance companies, financial institutions and ICT service providers.

What it establishes
DORA sets out the technical requirements for financial entities and ICT providers in four areas:

  • ICT risk management and governance
  • Incident reporting and response
  • Digital operational resilience testing
  • Third Party Risk Management

  1. ICT Risk Management (Articles 5-16)
    The first pillar of DORA concerns operational risk management. Financial entities are required to identify, categorise and manage the operational risks associated with their digital activities, involving the entire organisation in adopting and maintaining measures to meet the identified tolerance level, with particular emphasis on critical functions and on the evolution of Business Continuity into comprehensive resilience systems.
  2. ICT Incident Management (Articles 17-23)
    Incident management is a key aspect of ensuring operational resilience in the financial sector and digital services, and the DORA Regulation sets out guidelines involving a rapid, coordinated and well-planned response to events that threaten the security and business continuity of companies in the digital environment, as well as conducting a post-mortem analysis to identify lessons learned and areas for improvement. This continuous learning process is essential to strengthen operational resilience and prevent future similar incidents.
  3. Digital Operational Resilience Testing (Articles 24-27)
    With a view to achieving operational resilience, it is important to adopt testing as an integral part of the risk management strategy. DORA-compliant digital operational resilience testing aims to assess an organisation’s ability to withstand and recover from adverse events in the digital environment.
  4. Third Party ICT Risk Management (Articles 28-30)
    Third Party Management according to the DORA Regulation requires companies to proactively and carefully manage third party relationships to protect digital infrastructure and ensure operational resilience by assessing and monitoring the risks associated with the ICT vendor supply chain in relation to the type, criticality and number of services provided. Financial entities are required to conduct thorough due diligence before engaging with a third party and monitor it over time, integrate security requirements into contracts, and define contingency measures in the event of contract termination.
  5. Information and Intelligence Sharing (Article 45)
    The fifth pillar of DORA promotes collaboration and information sharing between financial entities and competent authorities to protect against common threats, vulnerabilities, and to support overall defence capabilities to effectively address digital threats, including cross-border threats.