Achieving NIS2 and DORA conformity with TÜV SÜD

Boosting cyber resilience

13 February 2025

Loss of sensitive data, enormous financial damage and disruption of public order are just some of the major societal impacts of cyber attacks on critical infrastructure and financial institutions. With this in mind, the European Union has introduced the NIS2 Directive and the Digital Operational Resilience Act (DORA) to limit these consequences. Both pieces of legislation aim to harmonize cybersecurity requirements, improve resilience and enforce compliance across the EU: DORA is a regulation that applies directly in every Member State, while NIS2 is a directive that each Member State must transpose into national law. TÜV SÜD will hold a webinar on the subject on February 25.

“According to estimates, NIS2 alone affects well over 100,000 organizations throughout the EU,” points out Richard Skalt, Advocacy Manager Cybersecurity Office at TÜV SÜD. “These regulations may even have an impact on organizations headquartered outside the EU. Although implementation is slow in many Member States, many companies are wondering how they can be sure of fulfilling the legal requirements and what measures they can put in place to boost their long-term cyber resilience.”

What is DORA?

The Digital Operational Resilience Act has applied in full since January 17, 2025. It covers financial entities in the EU (banks, insurers, investment firms, payment institutions and others) and the ICT third-party service providers on which they depend. Under DORA, these entities must implement specific ICT risk management measures, including risk assessment and contractual oversight of third-party providers and reporting of major ICT-related incidents. ICT service providers headquartered outside the EU that are designated as critical may also be required to establish a subsidiary in the EU. Organizations that fail to meet the requirements must expect substantial financial penalties.

What is NIS2?

The European Network and Information Security Directive, known as NIS2, requires organizations in critical sectors to take appropriate and proportionate technical, operational and organizational measures to manage the risks to their network and information systems, and to report significant incidents. Failure to do so can incur an array of negative consequences, from financial penalties and personal liability of management to problems in establishing or maintaining business relations with customers who must in turn assess their supply chain. NIS2 applies to companies engaged in critical operations such as energy supply, healthcare and transport, as well as to digital infrastructure and public administration.

The role of ISO standards

Many organizations affected by NIS2 and DORA already hold certification under the widely adopted international standards ISO/IEC 27001 and IEC 62443. ISO/IEC 27001 specifies how to establish, operate and continually improve an information security management system (ISMS), while the IEC 62443 series addresses the security of industrial automation and control systems and is therefore relevant for companies in which OT security is important.

“ISO standards help companies to comply with the requirements set out in NIS2 and DORA,” advises Skalt. “For example, companies holding ISO 27001 certification need to provide proof of their effective risk management system for their suppliers and service providers, as required by NIS2.”

TÜV SÜD’s webinar “Ensuring Cyber Resilience – Navigating NIS2 and DORA Compliance Across Critical Sectors” will be held on February 25 at 10 AM. To register, go to tuvsud.com/en-in/resource-centre/webinar/nis2.

Press contact: Laura Albrecht
