29.04.2025
New regulations for your ISMS: your IT security needs to meet these regulatory requirements
In recent years, a number of new IT security regulations have created significant challenges for organisations. These laws require organisations to take comprehensive measures to secure their IT infrastructure and data. In light of these growing requirements, it is a good idea to implement an Information Security Management System (ISMS). An ISMS not only helps to meet legal requirements, but also helps to improve the overall security posture of an organisation.

Dr. Jan Scharfenberg
Director Information Security
NIS2 (Network and Information Security Directive)
The NIS2 Directive entered into force in January 2023 and had to be transposed into national law by EU member states by 17 October 2024. It extends the scope of the original NIS Directive from 2016 and sets stricter security requirements for the entities it covers, which are now classified as essential and important entities.
Covered entities must take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of their network and information systems. The NIS2 Directive also includes extended reporting obligations in the event of significant security incidents and stricter sanctions, including management liability, in the event of breaches.
DORA (Digital Operational Resilience Act)
The Digital Operational Resilience Act focuses on strengthening operational resilience in the financial sector. Financial entities are required to implement robust ICT risk management systems and processes so that they can withstand, respond to and recover from cyber-attacks and other ICT-related disruptions.
This includes regular testing and evaluation of IT security measures, as well as contingency plans and crisis exercises. The obligations set out in the regulation apply to covered entities from 17 January 2025.
CER Directive (Critical Entities Resilience Directive)
The CER Directive entered into force alongside the NIS2 Directive in January 2023 and had to be transposed into national law by October 2024. In Germany, transposition is planned through the KRITIS umbrella act (KRITIS-Dachgesetz), which addresses operators of critical infrastructure.
It requires these organisations to carry out comprehensive risk analyses and implement appropriate measures to strengthen their resilience to a range of threats, including natural disasters, terrorist attacks, insider threats and sabotage. Unlike the NIS2 Directive, which covers cybersecurity, the CER Directive addresses physical and organisational resilience.
CRA (Cyber Resilience Act)
The Cyber Resilience Act entered into force on 10 December 2024; its main obligations apply from 11 December 2027, with the reporting obligations for actively exploited vulnerabilities applying earlier, from 11 September 2026. It is designed to protect consumers and businesses that buy or use products with digital elements, including software. Manufacturers, importers and distributors will have to comply with mandatory cybersecurity requirements, ensuring protection throughout the product's lifecycle.
Obligations include secure-by-default design, implementing processes to identify and quickly fix security vulnerabilities, providing security updates for the product's support period, and reporting actively exploited vulnerabilities and severe incidents.
AI Act (Regulation on artificial intelligence)
The Artificial Intelligence Act (AI Act) was published in the Official Journal of the EU on 12 July 2024 and entered into force on 1 August 2024. Its provisions and resulting obligations apply in stages: the prohibitions on unacceptable-risk AI practices from 2 February 2025, the obligations for general-purpose AI models from 2 August 2025, and most of the remaining obligations, including those for high-risk AI systems, from 2 August 2026.
The Act aims to make the use of AI systems safer and more transparent. It follows a risk-based approach and sets out requirements for the development, deployment and use of AI systems, in particular with regard to risk assessment, transparency, human oversight and data governance.
Supplementary regulations in IT security law
In addition to the laws mentioned above, there are numerous other regulations that affect IT security. These include the IT Security Act 2.0 (IT-Sicherheitsgesetz 2.0) in Germany, which places specific requirements on the security measures of operators of critical infrastructure, and the General Data Protection Regulation (GDPR), which sets out comprehensive requirements for the protection of personal data, including appropriate technical and organisational security measures (Art. 32) and the notification of personal data breaches to the supervisory authority within 72 hours (Art. 33).
These regulations complement and strengthen the requirements for IT security in organisations.