Welcome to the second episode in our new four-part podcast series, Full disclosure, where we explore key cyber regulatory challenges across different regions – UK, Europe, US, and Asia.
In the second episode of our Full disclosure podcast series, host Matthew Mettenheimer (Associate Director, Cyber Advisory, US), along with Gideon Teerenstra (Head of Cyber Advisory, Netherlands) and Selma Mujcic (Associate, Cyber Advisory, Netherlands), discusses the cyber regulatory landscape across Europe. They look in detail at the scope of the legislation and how it applies, plus the implications for businesses operating within the European Union (EU).
Listen to the S-RM Insider podcast
Regulatory trends in the EU
Gideon explains that the trend seen in the EU, an increase in regulatory complexity, is common to many parts of the world. For the EU specifically, much of that complexity comes from EU-wide legislation being transposed into national regulations, combined with a shortage of skilled staff. All of this is driven not by the idea that cyber regulation or legislation is good in itself but, as he puts it, “by the fact we are seeing more and more ransomware actors wreaking havoc”.
Distinctive requirements of DORA and NIS2
Selma goes on to explain the particular differences in how two key pieces of legislation apply: the Network and Information Security Directive (NIS2) and the Digital Operational Resilience Act (DORA). Whereas DORA is an EU regulation that applies directly and is sector-specific (financial services), NIS2 is a directive that relies on transposition and interpretation by individual member states, which raises complexity for businesses with multi-nation operations. Gideon provides an indicative problem: “There are different timeframes that individual nations use to transpose the NIS2 into national law. We can see, for example, that the Belgian version is ready, whereas the Dutch version is still in draft. Of course, if you operate in both countries, this already increases the complexity and it also makes it very unclear what standards you should implement and where you should implement them.” Companies operating in several member states therefore need to track each nation's transposition separately and align their controls with each one.
Check out episode one of Full Disclosure for further details on DORA and NIS2.
The AI Act
The new AI Act (approved by the Council of the EU on 21 May 2024) establishes a regulatory framework to manage the risks associated with AI systems, focusing on their development, deployment and use. The Act is also designed to foster innovation, while ensuring that AI technologies are developed and used in a way that protects public safety, fundamental rights and ethical standards. As Selma explains, “the AI Act takes a risk-based approach, with four categories under which AI models could fall. One being 'unacceptable risk AI models'. The next level below that will be 'high risk AI models', underneath that are 'low risk' applications and finally 'no risk AI models'.”
The Act enters into force 20 days after publication in the Official Journal of the European Union. Its provisions then apply in phases, depending on the risk category of the AI system rather than of the organisation: some apply six, 12 or 36 months after entry into force, with the bulk of the obligations applying after 24 months.
Reporting and penalties for non-compliance
All three pieces of legislation impose short incident notification deadlines (NIS2, for example, requires an early warning within 24 hours of becoming aware of a significant incident and a fuller notification within 72 hours) and each carries punitive measures for non-compliance. Under DORA, administrative penalties are defined by each member state but must be ‘effective, proportionate and dissuasive’; under NIS2, fines for essential entities can reach EUR 10 million or 2% of global annual turnover, whichever is higher; and under the AI Act, the most serious infringements (prohibited AI practices) can attract fines of up to EUR 35 million or 7% of global annual turnover, whichever is higher.
All three also stress personal liability: board members and senior management bodies may be held personally liable for regulatory infringements by their organisations, and may even face professional bans. This underscores the importance of board members being informed about and involved in their organisation's risk management strategy, and of strong IT security risk awareness and training programmes across the business.
Key takeaways
- Prepare early to manage regulatory change effectively. Assess whether you are in scope of these regulations and understand what you need to do.
- Enhance third-party risk management. All three regulations demand robust third-party risk management.
- Leverage existing frameworks and control measures. Implementing a recognised framework such as ISO 27001, whose controls map onto much of what NIS2 and DORA require, will get you ahead of the curve.
Although the regulatory landscape may initially seem overwhelming, it provides an opportunity for businesses to enhance their risk management strategies and ensure robust cyber security measures. As Gideon concludes “you don't need to do everything at once, but the best time to start is today.”
Stay tuned for the next episodes in our Full disclosure series by subscribing to Latest thinking here. If you would like to discuss any of the topics raised in this podcast with the S-RM team, please do not hesitate to contact us.