The impact of DORA and NIS2 in the digital domain
Directors must demonstrably control digital risks across their entire supply chain. What is the impact, and what is the shortest route to compliance?
Background of the legislation
DORA specifically targets financial institutions. NIS2 sets requirements for a much broader group of essential and important entities. At their core, both require the management of the organizations they apply to to maintain a system in which IT risks are identified and measures are taken to control them. It is not enough to look at the threats to the organization's own IT: the entire supply chain falls under this obligation, which is no small task with modern SaaS and cloud architectures.
Many directors now realize that IT management is not a side issue but a boardroom matter, if only because of the personal liability of directors that these laws entail.
DORA (a regulation) and NIS2 (a directive) are European initiatives to keep our IT reliable. They place requirements on IT systems and on the organizations that use them, and oblige directors to effectively control digital risks, including those in their entire supply chain.
Less well known is that Europe, with the eIDAS regulation, offers a system of qualified trust services that helps organizations organize security, evidential value and compliance much more easily and cost-effectively.
Europe offers a regulated system of qualified trust services
The recently revised eIDAS regulation regulates the market for qualified trust services: services that help organizations meet important security and reliability requirements more easily.
These services fulfill essential functions for online business and public traffic and are delivered by licensed providers. In the Netherlands these specialized parties are under the permanent supervision of the RDI (Rijksinspectie Digitale Infrastructuur); they carry the EU trust mark (the "Q" label) and are listed in the EU trusted list, which any relying party can check.
High certainty and lower compliance costs
Through qualified trust service providers (QTSPs), an organization can, for example, have documents signed, sealed and archived at the qualified level. Any later change to a signed or sealed document invalidates the signature or seal and is therefore detectable.
If an IT solution provides a high degree of certainty about the integrity, availability and confidentiality of information and also guarantees its evidential value, the customer is spared a large part of the compliance effort of demonstrating those properties itself.
Legal liability well regulated
A qualified electronic signature has the same legal effect throughout the EU as a handwritten signature. A qualified electronic seal likewise carries a legal presumption of integrity and correctness of origin. Both can always be traced back to the natural or legal person behind the signature or seal. A qualified archive keeps documents confidential and available, and also preserves their evidential value over time as the cryptographic algorithms originally used weaken against ever faster computers.
Lots of convenience at low cost
Solutions are easy to implement and use, which allows organizations to become compliant in a short time.
Over the past ten years Europe has launched many initiatives to modernize the market for qualified trust services, and this has paid off: the cost of qualified trust services has dropped dramatically. Ten years ago a smart card for producing qualified signatures in specialized software cost hundreds of euros; today an app on your phone lets you sign all your documents at the qualified level for a few euros per year.
Another important point that is legally enforced is interoperability. There is no vendor lock-in: an organization can support multiple qualified trust service providers simultaneously and let users choose, just as a consumer chooses their own bank when paying at a web shop.
With NIS2 Europe is fully committed to qualified trust services
Through NIS2 the Union obliges member states to promote the use of qualified trust services among essential and important entities. Furthermore, under the revised eIDAS regulation it will provide citizens with European digital identity wallets, of which qualified signing is a built-in function.
Besides the goal of a safe online society, there is a practical reason for this: keeping supervision costs manageable for companies and governments alike. An inspector who finds a qualified (Q) service at every crucial point in an organization's setup can rely on the supervision already exercised over that provider for those parts of the system and the supply chain, instead of assessing each component and supplier individually.