NIS2 and DORA Compliance and Protecting Your Atlassian Cloud Data

In late 2022, the European Parliament introduced two major pieces of legislation aiming to strengthen cybersecurity across the EU: the updated Network and Information Systems Directive (NIS2) and the Digital Operational Resilience Act (DORA).  With NIS2 requiring compliance by EU member states by October 18th, 2024, and DORA enforcement kicking in on January 17th, 2025, organizations within the EU need to act fast.

These regulations will significantly impact how businesses approach digitalization and cybersecurity. This blog dives into the details of NIS2 and DORA, explores potential compliance risks, and explains how Revyz’s Atlassian Data Protection solution can help you address these new requirements for protecting your data in the Atlassian Cloud.

NIS2 and DORA: What are they?

The Network and Information Security Directive (NIS 2) strengthens EU cybersecurity by requiring digital service providers to have robust security measures. This protects critical infrastructure from cyberattacks and ensures essential networks and systems are resilient.  It also holds top management accountable for cybersecurity compliance.

Meanwhile, the Digital Operational Resilience Act (DORA) focuses on the financial sector. It establishes a unified framework to ensure financial institutions are digitally resilient in today's tech-driven world. DORA outlines several compliance requirements, such as:

• Identifying and safeguarding critical IT systems
• Developing thorough incident response and business continuity plans
• Conducting regular risk assessments and system testing
• Implementing a reporting system for major incidents
• Monitoring and assessing the operational resilience of third-party service providers

Who do these regulations apply to? Which sectors and entities?

The directive applies particularly to two categories, with those two being “essential” entities and “important” entities. 

• Energy (electricity, district heating, oil, gas, and hydrogen)
• Transport (air, rail, water, and road)
• Banking (credit institutions)
• Financial market infrastructures (marketplaces)
• The health sector (healthcare providers and manufacturers of pharmaceuticals, etc.)
• Drinking and wastewater
• Digital infrastructure (including providers of cloud services, data centers, domain name systems (DNS), top-level domain registries (TLD) and public communication networks)
• Information and communication service providers (ICT services)
• Providers of managed services and managed security services
• Public administration  
• Space  

The "important entities" include public and private entities within:

• Postal and courier services
• Waste management
• Manufacture, production, and distribution of chemicals
• Manufacture, processing, and distribution of food
• Production of i.a., electronics, machinery, and motor vehicles
• Providers of certain digital services (online marketplaces and search engines and social networking services)
• Research (higher education institutions and research institutions). 

If you are an entity that provides a service that is essential for the maintenance of critical societal and/or economic activities—for example, a transport company—you are, in the eyes of the law, classified as an “operator of essential services.” 

This classification will involve substantial investment in your technical and organizational structure to implement and maintain the required level of risk management security.

Do these laws apply to US Companies

While NIS2 and DORA are EU regulations, US companies providing services to EU customers will still need to comply.  Understanding these regulations and adhering to NIS2 guidelines is crucial for such companies.

What are the penalties for non-compliance with NIS2 and DORA?

NIS 2 Non-Compliance Can Be Costly: Potential Fines Explained

Failing to comply with NIS 2 can result in significant fines. These fines vary depending on the classification of your organization:

• Essential Entities: Up to €10,000,000 or 2% of your global annual revenue (whichever is higher).
  
• Important Entities: Up to €7,000,000 or 1.4% of your global annual revenue (whichever is higher).
  
  

DORA Non-Compliance: A Big Bite Out of Your Bottom Line

For financial institutions, failing to meet DORA's requirements can be financially crippling. Fines can reach up to €10 million or 5% of their total annual turnover, significantly impacting their financial health and potentially damaging their brand reputation.

Steps to ensure Regulatory compliance

Achieving compliance with NIS2 and DORA requires a structured approach. Here's a breakdown of the key steps:

1. Understand Your Obligations: First, identify the specific NIS2 requirements that apply to your organization based on its classification (essential or important entity).
   
   
2. Uncover Your Risks: Conduct a comprehensive risk assessment to pinpoint the ICT (Information and Communication Technology) threats your systems face.
   
   
3. Assemble Your Team: For a successful compliance journey, involve key stakeholders across IT, legal, and risk management departments.
   
   
4. Educate Your Workforce: Equip your employees with a clear understanding of NIS2 requirements through proper training.
   
   
5. Build Resilience: Develop a robust operational resilience strategy that effectively manages ICT risks and guarantees continued operations.
   
   

Beyond the Basics

Compliance doesn't stop there. Additional steps include:

• Evaluating Third-Party Vendors: Ensure the operational resilience of your partners by assessing their security posture.
• Regular Testing: Conduct regular penetration testing and vulnerability assessments to identify and address weaknesses.
• Contingency Planning: Establish contingency and business continuity plans for swift response and recovery in case of incidents.

By following these steps, you can navigate the NIS2 and DORA landscape with confidence and ensure the security and resilience of your organization's critical infrastructure.

How can Revyz help you with compliance with your Atlassian Cloud ?

Feeling overwhelmed by the data security demands of NIS 2 and DORA for your Atlassian Cloud infra? Revyz goes beyond basic backups, offering award-winning Atlassian data management apps that simplify compliance and strengthen your security posture.

Reduce Risk, Simplify Compliance for Your Atlassian Cloud:

• Automated, Daily Backups: Ensure rapid recovery from incidents with secure, encrypted backups.
• Granular Restore: Recover specific data or configurations with pinpoint accuracy.
• Detailed Audit Logs: Track changes and identify suspicious activity for enhanced security.
• Automatic Malware Scanning: Stop threats in their tracks with real-time attachment scanning.
• Among other capabilities - reference more here

Revyz empowers you to:

• Meet compliance requirements for your Atlassian Cloud with confidence.
• Elevate your data security posture for complete peace of mind.
• Boost operational resilience with a modern data protection infrastructure.

Don't wait to safeguard your data and simplify compliance. Contact Revyz today and see how we can empower your NIS 2 and DORA journey.

References:

• The NIS2 Directive: A high common level of cybersecurity in the EU

• Digital Operational Resilience Act (DORA)

• Deloitte Whitepaper on DORA & NIS2