NIS 2 Directive

Since 16 January 2023, what is termed the NIS 2 Directive (Network and Information Security Directive (EU) 2022/2555 of the European Parliament) has been in effect. Each EU Member State has until 17 October 2024 to implement this Directive into its national legislation. This will not only affect the companies that reside in one of the EU member states, but also others. Any entity that is part of the supply chain that provides a service to an organisation in one of the sectors might also be affected. This means that a company in New Zealand or Australia that provides for example IT services to an EU organisation in the critical service sector, will need to assess the impact and address any requirements. The directive states even that if an entity is not established in the EU, but offers services within the EU, it shall designate a representative in the EU (Article 26 (Jurisdiction and territoriality)). The directive affects a wider range of sectors compared to the previous NIS1 directive. It distinguishes between sectors of high criticality and sectors that are important.

---

DORA

The Digital Operational Resilience Act (DORA) is a European Union (EU) regulation that aims to establish a universal framework for managing and mitigating ICT risk in the financial sector.DORA consists of a set of technical standards that financial organisations and their critical suppliers must have implemented by January 17, 2025. Affected financial organisations are banks, investment firms, and credit institutions, and related organisations, such as crowdfunding and crypto-asset platforms. Third party ICT-related service providers in New Zealand and Australia are subject to DORA requirements when they are suppliers to financial entities covered by DORA. Those providers might have to set up a subsidiary in the EU and the EU supervisory authorities can conduct inspections outside the Union if necessary. If you like to know if and how DORA impacts your organisation contact us.

Share