DORA, NIS2 and CRA: Decoding Europe’s Cybersecurity Regulatory Landscape

The current cybersecurity and resilience landscape is characterised by a significant increase in regulatory pressure and complexity. DORA, NIS2 and CRA are among the most important regulations. What are the key issues and challenges for businesses, regulators and administrations?


In the face of the growing sophistication and impact of cyberattacks, organisations are adopting cybersecurity best practices to protect themselves. At the same time, the current landscape is characterised by a marked increase in the pressure and complexity of cybersecurity and resilience regulation, driven by the need to protect increasingly interconnected sectors and to secure their operational stability. Improving operational resilience is a shared goal, and one in which physical and logical security must be addressed jointly and holistically.

DORA (Digital Operational Resilience Act), NIS2 (the second Network and Information Systems directive) and CRA (Cyber Resilience Act) are part of the complex body of European cybersecurity regulation developed in recent years. They complement obligations derived from the GDPR (General Data Protection Regulation), from telecommunications sector regulation, from the Cybersecurity Act (CSA), which establishes the European cybersecurity certification framework, and from the Critical Entities Resilience Directive (CER), which covers critical entities providing essential services.

We will briefly focus on these first three acts, which we will explore in more detail in future publications. The challenge lies not only in the complexity of each act, but also in the interoperability between them, the deadlines they set and the interrelation between the competent authorities. Coordination and regulatory simplification, in particular in the implementing acts, and the compliance and certification work required of the actors concerned, are the challenges ahead.

In addition to its comprehensive, security-by-design strategy, Telefónica has spent the last few years preparing, both in terms of its own sectoral obligations and as a trusted provider of communications, cybersecurity and technology (ICT) services to different sectors.

DORA: The resilience and cybersecurity act applicable to the financial sector and to communication and technology service providers

On 17 January 2025 the DORA Regulation became applicable, and with it came the rush on the part of the main players (financial institutions, communication and technology service providers (ICT), and supervisory and certifying bodies) to have everything ready.

Regulation (EU) 2022/2554, published in December 2022, known as DORA (Digital Operational Resilience Act) and directly applicable to the financial sector, aims, among other objectives, to:

  • Harmonise the various regulations aimed at different types of companies in the financial sector (credit and payment institutions, insurance and intermediation, pension funds, fund managers, etc.), in a single regulation that now encompasses a larger number of entities.
  • Focus the efforts of financial institutions on having and maintaining a robust ICT risk management framework, with a direct and demanding impact on the ICT providers that support the essential services and/or products of these institutions.

DORA’s comprehensive framework for financial institutions

Now that the Regulation applies, the operation and maintenance phase begins, in which lessons and best practices will be drawn from resilience testing, from the risk management framework and its impact on organisational and sectoral resilience, and from incident reporting.

This will undoubtedly lead the way in the adoption of best practices in other sectors, in areas such as business continuity and supply chain security.

NIS2: The directive on the protection of network and information systems applicable to 18 critical sectors

The NIS2 Directive on the protection of network and information systems (Directive (EU) 2022/2555 of 14 December 2022) establishes a unified legal framework to improve resilience and cybersecurity in 18 critical sectors across the EU, generally applicable to medium-sized and large companies. For financial entities, DORA applies in place of the corresponding NIS2 obligations, since DORA is lex specialis to NIS2.

This new directive updates and strengthens the previous directive, NIS1, with the aim of improving cybersecurity capabilities and coordination in Europe. It introduces risk management measures and notification requirements that extend to a larger number of sectors, including telecommunications (which previously had its own sectoral regulation). It also calls for an update of national cybersecurity strategies and establishes stricter cybersecurity requirements, in particular in relation to the supply chain, together with provisions on information sharing, supervision and incident reporting, and greater involvement and accountability of senior management.

The directive is still pending transposition in most European countries, even though the transposition deadline was 17 October 2024. On 16 January 2025, Spain began the transposition process with a public consultation on the preliminary draft law on the coordination and governance of cybersecurity.

Challenges associated with the NIS2 Directive and its transposition

Given the increasing complexity of the cybersecurity regulatory framework, the main challenge for the authorities will be to keep things as simple as possible (including the incident management and reporting platform and the certification regime), to ensure that resources are available, to advise businesses, and to coordinate effectively across sectors and across the obligations arising from the different regulations. The companies concerned will have to carry out risk assessments, implement the corresponding security measures and be able to demonstrate compliance.

Security schemes and international certifications (e.g. the ISO/IEC 27000 series) should be consolidated as key elements to facilitate this work. In addition, the sectors concerned will be obliged to report cybersecurity incidents following defined procedures and within very short deadlines.

As established by the directive, transposition should be accompanied by the repeal of the sectoral cybersecurity obligations provided for in Spain's General Telecommunications Law. It must also ensure adequate cohesion with other regulations, such as the cybersecurity obligations on critical entities that will derive from the future transposition of the CER directive.

This directive will have a major impact on the cybersecurity governance of many companies, which will need processes in place to comply with the principle of due diligence; the transposition will also regulate the role of the chief information security officer (CISO).

CRA: The cybersecurity regulation applicable to products with digital elements

On 10 December 2024, Regulation (EU) 2024/2847 on cybersecurity requirements for products with digital elements (both software and hardware), known as the Cyber Resilience Act (CRA), entered into force. This regulation complements DORA and NIS2 (which are aimed at service provision) and its main obligations will apply from 11 December 2027, with the manufacturers' reporting obligations for actively exploited vulnerabilities and severe incidents applying earlier, from 11 September 2026. It seeks to improve the guarantees that manufacturers of digital products offer to consumers and users, introducing security by design, vulnerability management and incident reporting, the obligation to provide security updates throughout the product's support period, conformity assessment and CE marking, transparency obligations, and liability for manufacturers, importers and distributors. The different actors will have to start preparing now, as the deadlines are tight and the regulation is complex.

As with ‘labelling’ initiatives such as the US Cyber Trust Mark for IoT devices, conformity assessment and certification bodies will play a key role, along with the harmonised standards that will need to be developed.


Improving cybersecurity and resilience will be a key pillar in 2025, driven by increasing digitalisation and technological sophistication. The various European cybersecurity regulations will have a significant impact on businesses, which will need to adapt to the new requirements, relying on experienced organisations where necessary.

To ease the way forward, it is also essential to make progress in regulatory simplification, improve coordination and achieve greater harmonisation, as well as to promote training for all the actors involved.
