The secure path to DORA compliance
Take your financial business safely through DORA's legal requirements – with supervision-ready documentation and legal support.

Your benefits with our DORA solution

Work with DORA tasks in a structured way
Let day-to-day compliance work become a natural part of your routine. The ComplyCloud platform breaks the DORA requirements down into concrete tasks that are automatically assigned to the relevant employees.

Reduce ICT risks
Map and risk-assess your systems, and supervise your ICT suppliers to secure your supply chain.

Save time with our legal support
Get equipped to work with the DORA requirements. Our legal team helps you get off to a good start on the platform and is ready to provide ongoing support.
Should we handle the DORA project for you?
If your company lacks time or internal resources, our legal team can take care of the entire DORA implementation for you. With our legal services, we help you through the DORA legislation in two phases:

All the features you need to work with DORA compliance
Use ISO to cover the DORA requirements
Avoid having to translate DORA requirements into practice yourself, and use ISO 27001 controls to structure your work.
Each control is divided into concrete tasks with descriptions, ownership and deadlines, so it is clear who does what – and when.
The ISO-based structure enables you to work with several standards at the same time.
Exportable reports of your actions prepare you for internal and external supervision.


Manage your ICT suppliers
Map systems and suppliers, and get a full overview of your IT landscape.
Link suppliers to IT systems, sub-processors and business processes – and achieve transparency in the supply chain.
Supervise your suppliers with guidance based on their business criticality.
Assign ownership of systems, and create clarity about responsibilities across the organisation.
Risk-assess your ICT suppliers
Create a solid foundation for your risk management with tools that support secure handling of ICT risks.
Assign responsibility by linking owners and approvers to each individual supplier.
Track your risk management over time, including version history, export options and audit logs.
Follow a standardised method to identify, prioritise and reduce risks – step by step.


Generate policies and procedures
Create the documentation needed to describe your processes and embed IT security in the organisation.
Prepare security documentation using questionnaires that guide you along the way.
Keep documents up to date with reminders, and automatically track all changes.
Share your DORA documentation via a trust center, and make your work visible.
Record security incidents
Be ready for supervision by logging incidents continuously.
Record incidents with descriptions and timestamps.
Document your measures and conclusions on security breaches.
Export your incident log for internal use or external supervision.

Take the first step towards DORA compliance – with ComplyCloud.
If you are already a user of our platform, we can help you with your ongoing compliance work. We become part of your compliance team and combine our legal expertise with your business knowledge.
Frequently asked questions
The NIS1 directive was introduced as the EU’s initial cybersecurity legislation to enhance the ability of network and information systems to withstand cyber risks. However, the COVID-19 pandemic has expanded the range of threats, necessitating the development of new measures.
The European Commission recognized certain shortcomings in the existing NIS1, including:
- Inconsistent resilience levels across Member States and sectors
- A lack of shared understanding regarding threats
- Inadequate joint crisis response capabilities
- Insufficient cyber resilience among EU businesses
Consequently, in December 2020, the Commission put forth new regulations aimed at reinforcing cyber resilience within the EU, which were subsequently adopted in November 2022.
NIS2 is a directive, which means that it has to be implemented through national legislation. The EU Member States must do so before 18 October 2024.
The NIS2 directive covers entities from the following sectors:
Essential sectors:
- Energy (electricity, oil, gas, district heating and cooling, and hydrogen).
- Transport (air, rail, water and road)
- Healthcare
- Water supply (drinking water, wastewater).
- Digital infrastructure (telecom, DNS, TLD, cloud service, data centres, trust service providers).
- Finance (banking, financial market infrastructure)
- Public administration
- Space
Important sectors:
- Digital providers (online markets, search engines, social networks)
- Postal services
- Waste management
- Foods
- Manufacturing (medical devices, electronics, machinery, transport equipment)
- Chemicals (production and distribution)
- Research
While both essential and important sectors are required to adhere to the same security measures, there is a difference in the level of supervision. Entities classified as “essential” are subject to proactive supervision, meaning they are monitored regularly to ensure compliance. On the other hand, “important” entities are monitored only in response to reported incidents of non-compliance.
This differentiation aims to prioritize the continuous operation and resilience of critical services while still ensuring that all entities maintain the necessary security measures to protect against cyber threats.
The NIS2 establishes a comprehensive framework for supervisory and enforcement activities across Member States. Competent authorities are responsible for overseeing essential and important entities’ compliance with the regulations. Supervisory measures include audits, checks, information requests, and access to documents.
The directive introduces a consistent framework for sanctions, including binding instructions, implementation of security audit recommendations, alignment with NIS requirements, and administrative fines. Administrative fines vary based on entity classification, with essential entities facing fines up to €10,000,000 or 2% of annual turnover, and important entities facing fines up to €7,000,000 or 1.4% of annual turnover. Supervisory authorities must consider the nature and severity of the breach and any damages or losses incurred when exercising enforcement powers.
Unlike the GDPR, the NIS2 also holds natural persons in senior management positions within covered entities accountable.
The NIS2 focuses on improving cyber risk management through clear responsibilities, effective planning, and enhanced cooperation within the EU.
To achieve this, NIS2 mandates Member States to designate national authorities responsible for cyber crisis management. It also introduces the requirement for national large-scale cybersecurity incident and crisis response plans. Additionally, NIS2 establishes the European cyber crisis liaison organization network (EU-CYCLONe). This network plays a vital role in the EU’s cyber crisis management framework, facilitating coordinated responses to significant cybersecurity incidents and crises. The combination of designated authorities, national response plans, and the EU-CYCLONe network ensures a more coordinated and efficient approach to managing large-scale cybersecurity incidents and crises across the European Union.
NIS2 will strengthen and streamline cybersecurity requirements for covered entities by requiring all companies to address a core set of 10 minimum requirements in their cybersecurity risk management policies.
These elements include incident handling, supply chain security, vulnerability handling and disclosure, and the use of cryptography. The NIS2 also includes a multiple-stage approach to incident reporting, which strikes a balance between swift reporting to prevent the spread of incidents and in-depth reporting to draw valuable lessons learned.
Affected companies have 24 hours to submit an early warning, 72 hours to submit an incident notification, and one month to submit a final report. This will help to reduce the additional burden for companies operating in multiple member states and ensure that all companies are addressing the necessary cybersecurity requirements.
Automating NIS2 compliance can help streamline and simplify the process for covered entities. ComplyCloud are currently developing a powerful tool to do exactly this.
Below, we have listed areas where we see major potential in helping you automate and streamline your NIS2 compliance:
- Annual wheel of work: An annual wheel of work regularly giving you tasks will make sure you don’t miss anything in your ongoing work and give you peace of mind.
- Risk assessment and management: Automated methods to conduct regular risk assessments, identify vulnerabilities, and prioritize mitigation efforts.
- Incident management: A simple and intuitive incident management system can help you manage incidents in a smooth and compliant way.
- Documentation: Dynamic questionnaires can make you capable of creating any necessary document much faster and with a higher quality than if you had to create them from scratch.
- Employee training and awareness: Carrying out awareness training that ensures your employees are knowledgeable about their roles and responsibilities under NIS2 will be key to strengthening your organization’s security against cyber-attacks.
- Gap-analyses: Gap-analyses will guide you through the requirements and make you aware of any gaps you might have.
- Vendor management: A system for vendor management will help you comply with the requirements for supply chain security.