The EU tech regulatory landscape is continuously evolving, with numerous key legislative initiatives, such as NIS 2 and DORA, coming into force. What relevance do these regulations have for UK businesses, and how should they best navigate the EU tech regulatory landscape as an outsider? Martin Davies, Audit Alliance Manager at Drata, explores the implications for UK businesses.
The far-reaching ramifications of Brexit continue to impact the UK business landscape. The UK may now be firmly outside the EU tent; however, if organisations want to continue doing business together, EU regulations must still be taken into account. Given the rapidly evolving legislative environment, it is worth considering some of the more notable changes coming into force and how they affect UK businesses.
The NIS 2 Directive
The NIS 2 Directive, which came into force on October 17th this year, is a critical framework for improving the EU’s cyber resilience when it comes to essential services and digital infrastructure. It has implications for UK businesses because of the interconnected nature of European supply chains: UK companies taking part in cross-border transactions, data exchange or IT provision must comply with NIS 2 as applied in the member states they are servicing.
UK firms that fail to comply with the directive will be liable for financial penalties and reputational loss. In some scenarios, these penalties can extend to individual liability on directors within non-compliant organisations.
There are three key areas UK businesses should focus on to prepare for the directive: risk management, reporting and leadership.
Risk management
Companies must deploy a range of risk management policies, assign ownership, establish clear terminology, and ensure consistency in how security risks are identified, analysed and reported. Crucially, the resulting risk management activity must cover risks inherent in third-party vendor relationships as well as those that arise internally.
Reporting
NIS 2’s reporting requirements might at first seem straightforward; however, firms must be able to supply initial incident reports within a 24-72 hour window, which requires robust and uniform internal processes and governance.
Leadership
NIS 2 is not restricted to technology but extends into the entire business, including employees who may never have had to think about cybersecurity legislation in the past. That means leadership figures will have to step up and help ease the compliance process, ensuring that all the relevant resources are available.
Perhaps the simplest way of aligning with NIS 2 is to carry out a gap analysis of existing policies and processes against the directive’s articles; ENISA provides a handy tool to compare requirements against ISO 27001 and NIST CSF, helping to identify and close gaps. For companies that are already aligned with SOC 2 or ISO 27001, many of the procedures relating to risk management, breach identification and reporting, and due diligence can be reused to address NIS 2 requirements.
It is important to note that each member state will interpret the directive within its own jurisdiction, so organisations must stay abreast of any local interpretations that may affect them.
With the analysis complete, it is time to establish well-documented new or updated policies and procedures based on best practice and then train the relevant personnel. When all is up and running smoothly, companies should track progress and evidence compliance at every step.
Digital Operational Resilience Act (DORA)
Financial entities and their ICT service providers will be expected to be compliant with the DORA regulation by January 2025. UK businesses will need to act quickly to determine whether they fall within the scope of DORA, based on the broad range of financial markets activities it covers and whether those activities take place within EU jurisdictions. DORA places an emphasis on third-party risk management (TPRM), so financial institutions will need a thorough understanding of their end-to-end supply chain and of how any operational failure within that chain can affect the services ultimately delivered. Additionally, DORA requires in-scope organisations to carry out operational resilience testing.
Identify key functions
Start by identifying every critical element of the business, breaking it down into the people responsible, the processes that support it, the technology which enables it, and the third parties who provide the systems and solutions. This will provide a coherent overview of operations and how functions interconnect and allow for a well-informed business continuity plan to be devised to support ongoing resilience.
Map third party risks
Every part of the company will have some level of operational risk attached, such as key-person risk, where only one or two people hold the knowledge of a critical function, leaving the business exposed if they are unavailable. There may also be functions that depend so heavily on third-party systems that there is no feasible manual workaround when an outage occurs. Collaborate with vendors and subject matter experts to understand the potential risks and prioritise accordingly.
Outline risk treatment plans
Once the functional risks and their potential impact have been identified, a well-governed risk treatment plan can be developed in response. This should summarise the extent of each risk in terms of resilience and business continuity, identify mitigation methods, assign an owner and set deadlines for completion. Continual monitoring, resilience testing and reporting will enable companies to measure effectiveness and make adjustments where necessary.
Train employees
Don’t wait until January 2025 to start bringing staff on board: the sooner they are made aware of their responsibilities, the more time you’ll have to make the processes more robust before DORA goes live. There are a number of DORA compliance training courses and e-learning platforms to assist.
Develop Operational Resilience
Regular threat-led testing across all critical functions and processes helps fine-tune your resilience and security posture. Integrating these tests into an ongoing risk assessment maintains that posture even in the face of evolving threats and emerging risks.
Deploy GRC tools
Governance, Risk and Compliance (GRC) tools act as a single source of truth for managing every vendor relationship and its associated risks. Establish a vendor directory to give total visibility of your vendor ecosystem in one central repository, so you can streamline risk management and minimise the risk of human error. Companies might also want to consider deploying a TPRM platform to handle continuous risk assessment consistently.
These upcoming pieces of legislation might appear daunting, or perhaps irrelevant outside the EU; however, anyone who does cross-border business needs to be prepared. Taking some of these simple steps will help get companies in order ahead of the regulations coming into force. Now is the time to act.
Martin Davies is Audit Alliance Manager at Drata.
© 2024, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543