Article | 20 Nov 2024

Drawing the line – Managing the overlap between the different cybersecurity regulations


The EU’s digital strategy for the internal market has led to a rise in regulatory demands on companies in recent years, with cybersecurity as a key focus area. Effective cyber protection across the EU is highly relevant given the increase in IT-related incidents and threats. However, a patchwork of regulations may lead to overlap, impose a financial burden on companies and, in the worst case, undermine compliance. In this article, we will address how financial entities may manage the overlap of cybersecurity requirements imposed by the EU, and touch upon the relationship with Swedish national legislation on security in digital systems.

The EU’s investment in digital governance

While several EU regulations can be considered to have an impact on the digital management of financial entities, there are some that specifically target the prevention of cybersecurity risks. The main regulation for companies in finance is the Digital Operational Resilience Act (“DORA”),[1] which will apply from January 2025. DORA covers a wide range of financial entities such as banks, insurance companies and investment firms, and includes inter alia provisions on operational management of information and communication technology (“ICT”) risks.[2] Another regulation of relevance to the financial sector is the directive on measures for a high common level of cybersecurity across the EU (“NIS 2”),[3] which is proposed to be implemented through a new cybersecurity law in Sweden (with expected adoption during 2025).[4] NIS 2 is, in broad terms, applicable to entities which operate within specified sectors, such as banking and financial market infrastructures, and which have at least 50 employees, or have a balance sheet total or turnover exceeding EUR 10 million per year.[5] This directive imposes, inter alia, requirements on cybersecurity risk management measures.[6] The scope and requirements of NIS 2 are to a great extent reflected in the proposed Swedish implementation. Another EU cybersecurity regulation is the Cyber Resilience Act (“CRA”),[7] which establishes mandatory cybersecurity requirements for products with digital elements that include a direct or indirect connection to a device or network.[8] The CRA enters into force on 10 December 2024 and will gradually become applicable during the following years (it will be fully applicable in December 2027). As indicated by the above description, these regulations may overlap in the context of cybersecurity.

The financial sector can thus be subject to cybersecurity requirements from several regulatory sources, which does not come without its share of challenges. The problem of overlapping regulations has been recognised by different stakeholders. The Swedish Bankers’ Association has requested in a petition that the inquiry into the Swedish implementation of NIS 2 makes clear that the relevant provisions of the directive do not apply to banks covered by DORA. The petition recognises significant challenges for banks as more and more regulations, both EU and national, will apply to the same area.[9] Furthermore, the European Banking Federation has, together with other associations, released a joint statement on the duplication between the CRA and DORA, which, according to them, could result in a highly complex regulatory landscape for financial services.[10] The general complexity of the EU’s new regulatory landscape in different policy areas and its cumulative impact create significant challenges for companies, a fact which has also been emphasised by the National Board of Trade of Sweden in two reports published this year.[11] In broad terms, the complexity resulting from overlapping regulations will increase uncertainty, which in turn generates increased compliance costs and a high administrative burden on businesses. In the following sections, this article will discuss the interaction between the above-mentioned regulations and whether, as well as how, any overlapping areas have been addressed.

Interaction between DORA and NIS 2

First to be analysed are DORA and NIS 2. As mentioned above, the scope of application of both DORA and NIS 2 affects various operators within the financial sector. While DORA specifically identifies the types of financial entities covered by the regulation, NIS 2 takes a more generalised approach: it covers entities in certain financial sectors that are of a specific size, and such entities must in addition notify the supervisory authorities that they fall within its scope.[12] Ultimately, this will result in financial institutions, such as banks, being affected by both DORA and NIS 2. Furthermore, both of these regulations impose requirements for the management of cybersecurity risks. DORA entails obligations on ICT risk management and on the contractual relationship between ICT third-party service providers and financial entities, while NIS 2 imposes minimum requirements on cybersecurity risk management measures, such as security in the supply chain and in the acquisition of network and information systems.[13] It should further be noted that both DORA and NIS 2 include reporting obligations. Under DORA, major ICT-related incidents must be reported, while NIS 2 imposes reporting requirements in relation to incidents that have a significant impact on the provision of services.[14] Therefore, it can be concluded that these two regulations contain similar requirements in relation to a company’s cybersecurity management.

The overlap between DORA and NIS 2 has been addressed both by the EU and in the Swedish proposal for the implementation of NIS 2. NIS 2 provides an exception for sector-specific European Union legal acts: where such acts require entities to take cybersecurity risk management measures or to notify significant incidents, and those requirements are at least equivalent to the obligations set out in NIS 2, the relevant provisions of NIS 2 shall not apply to such entities.[15] DORA is identified in the recitals of the directive as such a legal act.[16] The exemption for entities affected by DORA has also been introduced in the Swedish proposal for the implementation of NIS 2, where a general exception for overlapping regulations is introduced in the draft law, while DORA is specifically identified in a draft decree that will complement the new cybersecurity law.[17] This means, in practical terms, that financial operators covered by DORA will not be covered by the risk management and incident reporting obligations in NIS 2, nor by the related supervision and compliance control, with the consequence that they will only be subject to the obligation to notify the supervisory authority that they fall within the scope of NIS 2. The clarification requested by stakeholders may therefore be considered to have been met regarding these aspects of the overlap.

Additional requirements introduced by CRA

Unlike DORA and NIS 2, which focus on organisations and the cybersecurity management of their operations, the CRA takes a different approach to cybersecurity risks, imposing requirements for security in products with digital elements. The scope of the CRA will cover both hardware, such as wired and wireless products that are connected to the internet, and software. Since several financial institutions, as part of their financial services offering, also provide digital services in the form of, e.g., applications or platforms, entities within the financial sector that act as manufacturers or distributors of digital products may be subject to additional cybersecurity requirements under the CRA. The CRA will require products to undergo a conformity assessment process whereby several cybersecurity requirements must be met and considered in the design of products, which eventually may result in a CE marking of the product.[18] The CRA further includes incident reporting obligations to authorities in addition to its security requirements. Under the CRA, manufacturers shall notify the authorities of any actively exploited vulnerability contained in digital products and any severe incident having an impact on the security of such products.[19] As indicated above, the CRA contains requirements similar to those in DORA and NIS 2.

The interaction of the CRA with other European Union legal acts, such as DORA and NIS 2, is addressed in the text of the CRA. In the recitals of the CRA, Member States are encouraged to consider providing single entry points at national level for reporting requirements, in order to simplify the reporting of information required under the CRA alongside other complementary reporting requirements laid down in, e.g., DORA and NIS 2, and to decrease the administrative burden for entities.[20] There is therefore a possibility that the overlap in incident reporting will be handled at the national level in a way that is more convenient for businesses. When it comes to the cybersecurity requirements on digital products in relation to the operational cybersecurity requirements in other regulations, the issue of overlap has not been clearly addressed. Instead, the position seems to be that the CRA, in several respects, complements the other legislative acts.[21] The recitals emphasise that existing European Union law on cybersecurity, such as NIS 2, does not directly cover mandatory requirements for the security of products with digital elements.[22] The recitals further state that the CRA will facilitate compliance with the supply chain security obligations of entities that fall within the scope of DORA and NIS 2 and that use products with digital elements.[23] To conclude, companies that are subject to cybersecurity requirements in other legal acts are thus not explicitly excluded from the scope of the CRA.

National legislation on security in digital systems

As financial firms may, in some specific cases, also be subject to the Swedish Security Protection Act (Sw. Säkerhetsskyddslag (2018:585)), a brief mention should be made of this regulation. The Swedish Security Protection Act applies to security-sensitive operations, i.e., operations that are of importance to Sweden’s security.[24] In the financial sector, for example, parts of the payment system and activities relating to financial stability may be of importance to Sweden’s security.[25] According to the Swedish Security Protection Act, the operators affected must take the necessary security protection measures, inter alia in relation to information security.[26] It should be noted that the Swedish Security Protection Act applies to the operations that meet the specified criteria, not necessarily to the whole organisation. The same part of an organisation may, however, fall within the scope of DORA, NIS 2 and the Security Protection Act at the same time.[27] Nonetheless, where there is an overlap, it is only the Swedish Security Protection Act that applies.

According to the Swedish legislative proposal for the implementation of NIS 2, the law will not apply to operators who only conduct security-sensitive activities, while for operators who conduct security-sensitive activities together with other activities, only the requirement to notify the supervisory authority applies to the security-sensitive part (i.e., not the requirements on risk management and incident reporting).[28] DORA further states that the regulation does not affect the responsibilities of EU member states with regard to essential state functions in the areas of public security and national security.[29] As regards the CRA, the distinction from national security legislation is not as clear, as the exemption for national security mainly applies to products that are developed or modified exclusively for national security or defence purposes.[30] To summarise, it can be assumed that, at least for DORA and NIS 2, national security legislation will take precedence over these EU regulations.

To conclude

In summary, although the boundaries of the (yet to be formally adopted) CRA are uncertain, it is clear that the requirements of DORA take precedence over NIS 2 for entities covered by both regulations. Furthermore, the Swedish Security Protection Act will have priority in the case of security-sensitive activities. Drawing the line between these regulations will pose a significant challenge for the financial entities concerned. Hopefully this article has provided some guidance and clarity in navigating the complex regulatory landscape of cybersecurity.


[1] Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector.

[2] See e.g. article 2 and chapter II of DORA.

[3] Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union.

[4] SOU 2024:18 “Nya regler om cybersäkerhet”.

[5] Article 2 and Annex I of NIS 2.

[6] Article 21 of NIS 2.

[7] Proposal for a Regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements.

[8] Articles 1 and 2 of the CRA proposal.

[9] See petition No. 2023/11/005 of the Swedish Bankers’ Association and especially page 2 of the petition.

[10] See https://www.ebf.eu/ebf-media-centre/joint-statement-on-duplication-in-the-cyber-resilience-act/.

[11] “The EU Single Market in the Digital Era – from legislative complexity to clarity” and “The Cumulative Effect of EU Regulations on External Trade – From free movement to more conditioned trade”.

[12] Article 2 of DORA and articles 2 and 3.4 of NIS 2.

[13] Chapter II of DORA and article 21 of NIS 2.

[14] Article 19 of DORA and article 23 of NIS 2.

[15] Article 4 of NIS 2.

[16] Recital 28 of NIS 2.

[17] Article 9 of the Swedish proposal for a cybersecurity law.

[18] See for example article 13.1 and chapter III of the CRA.

[19] Article 14 of the CRA.

[20] Recital 72 of the CRA.

[21] See for example recital 24 of the CRA.

[22] Recital 3 of the CRA.

[23] Recital 125 of the CRA.

[24] Article 1 of the Swedish Security Protection Act.

[25] See https://www.fi.se/sv/bank/sakerhetsskydd/fragor-och-svar/.

[26] Chapter 2 of the Swedish Security Protection Act.

[27] See Fi2024/00073 on page 65 and https://www.msb.se/sv/amnesomraden/informationssakerhet-cybersakerhet-och-sakra-kommunikationer/krav-och-regler-inom-informationssakerhet-och-cybersakerhet/nis-direktivet/nis-regleringen-och-sakerhetsskyddslagen/.

[28] See chapter 1 article 13 of the Swedish proposal for a cybersecurity law and SOU 2024:18 “Nya regler om cybersäkerhet” on page 166.

[29] Article 1.3 of DORA.

[30] See article 2.7 of the CRA proposal.
