Training for the European Cyber Resilience Act

Training program 1

The NIS 2 Directive, the European Cyber Resilience Act, and the Digital Operational Resilience Act (DORA), for EU and non-EU firms (tailor-made training).

Note: This program will be offered 3 months after the announcement of the final text of the NIS 2 Directive, the European Cyber Resilience Act, and the Digital Operational Resilience Act.

Possible modules of the tailor-made training program

a. The NIS 2 Directive

We will cover the new cybersecurity risk management measures. Essential and important entities must take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems. Having regard to the state of the art, those measures shall ensure a level of security of network and information systems appropriate to the risk presented. The measures must include at least the following:

(a) risk analysis and information system security policies;

(b) incident handling (prevention, detection, and response to incidents);

(c) business continuity and crisis management;

(d) supply chain security including security-related aspects concerning the relationships between each entity and its suppliers or service providers such as providers of data storage and processing services or managed security services;

(e) security in network and information systems acquisition, development, and maintenance, including vulnerability handling and disclosure;

(f) policies and procedures (testing and auditing) to assess the effectiveness of cybersecurity risk management measures;

(g) the use of cryptography and encryption.

The obligations for the EU Member States to adopt a national cybersecurity strategy, and to designate competent national authorities, single points of contact, and CSIRTs.

The obligations for the EU Member States to adopt cybersecurity risk management and reporting obligations for entities referred to as essential entities and important entities.

The obligations for the EU Member States to adopt obligations on cybersecurity information sharing.

Essential entities - certain public or private essential entities (energy; transport; banking; financial market infrastructures; health; drinking water; waste water; digital infrastructure; public administration; space).

Important entities - certain entities (postal and courier services; waste management; manufacture, production and distribution of chemicals; food production, processing and distribution; manufacturing; digital providers).

Micro and small entities.

The designation of CSIRTs to act as trusted intermediaries, and to facilitate the interaction between the reporting entities and the manufacturers or providers of ICT products and ICT services.

The European vulnerability registry for discovered vulnerabilities.

The National Cybersecurity Crisis Management Frameworks, and the designation of national competent authorities responsible for the management of large-scale cybersecurity incidents and crises.

The Cooperation Group to support and facilitate strategic cooperation and the exchange of information among Member States.

The European Cyber Crises Liaison Organisation Network (EU-CyCLONe) that supports the coordinated management of large-scale cybersecurity incidents and crises, and ensures the regular exchange of information among Member States and EU institutions.

The peer-review system allowing regular peer reviews of the effectiveness of the Member States’ cybersecurity policies.

Management bodies must approve the cybersecurity risk management measures taken by their entities, and they must have cybersecurity-related training.

Entities must take appropriate and proportionate technical and organisational measures to manage the cybersecurity risks posed to the security of network and information systems.

Entities must notify the national competent authorities or the CSIRTs of any cybersecurity incident having a significant impact on the provision of the service they provide.

The rules for TLD registries and the entities providing domain name registration services for the TLD.

DNS service providers, TLD name registries, cloud computing service providers, data centre service providers and content delivery network providers, as well as certain digital providers, are deemed to be under the jurisdiction of the Member State in which they have their main establishment in the Union.

Competent authorities are required to supervise the entities under the scope of the Directive, and in particular to ensure their compliance with the security and incident notification requirements.

Administrative fines for essential and important entities.

Closing remarks.

b. The European Cyber Resilience Act

We are developing the course synopsis.

c. The Digital Operational Resilience Act (DORA)

Digital operational resilience is the ability of a financial entity to build, assure and review its operational integrity from a technological perspective. The entity must be able to ensure, either directly or indirectly, through the use of services of ICT third-party providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which the entity makes use of, and which support the continued provision of financial services and their quality.

Governance and organisation after DORA.

The internal governance and control frameworks that ensure an effective and prudent management of all ICT risks.

The management body bears the final responsibility for managing the financial entity’s ICT risks, and must set clear roles and responsibilities for all ICT-related functions.

Determining the appropriate ICT risk tolerance level of the financial entity, and approving, overseeing, and reviewing the implementation of the financial entity's ICT Business Continuity Policy and ICT Disaster Recovery Plan.

Approving and periodically reviewing the ICT audit plans, ICT audits and material modifications.

Allocating and periodically reviewing appropriate budget to fulfil the financial entity’s digital operational resilience needs in respect of all types of resources, including training on ICT risks and skills for all relevant staff.

Approving and periodically reviewing the financial entity’s policy on arrangements regarding the use of ICT services provided by ICT third-party service providers, and being informed of the arrangements concluded with ICT third-party service providers on the use of ICT services, of any relevant planned material changes regarding the ICT third-party service providers, and of the potential impact of such changes on the critical or important functions subject to those arrangements.

The sound, comprehensive, and well-documented ICT risk management framework that addresses ICT risk quickly, efficiently, and comprehensively, and ensures a high level of digital operational resilience.

The need for an information security management system based on recognized international standards and in accordance with supervisory guidance.

The segregation of ICT management functions, control functions, and internal audit functions, according to the three lines of defense model, or an internal risk management and control model.

The rules for the timely verification and remediation of critical ICT audit findings, taking into consideration the conclusions from the audit review, while having due regard to the nature, scale and complexity of the financial entities’ services and activities.

The digital resilience strategy setting out how the framework is implemented.

The identification, classification and documentation of all ICT-related business functions, the information assets supporting these functions, and the ICT system configurations and interconnections with internal and external ICT systems.

The identification of all sources of ICT risk, in particular the risk exposure to and from other financial entities, and the assessment of cyber threats and ICT vulnerabilities relevant to the ICT-related business functions and information assets.

The detection of anomalous activities, including ICT network performance issues and ICT-related incidents, and the identification of all potential material single points of failure.

The ICT Business Continuity Policy through dedicated, appropriate, and documented arrangements, plans, procedures, and mechanisms.

ICT-related incident reviews after significant ICT disruptions of core activities, including analysis of the causes of disruption and identification of required improvements to the ICT operations or within the ICT Business Continuity Policy.

Communication plans enabling a responsible disclosure of ICT-related incidents or major vulnerabilities to clients and counterparts, as well as to the public.

The need to establish, maintain and review a sound and comprehensive digital operational resilience testing programme, as an integral part of the ICT risk management framework.

ICT concentration risk, and sub-outsourcing arrangements.

Designation of critical ICT third-party service providers.

The role of the Lead Overseer to assess whether each critical ICT third-party service provider has in place comprehensive, sound, and effective rules, procedures, mechanisms, and arrangements to manage the ICT risks.

Investigations of ICT third-party service providers.

Information-sharing arrangements on cyber threat information and intelligence.

Administrative penalties and remedial measures.

Criminal penalties.

Professional secrecy.

Closing remarks.

Target Audience, duration

We offer a 60-minute overview for the board of directors and senior management of EU and non-EU firms, tailored to the products or services of their firm. We also offer 4-hour to one-day training for risk, compliance, audit, and IT groups, depending on their needs, the content of the program, and the case studies.
