
PKF launches talks on Dora and NIS2

It’s acknowledged that we require greater efforts to increase our awareness of NIS2 and Dora, along with other important frameworks like ESG. However, multinational corporations operating in Malta will also need to align their operations with Dora and NIS2 when conducting business within the EU. Furthermore, PKF Academy has scheduled a series of lectures at their Birkirkara offices to help the business community and the general public familiarise themselves with the practical aspects of implementing both Dora and NIS2.

One might question how countries outside the EU are gearing up for these two directives. Do they promulgate similar measures and if not, is the international investor well geared to face such differences? To start with, one must learn how the cybersecurity and operational resilience frameworks in the USA, Singapore and Japan compare to the EU’s approach under Dora and NIS2.

Beginning with the USA, one notices a sector-specific approach to cybersecurity, with no direct equivalent to Dora or NIS2. Financial services, for example, are regulated by a mix of federal and state-level regulations, including guidelines from the Federal Financial Institutions Examination Council for financial institutions and the Cybersecurity and Infrastructure Security Agency for critical infrastructure cybersecurity. The USA emphasises public-private partnerships for cybersecurity resilience, with mechanisms for information sharing like the Financial Services Information Sharing and Analysis Centre. While the regulatory framework is robust, it is more fragmented than the EU’s comprehensive approach under Dora and NIS2.

Moving on to Singapore, one finds a proactive stance on cybersecurity and operational resilience, with the Monetary Authority of Singapore (MAS) issuing guidelines that are somewhat similar in spirit to Dora for the financial sector. Singapore’s Cybersecurity Act focuses on protecting critical information infrastructure across various sectors. Similar to the EU’s approach, Singapore emphasises a high level of preparedness, incident reporting and information sharing. However, Singapore’s approach is more centralised and guided by specific national laws and regulations tailored to its context, differing in scope and detail from the EU directives.

The next country to examine is Japan. Its dedicated approach to cybersecurity and operational resilience is guided by its Basic Act on Cybersecurity, which establishes a comprehensive framework for protecting critical information infrastructure across different sectors, including the financial industry. The Financial Services Agency in Japan plays a similar role to the EU’s regulatory bodies in enforcing cybersecurity standards within the financial sector. However, again the legal and regulatory specifics differ from the EU’s Dora and NIS2.

Let us now discuss how these directives will impact local companies, gaming units, financial institutions and banks. The NIS2 Directive, formally known as the Directive on measures for a high common level of cybersecurity across the Union, is an update to the original Network and Information Systems (NIS) Directive, which was the first EU-wide legislation on cybersecurity. Recognising the evolving cybersecurity landscape and the need for more robust measures, the EU introduced the NIS2 Directive to strengthen and expand the scope of its cybersecurity requirements. While direct compliance with Dora and NIS2 is not a requirement outside the EU, multinational companies in the USA, Singapore and Japan must align their EU operations with these directives. This can lead to a harmonisation of some cybersecurity and resilience practices globally. What regulatory changes can be expected in Malta? Will the drive to implement both directives be adequately addressed by the business community? Will regulators give the necessary training to the business community, particularly banks and gaming companies? As in the case of ESG implementation, will there be financial assistance to SMEs for timely adoption? Some may question whether cybercrime is prevalent in Malta and, if not, whether we need to build expensive infrastructure and safeguards to implement the directives. As expected, both Dora and NIS2 are being transposed into national laws of member states, with a clear timeline and harmonised standards.

Outside Europe, there is a growing consensus on the importance of cybersecurity and operational resilience, with international bodies like the Financial Stability Board and the International Organisation of Securities Commissions both working towards global standards. This international dialogue includes contributions from the EU, the USA, Singapore and Japan, among others, fostering a move towards more uniform practices. The question arises: do businesses in Malta require extra protection from cybercrime, since in the past this topic was given little public awareness on either state TV or social media? Perhaps the incidence of such crime in private or parastatal companies is conveniently not disclosed (any incidence is perceived as a blow to reputation).

So what are the next steps for companies in Malta to get acquainted with the mandatory obligations falling under the directive? Given the typical transposition period, we would have until approximately early 2024 to complete this process, depending on the formal adoption date. Regarding financial assistance for companies to implement the NIS2 Directive, the EU itself does not directly fund private entities for compliance with new regulatory requirements. Companies are generally expected to bear the cost of complying with regulatory requirements, including those under NIS2 and Dora.