DORA, NIS2 and the Cyber Resilience Act

The new era of IT security also affects ITSM managers
The European IT security landscape is facing a major transformation. With the introduction of DORA (Digital Operational Resilience Act), NIS2 (Network and Information System Security Directive) and the upcoming Cyber Resilience Act (CRA), companies are being forced to rethink their IT security strategies. Those responsible for IT service management (ITSM) in particular must face up to these challenges in order to ensure business continuity and resilience.
What role do DORA and NIS2 play for IT service management managers?
Here are 4 good reasons why IT service management managers should also be concerned with the new EU regulations:
1. Increased security requirements: DORA and NIS2 set strict requirements for cyber security and critical infrastructure protection. ITSM teams must ensure that their systems and processes meet these requirements to avoid heavy fines and reputational damage.
2. Risk management: The two regulations, DORA and NIS2, require proactive risk management. A modern ITSM system must not only identify risks, but also be able to assess and minimize them.
3. Incident response: The ability to respond quickly and effectively to security incidents is becoming mandatory. ITSM teams must develop incident response plans and test them regularly.
4. Continuous monitoring and reporting obligations: IT service management must continuously monitor the security situation. In addition, regular reports must be provided to the relevant authorities.
In the jungle of security regulations

DORA and NIS-2 in a direct comparison of facts.
ITSM and DORA: What you should know
The financial sector faces new cyber security challenges
IT Service Management plays a central role in the implementation of DORA requirements. ITSM teams need to ensure that their systems and processes are robust enough to cope with IT disruptions and that they are able to respond quickly to cyber incidents. Effective ITSM can help ensure business continuity and meet the requirements of DORA.
FAQ about DORA
What is the DORA regulation?
The "Digital Operational Resilience Act", or DORA for short, is a financial sector-wide regulation of the European Union that aims to strengthen the digital resilience of financial institutions. ITSM plays a central role in the implementation of this regulation, especially in monitoring and ensuring the operational readiness of IT systems and processes.
What is an EU regulation?
A regulation is a binding legal act that all EU countries must implement in full.
Who does DORA apply to?
DORA is aimed at a wide range of organizations in the financial sector, including banks, insurance companies, investment firms, payment service providers and other financial market infrastructures. Third-party providers of IT services that work for these organizations are also covered by the regulation.
What are the main requirements of DORA?
- Risk management: Organizations must implement comprehensive risk management frameworks that focus on IT and cyber risks.
- Incident Reporting: Obligation to report serious IT security incidents to the relevant regulatory authorities.
- Operational Resilience Testing: Regular operational resilience testing, including penetration testing and other security checks.
- Third-party dependencies: Strict regulations for monitoring and controlling IT service providers and other third-party providers.
Why is IT service management important for the fulfillment of DORA?
ITSM teams are responsible for keeping systems and processes robust enough to withstand IT disruptions and for responding quickly to cyber incidents. Effective ITSM therefore supports both business continuity and compliance with the requirements of DORA.
When does DORA come into force?
DORA has been adopted by the European Union and will apply from January 17, 2025. Companies should prepare now to ensure that they can meet the requirements in good time.
What happens after the hard deadline of January 17, 2025?
After the hard deadline of January 17, 2025, BaFin will begin to collect the information registers of the financial institutions. After evaluating these registers, BaFin will be able to decide whether and where further examinations will be carried out. Companies should be prepared for the fact that they must be able to provide information at all times, both in the event of on-site inspections and in the event of inquiries. However, it is unlikely that the authorities will be on the doorstep on the day of the deadline itself. In the course of 2025, the supervisory authorities will begin DORA inspections to ensure that all companies comply with the new regulations and have adapted their IT security standards accordingly.
What happens if a company does not meet the DORA requirements?
Companies that fail to comply with the requirements of DORA risk significant penalties and sanctions. In addition, failure to comply with the regulations can lead to serious business and reputational damage.
Where can I find more information about DORA?
BaFin (German Federal Financial Supervisory Authority) provides information about the Digital Operational Resilience Act on its website and regularly publishes relevant articles in its web journal.
What are the goals of DORA?
The aim of DORA is to ensure that organizations are resistant to IT disruptions and cyber attacks. In doing so, it creates a harmonized set of rules for dealing with cyber threats.
In the jungle of security regulations: A hail of questions with Bert Kondruß, Director Development

ITSM and NIS-2: What you should know
The new directive on network and information security
The NIS 2 Directive (Network and Information Systems Directive) is an EU directive designed to strengthen cyber security in critical sectors, including IT service providers. It builds on the original NIS Directive and expands its scope and requirements.
The NIS 2 Directive requires ITSM teams to comprehensively review and adapt their security practices and processes. ITSM processes must be shown to comply with current standards and to operate on accurate data.
FAQ about NIS-2
To whom does the NIS 2 Directive apply?
NIS-2 applies to a wide range of sectors, including energy, transportation, banking, healthcare, water supply and disposal, digital infrastructure, public administration and more. Providers of digital services such as cloud service providers and online marketplaces are also affected—companies that "keep an increasingly digitalized society running."
What are the main requirements of the NIS 2 Directive?
- Risk management: Companies must implement measures to identify, assess and mitigate cyber security risks.
- Incident reporting: Obligation to report significant security incidents to the competent authorities within 24 hours.
- Technical and organizational measures: Introduction of strict security measures to prevent and minimize security incidents.
- Supply chain security: Ensuring cyber security along the entire supply chain.
- Business continuity management: Planning and implementation of measures to ensure business continuity in the event of a security incident.
Why is IT service management important for compliance with the NIS 2 directive?
The NIS 2 Directive is the EU-wide cyber security legislation and contains legal measures to increase the overall level of cyber security in the EU. IT Service Management (ITSM) is critical to NIS-2 compliance as ITSM teams are responsible for making IT infrastructure and processes secure and resilient. This includes implementing risk management strategies, developing incident response plans and ensuring business continuity.
When does the NIS 2 Directive come into force?
The NIS 2 Directive will come into force from October 2024, and is an update to the EU's cybersecurity regulations introduced back in 2016. Companies should prepare now to ensure they can meet the requirements in time.
What happens if a company does not meet the NIS 2 requirements?
Companies that do not meet the requirements of the NIS2 Directive risk significant fines and sanctions. In addition, non-compliance can lead to serious business and reputational damage.
Where can I find more information on NIS-2?
On its website, the EU Commission provides comprehensive information on the NIS 2 Directive as part of the legislation for a higher level of cyber security. Here you will also find the latest news and further links, such as to the NIS Cooperation Group. The BSI (Federal Office for Information Security) also provides information about the NIS 2 Directive on its own website and provides valuable links to the legal basis in Germany.
Safely through the security jungle: USU Digital Breakfast

Successful strategies for DORA & NIS2
Our experts will share their knowledge to ensure that your compliance strategy not only meets the regulatory requirements, but is also optimally tailored to the specific needs of your company. You can expect exciting keynotes, insights from the field and an open exchange.
Deep-dive webinar series: Tool-supported implementation step by step
Deep-dive: Successful implementation of NIS-2 in practice
In this webinar, we show how our integrated solution helps you comply with NIS-2 regulations by focusing on risk management and vulnerability management. Our experts will also explain how business impact analysis and business continuity management can be used effectively to assess threats and strengthen resilience.
Deep-dive: Successful implementation of the DORA regulation in practice
In our live demo, we show you step by step how to successfully implement the requirements of the DORA Regulation. Using practical use cases, we demonstrate how you can efficiently integrate these guidelines into your IT processes in order to sustainably strengthen your company's digital resilience.
ITSM and the Cyber Resilience Act (CRA): What you should know
Preparing for the future of cybersecurity for digital products
The Cyber Resilience Act (CRA) is a groundbreaking EU regulation that was adopted by the European Parliament on March 12, 2024, and is expected to come into force in 2027. It aims to strengthen the security of products with digital elements in the EU. The CRA sets out strict cybersecurity requirements and obliges manufacturers of products with digital elements to proactively identify and rectify security vulnerabilities, for example with security updates.
This includes both software and hardware products. For IT service management in particular, this means that comprehensive security measures must be integrated and continuously monitored. The CRA requires robust security protocols and regular security checks from manufacturers to ensure protection against cyber attacks. Companies that fail to meet these standards risk heavy penalties and serious business continuity implications. Further information on the CRA can be found on the European Commission's website under Cyber Resilience Act.
Your solution for governance, risk & compliance with USU ITSM
Find out how USU can improve and simplify your GRC management with the Governance, Risk & Compliance Manager (GRCM) and the Service Risk Manager (SERM).
- Transparent reporting and audit planning: Efficient planning and execution of regular tasks.
- Business impact analyses: Evaluation of the impact of failures on business processes and IT services.
- Automatic import of vulnerability reports: Integration of current threat information from the BSI.
- Compliance and continuity: Ensuring compliance with all regulatory requirements.
- Risk management: Risk management of enterprise, business and IT services without media disruptions and based on operational reality.