On 5 March 2024, the investigator submitted a report on the transposition of the EU Directive on measures for a high common level of cybersecurity across the Union (the NIS2 Directive). One question beforehand concerned the extent to which the legislation would be applicable to financial companies.
In the inquiry’s proposed new legislation, it may be noted that financial companies that are either included or explicitly excluded from the Regulation on digital operational resilience in the financial sector (the DORA Regulation) will not be subject to the rules on risk management and reporting under the new Cybersecurity Act and will therefore also not be subject to the rules on supervision. The reason for this is that the requirements of the DORA Regulation are considered to correspond sufficiently to the obligations under the Cybersecurity Act.
The investigation period for the part of the investigation that relates to the transposition of the Critical Entities Resilience Directive (the CER Directive) was extended in January 2024,. This part will be reported by 16 September 2024 at the latest.