DORA AND NIS2: Digital supply chain resilience

Today's society is unprecedentedly dependent on digital technologies. This dependence, and the associated systemic interconnectedness between actors in critical sectors, creates a new vulnerability for the entire European digital ecosystem. The European Union is responding to this challenge with a series of measures, the most important of which are the DORA Regulation and the NIS2 Directive. These regulations are not mere cosmetic changes to the rules: they introduce a digital resilience obligation and move cyber security from the IT department to the level of strategic management.

Certification to demonstrate regulatory compliance of suppliers

In the context of DORA and NIS2, it appears that trust is no longer based on a mere promise, but must be objectively demonstrable and auditable. For obliged entities that have to demonstrate supply chain risk management, and for suppliers themselves who want to be partners in regulated sectors, the implementation of selected international ISO standards is becoming a key enabler. Certification to these standards provides formal, independently audited evidence that a supplier has implemented and maintains effective management systems.

Digital Operational Resilience Act (DORA)

The DORA Regulation primarily targets the financial sector (banks, insurance companies, investment companies) and their critical ICT service providers. It sets out a comprehensive framework for ICT risk management, incident reporting, digital resilience testing and, crucially, third-party risk management. DORA de facto makes financial institutions responsible for the cyber resilience of their key suppliers, requiring detailed vetting and contractual embedding of security standards. The goal is to prevent cascading failures within the financial system that could result from the failure of a single critical vendor.

Network and Information Security Directive 2 (NIS2)

The NIS2 Directive extends and tightens the cybersecurity rules for a much wider range of actors in key and important sectors such as energy, healthcare, transport and digital infrastructure. Supply chain protection, as in the case of the DORA Regulation, is also an essential element of NIS2. Obliged entities must also consider the risks associated with their suppliers and service providers, including processes related to data collection, processing and protection, as part of their cyber risk management.

Benefits for trust

The introduction of these harmonised and stringent requirements increases the overall trustworthiness and resilience not only of individual obliged entities but of the entire digital ecosystem. Suppliers that demonstrate the ability to meet these requirements become more reliable and less risky for their customers.

The following standards are particularly relevant for assessing compliance with DORA and NIS2, especially in view of the increasing use of cloud services:

  • ISO/IEC 27001 (Information Security Management System - ISMS): this standard is the universal basis for ICT risk management required by both regulations. It demonstrates the establishment of systematic processes for risk identification, implementation of security measures and incident reporting. For regulated entities, it provides assurance that the supplier is managing information according to internationally recognised standards.
  • ISO 9001 (Quality Management System - QMS): although primarily focused on quality, in the context of digital resilience it demonstrates the supplier's ability to maintain operational continuity and consistent quality of service, which is key to Digital Operational Resilience (DORA).
  • ISO/IEC 27017 (Security of cloud services): this standard specifically addresses the security of cloud services. It demonstrates that the vendor effectively addresses the risks associated with the provision and use of the cloud, which is essential for those DORA and NIS2 entities that use cloud platforms for critical processes.
  • ISO/IEC 27018 (Protection of PII in the Cloud): the standard focuses on the protection of personally identifiable information (PII) in cloud environments. It is critical for vendors who manage or process data for their customers and ensures that high standards of data protection are maintained beyond the general GDPR.

Both DORA and NIS2 have been significantly inspired by ISO 27001, and the new version of the standard, to which everyone must transition this year at the latest, helps with preparation for these new regulatory frameworks through its breakdown and definition of the required measures. For suppliers, these certifications represent a significant competitive advantage, as they provide customers with direct proof of compliance with the organisational and technical requirements arising from the new European regulations.

Technological depth: HSM, PKI and eIDAS digital trust

In addition to formal certifications, obliged entities must also focus on technological depth and experience in implementing basic security building blocks when selecting contractors. This is especially true for services that are themselves critical to legal validity and data integrity.

An important guideline for assessing suitable suppliers, especially in sectors with a strong emphasis on security (finance, public administration, energy), is their experience with specialized security technologies such as:

  • Hardware Security Modules (HSM): HSMs are essential for the secure management and protection of cryptographic keys used in the creation of electronic signatures and seals, data encryption and authentication. A vendor's competence in implementing and managing certified HSMs indicates the ability to provide the highest level of security for key operations, a requirement implicit in the more stringent DORA and NIS2 security measures.
  • Public Key Infrastructure (PKI): a PKI forms the technological backbone for issuing digital certificates, which provide electronic identity and data integrity and thereby secure many aspects of the operation of information systems and technologies. Experience in the design and operation of a robust PKI is crucial for implementing basic security mechanisms, and above all for providing electronic signature and seal services under the eIDAS Regulation. These digital trust services are now essential for digital transactions and archiving, and their secure and provable operation is directly linked to the fulfilment of legislative obligations.

A supplier with proven experience in these areas provides assurance that critical digital processes (e.g. data security, digital contract signatures, long-term archiving) are built to the highest security standards, again reducing regulatory risk for their customer, i.e. you.

Conclusion: rely on proven partners

The DORA and NIS2 regulations define a new minimum for digital resilience and trustworthiness. For obliged entities, this means the need to carefully vet their suppliers, not only on the basis of price, but more importantly on the basis of demonstrable security and compliance. ISO certification and technological expertise in cryptography and eIDAS services are the strongest evidence of reliability. Partnering with a vendor that itself stands under strict regulatory scrutiny and meets these standards is the best way for any obliged entity to fulfil its own digital resilience obligations.

SEFIRA meets the requirements of NIS2 and DORA

SEFIRA is a Qualified Trust Service Provider and therefore must meet the requirements of NIS2 at the level of higher obligations. Compliance with the requirements is demonstrated by regular audits.

SEFIRA holds ISO 27001, 27017, 27018 and 9001 certifications and security clearances at Secret and NATO Secret level.