NIS2 & DORA: Staying ahead of the curve
Preparing businesses for the NIS2 and DORA deadlines
With less than a month to go before the transposition deadline for the updated Network and Information Security Directive (NIS2), organizations across the EU are preparing for the new rules to take effect on 17 October 2024, the date by which member states must have written the directive into national law. It doesn't stop there: on 17 January 2025 the Digital Operational Resilience Act (DORA) also begins to apply to financial entities and to the sector's third-party ICT service providers.
Organizations across the EU, and those based elsewhere that do business with EU entities, face increasing pressure to align with these requirements. Together the two frameworks are expected to affect over 170,000 European organizations: around 150,000 under NIS2, and an estimated 22,000 or more financial entities and ICT service providers under DORA.
What are NIS2 and DORA?
NIS2 aims to provide comprehensive EU-wide cybersecurity legislation. It expands the scope of the original NIS Directive and introduces stricter security requirements across 18 sectors. Much as the General Data Protection Regulation (GDPR) did for data protection, NIS2 seeks to harmonize cybersecurity measures and approaches across organizations in order to strengthen European digital infrastructure.
DORA is a sector-specific regulation for financial entities, targeting how they manage ICT and operational risk. It has two clear objectives: first, to tighten ICT risk management across the financial services sector; second, to harmonize the ICT risk management rules that already exist across EU member states.
The legal form matters in practice. As a regulation, DORA applies directly and uniformly in every member state and leaves no room for national discretion; NIS2 is a directive, so each country transposes it into its own law and may shape the rules to its specific national needs, which means the exact obligations an organization faces under NIS2 depend on where it operates.
Compliance strategies for NIS2 and DORA
While it might seem a lot to ask of businesses already struggling in a difficult economic climate, regulations like these are a response to a growing threat landscape, and implementing the required changes brings opportunities to improve cyber resilience and overall security posture. To take advantage of these opportunities and stay ahead of the incoming rules, below are nine compliance strategies organizations should adopt:
Comprehensive risk assessment: Organizations should conduct a thorough risk assessment covering the requirements of both NIS2 and DORA: identifying critical assets and the third parties they depend on, assessing potential threats, and evaluating the impact of realistic risk scenarios. A unified assessment surfaces the vulnerabilities the two frameworks have in common and lets the organization build a single, streamlined mitigation plan rather than two parallel ones.
Education and training: Organizations with limited resources often find themselves particularly vulnerable to cyber threats. Even so, they can run continuous training and awareness sessions and define and enforce clear security measures. Regular training builds the culture of compliance and security awareness that both frameworks expect; NIS2 goes further and requires members of management bodies to follow cybersecurity training themselves and to encourage similar training for employees.
Adopting a shared responsibility model: Cybercriminals have advanced their tactics in recent years, putting businesses under pressure to act quickly. One way to address this is a shared responsibility model that keeps security policies and practices up to date and applied evenly across the organization, leaving no stone unturned. An active compliance strategy starts with clearly defined roles, responsibilities and objectives documented in corporate policy, in line with the NIS2 and DORA requirements.
Integrated incident reporting: Because both NIS2 and DORA mandate incident reporting, organizations need a single, coherent incident response plan that satisfies both. This means streamlined internal communication channels, transparent communication with customers, and timely reporting to the relevant authorities. The clocks are short: NIS2, for example, requires an early warning to the competent authority or CSIRT within 24 hours of becoming aware of a significant incident, a fuller notification within 72 hours and a final report within a month, while DORA sets its own initial, intermediate and final reporting stages for major ICT-related incidents. A plan that cannot classify an incident quickly will miss these windows.
Making cybersecurity a core value: Security leaders must work hard to demystify cybersecurity and show how a few behavioral changes can protect the whole organization in line with NIS2 and DORA. Senior leadership is responsible for embedding security and privacy in data-related initiatives from the start, and both frameworks make that responsibility explicit: NIS2 requires management bodies to approve and oversee the organization's cybersecurity risk management measures and holds them accountable for failures, and DORA gives the management body ultimate responsibility for the ICT risk management framework.
Cross-framework governance: Firms should consider creating dedicated compliance teams, or folding the responsibilities into existing risk management functions, to oversee compliance with multiple frameworks. A clear governance structure keeps the organization consistent, avoids duplicated effort and ensures accountability.
Cyber resilience testing: There is no compliance without regular testing of systems and processes. Organizations should develop a comprehensive testing schedule that includes penetration testing, red teaming and business continuity exercises to meet the requirements of both NIS2 and DORA. DORA is the more prescriptive of the two here: it requires a digital operational resilience testing programme for financial entities in scope and, for those designated by their competent authorities, threat-led penetration testing (TLPT) at least every three years. Aligning testing procedures with the frameworks' requirements, and fixing what the tests find, is what produces a more resilient security posture.
Leveraging technology: To make compliance manageable, firms should embed technology in their overall security strategy: data-driven tooling for risk assessment, incident management and resilience testing. Automation should be considered where it makes reporting more accurate, streamlines processes and reduces manual effort.
Developing trust and transparency: For trust to exist, organizations must, in line with NIS2 and DORA, be open about how the business handles data and personal information, including how it is secured. Sharing this information goes a long way toward empowering wider cybersecurity initiatives. A robust security response extends well beyond data protection; it involves regulators, employees, customers and more. Ongoing compliance can therefore be the difference between a necessary evil and being seen as a trusted partner.
Turning compliance challenges into opportunities
As the NIS2 and DORA deadlines approach, a unified approach to risk management, incident reporting, resilience testing, technology and more can help organizations navigate the regulatory landscape effectively. The goal is not just to comply with these frameworks but to use them as catalysts for improving overall security posture and operational resilience.
This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
Simon Fisher is a Senior Consultant within the Orange Cyberdefense Advisory team.