NIS2 & DORA: Staying ahead
With less than a month to go before the updated, landmark deadline for the Network and Information Security Directive (NIS2), organizations across the EU are preparing for the new regulation to come into force on October 17. However, it doesn’t stop there. On January 17, 2025, the new Digital Operational Resilience Act (DORA) will also come into effect for financial organizations and external IT suppliers from the sector.
Organizations across the EU, and those based elsewhere that do business with entities in the region, face increasing pressure to comply with these legal requirements. It appears that the convergence of these frameworks will impact a total of more than 170,000 European organizations – with 150,000 organizations affected by the NIS2 and estimates suggesting that more than 22,000 financial entities and ICT service providers will be affected by DORA.
What are NIS2 and DORA?
NIS2 aims to provide comprehensive EU-wide cybersecurity legislation. It expands the scope of the NIS Directive and introduces stricter safety requirements for 18 business sectors. Similar to the General Data Protection Regulation (GDPR), NIS2 will work to bridge cybersecurity measures and approaches within organizations to help strengthen Europe’s digital infrastructure.
DORA is a sector-specific guideline for financial institutions, aimed at their approach to operational risk. DORA has two clear objectives. Firstly, IT risk management in the financial sector needs to be tightened. Secondly, harmonizing the current IT risk management regulations that already exist in the EU Member States.
DORA leaves no room for discretion at Member State level, while NIS2 is a directive that allows countries to develop rules based on their specific national needs.
Compliance strategies for NIS2 and DORA
While it may seem like a lot to impose on businesses that are already struggling in a difficult economic situation, such regulations are being created in response to the growing threat landscape. Implementing the required changes will provide new opportunities to enhance cyber resilience and the overall security posture. To take advantage of these opportunities and stay ahead of upcoming regulations, below are nine compliance strategies organizations should adopt:
Extensive risk assessment: Organizations must carry out a thorough risk assessment that meets the requirements of both NIS2 and DORA. This includes identifying critical assets, assessing potential threats and evaluating the impact of different risk scenarios. A unified risk assessment approach helps identify common vulnerabilities and develop a streamlined risk mitigation strategy.
Education and training: Due to limited resources, organizations are often particularly vulnerable to cyber threats. But even if resources are limited, companies can implement continuous training and awareness sessions, and create and implement well-defined security measures. With this regular training, organizations can foster the necessary culture for compliance and security awareness.
Adopting a model of shared responsibility: In recent years, cybercriminals have evolved their tactics, putting enormous pressure on companies to act quickly. One way to address these concerns is to adopt a shared responsibility model to ensure security policies and practices are up-to-date and applied evenly across organizations, leaving no stone unturned. An active compliance strategy starts with clearly defined roles, responsibilities and objectives, documented within company policy, in line with NIS2 and DORA guidelines.
Integrated incident reporting: Organizations must implement a coherent, unified incident response plan to meet the requirements of both NIS2 and DORA, as they both mandate incident reporting mechanisms. This includes effectively streamlining communication channels, communicating transparently with consumers and ensuring timely reporting to relevant authorities.
Making cybersecurity a core value: Security leaders must work hard to demystify cybersecurity and show how a few behavioral changes can protect the entire organization in line with NIS2 and DORA. It is the responsibility of senior leadership teams to embed security and privacy into data-related initiatives from the start.
Cross-cadre governance: Companies should consider establishing dedicated compliance teams or integrating responsibilities into existing risk management functions to monitor compliance in accordance with multiple frameworks. By creating a clear governance structure, organizations can maintain consistency – avoiding duplication of effort and ensuring accountability.
Testing cyber resilience: There can be no compliance without regular testing of systems and processes. Organizations must develop a comprehensive testing schedule that includes penetration testing, red teaming and business continuity exercises to meet the requirements of both NIS2 and DORA. Organizations must align their testing procedures with the requirements of the frameworks to ensure more resilient security policies.
Leveraging technology: To facilitate compliance management, companies must adopt and embed technology solutions into their overall security strategy. This includes data-driven solutions for risk assessment, incident management and resilience testing. To ensure more accurate reporting, automated solutions should be considered to streamline processes and reduce manual efforts.
Developing trust and transparency: For trust to exist, organizations must, in line with NIS2 and DORA, share how the company handles data and personal information, including how it is kept secure. Providing this information will go a long way toward strengthening broader cybersecurity initiatives. A robust security response extends far beyond data protection to include regulators, employees, consumers and more. Therefore, continued compliance can mean the difference between a necessary evil and a trusted partner.
Turn compliance challenges into opportunities
As the deadlines for NIS2 and DORA approach, adopting a unified approach to risk management, incident reporting, resilience testing, technology and more can help organizations effectively navigate the regulatory landscape. The goal is not just to comply with these frameworks, but to use them as a catalyst for improving the overall security posture and operational resilience.
We have listed the best network monitoring tools.
This article was produced as part of TechRadarPro’s Expert Insights channel, where we profile the best and brightest minds in today’s technology industry. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing, you can read more here: