
Building cyber resilience: Complying with NIS2 and DORA

There is a growing inequality between organisations that are cyber resilient and those that are not. Smaller organisations are typically less able to prevent critical operational disruption from a significant cyber event. These organisations are consequently being targeted by bad actors using sophisticated supply chain attacks because they have less mature cybersecurity risk-management practices. The attacks then escalate to larger entities to whom they supply either products or services and can rapidly have a systemic impact across an entire industry.
This cyber threat landscape is matched in scale and complexity by the raft of regulations coming into force to manage and mitigate those threats. Governments and industry regulators are targeting improved operational resilience across highly critical sectors. Operational resilience is the goal, and in a digitally dependent world that puts cyber security front and centre, not just within our own organisation but throughout our supply chain ecosystem. For professionals across the spectrum of cybersecurity governance, risk and compliance in EMEA, meeting the requirements of regulations such as the EU’s Network and Information Security (NIS2) Directive and Digital Operational Resilience Act (DORA) is a key focus area.
In its recent cyber risk virtual summit, Diligent convened an experienced panel of cyber risk management, security, and compliance experts to share their insight into the EMEA cyber risk landscape and the role of technology in addressing regulatory compliance. Here, we explore the key takeaways from the discussion.
Resilience beats resistance in a high-risk cyber environment
In the current cyber threat environment, attacks and breaches are inevitable. While prevention plays a role, it is more important to plan for mitigation and recovery, as Paulo Glórias, Cyber Risk Expert at Moody’s, explained:
Oliver Newbury, former Group CISO of Barclays and now senior advisor at TPG Capital, agreed, pointing out that the ability to rapidly recover from incidents such as ransomware attacks is critical in competitive markets where “long outages often see competitors thrive.”
Risk-based DORA and NIS2 focus on third-party cyber risk and incident reporting
Modern organisations have highly complex, interconnected supply chains and partner ecosystems. This complexity creates vulnerabilities that, if successfully exploited, can have significant impacts not just on commercial outcomes but on people and society. Nick Frost, Co-founder of Cyber Risk Management Group, explained the rationale behind NIS2, which focuses on critical national infrastructure and key industries, and DORA, which applies to the financial sector:
Both NIS2 and DORA specify that organisations take a risk-based approach, with a particular focus on third-party risk and incident reporting, which Frost believes is a positive development: “[It] is making sure organisations focus on things that are most critical because they are the things you’ve got to protect at all costs […] the message is pretty clear and quite helpful for organisations to build in the capability to respond effectively to incidents.”
The regulations’ focus on supply chain also means organisations that aren’t directly in scope – but supply businesses that are – will also feel their impact. Glórias felt that this is a positive direction of travel: “These two regulations are actually adding value so that the whole of Europe would become more secure and resilient overall.”
Key compliance challenges for NIS2 and DORA
The panel identified three key areas of overlap in NIS2 and DORA that organisations must factor into compliance activities:
Incident reporting
Timely incident detection and reporting feature in both regulations, meaning organisations must ensure their systems and processes are capable of responding within the prescribed timeframes and with the level of detail required. Newbury highlighted that: “it is important for organisations […] to make sure that their playbooks in their operation centres are actually updated to ensure that at 4 a.m. at night, or wherever it is in the world, the people on the ground are able to hit the reporting requirements.”
This capability must be part of a wider resilience framework that ensures the business has the right technology in place to detect and respond to incidents. Exercises should be conducted to make sure all involved know what they need to do when an incident happens.
Third-party risk
DORA and NIS2 both make it clear that organisations are responsible for managing cyber risk within their supply chain. Frost remarked: “One of the key principles I think organisations need to get their head around is that you can outsource a service or a product, but you can't outsource a risk.” Getting visibility and insight into third-party cyber risk can be a daunting prospect when you have hundreds of supply chain partners, but it is a requirement that must be addressed. Because both regulations place security-related requirements on the relationship between each in-scope organisation and its direct suppliers or service providers, the effect is top-down and contractually driven: the entire ecosystem of suppliers supporting organisations directly in scope of NIS2 and DORA will feel it.
Glórias noted that both incident reporting and third-party risk management “cut across different parts of the organisation, and so it’s not something that you just give to one team.” The organisation must be aligned across the processes required for compliance. This should involve procurement teams who are engaging directly with suppliers, as well as legal teams who can draft compliant contracts and, crucially, cybersecurity teams who can provide the expertise needed to assess supplier performance.
Board accountability for cyber risk management
Both NIS2 and DORA emphasise the board’s role in overseeing cyber risk. Management bodies are increasingly being assigned a much more active role and the responsibility to approve the cybersecurity risk-management measures taken by their organisations and to oversee implementation. As Frost explained, under both regulations “the board needs to be reviewing and approving policies. They need to have visibility of the risks. So, we're giving them information for them to make better decisions. It's now down to the board to reach over to that world called cybersecurity and start getting a better understanding.”
Achieving that understanding means rethinking how cyber risk is reported to the board so that it receives information in language it understands. Frost recalled working with the Head of Legal to have them present to the board, which ensured the board appreciated the significance of cyber risk and heard the narrative in a way it could engage with.
The Role of technology in NIS2 and DORA compliance
Technology plays a crucial role in supporting organisations' compliance efforts through streamlining and rationalising control and reporting mechanisms – especially given the overlaps between the two regulations and various other regulations, frameworks and best practices.
Frost believes that “what a lot of organisations are probably screaming out for now is some kind of harmonised control library.” This would help organisations map back to policies and standards that they already meet, creating a robust and auditable record of compliance. This can link to automated reporting, removing a large administrative burden at the same time. Glórias agreed on the value of automation, saying:
He pointed to third-party risk management as a valuable application for an automated, ongoing process. “Having a tool that helps you understand what’s the landscape? Where are my critical vendors? Which are the ones that are not so critical? What do I do for those critical vendors compared to less-critical vendors? […] Having tools to help you automate this will take you a long way to becoming compliant.”
But is there tension between technology progress and technology regulatory compliance? Newbury thought so, but believes technology can also solve it:
Looking ahead: Strengthening your cyber resilience
Looking ahead, the panel anticipates a stronger shift towards risk-based regulatory approaches. Australia is a good example: it has very similar regulation in the Security of Critical Infrastructure Act 2018 (SOCI) and CPS 230, a prudential standard issued by the Australian Prudential Regulation Authority (APRA) that focuses on operational risk management.
The webinar provided valuable insights into the complexities of complying with NIS2 and DORA. By adopting a risk-based approach and leveraging technology to automate some of the compliance burdens, organisations can navigate these regulations effectively and contribute to a stronger regional cyber resilience posture to defend against adversaries which, ultimately, is the end goal. As Newbury put it: “Regardless of whatever the compliance regime is, adversaries are real, risks are genuine, so you can’t ever lose sight of this.”
Cyber risk isn’t going away — but with the right leadership strategy, you can turn it into a competitive advantage. Download the Cyber Leadership Playbook today and start building a more collaborative, resilient and proactive approach to cyber governance.