With cyberattacks surging across Europe, NIS2 and DORA regulations establish new security standards and enforcement mechanisms — putting boards and management teams squarely in the accountability spotlight. Steve Purser, a former official at the EU Agency for Cybersecurity, and Nadine Hoogerwerf, Zivver’s CISO, explore how these landmark regulations will reshape organizational security from the boardroom to the supply chain.
From GDPR to the CRA, NIS2 to DORA, the number of acronyms connected to data compliance and regulation is enough to make your head spin. These legislative instruments are not designed to make life difficult for organizations but to standardize cybersecurity and risk management and so create a more secure landscape for all. While some eyes may roll at the introduction of two new pieces of legislation, NIS2 and DORA are arguably the most consequential EU cybersecurity laws to date, not necessarily for their depth or breadth but for the security baseline they aim to establish and preserve across the entire digital landscape.
The second Network and Information Security Directive (NIS2) is a cross-sector directive that sets a common set of goals for organizations designated as essential or important entities across a broad range of sectors, from energy, transport and health to digital infrastructure and public administration. Those goals include proactive risk management frameworks, incident reporting protocols (an early warning within 24 hours of becoming aware of a significant incident, a fuller notification within 72 hours and a final report within a month) and, new to NIS2, supply chain security measures. Crucially, NIS2 brings stronger enforcement and greater penalties for noncompliance and shifts responsibility and accountability to those at the top of the organization. As a directive, it had to be transposed into national law by each EU member state, with a deadline of Oct. 17, 2024; in practice, the precise obligations an entity faces therefore depend on the national implementing law, even though the baseline is common across the EU.
The Digital Operational Resilience Act (DORA), on the other hand, specifically targets the finance sector, requiring financial entities to establish comprehensive frameworks to manage ICT risks, including risk identification, anomaly detection, response and recovery procedures and regular resilience testing, up to threat-led penetration testing for the entities designated for it. Like NIS2, it brings a renewed focus on third parties, requiring organizations to assess ICT providers before entering into new contracts, to maintain a register of those arrangements and to include specific provisions, such as audit rights and exit strategies, in the contracts themselves. Because DORA is a regulation rather than a directive, it applies directly, with no national transposition, to every organization in scope at the same time, regardless of which EU country they operate in. That date is Jan. 17, 2025.
But what does all this mean for businesses? What do data governance professionals need to be mindful of? What kind of effect will NIS2 and DORA have on the business landscape and what should companies be doing — or not doing — to prepare?
What impact will DORA and NIS2 have?
The ideas behind NIS2 and DORA are not revolutionary; both focus on well-established cybersecurity practices, such as detecting anomalous network behavior, documenting and reporting incidents and taking a “zero trust” approach to third-party suppliers. Rather than change the game, these new legal instruments are designed to elevate the game and give these best practices an established structural framework.
All sectors will be affected, but the financial sector will have more to do because it will be covered by both NIS2 and the finance-focused DORA. Cyberattacks on European financial services companies increased by 119% between 2022 and 2023, according to Akamai, and an EY survey showed 82% of finance leaders now regard cybersecurity as the most significant threat to their business. Organizations that already follow established practice should find that much of the heavy lifting outlined in DORA and NIS2 is done, so the incremental impact on them, ideally, will be modest; the real work falls on those that have not.
Compliance isn’t really the goal here; instilling a culture of risk management is. Both regulations emphasize the importance of risk management as a cultural and policy-driven goal rather than just compliance for its own sake. The legislation is a positive step, because too many businesses still treat their own security initiatives as afterthoughts or box-checking exercises; the legislation creates an impetus for better data governance and the formation of better organizational habits.
Most chief information security officers (CISOs) will welcome DORA and NIS2. They know that security is no longer optional, and some might even think the legislation doesn’t go far enough. It strengthens their role and makes security a team endeavor, rather than something they have to justify.
One of the critical aspects of these regulations is their focus on supply chain security and the control of third-party ICT service providers. NIS2 makes supply chain security an explicit risk management measure, while DORA devotes a whole chapter to managing ICT third-party risk and adds an EU-level oversight framework for providers deemed critical to the financial sector. This requires businesses to evaluate not just their internal processes but also the security measures of the vendors and partners they work with, and to write expectations for incident notification, audit rights and exit into contracts rather than assume them. As a result, the impact of this aspect of the regulations will likely be far-reaching, with many organizations reassessing their supply chains and forging new, carefully vetted partnerships.
Reframing responsibility: A win for data governance
One of the standout elements of both NIS2 and DORA is the direct responsibility placed on management boards. For too long, cybersecurity has been viewed as the domain of IT departments, but these new regulations require a hands-on approach from leadership.
It is right that management boards will now shoulder some of the responsibility for risk management. Under NIS2, management bodies must approve their organization's cybersecurity risk management measures, oversee their implementation and undergo training themselves, and they can be held liable for infringements; DORA likewise makes the management body responsible for defining, approving and overseeing the ICT risk management framework. While board members may not need to understand every technical detail, they must be aware of the major risks affecting their organization and work with their teams to mitigate them.
These changes will significantly impact the role of CISOs, who are often the bridge between technical teams and the board. We expect CISOs and their teams to have more seats at the table, particularly in organizations that are less mature in terms of their security posture.
Ensuring that management teams are knowledgeable enough to ask the right questions and make informed decisions will undoubtedly be a key challenge: a board that cannot probe the risk register, the incident history and the state of key suppliers cannot discharge the oversight these regulations demand. Governance also needs to be a team effort, with legal, compliance and technical teams working closely together to ensure a coherent approach to risk management.
Establishing a culture of resilience
At the core of both NIS2 and DORA is the emphasis on creating a culture of resilience. Employee training and awareness are crucial components of any cybersecurity strategy, but they are often areas where organizations struggle. Traditional training methods, such as lengthy security documents, are easily forgotten or inconsistently applied. Organizations should favor more interactive and engaging methods, including the use of technology to "nudge" employees toward more secure behavior at the moment a risky action is about to happen.
While you cannot completely eliminate human error, you can minimize it through regular training, engagement and technological support. Buy-in from staff matters: storytelling and clear communication help employees take ownership of their role in maintaining the organization's security. Instead of taking a purely top-down approach to compliance, organizations should encourage employees to play an active role in the formation of new security policies, making them more likely to apply those policies and to encourage others to do the same.
Getting the technology right
Technology will play a critical role both in complying with the new NIS2 and DORA regulations and in enhancing an organization's overall security posture. DORA, in particular, pushes financial institutions to invest in technologies that help them monitor and mitigate risks in real time, and it explicitly allows financial entities to set up information-sharing arrangements; organizations can, for instance, use threat intelligence platforms to share indicators and collaborate on emerging threats. Good governance and risk management require access to the right tools and technologies. These might include integrated risk management (IRM) platforms, incident detection and response systems, third-party risk management (TPRM) solutions, data encryption and network discovery tools; the last of these matters more than it sounds, since you cannot report an incident within 24 hours on an asset you did not know you had.
Complying with NIS2 and DORA, and investing in appropriate technologies, should also stand businesses in good stead for other incoming regulations. The AI Act and the Cyber Resilience Act (CRA) introduce new ways of addressing product security and of teaching end users how to navigate security challenges in the real world. The AI Act entered into force on Aug. 1, 2024, and while the CRA, which governs the security of products with digital elements, was still in the pipeline at the time of writing, both represent the next phase of cybersecurity governance, where the security of products and services will be scrutinized as closely as the security of networks and systems.
Security is a team sport
Governance is one of the trickiest aspects of implementing the new regulations, but it’s also one of the most important. The new wave of regulations introduces legal, compliance and technical components that require different parts of an organization to gel and exchange information effectively. This demonstrates the importance of having a solid and well-coordinated governance structure.
The success of any cybersecurity strategy hinges on a company's ability to bring together different teams to manage risks coherently. This means not only ensuring that board members are engaged but also that the legal, technical and compliance teams are communicating effectively and have access to the same threat intelligence. Risk should always be thought of as a team effort, with clear accountability at every level of the organization. It may be tempting to assign security responsibilities to a small team and forget about it, but without transparency and coordination, a small incident can quickly turn into a major data breach, and a reporting clock that nobody outside that team knew was running can quietly expire. The role of the CISO is likely to become more centralized and far-reaching for that reason, and it will become a more important role, even in smaller enterprises.
As NIS2 and DORA come into force, organizations must move beyond a reactive approach to cybersecurity. Risk management, employee engagement and governance structures all need to evolve to meet these new regulatory demands. NIS2 and DORA are raising the bar for cybersecurity, pushing organizations to adopt more rigorous, proactive measures. By investing in the right technologies, fostering a culture of resilience and ensuring strong governance, businesses can not only comply with the new regulations but also improve their overall risk posture.