Steve Purser, former Head of Core Operations at the EU Agency for Cybersecurity, and Zivver’s Chief Information Security Officer, Nadine Hoogerwerf, get into the weeds on NIS2 and DORA
From GDPR to CRA, NIS2 to DORA, the number of acronyms connected to data compliance and regulation is becoming quite overwhelming for businesses. These legislative instruments are not designed to make life difficult for organisations, but to standardise cybersecurity and risk management to create a more secure landscape for all. While some eyes may roll at the introduction of two new pieces of legislation, they are arguably the most important legislative updates in history – not necessarily for their depth or breadth, but for the new security standards they aim to establish and preserve across the entire digital landscape.
The Network and Information Security Directive (NIS) is a sector-agnostic directive that aims to standardise a set of goals that all organisations within the EU must achieve. Those goals include the need for proactive risk management frameworks, incident reporting protocols, and – new to NIS2 – supply chain security measures. Crucially, NIS2 brings stronger enforcement and greater penalties for non-compliance, and shifts responsibility and accountability to those at the top of the organisation. It will be down to individual EU countries to translate the NIS2 directive into actionable laws, but it will soon become an EU standard.
The Digital Operational Resilience Act (DORA), on the other hand, specifically targets the finance sector, requiring financial entities to establish comprehensive frameworks to manage ICT risks, including risk identification, anomaly detection, response and recovery procedures, and continuous testing. Like NIS2, this also includes a renewed focus on third parties, requiring organisations to conduct thorough assessments before they enter into new ICT partnerships. DORA will come into force for every organisation it applies to at the same time, regardless of which EU country they operate in. This is currently planned to occur on January 17, 2025.
But what does all this mean for businesses? What do data governance professionals need to be mindful of? What kind of impact will NIS2 and DORA have on the business landscape, and what should companies be doing – or not doing – to prepare?
What Impact Will DORA and NIS2 Have?
Steve Purser kicked off the discussion by making the point that the ideas behind NIS2 and DORA are not revolutionary; both focus on well-established cybersecurity practices such as detecting anomalous network behavior, documenting and reporting incidents, and taking a “zero trust” approach to third-party suppliers. Rather than change the game, these new legal instruments are designed to elevate the game and give these best practices an established structural framework.
All sectors will be impacted, but the financial sector will have more to do because it will be impacted by both NIS2 and the finance-focused DORA. Cyberattacks on European financial services companies increased by 119% between 2022 and 2023, and 82% of finance leaders now regard cybersecurity as the most significant threat to their business. The majority of businesses should be doing much of the heavy lifting outlined in DORA and NIS2 already, so the impact on businesses, ideally, will be minimal.
“Compliance isn’t really the goal here,” notes Steve. “Instilling a culture of risk management is.” Both regulations emphasise the importance of risk management as a cultural and policy-driven goal rather than just compliance for its own sake. Nadine Hoogerwerf commented that the legislation is a positive step, because too many businesses still treat their own security initiatives as an afterthought or box-checking exercise; the legislation creates an impetus for better data governance and the formation of better organisational habits. “Most CISOs I’ve spoken with are welcoming DORA and NIS2,” says Nadine. “They know that security is no longer optional, and some might even think the legislation doesn’t go far enough. It strengthens their role and makes security a team endeavor rather than something they have to justify.”
One of the critical aspects of these regulations is their focus on supply chain security and the control of third-party IT service providers. “Supply chain security is a big part of NIS2, and DORA puts a lot of emphasis on controlling third-party service providers,” noted Purser. This requires businesses to evaluate not just their internal processes but also the security measures of the vendors and partners they work with. As a result, the impact of this aspect of the regulations will likely be far-reaching, with many organisations reassessing their supply chains and forging new, carefully vetted partnerships.
Reframing Responsibility: A Win for Data Governance
One of the standout elements of both NIS2 and DORA is the direct responsibility placed on management boards. For too long, cybersecurity has been viewed as the domain of IT departments, but these new regulations require a hands-on approach from leadership.
“It’s good that management boards will now shoulder some of the responsibility for risk management,” said Purser. “While board members may not need to understand every technical detail, they must be aware of the major risks affecting their organisation and work with their teams to mitigate them.”
Both Purser and Hoogerwerf agreed that these changes would significantly impact the role of Chief Information Security Officers (CISOs), who are often the bridge between technical teams and the board. “We expect CISOs and their teams to have more seats at the table,” said Hoogerwerf, “particularly in organisations that are less mature in terms of their security posture.” Ensuring that management teams are knowledgeable enough to ask the right questions and make informed decisions will undoubtedly be a key challenge. Purser stressed that while board members don’t need to know the finer details, they should be capable of asking their teams the right questions about risk. Governance also needs to be a team effort, with legal, compliance, and technical teams working closely together to ensure a coherent approach to risk management.
Establishing a Culture of Resilience
At the core of both NIS2 and DORA is the emphasis on creating a culture of resilience. Employee training and awareness are crucial components of any cybersecurity strategy, but they are areas where many organisations struggle. Traditional training methods, such as lengthy security documents, are easily forgotten or inconsistently applied. Hoogerwerf advocated for more interactive and engaging methods, including the use of technology to “nudge” employees toward more secure behavior. “Motivate people to make better choices,” said Hoogerwerf, noting the importance of small prompts, like password strength reminders, that encourage compliance without overburdening employees.
Both speakers agreed that while you can’t completely eliminate human error, you can minimise it through regular training, engagement, and technological support. Purser highlighted the importance of buy-in from staff, emphasising that storytelling and clear communication can help empower employees to take ownership of their role in maintaining the organisation’s security. Rather than issuing orders from the top down, organisations should encourage employees to take an active role in shaping new security policies, which makes them more likely to apply those policies and to encourage others to do the same.
Getting the Technology Right
Technology will play a critical role both in complying with the new NIS2 and DORA regulations and in enhancing an organisation’s overall security posture. DORA, in particular, pushes financial institutions to invest in technologies that can help them monitor and mitigate risks in real time. For instance, Nadine emphasised the importance of leveraging threat intelligence platforms that allow organisations to share information and collaborate on emerging threats. Steve echoed the sentiment, noting that good governance and risk management require access to the right tools and technologies. These might include integrated risk management (IRM) platforms, incident detection and response systems, third-party risk management (TPRM) solutions, data encryption, network discovery tools, and more.
Complying with NIS2 and DORA, and investing in these technologies, should also stand businesses in good stead for other incoming regulations. Steve mentioned the upcoming AI Act and the Cyber Resilience Act, both of which are set to introduce new ways of addressing product security and teaching end users how to navigate security challenges in the real world. The AI Act went into force in August this year, and while the CRA is still in the pipeline, both represent the next phase of cybersecurity governance, where the security of products and services will be scrutinised as closely as the security of networks and systems.
Security is a Team Sport
Governance is one of the trickiest aspects of implementing the new regulations, but it’s also one of the most important. As Steve pointed out, the new wave of regulations introduces legal, compliance, and technical components that require different parts of an organisation to gel together and exchange information effectively. “Make sure your governance structure is solid and well coordinated,” he commented.
The success of any cybersecurity strategy hinges on a company’s ability to bring together different teams to manage risks coherently. This means not only ensuring that board members are engaged but also that the legal, technical, and compliance teams are communicating effectively and have access to the same threat intelligence. Nadine noted that risk should always be signed off as a team effort, with clear accountability at every level of the organisation. “It’s tempting to assign security responsibilities to a small team and forget about it, but without transparency and co-ordination, a small incident can quickly turn into a major data breach,” said Nadine. “The role of the CISO is likely to become more centralised and far-reaching for that reason, and it will become a more important role, even in smaller enterprises.”
As NIS2 and DORA come into force, organisations must move beyond a reactive approach to cybersecurity. Risk management, employee engagement, and governance structures all need to evolve to meet these new regulatory demands. The takeaway from Steve and Nadine’s insights is clear: NIS2 and DORA are raising the bar for cybersecurity, pushing organisations to adopt more rigorous, proactive measures. By investing in the right technologies, fostering a culture of resilience, and ensuring strong governance, businesses can not only comply with the new regulations but also improve their overall risk posture.
Readers can watch the webinar in full here: https://www.zivver.com/your-compliance-checklist.