NIS2 and DORA – Strengthening IT Security

Discover how the EU’s NIS2 and DORA directives mandate strengthening cyber resilience across critical sectors. Learn about the methods for ICT risk management and the rules for protecting against and responding to ICT-related incidents. This article delves into the significance of these directives, the challenges they address, and the steps organisations must take to comply with these comprehensive frameworks.

Intro

In the ever-evolving landscape of cybersecurity, regulatory requirements play an essential role in ensuring that organisations across sectors maintain a robust posture against cyber threats. The European Union has been at the forefront of this effort, introducing two pivotal directives: the Network and Information Systems Directive 2 (NIS2) and the Digital Operational Resilience Act (DORA). Both aim to enhance the resilience of critical infrastructures and financial institutions against the growing tide of cyber threats.

What is NIS2?

The Network and Information Systems Directive 2 (NIS2) is an updated version of the original NIS Directive, which was introduced in 2016 to improve the cybersecurity posture of the EU member states. The original directive primarily focused on operators of essential services, such as energy, transport, and healthcare, and digital service providers. However, with the rapid digital transformation across all sectors, the EU recognized the need for a more comprehensive framework that addresses the evolving cyber threat landscape in more sectors.

NIS2 expands the scope of the original directive, bringing more sectors under its purview, including public administration, space, waste management, and food supply chains. The directive also introduces stricter supervisory measures and enforcement powers for national authorities, ensuring that organisations are held accountable for their cybersecurity practices. One of the key aspects of NIS2 is its emphasis on cross-border cooperation and information sharing, which is critical in the fight against transnational cyber threats.

The NIS2 directive mandates that all covered entities implement risk management measures that address both technical and organisational aspects of cybersecurity. These measures include incident reporting, supply chain security, and crisis management. By doing so, NIS2 aims to create a more resilient digital ecosystem across the EU, capable of withstanding and recovering from cyberattacks.

ICT Risk and Rules on ICT Risk Management

In the context of NIS2, ICT risks refer to the potential threats and vulnerabilities associated with an organisation’s information and communication technologies. These risks can stem from a variety of sources, including cyberattacks, system failures, human error, and supply chain disruptions. NIS2 places a strong emphasis on the identification, assessment, and management of ICT risks as a critical component of overall cybersecurity strategy.

Organisations covered by NIS2 are required to adopt a comprehensive approach to ICT risk management. This includes implementing technical measures such as firewalls, intrusion detection systems, and encryption, as well as organisational measures such as employee training, incident response planning, and regular security audits. The directive also mandates that organisations conduct regular risk assessments to identify new and emerging threats and adjust their security measures accordingly.

One of the significant challenges in managing ICT risks is the complexity and interconnectivity of modern IT environments. With the proliferation of cloud computing, IoT devices, and remote work, the attack surface has expanded significantly, making it more difficult for organisations to maintain control over their digital assets. NIS2 addresses this challenge by requiring organisations to implement robust supply chain security measures, ensuring that third-party vendors and partners adhere to the same high standards of cybersecurity.

Why is DORA Needed?

The Digital Operational Resilience Act (DORA) is another critical piece of legislation introduced by the EU, specifically targeting the financial sector. The act is designed to ensure that financial institutions, including banks, insurance companies, and investment firms, can withstand, respond to, and recover from all types of ICT risks. The need for DORA arises from the increasing reliance of financial institutions on digital technologies, which has made them prime targets for cyberattacks.

Financial institutions are considered the backbone of the global economy, and any disruption to their operations can have far-reaching consequences. The rise of fintech, digital banking, and cryptocurrency has further increased the complexity of the financial sector’s digital landscape. DORA recognizes these challenges and aims to create a unified regulatory framework that strengthens the cyber resilience of the entire financial sector.

One of the key features of DORA is its focus on ICT-related incidents. The act requires financial institutions to implement measures that enhance their ability to detect, contain, and recover from cyber incidents. This includes establishing incident reporting mechanisms, conducting regular resilience testing, and ensuring that all critical systems and data are adequately protected. DORA also emphasises the importance of third-party risk management, requiring financial institutions to assess the cybersecurity posture of their service providers and take appropriate measures to mitigate any risks.

Rules for the Protection, Detection, Containment, Recovery, and Repair Capabilities Against ICT-Related Incidents

Both NIS2 and DORA set out specific rules and guidelines that organisations must follow to protect against, detect, contain, recover from, and repair the damage of ICT-related incidents. These rules are designed to ensure that organisations are not only able to prevent cyberattacks but also to respond effectively when incidents occur.

1. Protection: Organisations must implement a multi-layered security approach that includes both technical and organisational measures. This involves deploying modern security technologies such as next-generation firewalls, pervasive encryption, and access controls including zero-trust models, as well as establishing policies and procedures that promote a security-aware culture.

2. Detection: Early detection of cyber threats is critical to minimising their impact. Organisations are required to deploy monitoring tools that can identify potential threats in real time, such as SIEM platforms, anomaly detection systems, and intrusion detection/prevention systems (IDS/IPS). Regular security audits and penetration testing are also essential for identifying vulnerabilities before they can be exploited.

3. Containment: In the event of a cyber incident, organisations must be able to contain the threat quickly to prevent it from spreading. This involves isolating affected systems, shutting down compromised networks (if feasible), or disabling access to certain resources.

4. Recovery: After an incident has been contained, organisations must focus on restoring normal operations as quickly as possible. This includes recovering lost or corrupted data, restoring affected systems, and ensuring that all business processes can resume without further disruption.

5. Repair: Finally, organisations must conduct a thorough post-incident analysis to understand how the attack occurred and what can be done to prevent similar incidents in the future. This may involve patching vulnerabilities, updating security policies, and conducting additional training for employees.

Conclusion

The introduction of NIS2 and DORA represents a significant step forward in strengthening the cyber resilience of organisations across the EU. By providing a comprehensive framework for ICT risk management and establishing rules for protecting against and responding to ICT-related incidents, these directives aim to create a more secure digital environment for businesses and consumers alike. As the threat landscape continues to evolve, it is essential for organisations to stay ahead of the curve by implementing the measures outlined in NIS2 and DORA, and to keep up to date by participating in NEXT IT SECURITY, the most exclusive cybersecurity C-level event, to stay informed about the latest developments in the field.

Next IT Security Team