
In the vast and dynamic cyber universe, attacks are increasingly sophisticated and devastating. In 2023, a ransomware attack allegedly stole 27 terabytes of data from an organization, with the attackers demanding a ransom of 51 billion euros. In the same year, a hotel chain was attacked and saw the data of more than 10.6 million customers stolen. Faced with this global reality, the European Union (EU) aims to strengthen the cyber resilience of organizations across the continent through regulation.
The Digital Operational Resilience Act (DORA) and the NIS2 Directive (NIS II) represent the “new rules of the game” for cybersecurity in Europe. These regulations establish a set of requirements and obligations for organizations in different sectors. Together, they aim to increase cybersecurity maturity and ensure the resilience of organizations against cyber attacks.
What are DORA and NIS2?
DORA, focusing on the financial sector, strengthens the operational resilience of financial institutions against cyber incidents. NIS2, aimed at several sectors, expands the scope of the 2016 NIS Directive to include critical infrastructures such as energy, transport, health and water. Both regulations focus on three fundamental pillars:
Robust Cyber Risk Management:
Organizations must implement a robust risk management system to identify, analyze and assess their cyber risks. This includes implementing appropriate controls, such as:
Firewalls: barriers that prevent unauthorized access to networks;
Intrusion Detection Systems (IDS): monitor networks and systems for malicious activity;
Data Encryption: protects data at rest and in transit;
Log Monitoring: records and analyzes activity in systems to detect abnormal behavior;
Regular Penetration Testing: simulates real attacks to identify and fix security vulnerabilities.
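The "Log Monitoring" control above is where most of the detection work of a risk management program actually happens, so here is an added example (not code from the article) of what "analyzing activity to detect abnormal behavior" looks like in practice. It parses a handful of constructed, syslog-style SSH authentication lines (the timestamps, hostnames and IP addresses are made up for illustration; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges) and raises three kinds of alerts: a burst of failed logins from one source within a sliding window, a successful login from a source that was already flagged, and a login outside assumed business hours. The threshold, window and working hours are assumptions a real deployment would tune.

```python
"""Added example: minimal log monitoring that flags abnormal authentication
behaviour. Not part of the original article; thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data) in a syslog-like sshd format.
SAMPLE_LOG = """\
2024-03-01T08:00:01 sshd[101]: Failed password for invalid user admin from 203.0.113.7
2024-03-01T08:00:03 sshd[102]: Failed password for root from 203.0.113.7
2024-03-01T08:00:04 sshd[103]: Failed password for root from 203.0.113.7
2024-03-01T08:00:05 sshd[104]: Failed password for invalid user test from 203.0.113.7
2024-03-01T08:00:07 sshd[105]: Failed password for root from 203.0.113.7
2024-03-01T08:00:09 sshd[106]: Accepted password for root from 203.0.113.7
2024-03-01T08:15:00 sshd[120]: Accepted publickey for alice from 198.51.100.20
2024-03-01T23:40:00 sshd[140]: Accepted publickey for alice from 198.51.100.21
2024-03-01T09:00:00 sshd[130]: Failed password for bob from 192.0.2.9
"""

# One regex for both "Accepted ... for <user>" and "Failed ... for [invalid user] <user>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) \w+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)$"
)


def parse_log(text):
    """Turn raw lines into event dicts; lines the parser does not understand are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "result": m["result"],
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def detect_anomalies(events, threshold=5, window=timedelta(minutes=1),
                     business_hours=(8, 19)):
    """Return a list of (alert_type, source_ip, detail) tuples.

    threshold/window: how many failures from one source within the sliding
    window count as a burst (assumed values).
    business_hours: [start, end) hour range considered normal (assumed values).
    """
    alerts = []
    events = sorted(events, key=lambda e: e["ts"])  # logs are not always in order
    failures = defaultdict(list)  # source ip -> timestamps of recent failures
    flagged_ips = set()

    for e in events:
        if e["result"] == "Failed":
            bucket = failures[e["ip"]]
            bucket.append(e["ts"])
            # Drop failures that have aged out of the sliding window.
            while bucket and e["ts"] - bucket[0] > window:
                bucket.pop(0)
            if len(bucket) >= threshold and e["ip"] not in flagged_ips:
                flagged_ips.add(e["ip"])
                alerts.append(("brute_force", e["ip"],
                               f"{len(bucket)} failed logins within {window}"))
        else:  # Accepted
            if e["ip"] in flagged_ips:
                alerts.append(("success_after_burst", e["ip"],
                               f"accepted login for {e['user']} after a failure burst"))
            start, end = business_hours
            if not (start <= e["ts"].hour < end):
                alerts.append(("off_hours_login", e["ip"],
                               f"{e['user']} logged in at {e['ts'].time()}"))
    return alerts


if __name__ == "__main__":
    for alert_type, ip, detail in detect_anomalies(parse_log(SAMPLE_LOG)):
        print(f"[{alert_type}] {ip}: {detail}")
```

On the constructed sample this yields three alerts: a brute-force burst from 203.0.113.7, a successful root login from that same source moments later (the one a responder cares about most), and an off-hours login for alice. The "success after burst" alert is the reason to correlate events per source rather than alert on each failure: a single noisy rule produces pages of failures, while the combination tells you a containment step is due.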
Effective incident response plans:
The ability to quickly respond to cyber incidents is crucial to minimizing damage and enabling rapid recovery of operations. To achieve this, organizations must develop and maintain incident response plans, based on:
Detection: rapid identification of a cyber incident;
Containment: limiting the impact of the incident and preventing its spread;
Eradication: eliminating the cause of the incident and removing any malware or malicious software;
Recovery: restoration of systems and data affected by the incident;
Post-incident analysis: investigation of the causes of the incident to prevent it from recurring in the future.
Notification of authorities and transparency:
Serious cyber incidents must be reported to the appropriate authorities immediately. This allows authorities to investigate the incident, take action to contain the threat, and alert other organizations. Transparency is essential to strengthen the trust of customers and partners.
The Challenges of Compliance
While DORA and NIS2 establish comprehensive guidelines for strengthening cyber resilience, organizations face significant challenges when seeking compliance. In particular, the costs associated with implementing security measures can be a barrier for many organizations, especially smaller ones.

In the face of these challenges, strategic partnerships play a crucial role in promoting cybersecurity and regulatory compliance. Collaboration between organizations, regulatory authorities, suppliers and academic institutions can facilitate the sharing of knowledge, resources and best practices. New technologies, such as artificial intelligence, machine learning and blockchain, also have the potential to support compliance and to strengthen organizations' cyber resilience.

However, it is important to recognize that compliance with DORA and NIS2 is not just a matter of technology. Organizations must foster a culture of cybersecurity through employee awareness and training.
Conclusion
DORA and NIS2 represent a paradigm shift in European cybersecurity, setting a new standard for operational resilience and protection against cyber threats. Therefore, compliance with these regulations should not only be seen as an obligation, but also as an opportunity for organizations to stand out, protect their assets and build trust with customers and partners.