Can NIS2 and DORA improve firms’ cybersecurity?
Recognition of the threat that businesses face from cyberattacks is increasing.
According to Allianz’s 2024 Risk Barometer, incidents such as ransomware attacks, data breaches, and IT disruptions rank as the top global risk by a clear margin.
Equally, looking at PwC’s 2024 Global Digital Trust Insights survey, almost half (47 per cent) of executives actively worry about cloud-centric cyber threats, with 36 per cent of respondents having experienced a data breach of more than $1m in the previous year – up from 27 per cent.
It’s an escalating issue – one that regulatory bodies across the world are working to combat by updating and enhancing guidelines to help enterprises become more resilient and secure.
Here, the European Union has garnered particular attention in recent times, announcing two significant cybersecurity compliance alterations that will soon be applicable as law to a variety of businesses.
The first of these is the NIS2 Directive. Having come into effect in January 2023, it represents an expansion of the previous EU directive, requiring operators of critical infrastructure and essential services to develop more robust security policies.
You can find out more about the NIS2 Directive here
The second, meanwhile, is the Digital Operational Resilience Act (DORA). Set to become legally binding as of January 2025, it establishes technical standards that financial entities and their critical third-party technology service providers must implement in their ICT systems.
You can find out more about the DORA here
The problem with subjective regulations
The message behind these frameworks is similar: that organisations providing essential services must prioritise cybersecurity, ensuring they are more holistically protected from digital threats to reduce the potential for disruption.
Their reasoning is sound. However, they do leave many firms wanting.
One of the biggest issues with both NIS2 and DORA is the fact that they overly focus on promoting security and resilience without providing end-users with a blueprint for success. In paying too much attention to the outcomes that enterprises should be working towards, they fail to offer clear step-by-step guidance on the actions that businesses should take to reach those end goals.
This is in part due to a recognition that every business is different. With each individual organisation having a better understanding of its own unique digital footprints, the belief is that it makes more sense for enterprises to interpret the guidelines in a way that makes sense for them.
This is very much the case with DORA, where enterprises shoulder the responsibility of not only defining what qualifies as a business-critical service but also pinpointing its interconnected dependencies.
Unfortunately, allowing regulations to remain open to interpretation in this manner can lead to confusion and inconsistencies, creating complexity to the environment for both organisations and auditors.
For instance, within the financial sector, two enterprises offering similar services may hold entirely different viewpoints regarding the definition of business-critical services and their corresponding dependencies.
Moving beyond the why to look at the how
We have seen some improvements in the move from NIS to NIS2. Not only is the guidance a little better but there’s less ambiguity. However, in my view, it is still far from perfect.
I believe these frameworks should take a further step forward to dramatically simplify cybersecurity compliance for enterprises that often aren’t clued up on the landscape or its requirements.
Such steps have been taken in other sectors such as construction. If you want to build a house, then UK building codes provide set, clear and strict guidelines that need to be followed.
It’s vital that NIS2 and DORA move in the same direction. Of course, it’s not going to be as simple as replicating what has been achieved in industries such as construction. However, we’ve already seen successful examples of more supportive cybersecurity frameworks being implemented in other major markets globally.
Australia’s Essential Eight serves as a notable example. As well as highlighting the importance of eight key security priorities that are fundamental to achieving a more robust setup, it also provides organisations with step-by-step guidance for achieving both basic and more heightened levels of maturity.
Imagine purchasing a new lock for your front door – simply being told that your house will only be secure when the lock is engaged isn’t enough. You’d also require guidance on how to configure and operate it optimally to ensure maximum security effectiveness.
Those expectations shouldn’t be any different when considering cyber frameworks. For end users to truly understand and follow guidelines effectively, regulators should outline exactly how best practice can be achieved.
Seeing the value beyond non-compliance penalties
For enterprises grappling with how to effectively align with the heightened compliance requirements mandated by DORA and NIS2, several steps can be taken.
While UK- or EU-based organisations must adhere to their respective laws, the guiding principles and action points of more prescriptive frameworks can aid organisations in informing their decision-making processes.
By following the same path as those adhering to frameworks such as Australia’s Essential Eight, enterprises can bolster confidence in their compliance efforts as they move away from subjective interpretation, as well as providing a clear logic-trail to auditors.
However, cybersecurity compliance should not be reduced to a mere tick-box exercise.
Regulatory requirements are escalating for a reason – amid advancing cyber threats, organisations must implement the necessary controls and policies to safeguard themselves effectively.
This shift shouldn’t be viewed as a burden but rather as an opportunity. Just as IT was once perceived solely as a business cost and is now recognised as a business enabler, cybersecurity is undergoing a similar transformation. While security may not directly streamline operations or double revenues, it is a critical tool for safeguarding investments and ensuring business continuity.
Following security guidelines shouldn’t be about avoiding non-compliance fines. With IBM reporting that the average data breach now costs organisations $4.45m, effective security practices are indispensable in shielding businesses from far more damaging outcomes.
To avert such catastrophic losses, prioritising security is imperative. By adopting this approach, organisations will naturally position themselves well to meet evolving and escalating compliance requirements.
Daniel Lattimer is Area VP at Semperis.
Read more
When CISO meets CCO: leading cyber risk management – Security and compliance leadership must closely collaborate to effectively lead the management of cyber risk across the organisation
Types of social engineering attacks to watch out for – Here, we explore the most threatening social engineering attacks for organisations, and how to go about keeping them at bay
Keys to effective cybersecurity threat monitoring – A strong cybersecurity threat monitoring strategy that evolves with current and prospective threats is crucial towards long-term company-wide protection