DORA and NIS2: Europe and the challenges of cybersecurity

In order to create a harmonized European regulatory framework to address cybersecurity challenges in the financial sector as well as beyond, the implementation of the Digital Operational Resilience Act ("DORA Regulation") in January 2025, and Directive (EU) 2022/2555 ("NIS2 Directive") expected in October 2024, represents an important step forward.

Let us take a look at the most significant points and how S2E supports companies that need to comply with the security requirements of these two standards.

DORA: operational resilience in the financial industry in the EU.

A requirement of DORA is that financial entities establish adequate safeguards against cyber-attacks as well as improve the requirements for ICT risk prevention in the financial and insurance sectors, including third parties that provide critical ICT services to the sector.

The regulation emphasizes the need to ensure digital operational resilience to address cybersecurity threats throughout the business lifecycle.

Five key "pillars" form the basis of DORA regulations:

1. Define the ICT risk management framework
2. Reporting incidents and attacks and managing them
3. Ensure operational resilience
4. Managing the risks associated with third parties involved in risk management
5. Compliance management and monitoring/reporting

NIS2 Directive: Information Security Standards in Europe

The NIS2 directive aims to ensure an acceptable and widespread level of cybersecurity among organisations defined as essential and important by enhancing cooperation and information exchange.

Its scope is therefore broader than DORA and includes a wide range of industries, not only companies operating in "high criticality" sectors such as energy, transportation, finance, and health care, but also those in other critical industries such as digital service providers, postal services, waste management, and other essential services.

The directive introduces crucial cybersecurity risk management measures and significant incident reporting requirements.

For non-compliance with NIS2, as well as the DORA regulations, there are also fines and penalties: essential entities could be punished by administrative penalties up to 10 million euros or 2 % of their total annual worldwide turnover, whichever is greater. A major player could be fined up to 7 million euros or 1,4% of its annual worldwide turnover, whichever is greater. Also, managers may be held liable if they fail to take necessary measures to manage cybersecurity risk. These measures will be provided for in national legislation.

Specifically, Article 20 clarifies the framework for action to governance and accountability:

1. Member States shall ensure that the governing bodies of essential and important entities approve the cybersecurity risk management measures taken by such entities to comply with Article 21, oversee its implementation, and may be held liable for any violations of Article 21 by such entities. (...)
2. Member States shall ensure that members of the management body of essential and important entities are required to undergo training, and encourage essential and important entities to offer similar training to their employees. (...)

S2E: which approach?

In order to ensure unified and effective management of this complex framework, S2E proposes a four-phase design intervention strategy:

• Perimeter definition, which may consist of the entire organization or, in the case of complex organizations or simple knowledge transfer requirements, a subset of operational activities or services that are delivered to customers. During this phase, documentation is shared, supplemented by interviews in order to clearly establish the relationship between assets, stakeholders, cybersecurity processes, supply chain, and active contracts.
• The next phase, the gap analysis, is conducted by providing analytical insight regarding the relevant regulatory constraints of the applicable regulations according to the target market. The result of this analysis will be an assessment of whether security controls are adequate and how well they are applied. In detail, relevant regulatory articles are first mapped against the relevant international frameworks for information security (ISO/IEC27001 and others), information is gathered from the client, and the level of adequacy and evidence regarding the application of security controls is assessed so as to achieve the necessary awareness and thus be able to demonstrate compliance with regulatory requirements; in order to be more effective and reduce the time of any remedial actions, a follow up towards the customer is provided in advance with respect to any nonconformities detected, while in case of a positive verification, the analysis concludes with the confirmation of compliance with the regulations under consideration.
• In case of inadequacy in security measures with respect to the principles and indications provided by the regulations, a structured improvement plan is suggested, taking into account the path that will need to be followed to fill the gaps detected, as well as the client's priorities as well as the resources allocated to the project, both as a financial and personnel resource. Following the sharing of the choices with the client, the final detailed plan is developed, which includes all responsibilities, the expected completion date for the activities, and the methods for confirming that they were conducted as planned.
• The information gathered in the previous stages is then organized into a final report that is addressed to both the Corporate Project Working Group and the corporate management. This report contains a summary section, the management summary intended to be presented at the workshop to share the results with key people in the organization.
  
  

All gap analysis projects with respect to emerging European cybersecurity regulations are carried out by S2E through a dedicated business line composed of a team of authoritative experts on cybersecurity strategy, governance and compliance issues, with the possibility of involving other corporate organisational units with distinctly technological skills. S2E's business line CSA&C - CyberSecurity Advisory & Compliance acts as the customer's partner and is able to map out the path, lead projects and guarantee multidisciplinary support in the phases of analysis, execution of remediation plans, training and possible customer support to spread the culture of security among business partners.