Organizations and society have become dependent upon digital services, which has increased the impact of cyber threats on businesses and the general public. Recent incidents demonstrate how ransomware attacks, and even mistakes, can disrupt public services including healthcare. You need to prepare for and implement the NIS2 and DORA regulations effectively, not only to meet your obligations, but also to protect your organization.
NIS2 and DORA scope and regulatory approach
The EU NIS2 (Network and Information Security Directive 2) and the EU DORA (Digital Operational Resilience Act) are two regulatory frameworks designed to enhance the cybersecurity and operational resilience of organizations within the European Union. Although they have overlapping goals in promoting robust cybersecurity practices, they differ in their scope, objectives, and target sectors.
NIS2 has a broader scope and applies to multiple sectors beyond finance, including healthcare, transport, energy, digital infrastructure, and public administration. It aims to enhance cybersecurity across a diverse range of critical sectors. DORA, on the other hand, focuses exclusively on the financial industry. It addresses how financial entities and their Information and Communication Technology (ICT) providers should handle operational resilience and cybersecurity risks.
NIS2 takes a principles-based approach, offering guidelines that can be adapted by different sectors. It establishes minimum requirements and allows individual member states to implement additional rules if needed. DORA, however, takes a more prescriptive approach, with detailed rules and requirements for financial entities. It defines clear guidelines for risk management, incident reporting, testing, and monitoring of third-party ICT providers.
Third-Party Risk Management
Both frameworks emphasize the importance of organizations managing risks in their cyber supply chains. DORA places a strong emphasis on third-party risk management within the financial sector, introducing stricter oversight of ICT service providers. It requires financial institutions to monitor and manage risks arising from third-party ICT dependencies, with critical ICT providers being subject to direct regulatory oversight. NIS2, on the other hand, encourages managing supply chain risks but does not impose controls over third-party service providers as strict as those in DORA.
NIS2 and the British Library Hack
In October 2023, the British Library was the victim of a cyber-attack which copied and exfiltrated some 600GB of files, including personal data of library users and staff. As well as the exfiltration of data for ransom, the attackers’ methods included the encryption of data and systems, and the destruction of some servers to inhibit system recovery and to cover their tracks.
It is interesting to consider how this incident could have been prevented or its impact significantly reduced by compliance with the NIS2 Directive. Here are some suggestions based on comparing the reported results of the investigation into the incident with the requirements of NIS2.
Implementation of Multi-Factor Authentication (MFA). The lack of MFA on certain systems allowed unauthorized access, which was a significant factor in the attack's success. NIS2 emphasizes the implementation of appropriate technical and organizational measures, including MFA, to protect network and information systems. Had MFA been in place across all remote and privileged access points, it would have added a critical layer of security and could have prevented the attackers from gaining access as easily.
Improved Network Segmentation and Monitoring. The library's legacy network infrastructure allowed attackers broader access once they breached the system. NIS2 mandates that organizations employ risk management practices, including network segmentation and continuous monitoring, to limit the spread of potential breaches. Implementing a modern, segmented network design as required by NIS2 could have restricted the attackers’ movement, minimizing the impact.
Regular Security Assessments and Testing. Although the Library had conducted some security assessments, the NIS2 Directive encourages regular and more comprehensive security testing, such as penetration testing and vulnerability assessments. These assessments could have highlighted weaknesses, particularly in legacy systems, and prompted remedial actions that might have prevented the attack.
Your Weakness is their Opportunity
The UK telecoms and services provider BT logs 2,000 signals of potential cyber-attacks every second, 200 million per day. According to IBM, the average cost of a data breach in 2023 was $4.88 million. You need to act now to protect your organization’s cyber infrastructure against cyber-attacks and to prepare to respond when an incident occurs. Your weakness is the threat actors’ opportunity.
The NIS2 directive and the DORA regulation set out the basic rules you need to follow. Act now to build a clear view of the risks that your organization faces, identify the gaps in your controls, and implement best practices for cyber hygiene. Check your organization’s cyber maturity. To get more details on how to navigate the final stretch, attend cyberevolution 2024.
cyberevolution 2024
We are excited to invite you to our cyberevolution event in Frankfurt on December 3-5, 2024. We will be exploring a wide range of cybersecurity topics, with plenty of chances to chat with industry experts. Cyber resilience will be one of the big topics on the agenda. In a combined session, Mike Small will discuss “Why you need data backup and how AI can help” and Joshua Hunter will provide insights into “Focus on Cyber Resilience - Prepare, Respond, Resume”. We look forward to seeing you there and to having some great discussions.