NIS 2 and DORA are undoubtedly a positive development in cybersecurity. However, they also raise a number of questions and challenges.
The new EU regulatory frameworks, NIS 2 and DORA, will reshape the cybersecurity landscape for regulated sectors, pushing organizations to raise their security maturity to a level that has so far been expected mainly of the financial industry.
The Knowledge Gap
There is a clear disparity in management awareness of the NIS 2 and DORA requirements. This is particularly evident in organizations that will be classified as "important" entities under NIS 2 (and under the national legislation transposing it, often called a Cybersecurity Act). Sectors such as telecommunications, postal services, and manufacturing, previously regulated by industry-specific laws, now find themselves navigating unfamiliar cybersecurity territory.
The financial industry, on the other hand, is accustomed to stringent information security standards and supervisory scrutiny, and appears to be leading the way in DORA compliance efforts.
The Budget Crunch
Preparing for NIS 2 and DORA compliance requires a significant financial commitment. Organizations that are aware of their impending obligations are allocating a larger share of their IT budget to compliance efforts than the overall average.
However, a concerning number of organizations have yet to earmark any funds for compliance. This can be attributed to:
- A lack of awareness of the new regulatory requirements.
- A belief that there is ample time to comply (the NIS 2 transposition deadline is 17 October 2024, and DORA applies from 17 January 2025).
- An assumption that the regulations, NIS 2 in particular, will not be strictly enforced.
The Cybersecurity Talent Shortage
The new regulations, coupled with the existing shortage of cybersecurity professionals, create a daunting challenge. Organizations that have neglected information security in the past now face an uphill battle in securing the necessary expertise, and they are competing for it with organizations that started years earlier.
With demand for cybersecurity skills far outstripping supply, organizations are increasingly turning to outsourced services such as Cyber Threat Intelligence, vCISO, and Security Operations Centers to bridge the gap. Outsourcing does not transfer the legal responsibility, however: management remains accountable for the measures under both regulations.
Navigating the Regulatory Maze
Some of the key requirements from the new regulations, particularly NIS 2, relate to risk management, supply chain security, incident management, and business continuity.
- Risk Management: NIS 2 mandates risk assessments and the implementation of technical, operational, and organizational measures to mitigate cybersecurity threats.
- Incident Management: Robust processes for monitoring, recording, and reporting incidents are essential. Both "essential" and "important" entities must be able to report a significant incident quickly: under NIS 2 this means an early warning within 24 hours of becoming aware of it, an incident notification within 72 hours, and a final report within one month. This is only feasible if detection, escalation, and decision-making paths are defined and rehearsed in advance.
- Supply Chain Management: Supply chain security is one of the most common concerns. Organizations need to establish a chain of responsibility and ensure secure partnerships with service providers and suppliers, which in practice means assessing supplier risk and writing security requirements into contracts. The regulations also introduce requirements related to product vulnerabilities, vulnerability handling and disclosure, and secure development and maintenance procedures.
- Resilience and Business Continuity Management: Beyond basic cybersecurity hygiene, organizations need to focus on business continuity management. Establishing processes to manage unplanned situations before, during, and after an incident, including backup, recovery, and crisis communication, is crucial for resilience.
Conclusion
NIS 2 and DORA present a significant challenge for organizations. Closing the knowledge gap, securing sufficient budget, overcoming the cybersecurity talent shortage, and navigating the complex regulatory landscape will require a concerted effort. With careful planning and execution, however, organizations can turn these challenges into an opportunity to enhance their security posture and build lasting resilience.