German companies and institutions that operate critical infrastructure face two major EU regulations: NIS2 and DORA. In response to the rise in damaging cyberattacks by criminal groups and in AI-assisted attacks, digital resilience is to be strengthened by law. Those responsible must implement lasting measures, ranging from Zero Trust-based authentication to end-to-end encryption of data traffic, backup solutions, and processes for the mandatory reporting of significant attacks on digital infrastructure. Monitoring is becoming essential for security: acute threats must be reliably detected and contained in real time, for example with EDR (Endpoint Detection and Response) and NDR (Network Detection and Response) systems.
NIS2: EU-Wide Cybersecurity Directive
NIS2 (Directive (EU) 2022/2555 on network and information security) entered into force in January 2023; EU member states were required to transpose it into national law by October 17, 2024. Its goal is to raise cybersecurity across Europe to a common minimum standard. In Germany alone, cybercrime caused damages of around €206 billion in 2023 [1].
The directive applies to companies and institutions in 18 sectors whose digital infrastructures are critical to society and the economy; in Germany this reaches well beyond the operators already regulated as KRITIS. As a rule, an organization is in scope if it has at least 50 employees or an annual turnover above €10 million (the thresholds are alternatives, not cumulative conditions), and certain types of entity, such as DNS service providers and central public administration, are covered regardless of size.
DORA: Financial Sector-Specific Regulation
For the financial and insurance sectors, DORA (Digital Operational Resilience Act, Regulation (EU) 2022/2554) takes precedence over NIS2 as the sector-specific act. It applies from January 17, 2025. A key focus of DORA is ICT risk management: financial entities must maintain an ICT risk management framework that enables them to “address ICT risk quickly, efficiently, and comprehensively and ensure a high level of digital operational resilience” (Art. 6(1) DORA).
With both NIS2 and DORA, security and operational stability become core responsibilities of management and IT; NIS2 in particular extends the duty of care to the supply chain. Both acts also impose mandatory reporting of significant incidents: under NIS2 in Germany to the Federal Office for Information Security (BSI), under DORA to the competent financial supervisory authority (BaFin for most German entities). DORA places special emphasis on third-party ICT service providers, for good reason:
“More than half (54%) of affected companies experienced attacks on their data through the technical infrastructure of service providers.”
Regulated entities must manage the risk introduced by external ICT providers in a verifiable way, including contractual rights covering service levels, audit and access, and exit and termination (Art. 30 DORA).
Liability Obligations Introduced
Both regulations introduce liability obligations. Under NIS2 (Art. 20), management bodies must approve the cybersecurity risk management measures, oversee their implementation, and attend training, and they can be held personally liable for infringements; the directive also provides for fines against the entity of up to €10 million or 2% of worldwide annual turnover for essential entities. This responsibility cannot be delegated away.
DORA leaves it to member states to define the penalties for financial entities (Art. 50). For critical ICT third-party service providers, the Lead Overseer can impose periodic penalty payments of up to 1% of the provider's average daily worldwide turnover, charged for each day of non-compliance for up to six months, until the provider complies (Art. 35).
New IT Governance and Collaboration Models
This heralds a major transformation in IT security. In Germany, over 30,000 mid-sized companies operate in critical sectors, from energy and water supply to food, IT, and telecommunications. But alongside the obligations, new opportunities are emerging:
NIS2 and DORA require binding governance structures to strengthen cyber resilience. IT governance will evolve further, outlining the security responsibilities within corporate strategy and compliance, particularly in data protection and the achievement of regulatory goals.
Under DORA, external ICT providers must demonstrate regulatory compliance, through information sharing, certifications, and contractual guarantees that both their own operations and their client engagements meet the requirements. Only then can they be integrated into a company's IT operations under the new governance standards.
In daily business, these regulations demand close cooperation between management, security, operations, and external service providers: for implementation, for incident handling, and for ongoing alignment through reports and feedback. It must also be ensured that the standards continue to be met during application rollouts and system changes.
IT security becomes a permanent management focus and a cross-functional initiative:
All stakeholders must meet heightened management and risk mitigation expectations through sustained awareness, relevant countermeasures, and constant improvement.
Zero Trust and Multi-Factor Authentication (MFA)
The shared objective is to achieve comprehensive digital resilience for sustained operational stability of organizations and their supply chains, across networks, systems, and interfaces.
All internal and external IT resources (hardware, devices, applications, and cloud services) must first undergo a thorough risk assessment. This lays the groundwork for identifying existing risks, vulnerabilities, and compliance gaps.
Based on the findings, companies must implement long-term cybersecurity and risk management measures in accordance with the regulations, often by combining methods such as:
- Zero Trust identity management (no device, network, or user is trusted by default)
- Multi-Factor Authentication (MFA) and Privileged Access Management (PAM) for secure access, especially for remote and administrative access
- Binding access control policies, mandated by both NIS2 and DORA
End-to-End Encryption and Business Continuity
To protect sensitive data and ensure secure communication, end-to-end encryption is vital: data is encrypted on the sender's device and can only be decrypted by the intended recipient, so intermediate servers and relays handle only ciphertext (transport encryption such as TLS on its own protects only each hop). In addition, endpoints must be protected with full-disk encryption, regular updates, and anti-malware tooling.
For Business Continuity Management, immutable backups are a reliable solution: they cannot be altered or deleted before their retention period expires, even with compromised administrator credentials, so ransomware cannot encrypt them, and they ensure availability and rapid recovery of data after serious incidents. Restores must be tested regularly; a backup that has never been restored is not a proven backup.
A key security factor is employee training: humans remain a major vulnerability, especially against identity-based attacks such as phishing, including adversary-in-the-middle phishing kits that relay credentials and session tokens to the real login page in real time. These increasingly common social engineering threats require high user awareness (a “human firewall”), backed by phishing-resistant MFA such as FIDO2 hardware keys, whose credentials are bound to the legitimate origin and therefore cannot be relayed.
Executives should go one step further: once technical measures are in place, they must be monitored, kept up to date, and backed by 24/7 monitoring. Real-time monitoring is therefore crucial for intrusion detection, i.e. identifying and containing threats such as malware or active intrusion attempts.
XDR Detectability and SecOps
For continuous network and device monitoring, XDR (Extended Detection and Response) is a powerful solution. It correlates telemetry from multiple sources and uses behavior-based detection to identify and respond to critical incidents in near real time. Analytics and automation support triage and forensics and can trigger immediate response actions, such as isolating a compromised host:
- NDR (Network Detection and Response) combats threats within networks
- EDR (Endpoint Detection and Response) protects endpoints like PCs, laptops, tablets, or smartphones
XDR spans the entire IT landscape, from endpoints and network sensors to cloud instances and microservices. Its detection and response capabilities should be exercised regularly through attack simulations to find and eliminate weaknesses; DORA goes further and requires threat-led penetration testing (TLPT) at least every three years for financial entities designated by their supervisor (Art. 26).
Conclusion: Time to Act
NIS2 and DORA are driving major advances in IT security, and action is urgently needed: 58% of German companies experienced a cyberattack in 2023.
Businesses and institutions should establish dedicated Security Operations (SecOps) teams that work closely with BizOps to enhance agility and response efficiency, ensuring strong cyber resilience.
References
1 Statista. Erpressungen, Datendiebstahl, Industriespionage oder Sabotage (damage caused by computer crime in German companies). https://de.statista.com/statistik/daten/studie/444719/umfrage/schaeden-durch-computerkriminalitaet-in-deutschen-unternehmen/
2 EUR-Lex. Regulation (EU) 2022/2554 (DORA). https://eur-lex.europa.eu/legal-content/DE/TXT/PDF/?uri=CELEX:32022R2554
4 EUR-Lex. Regulation (EU) 2022/2554 (DORA). https://eur-lex.europa.eu/legal-content/DE/TXT/PDF/?uri=CELEX:32022R2554
5 Voelker Gruppe, Dr. Gerrit Hötzel. https://www.voelker-gruppe.com/stuttgart/nis2_haftung_geschaeftsleitung/
6 IBM. Digital Operational Resilience Act. https://www.ibm.com/de-de/topics/digital-operational-resilience-act