FAIR Inst Europe Summit Panel: Strategies to Comply with the EU’s NIS2 and DORA

Bottom-line advice from a panel of experts at the recent FAIR Institute Europe Summit in Paris on complying with the EU’s new cyber resilience regulations, the NIS2 Directive and DORA: prioritize a proportional response grounded in a risk management approach.


Watch the video:

The Significance of the NIS2 Directive and of the Digital Operational Resilience Act DORA

(left to right in the photo) 

Iva Tasheva, Co-founder & Cybersecurity Lead, CYEN; Working Group Member, ENISA

Moderator: Anne Leslie, Cloud Risk & Controls Leader EMEA, Financial Services, IBM

Cathie-Rosalie Joly, Partner, Bird & Bird Law Firm

Martina Dvar, Advisor, European Central Bank

DORA (Digital Operational Resilience Act) regulates cyber resilience in the financial services sector and has been applied uniformly across the EU since 2023 (with regulatory supervision starting in 2025). NIS2 (Network and Information Security Directive) applies to all critical infrastructure companies and will be adopted into national law by each member country by October 17, 2024.

“It’s a great benefit for Europe,” said Iva Tasheva. “For once, we will have regulations touching on different sectors but also setting minimum standards for cybersecurity.” But “it is quite complicated,” said Cathie-Rosalie Joly, “because it takes time to analyze each regulation, and interpret. We have general principles, but we don’t know in detail how to implement them.”

Some actionable advice from the panelists:

>>“The best starting point is to understand what operational resilience means,” said Martina Dvar. “That means that your critical services can be delivered in times of stress.”

>>“Master incident response,” Iva said. “It’s going to be the easiest way to get fined.” NIS2 requires an initial incident report within 24 hours, followed by an impact assessment within 72 hours, which places a significant new burden on covered companies to recognize material risk quickly.

>>Get very specific about regulatory compliance in agreements with clients or vendors. “It’s a lot of work when everyone wants to get the agreement signed,” Anne Leslie said. “But downstream doing that work up front will let you know where the line sits in terms of responsibility.”

>>Define for your organization two key terms in the rules. “Proportionality” – your risk management program focuses on your top risks. “Hygiene” – you follow best practices in cyber risk management. The panelists agreed that each term must be implemented in a way tailored to each organization.

>>Don’t just follow a checklist-style, one-size-fits-all approach to compliance. “You would be spending billions without any benefit to security,” said Iva.

>>Take a whole-of-business view of your risk assessment for compliance. “We need cross-functional teams,” said Anne. “No single domain has all the answers on these topics.”

“Where I see firms struggling is trying to balance risks,” Anne said. “They are missing the data that will make people feel safe that they have a model behind it that is very robust. That’s where a methodology like FAIR comes in… to make people feel safe they made a decision they can stand behind.”
