FAIR Institute Europe Summit Preview: Preparing for EU’s NIS2 and DORA

The NIS2 Directive and the Digital Operational Resilience Act (DORA) now going into effect significantly tighten cyber risk management and disclosure standards for critical infrastructure in the EU. Look for expert advice on navigating the new requirements from a panel at the FAIR Institute Europe Summit (March 13, 2024, in Paris – register now). 

Panel Discussion: “The Significance of the NIS2 Directive and of the Digital Operational Resilience Act (DORA)”

Anne Leslie, Cloud Risk & Controls Leader EMEA, Financial Services, IBM

Iva Tasheva, Co-founder & Cybersecurity Lead, CYEN; Working Group Member, ENISA

Cathie-Rosalie Joly, Partner, Bird & Bird Law Firm

Martina Dvar, Advisor, European Central Bank

Register for the conference

We checked with panel discussion leader Anne Leslie of IBM for a preview of the session. 

Q: What was your path into cybersecurity?

A: I’m not the archetype of the person you would typically find in cybersecurity. I came at it later in my career from a business background and more from a risk and compliance perspective. 

I realized that there are a lot of underserved dimensions in cybersecurity, particularly around governance, risk management, and managerial mindset. Given all the threats that are out there in the world and the limited resources organizations have to deal with them, how do we choose what we protect?

A lot of the work I do is helping executive and operational teams in deciding what matters most and what’s the best way to operationalize their security and resilience strategies in a way that wins buy-in from the organization and delivers business value.

Q: Does that get easier with more recognition that cyber risk = business risk?

A: It’s getting easier for a number of reasons. There’s a natural progression of maturity across industry sectors. And there have been high-profile cases, particularly in banking, where there have been some very heavy fines and additional capital requirements applied in response to severe operational disruptions and outages. In turn, this is having an impact on the level of attention executives are paying to the topic because the incentives are changing.

Q: NIS2 and DORA – what’s the difference?

A: DORA applies only to the financial services sector. NIS2 applies more broadly across all sectors of the economy that provide critical infrastructure. DORA is a regulation that’s immediately applicable and will be applied uniformly across EU states. NIS2 is a Directive that needs to be transposed into national law by each member state, so theoretically we could end up with 27 flavors of NIS2 – that could make implementation harder for the organizations in scope, particularly ones that have cross-border activities.

NIS2 provisions are broadly replicated in DORA but there are still some discussion areas in relation to the consistency of requirements; we’re hopeful that these remaining details will be ironed out because any level of ambiguity can slow things down when it comes to implementation. 

Q: What are some positive results of the new rules?

A: There’s an opportunity to address one of the big pain points in security which is knowing where to focus resources. DORA and NIS2 are about resilience and require organizations to prioritize their efforts and resources on the critical functions of the organization that are essential in terms of delivering important services.

We are seeing organizations have more constructive conversations across business lines with IT, cybersecurity, and risk management because there is a shared enterprise resilience objective that cross-functional and multidisciplinary teams can rally around, with top-down executive support. 

Q: How can FAIR practitioners contribute?

A: The methodology and data-driven approach of FAIR can land really well in organizations dealing with NIS2 and DORA because these regulatory triggers are creating a context where the value it adds is increasingly apparent. FAIR can be extremely powerful in helping organizations make risk-informed choices and securing organizational buy-in backed by data.

The regulatory triggers of NIS2 and DORA are helping to make the target outcome much clearer on what organizations are trying to protect and the impact tolerances these organizations have for specific scenarios of disruption. 

Also, the regulators seem to be intimating to the organizations they oversee: ‘We are not expecting perfection from the get-go, but you do have to explain to us why you think your approach and decisioning is right, and how you are going to iteratively improve the organization’s security outcomes over time.’ 

Having sound critical thinking to inform the subjective aspect of the analysis, combined with quantitative data, creates a very coherent and intelligible narrative, particularly when you are trying to explain the rationale of the organization’s resilience strategy to an external stakeholder group, such as banking supervisors or a national cybersecurity agency. FAIR can be invaluable in this context.

Register for the FAIR Institute Europe conference, March 13, 2024, Paris

Learn How FAIR Can Help You Make Better Business Decisions
