Dora & NIS2 Directive

Regulations are necessary for managing risk frameworks, including incident reporting resilience testing, third-party risk management including threat monitoring. 

These are some of the important factor that was required to be addressed with regulations in place mounting cyber risks reduces cyber fraud that impacts global GDP specifically the financial sector.

Recently the Digital Operational Resilience Act (DORA) by EU has been passed and the foremost requirement is that financial organizations and entities like service providers should comply with enhanced cyber security risk management measures.

And the goal is clear when the DORA resolution was passed to protect the financial sector from ICT disruptions and a new generation of cyber threats.

Effective regulation is a requirement in present day for addressing cybersecurity challenges, big and small and unlock benefits from risk mitigation.

Why regulations are required?

Having good processes for developing, implementing and reviewing regulation is vital to ensuring regulatory policies achieve policy goals that maximize benefits and minimize costs for organisations and Government.

The Cyber security threat landscape has change over the years and now mostly these attacks are more sophisticated, targeted, widespread and undetected. The pandemic gave us glimpse of the grim situation where preparing for having strong regulations was utmost important

• The European parliament came together and passed the Digital Operational Resilience Act (DORA) on 17^th Jan 2025. The DORA act was essential as the Act places additional resilience compliance requirements on the European financial sector that can be logged in one place making it centralized log management helping them for effective management.

• Similarly NIS2 Directive i.e. Network and Information Security (NIS) Directive is the first piece of EU-wide legislation on cybersecurity, and its specific aim was to achieve a high common level of cyber security across the Member States was passed on 2016.

While it increased the Member States’ cyber security capabilities, its implementation proved difficult, resulting in fragmentation at different levels across the internal market.

To respond to the growing threats posed with digitalization and the surge in cyber-attacks, the Commission has submitted a proposal to replace the NIS Directive and thereby strengthen the security requirements, address the security of supply chains, streamline reporting obligations, and introduce more stringent supervisory measures and stricter enforcement requirements, including harmonized sanctions across the EU.

DORA Regulatory Framework

DORA regulation ensures that companies operating within Europe fall within a framework that is consistence in supporting Europe’s aim economic benefit with diligence to national legislative procedures and act in a compliant manner.

Organizations headquartered outside Europe may still be subject to PSD2 compliance requirements if they have customers or users in the region.

DORA Objective

• Objective of DORA regulation is to establish a comprehensive ICT risk management practices for the financial sector that will include standards set for risk assessments, incident reporting, and resilience testing.

• The second is reduce compliance challenges for financial entities operating in multiple EU countries and  Dora regulation will be directly applicable in all EU member states without the need for national proposition  and  being compatible with ICT risk management regulations. This will ensure that dependencies on over-reliance on a single or limited group of suppliers are reduced.

• DORA ACT will apply mainly over 22,000 financial institutions and ICT services providers working within the and the entire financial ecosystem that include Banks, Insurance companies, Investment firms, Payment processors, Stock exchanges, Market infrastructure, Credit rating agencies, Crypto-asset service providers.

• To comply with DORA, organizations are required to demonstrate that they are conducting an appropriate set of security testing on “critical” systems and applications. This includes adhere to range of assessment & test every year that includes penetration testing every 3yrs.

• It is required to appoint a responsible party for ICT risk management who can oversee to ensure accountability, governance one of the major objectives of DORA act. This include Incident management and reporting as central aspects of DORA.

• When the ACT is legally implemented financial institutions need to set up systems to track and categorize ICT-related incidents. Under Article 15, organizations must submit: initial report within a defined time frame interim report if the incident’s status significantly changes, final report after completing analysis.

NIS2 Directive

• NIS2 directive on the other hand is aimed specifically at companies and an organisation that operates in critical sectors having great importance in economic value and safety. The scope of the directive requires updating and expanding to meet current risks and future challenges, one such challenge being to ensure that 5G technology is secure.
• NIS2 applies to organizations operating in the EU that are defined as either “essential entities” or “important entities.” Essential entities include companies that are categorized as large enterprises and provide essential services to customers.

NIS2 covers a total of 18 sectors and include energy, transport, healthcare, water supply and digital infrastructures. These sectors have a significant contribution to public safety, order and economic stability.

Objective of NIS2

• The objective of NIS2 is improving cyber resilience and cyber posture in these vulnerable sectors which are often target of cyber-attacks and contribute to  
• These targeted applications is intended secured, ensuring cyber security is strengthened with legal measures to boost the overall level of cyber security in the EU by ensuring member states’ preparedness.
• To strengthen overall security & incident reporting requirements that include reporting within 72 hrs & final report within 1 month and managing cyber risk with updated measures.
• NIS2 mandates that essential service providers implement comprehensive risk management processes, identifying and addressing vulnerabilities in the software development lifecycle and integrate security by design to minimize the risk of cyber threats from the start.

IntruceptLabs is actively working to help organisation achieve regulations requirement in an unified platform to manage compliance.

Intrucept  help organisations stay alert and follow key compliance requirements that include cyber analytics, BISO, mirage cloak technology and apsec ops( sast dast sca) combined and mirage cloak.

Our products are AI-driven and as a security platform help organizations navigate ICT and cyber security risks. We also ensure business continuity is maintained while and compliance assessment of DORA and NIS2 is followed.

• Offerings from Intrucept

1.Static Application Security Testing (SAST) 

NIS2 Requirements: 

NIS2 mandates that essential service providers implement comprehensive risk management processes, which include identifying and addressing vulnerabilities in the software development lifecycle. Specifically, organizations must integrate security by design to minimize the risk of cyber threats from the start and  is being offered as a service. 

DORA Requirements: 

DORA requires financial institutions to ensure that their ICT systems, including applications, are secure and resilient. Regular vulnerability assessments and secure coding practices are crucial to avoid disruptions caused by security flaws. 

INTRUCEPT’s SAST Tool: helps developers find security vulnerabilities in the source code before an application is deployed. By scanning for issues like SQL injection, cross-site scripting (XSS), and buffer overflows, the tool enables organizations to address vulnerabilities early in the development process.

This ensures that the software is secure by design, helping meet the risk management requirements of NIS2 and ensuring compliance with DORA’s focus on secure ICT systems. 

The INTRUCEPT SAST tool supports organizations by identifying vulnerabilities early in the development process, reducing the risk of security breaches.

2. Software Composition Analysis (SCA) 

NIS2 Requirements: 

Under NIS2, organizations must manage the risks associated with third-party software components, including open-source libraries. These components can introduce vulnerabilities if not properly monitored. 

DORA Requirements: 

For financial institutions subject to DORA, it’s essential to assess the risks associated with third-party ICT service providers, including software libraries and open-source components. 

INTRUCEPT’s SCA Tool: 

Our INTRUCEPT SCA tool scans software for vulnerabilities within third-party libraries and open-source components. It checks for outdated libraries, licensing issues, and known security vulnerabilities, helping teams maintain a secure software environment. 

The INTRUCEPT SCA tool ensures that organizations comply with NIS2’s requirements for managing third-party risks. For DORA, it provides financial institutions with visibility into the security of their third-party software.

3. Dynamic Application Security Testing (DAST) 

NIS2 Requirements: 

NIS2 requires organizations to continuously monitor their systems and respond to security incidents. Identifying vulnerabilities in live applications is a critical part of this process. 

DORA Requirements: 

DORA stresses the importance of regularly testing live systems for vulnerabilities to ensure they remain resilient against cyber attacks and operational disruptions. 

INTRUCEPT’s DAST Tool: 

Our INTRUCEPT DAST tool simulates real-world attacks on running applications, testing for vulnerabilities like XSS, SQL injection. This tool helps organizations detect vulnerabilities in production environments before they can be exploited. 

The INTRUCEPT DAST tool is essential for meeting NIS2’s requirement for incident detection and vulnerability mitigation. For DORA, it supports resilience testing by continuously assessing the security of live applications.

4. Security Information and Event Management (SIEM) 

NIS2 Requirements: 

NIS2 mandates that organizations implement continuous monitoring of their network and information systems to detect and respond to security incidents promptly. 

DORA Requirements: 

Financial institutions under DORA must have real-time monitoring of their ICT systems, enabling them to quickly detect and mitigate disruptions. 

INTRUCEPT’s SIEM Tool: 

Our INTRUCEPT SIEM solution aggregates and analyses security events from across the organization’s entire IT infrastructure in real time.

The INTRUCEPT SIEM tool helps organizations comply with NIS2’s requirements for continuous monitoring and incident detection. For DORA, it provides financial institutions with the real-time visibility needed to quickly detect and respond to cyber security incidents, ensuring operational resilience. 

5. Governance, Risk, and Compliance (GRC) 

NIS2 Requirements: 

NIS2 requires organizations to establish a comprehensive risk management framework. DORA Requirements: 

DORA calls for robust operational resilience governance in financial institutions. This includes managing ICT-related risks and ensuring that compliance with resilience standards is maintained. 

INTRUCEPT’s GRC Tool: 

Our INTRUCEPT GRC platform enables organizations to define and manage their cyber security policies, track compliance with regulations, and perform continuous risk assessments. The tool helps streamline governance and risk management, ensuring that cybersecurity policies are effectively implemented and monitored. 

The INTRUCEPT GRC tool aligns with both NIS2 and DORA by providing a centralized platform for risk management, compliance tracking and ensures that organizations meet the cyber security governance requirements of NIS2 and the operational resilience mandates of DORA. 

6. Deception Technology 

NIS2 Requirements: 

NIS2 stresses the need for organizations to detect and prevent sophisticated cyberattacks.

DORA Requirements: 

For financial institutions, DORA emphasizes proactive defense measures against cyber threats, including the use of innovative technologies to detect attacks early.

INTRUCEPT’s Deception Technology: 

Our INTRUCEPT Deception Technology creates decoys and fake assets within the network to mislead attackers and detect malicious activity before it causes damage.

This tool provides early detection of advanced threats and lateral movements within the network. 

The INTRUCEPT Deception Technology tool enhances an organization’s ability to detect and respond to advanced persistent threats (APTs). For NIS2, this supports incident detection and prevention. For DORA, it bolsters operational resilience by providing an additional layer of defence against sophisticated attacks. 

References:

The NIS2 Directive