Corporate Compliance Insights
Beyond Box-Checking: How EU’s NIS2 and DORA Elevate Security Standards

New regulations put CISOs in the spotlight while demanding stronger third-party oversight

by Steve Purser and Nadine Hoogerwerf
December 9, 2024
in Cybersecurity, Opinion

With cyberattacks surging across Europe, NIS2 and DORA regulations establish new security standards and enforcement mechanisms — putting boards and management teams squarely in the accountability spotlight. Steve Purser, a former official at the EU Agency for Cybersecurity, and Nadine Hoogerwerf, Zivver’s CISO, explore how these landmark regulations will reshape organizational security from the boardroom to the supply chain.

From GDPR to CRA and NIS2 to DORA, the number of acronyms attached to data compliance and regulation is enough to make your head spin. These legislative instruments are not designed to make life difficult for organizations but to standardize cybersecurity and risk management so that the whole landscape becomes more secure for everyone. Some eyes may roll at the introduction of two more pieces of legislation, but NIS2 and DORA are arguably among the most important cybersecurity legislative updates to date, not for their depth or breadth but for the security baseline they aim to establish and preserve across the entire digital landscape.

The revised Network and Information Security Directive (NIS2) is a cross-sector directive that sets a common set of obligations for entities in the sectors it designates as essential or important, from energy, transport and health to digital infrastructure and public administration. Those obligations include proactive risk management measures, incident reporting on fixed timelines (an early warning within 24 hours of becoming aware of a significant incident, a fuller notification within 72 hours and a final report within one month) and, new in NIS2, supply chain security measures. Crucially, NIS2 brings stronger enforcement and greater penalties for noncompliance and shifts responsibility and accountability to the management bodies at the top of the organization, which must approve and oversee the risk management measures and can be held liable for breaches. As a directive, NIS2 has to be transposed into national law by each EU member state; the transposition deadline was Oct. 17, 2024, but a number of member states have yet to complete it, so the precise obligations and their timing still vary by country.

The Digital Operational Resilience Act (DORA), on the other hand, targets the financial sector specifically, requiring financial entities to establish comprehensive frameworks for managing ICT risk: risk identification, anomaly detection, ICT-related incident reporting, response and recovery procedures and regular digital operational resilience testing, including threat-led penetration testing for the larger entities. Like NIS2, it renews the focus on third parties, requiring organizations to assess providers before entering new ICT contracts, to maintain a register of their ICT third-party arrangements and to build specific contractual provisions into those arrangements. Because DORA is a regulation rather than a directive, it applies directly and uniformly in every member state without national transposition, and it applies to every organization in scope from the same date: Jan. 17, 2025.

But what does all this mean for businesses? What do data governance professionals need to be mindful of? What kind of effect will NIS2 and DORA have on the business landscape and what should companies be doing — or not doing — to prepare?  

What impact will DORA and NIS2 have? 

The ideas behind NIS2 and DORA are not revolutionary; both focus on well-established cybersecurity practices, such as detecting anomalous network behavior, documenting and reporting incidents and taking a “zero trust” approach to third-party suppliers. Rather than change the game, these new legal instruments are designed to elevate the game and give these best practices an established structural framework.  

All sectors will be affected, but the financial sector will have more to do because it is covered by both NIS2 and the finance-focused DORA. Cyberattacks on European financial services companies increased by 119% between 2022 and 2023, according to Akamai, and an EY survey showed 82% of finance leaders now regard cybersecurity as the most significant threat to their business. Most businesses should already be doing much of the heavy lifting outlined in DORA and NIS2, so for a well-run organization the incremental burden, ideally, will be modest.

Compliance isn’t really the goal here; instilling a culture of risk management is. Both regulations emphasize the importance of risk management as a cultural and policy-driven goal rather than just compliance for its own sake. The legislation is a positive step, because too many businesses still treat their own security initiatives as afterthoughts or box-checking exercises; the legislation creates an impetus for better data governance and the formation of better organizational habits. 

Most chief information security officers (CISOs) will welcome DORA and NIS2. They know that security is no longer optional, and some might even think the legislation doesn’t go far enough. It strengthens their role and makes security a team endeavor, rather than something they have to justify.

One of the critical aspects of both regulations is their focus on supply chain security and the oversight of third-party ICT service providers. Businesses must evaluate not just their internal processes but also the security measures of the vendors and partners they depend on, and carry that assessment into contracts and ongoing monitoring rather than treating it as a one-off onboarding check. The impact of this aspect of the regulations will likely be far-reaching, with many organizations reassessing their supply chains and forging new, carefully vetted partnerships.

Reframing responsibility: A win for data governance 

One of the standout elements of both NIS2 and DORA is the direct responsibility placed on management boards. For too long, cybersecurity has been viewed as the domain of IT departments, but these new regulations require a hands-on approach from leadership.  

It’s good that management boards will now shoulder some of the responsibility for risk management. While board members may not need to understand every technical detail, they must be aware of the major risks affecting their organization and work with their teams to mitigate them.

These changes will significantly affect the role of the CISO, who is often the bridge between technical teams and the board. We expect CISOs and their teams to have more seats at the table, particularly in organizations with a less mature security posture.

Ensuring that management teams know enough to ask the right questions and make informed decisions will be a key challenge. Governance also needs to be a team effort, with legal, compliance and technical teams working closely together to ensure a coherent approach to risk management.

Establishing a culture of resilience 

At the core of both NIS2 and DORA is the emphasis on creating a culture of resilience. Employee training and awareness are crucial components of any cybersecurity strategy, but they are often areas where organizations struggle. Traditional training methods, such as lengthy security documents, are easily forgotten or inconsistently applied. Organizations should favor more interactive and engaging methods, including the use of technology to "nudge" employees toward more secure behavior at the moment they are about to make a risky choice.

While you cannot eliminate human error entirely, you can minimize it through regular training, engagement and technological support. Buy-in from staff matters: storytelling and clear communication help employees take ownership of their role in maintaining the organization's security. Instead of imposing compliance from the top down, organizations should encourage employees to play an active role in shaping new security policies, which makes them more likely to apply those policies and to encourage others to do the same.

Getting the technology right 

Technology will play a critical role both in complying with NIS2 and DORA and in enhancing an organization's overall security posture. DORA, in particular, pushes financial institutions to invest in technologies that help them monitor and mitigate risks in real time, and it explicitly encourages financial entities to share cyber threat information with one another, so organizations can use threat intelligence platforms to collaborate on emerging threats. Good governance and risk management require the right tools: integrated risk management (IRM) platforms, incident detection and response systems, third-party risk management (TPRM) solutions, data encryption and network discovery tools among them.

Complying with NIS2 and DORA, and investing in appropriate technologies, should also stand businesses in good stead for the regulations that follow. The AI Act and the Cyber Resilience Act (CRA) introduce new ways of addressing product security and of helping end users navigate security challenges in practice. The AI Act entered into force in August 2024, and the CRA has been adopted, with its obligations phasing in over the following three years; both represent the next phase of cybersecurity governance, in which the security of products and services will be scrutinized as closely as the security of networks and systems.

Security is a team sport 

Governance is one of the trickiest aspects of implementing the new regulations, but it’s also one of the most important. The new wave of regulations introduces legal, compliance and technical components that require different parts of an organization to gel and exchange information effectively. This demonstrates the importance of having a solid and well-coordinated governance structure.

The success of any cybersecurity strategy hinges on a company's ability to bring together different teams to manage risk coherently. This means not only ensuring that board members are engaged but also that the legal, technical and compliance teams communicate effectively and work from the same threat intelligence. Risk should always be treated as a team effort, with clear accountability at every level of the organization. It may be tempting to assign security to a small team and forget about it, but without transparency and coordination a small incident can quickly turn into a major data breach. For that reason the role of the CISO is likely to become more central and far-reaching, and more important, even in smaller enterprises.

As NIS2 and DORA come into force, organizations must move beyond a reactive approach to cybersecurity. Risk management, employee engagement and governance structures all need to evolve to meet these new regulatory demands. NIS2 and DORA are raising the bar for cybersecurity, pushing organizations to adopt more rigorous, proactive measures. By investing in the right technologies, fostering a culture of resilience and ensuring strong governance, businesses can not only comply with the new regulations but also improve their overall risk posture. 

Tags: Board of Directors, Supply Chain
Steve Purser and Nadine Hoogerwerf
Steve Purser is the former head of core operations at the EU Agency for Cybersecurity.
Nadine Hoogerwerf, CISSP, CIPP E, CIPT, is chief information security officer at Zivver.
© 2025 Corporate Compliance Insights