The European Union has introduced two important regulatory frameworks, the Network and Information Security (NIS) Directive and the Digital Operational Resilience Act (DORA), which aim to ensure that businesses of all sizes have strong cybersecurity measures in place to protect sensitive information.
But industry experts suggest that for the regulations to reach their full potential, the involvement of third-party cybersecurity experts may be necessary.
The expanding cyber threat landscape
As businesses rely more on digital infrastructure to connect with customers, customize products, and improve customer experiences, the risk of cyberattacks is also growing. According to Cybersecurity Ventures, cybercrime is projected to cost the global economy $9.5 trillion in 2024, growing 15% annually to reach $10.5 trillion by 2025.
Even the most sophisticated cybersecurity systems can be compromised, as evidenced by the recent data breach in the UK Ministry of Defence payroll system, which exposed the names and bank account details of current and former military personnel.
European Union response: NIS and DORA
Recognizing the urgent need for stronger cybersecurity measures, the European Union implemented the NIS Directive and DORA, regulations aimed at standardizing and strengthening cybersecurity practices across member states.
NIS Directive: The Directive focuses on establishing high standards and common cybersecurity best practices. It strengthens system security requirements, addresses supply chain vulnerabilities, streamlines incident reporting, and introduces strict oversight measures with potential sanctions for non-compliance. The Directive was initiated in fall 2021 and formalized in May 2022, giving companies until October 2024 to comply with the new standards.
DORA: DORA targets the financial sector and requires regular digital operational resilience testing, together with management systems to monitor significant ICT-based incidents and report them to the relevant authorities. The regulation is intended to ensure that financial institutions, including banks, insurance companies and investment firms, can maintain their operational resilience during severe disruptions.
DORA’s development involved three European supervisory authorities – the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA) and the European Securities and Markets Authority (ESMA) – which established mandatory incident reporting requirements and encouraged cooperation and information sharing between financial institutions and regulators so that cybersecurity threats can be addressed effectively.
The Importance of Third-Party Evaluation
Darren Humphries, group CISO and CTO partner at Acora, stresses the need to continually measure cybersecurity practices. “Risk management is moving from an art to a science,” Humphries explains, pointing to the importance of metrics and documentation in meeting regulatory guidelines.
He is critical of the effectiveness of self-certification, noting that the Ministry of Defence breach was in part due to reliance on self-certification by suppliers. Instead, Humphries advocates having third-party cybersecurity experts assess and validate the process to minimize the risk of oversights.
The threat landscape is evolving, and companies, especially in the financial industry, need to be proactive in addressing potential security vulnerabilities. The new EU regulations are pushing companies in this direction, but they also need to draw on third-party expertise to thoroughly scrutinize and strengthen their cybersecurity frameworks. Doing so can help them better secure their network transactions, comply with regulatory requirements, and reduce the likelihood of cyber incidents.
Conclusion
The new EU regulations, NIS and DORA, are a major step forward in strengthening cybersecurity measures across Europe, but to be most effective and truly protect against evolving cyber threats, companies need to engage third-party assessment and expertise.
Doing so helps ensure strong protection of sensitive information, compliance with regulatory standards, and ultimately reduces cybersecurity risks in an increasingly digital world.