Are EU measures doing enough to tighten cybersecurity regulations?

innovationnewsnetwork.com 4 days ago

The European Union recently mandated that businesses adopt tighter cybersecurity regulations to safeguard sensitive information.

The Network and Information Security (NIS) and the Digital Operational Resilience Act (DORA) are designed to ensure that current corporate cybersecurity practices are effective.

However, the regulations’ potential impact may be muted without third-party input.

The big emphasis is on continuously measuring the effectiveness of cybersecurity regulations.

Businesses, large and small, increasingly rely on their digital infrastructure to get work done. Technology provides them with the ability to connect with clients, customise products, enhance the customer journey, and differentiate themselves from competitors.

All systems under attack

However, it also means that their digital infrastructure is constantly under attack. In fact, cybercrime is expected to cost the world $9.5tr in 2024, and its impact will grow by 15% over the next two years, reaching $10.5tr in damages in 2025, according to Cybersecurity Ventures.

Even the world’s most sophisticated cybersecurity entities are attacked.

As evidence, a hacker breached a payroll system used by the UK’s Ministry of Defence. The attacker gained access to the names and banking details of current and some past armed forces members.

EU strengthens cybersecurity regulations with new practices

The EU understands that protection needs to improve and, in response, implemented two security standards. The regulations change how organisations treat their cybersecurity infrastructure.

“Risk management is moving away from art to science,” stated Darren Humphries, Group CISO & CTO-Partner at Acora.

NIS aims to create a high, common level of cybersecurity regulation. The specification strengthens system security requirements, addresses supply chain security, streamlines reporting, and introduces stringent supervisory measures that may result in sanctions.

In January 2023, businesses were given 21 months, until October 2024, to put compliant measures in place.

DORA mandates the establishment of periodic digital operational resilience testing capabilities and requires the implementation of management systems to monitor and report significant ICT-based incidents to the relevant authorities.

This comprehensive approach strengthens the IT security of financial entities such as banks, insurance companies, and investment firms. The goal is for their systems to remain resilient in the event of any severe disruption.

Three European Supervisory Authorities – the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA) and the European Securities and Markets Authority (ESMA) – began creating the standard.

They established mandatory incident reporting requirements for financial firms to report significant cyber incidents and breaches to relevant authorities. The standard also encourages cooperation and information sharing among financial entities and regulators to respond effectively to cybersecurity threats.

However, not all types of assessments are effective. “Self-attestation is really not working,” Darren noted. The MOD breach occurred in part because the government agency accepted self-attestation from its suppliers. A better option is to have a third-party cybersecurity specialist evaluate the processes.

What this means for businesses

The threat landscape continually becomes more menacing. Corporations, especially those in the financial services industry, need to become more proactive in closing potential security holes.

EU cybersecurity regulations are prodding enterprises to do so, but they need to do so while leaning on third-party specialists and not just examining their own systems.

Corporations need to ensure that they protect network transactions. They need to understand what these regulations entail, put business processes in place to comply with them, and recognise how third-party input minimises the chance of oversights.