In January 2023, new regulations were enacted requiring companies and organizations to strengthen their protection against cyber attacks. When do companies have time to prepare, and what exactly do European Union regulations require of them?
The role of technology in business and social life is growing. With it comes a growing threat of cyber attacks. This is why the European Union has developed new regulations – the DORA regulation and the NIS 2 directive. They are expected to raise the level of cyber security across the Union.
Who is affected by DORA and NIS 2?
The DORA regulation, which will take effect in EU Member States on January 17, 2025, covers entities operating in the financial sector, including banks, credit institutions, investment and payment companies, or insurance companies, as well as technology providers to these institutions.
NIS 2, on the other hand, is a directive with an implementation deadline of October 17, 2024. It applies to a much more comprehensive range of companies. This is because it covers organizations that provide services critical to the economy and society, such as energy, transportation, water management, healthcare, and digital infrastructure. Importantly – it is primarily applied by entities with the status of at least a medium-sized enterprise.
– The new regulations affect a large number of companies. The most important thing, however, is for each entity operating in the sectors covered by the regulation and the directive to analyze its situation and check whether it must comply with these regulations and, if so, to what extent. It is a good idea to familiarize yourself with the content of the documents today and discuss the topic with your lawyers. Time is short now. It is also worth remembering that both DORA and NIS 2 are aimed at raising the level of cyber-security, so any actions taken in connection with their entry into force will serve both the organizations themselves and their contractors and customers – says Krzysztof Góźdź, Sales Director at Secfense, a company developing cyber security solutions.
How to prepare for new regulations
Neither DORA nor NIS 2 give specific guidance on technologies that implementation will help prepare for the implementation of the new regulations. Instead, they indicate areas for action and possible steps companies can take.
DORA focuses on protecting against cyber attacks and restoring a company’s operations smoothly during a security incident. Among other things, it requires organizations to prepare a cyber security policy, implement appropriate security measures (including encryption, authentication, access control, monitoring, and auditing tools, among others), implement processes for detecting and managing ICT-related incidents, and prepare action scenarios in the event of a cyber attack or other security incident. The NIS 2 Directive, on the other hand, focuses on cyber security risk management measures. It requires critical and essential players to implement appropriate and proportionate technical, operational, and organizational measures to help manage the security risks of networks and information systems and prevent the impact of incidents on their service recipients or other services.
– However, NIS 2 requires essential players to adopt many basic cyber hygiene practices. They include zero-trust, regular software updates, proper device configuration, network segmentation, and identity and access management. Raising user awareness, including organizing employee training and spreading awareness of cyber threats, phishing, and social engineering techniques, is also an important responsibility. – Krzysztof Góźdź adds.
A concrete recommendation – implement strong authentication
While DORA and NIS 2 do not dictate specific solutions to be used, they unequivocally point to the need for strong authentication mechanisms.
– In the DORA regulation, we find explicit language stating that financial entities implement strong authentication mechanisms. There is no room for personal interpretation. In other words – organizations throughout the sector are obliged to implement such solutions. Anyway, this requirement is part of the recommendations of the Financial Supervisory Commission which in October 2022. recognized the lack of use of strong, multi-component authentication customers for unacceptable risks – explains Krzysztof Góźdź. According to NIS 2, organizations themselves should assess their cybersecurity capabilities and, where appropriate, deploy appropriate security technologies such as systems based on artificial intelligence (AI) or machine learning (ML) to improve their ability to protect themselves from cybercriminals.
– What is there to hide – these are far-reaching requirements and recommendations. Therefore, if AI or ML-based solutions are to become standard in enterprises, all the more reason why strong authentication mechanisms should be recognized as a core protection mechanism and form the foundation of an organization’s cyber security ecosystem – concludes an expert from Secfense.
Especially since public administrations and regulators of various sectors, including the Office of Personal Data Protection or the Financial Supervision Commission are increasingly recommending the technology.
Read our detailed study: “Report on the Impact of the DORA Regulation and the NIS2 Directive on the Cyber Security of Companies in the European Union – Analysis Study. Visit the site and download the report.
What is Strong Authentication?
Strong authentication is an advanced method of verifying a user’s identity in processes related to electronic payments and access to online accounts and services. It requires at least two independent verification steps that are difficult to forge. These can use something the user knows (password), has (phone) or is (biometrics).
– Experience shows that the passwords widely used today are not a sufficient barrier to cybercriminals. First of all, because they are easy to steal or guess. Even text messaging is no longer a problem for intruders today. An average criminal can work out SMS 2FA with a few tutorials available on YouTube and break the security in a dozen minutes. The future is phishing-proof multi-factor authentication based on biometrics and cryptography, or FIDO – explains the Sales Director from Secfense. Many MFA solutions are on the market, but they take many months to implement in an organization. In addition, it involves interference with the code. It also forces users to change their habits, which can cause resistance and even the need to change the provider of, for example, banking services.
– Recognizing these issues, we have developed a User Access Security Broker solution that enables you to deploy MFA on any application in 5 minutes and roll out MFA across your organization in 7 to 14 days. The technology allows easy and fast implementation of any MFA, including today’s most effective FIDO2, on any application without interfering with its code – concludes Krzysztof Góźdź of Secfense.
Time to comply with the new regulations is running out. Companies that analyze their situation, security systems, procedures, and strategies now and put in place the required technologies and policies will not only be able to look to the future with peace of mind but will also be able to combat the increasing attacks of cyber criminals effectively.
Get the unique guide: an Overview of the DORA and NIS2 Regulations from the Perspective of Cyber Security of Companies in the European Union. Visit the site and download the report.