At the beginning of 2023, two new regulations – DORA and NIS 2 – came into effect. Their goal is to enhance the cyber resilience of European companies. Although the regulations do not specify the exact tools that organizations should implement to increase their security, they contain provisions indicating the need to apply strong authentication mechanisms.
DORA (Regulation on the financial sector’s operational resilience) and NIS 2 (Directive on measures for a high common level of cybersecurity) discuss the securing of corporate resources only in broad terms. They do, however, require the use of appropriate strategies, policies, procedures, protocols, and ICT tools that secure systems, applications, and databases, and in particular prevent unauthorized access.
What security tools to use? Together with experts from the Law4Tech Foundation, we analyzed the content of both documents. It turns out that both DORA and NIS 2 indicate multi-factor authentication mechanisms (MFA) as a crucial security tool in organizations.
DORA: “Financial entities implement strong authentication mechanisms.”
The message of the DORA regulation is clear. It contains an unequivocal statement: financial entities implement strong authentication mechanisms. Organizations should have no doubts about the interpretation of this provision – this regulation directly imposes on financial entities the obligation to implement strong authentication mechanisms, leaving no room for discretion.
Let’s add a few explanatory words. DORA, specifically Article 4, allows for differentiating ICT protection according to the principle of proportionality. In other words, financial entities should adjust the protection of their resources to their size, overall risk profile, and the nature, scale, and complexity of the services provided. Larger entities operating on a larger scale should have higher-level security than smaller organizations.
However, how do we distinguish organizations considered smaller from those considered larger? DORA does not provide clear answers. Each company must independently assess its size and scale of operations and then implement appropriate protective measures. Will it do it correctly? The Financial Supervision Commission in each country should decide this during inspections.
It can be assumed that as the DORA regulations are applied, further interpretations issued by the national commissions will appear. However, one should not expect the requirement to use strong authentication mechanisms to be abandoned. It is in line with the current recommendations of national supervisory institutions. Already in October 2022, the Financial Supervision Commission of one of the EU members emphasized in one of its letters that “the lack of strong, multi-factor customer authentication is an unacceptable risk.” In the opinion of the lawyers we consulted, there should be no doubt about the position of the national supervisory body on this matter.
NIS 2: The basis is the implementation of appropriate security measures
The NIS 2 Directive imposes on key and important entities the obligation to introduce basic cyber hygiene practices. These include the zero-trust principle, regular software updates, proper device configuration, network segmentation, identity and access management, user awareness, employee training, and spreading knowledge about cyber threats, phishing, and social engineering techniques.
According to NIS 2, organizations should independently assess their cybersecurity capabilities and, where appropriate, implement appropriate security technologies, such as systems based on artificial intelligence (AI) or machine learning (ML), to enhance their ability to protect against cybercriminals.
There’s no denying it – these are far-reaching requirements and recommendations. Therefore, if AI or ML-based solutions are to become standard in companies, strong authentication mechanisms should be recognized as a basic protective mechanism and form the foundation of the cybersecurity ecosystem in the organization.
What is strong authentication, and how to implement it quickly?
The regulations leave no doubt – financial sector companies and organizations operating in areas considered key and important for the economy and society will have to apply strong authentication mechanisms. Strong, i.e., requiring at least two elements confirming the user’s identity. Why is this so important?
Multi-factor authentication (MFA) is one of the best ways to protect against phishing, social engineering, and credential theft. It enhances the security of the login process by requiring at least two independent authentication components. A component can be something a person knows (knowledge component), something a person has (possession component), or something a person is (characteristic component).
- Knowledge components include, among others, lock patterns, passwords, PIN codes, and personal questions, such as a mother’s maiden name.
- Possession components are physical objects, including cryptographic keys or local authenticators (e.g., smartphones).
- Characteristic components are based on biometric data, including facial recognition, fingerprints, and voice.
If an organization wants to improve the security of its applications, it can add more components or use more advanced authentication methods.
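The independence requirement above is the part that is easy to get wrong: a password plus a PIN is two components, but both are knowledge components, so the login is not “strong” in the sense the article uses. The example below is an added illustration and is not code from the article, from Secfense, or from the Law4Tech Foundation. It verifies a knowledge component (PBKDF2-hashed password or PIN) and a possession component (an RFC 6238 time-based one-time code such as an authenticator app produces), then accepts the login only when the verified components come from at least two different categories. The user record, the fixed salt, and the factor-to-category mapping are constructed for the demo; the TOTP secret is the reference secret from RFC 6238 so the codes can be checked against the published test vectors.

```python
import hashlib
import hmac
import struct
import time

# The three factor categories named in the article.
KNOWLEDGE, POSSESSION, CHARACTERISTIC = "knowledge", "possession", "characteristic"

# Which category each concrete factor kind belongs to (constructed mapping).
# Two knowledge factors (password + PIN) do not make the login "strong".
FACTOR_CATEGORY = {"password": KNOWLEDGE, "pin": KNOWLEDGE, "totp": POSSESSION}

# Constructed demo values: a fixed salt and the RFC 6238 reference secret.
# In production the salt is random per user and the secret is generated per device.
SALT = b"constructed-demo-salt"
RFC6238_SECRET = b"12345678901234567890"


def hash_password(secret: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """PBKDF2-HMAC-SHA256 hash of a knowledge factor (password or PIN)."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, iterations)


def verify_knowledge(stored: bytes, salt: bytes, candidate: str) -> bool:
    """Constant-time comparison so timing does not leak how close a guess was."""
    return hmac.compare_digest(stored, hash_password(candidate, salt))


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30, window: int = 1) -> bool:
    """Accept the current code or one step either side to absorb clock drift."""
    if not (code.isascii() and code.isdigit() and len(code) == 6):
        return False
    counter = at // step
    return any(
        hmac.compare_digest(hotp(secret, counter + drift), code)
        for drift in range(-window, window + 1)
    )


# Constructed user record: the hashes are computed here, not pasted from anywhere.
USER = {
    "password_hash": hash_password("correct horse battery staple", SALT),
    "pin_hash": hash_password("4821", SALT),
    "totp_secret": RFC6238_SECRET,
}

VERIFIERS = {
    "password": lambda user, value, at: verify_knowledge(user["password_hash"], SALT, value),
    "pin": lambda user, value, at: verify_knowledge(user["pin_hash"], SALT, value),
    "totp": lambda user, value, at: verify_totp(user["totp_secret"], value, at),
}


def authenticate(user: dict, factors: list, at: int) -> tuple:
    """Return (ok, reason). Login succeeds only if every presented factor verifies
    and the verified factors span at least two independent categories."""
    verified_categories = set()
    for kind, value in factors:
        category = FACTOR_CATEGORY.get(kind)
        if category is None:
            return False, "unknown factor kind"
        if not VERIFIERS[kind](user, value, at):
            return False, "factor verification failed"
        verified_categories.add(category)
    if len(verified_categories) < 2:
        return False, "factors are not independent: need two different categories"
    return True, "authenticated with " + "+".join(sorted(verified_categories))


if __name__ == "__main__":
    now = int(time.time())
    code = totp(USER["totp_secret"], now)  # what the user's authenticator app would show
    print(authenticate(USER, [("password", "correct horse battery staple"), ("totp", code)], now))
    print(authenticate(USER, [("password", "correct horse battery staple"), ("pin", "4821")], now))
```

The reason strings are meant for server-side logging; a login screen should show the user a single generic failure message so that it does not reveal which factor was wrong. The drift window of one step is the usual trade-off between tolerating phone clock skew and keeping the number of acceptable codes small.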
Many MFA solutions are on the market, so companies have a choice. One option is the User Access Security Broker solution, which allows you to implement MFA on any application in 5 minutes and introduce MFA throughout the organization in 7 to 14 days. The technology allows the implementation of any MFA method, including FIDO2 and passkeys, currently the most effective ones, on any application without interfering with its code.
DORA starts to apply on January 17, 2025. The deadline for implementing NIS 2 is October 17, 2024. There is less and less time to adapt to the new regulations. Companies that now analyze their situation, security systems, procedures, and strategies and introduce the required technologies and policies will not only be able to look to the future with peace of mind but also effectively fight the increasing attacks of cybercriminals.
More information about the obligations imposed on companies by the new regulations can be found in the free e-book “Analysis of DORA and NIS2 regulations in the context of cybersecurity of enterprises in the EU” prepared based on an independent report by the Law4Tech Foundation: secfense.com/ebook-dora-nis2/