How Zero Trust Makes You DORA-Compliant

By January 17th, 2025, EU financial institutions must implement the Digital Operational Resilience Act (DORA) regulation to strengthen their systems against cyber-attacks.

These regulations are an important step towards strengthening systems against cyber-attacks, as DORA provides comprehensive guidelines for risk management and incident reporting, with the aim of promoting system resilience.

With the deadline approaching, proactive efforts are required by financial institutions, including investments in technology, processes, and well-trained staff.

In this dynamic risk management landscape, DORA compliance requires the development of new tools and processes. Organizations that proactively invest in cybersecurity and comply with DORA regulations can not only avoid significant financial losses, but also increase employee, customer, and stakeholder confidence.

Five Pillars of the DORA Framework

European companies affected by the NIS2 or DORA regulations must take several steps to meet the requirements: establishing an ICT risk management framework that covers identifying, assessing, and addressing risks; establishing processes for handling, classifying, and reporting ICT-related incidents; testing operational resilience, including regular penetration testing; implementing risk management for third-party ICT providers; and operating a monitoring framework for critical third-party ICT service providers. These five pillars form the framework for DORA compliance.

The NIS2 and CER directives must be implemented from October 18, 2024, while the DORA regulations apply from January 17, 2025. It is, therefore, crucial that companies use 2024 to implement the new requirements.

NDR is the solution for the NIS2 and DORA cybersecurity regulations

NIS2 or DORA: that is (not) the question here!

The NIS2 Directive and DORA are both important pieces of EU legislation to strengthen cybersecurity, but they have different focuses and objectives. NIS2 specifically targets the security and resilience of critical sectors. The NIS2 Directive can apply to companies of all sizes, especially if they are classified as providers of essential services or digital service providers.

DORA is specifically aimed at the financial sector. It focuses on the risk management of third-party ICT providers. DORA is designed to ensure that companies can withstand, respond to and recover from security breaches. The assessment of sanctions is left to the Member States and their competent authorities. As DORA applies throughout the EU, it will be implemented in the national legislation of the Member States. Companies should check the national implementation in their respective countries.

Despite their different focuses, the NIS2 Directive and DORA have a number of similarities:

  • Both regulations aim to strengthen digital resilience and improve the security of digital services, critical infrastructure, and information.
  • Both intend to help improve EU-wide coordination in the fight against cyber-attacks and to strengthen the response to security incidents.

The DORA regulation thus complements NIS2 with a sector focus. Compliance with both requires swift action from affected companies.

To prepare for DORA, you should:

  • get an overview of the requirements and identify which business units are affected,
  • conduct a gap analysis to determine the expected effort and identify potential compliance gaps,
  • develop a roadmap for implementing the DORA requirements and start the implementation, stay on top of regulatory changes, and participate in industry collaboration and discussions with regulators,
  • invest in the right technologies, processes and well-trained staff.

Extra tip: consider the option of external service providers at an early stage, but check carefully whether the IT service providers can meet your specific requirements. Companies affected by NIS2 or DORA should work with various partners, including cybersecurity consultants, Network Detection & Response (NDR) providers, IT service providers, legal advisors and auditors.

ExeonTrace helps global businesses comply with NIS2 and DORA thanks to AI-driven NDR

And Switzerland?

The NIS2 and DORA regulations are decisive steps towards improving cybersecurity in the EU. They offer European and Swiss companies the opportunity to review and improve their cybersecurity practices. Implementing these measures not only strengthens systems against cyber threats, but also ensures compliance with regulations. Swiss companies should take similar measures, regardless of their geographical location, as cybersecurity is a global issue. They should also keep an eye on developments in the EU, which often serve as a benchmark.

In addition, Swiss companies doing business with EU companies may be indirectly affected by these regulations. Regardless of regulatory requirements, it is in every company's interest to have strong cybersecurity measures in place. Compliance with NIS2 and DORA is not only a matter of regulatory compliance, but also an important step towards improving overall cybersecurity practices. Therefore, Swiss companies should consider these regulations as a guide to good cybersecurity practices.

Impact and implementation

Here are the 10 points you should consider when preparing for DORA.

  1. Know your business: Identify all of your organization's critical processes, services and assets.
  2. Know your gaps: Carry out a gap assessment on DORA and NIS2 at an early stage.
  3. Compare your gaps with your risk landscape: identify gaps that arise within the risks you have already identified.
  4. Only invest in areas where you see a real benefit: prioritize areas such as supply chain risk, where many companies have under-invested and paid little attention.
  5. Consider NIS2 and DORA together: take steps to address both regulations to achieve seamless compliance.
  6. Track regulatory changes: stay up to date with the latest regulations relevant to your industry.
  7. Implement and maintain strong risk management practices.
  8. Focus on compliance culture: foster a culture of compliance within your organization.
  9. Prepare for regulatory audits: keep accurate records and ensure clear documentation of policies and procedures.
  10. Invest in technology: robust solutions such as NDR streamline compliance processes and increase efficiency and cybersecurity.

NDR and Zero Trust help banks and insurers comply with DORA

Zero Trust + ExeonTrace = NIS2 and DORA compliance

Zero Trust is a security framework that assumes no implicit trust within the network. Every user, device, and application is treated as untrusted, and every access request must be verified before it is granted (more in our cybersecurity knowledge base).

Integrating a Zero Trust strategy into compliance requirements can be driven with a powerful NDR solution, as its network monitoring capabilities increase security and reduce the risk of data breaches or ransomware attacks. Here’s why it’s so efficient and suited for both regulations:


  1. Identity verification: Zero Trust models require constant identity verification, which contributes to NIS2 and DORA compliance by ensuring that only authorized users have access. The ExeonTrace NDR platform supports this by detecting unusual network activity that could indicate unauthorized access.
  2. Minimization of the attack surface: Zero Trust minimizes the attack surface by restricting access to the bare essentials. NDR complements this by monitoring network traffic and detecting unusual patterns that could indicate an attack.
  3. Data flow control: Zero Trust enables better control of data flow, which helps to comply with NIS2 and DORA. ExeonTrace provides this by monitoring traffic on the network and detecting unusual data movement.
  4. Micro-level security: Zero Trust improves micro-level security, which contributes to NIS2 and DORA compliance. NDR enables this by monitoring all network traffic at the micro level and detecting unusual activity.
  5. Automated responses: Zero Trust enables automated responses to security incidents, and NDR contributes to the efficiency here by enabling automated responses to detected anomalies or threats.
  6. Continuous compliance: Zero Trust is thus an engine for continuous compliance – ExeonTrace sustains this through constant monitoring and reporting of your corporate network and all devices within and related to the organization.
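The following Python example illustrates the two ideas the list above pairs: a deny-by-default access decision that re-verifies identity, device posture and least-privilege scope on every request (the Zero Trust side), and a simple baseline check over per-host egress volumes that flags unusual data movement (the monitoring side). It is an added example written for this article, not ExeonTrace code, and it does not reproduce how any NDR product detects anomalies; the users, devices, grants, flow volumes and the z-score threshold are all constructed for the demonstration.

```python
"""Zero Trust access decision plus a baseline check for unusual egress.

Added example for this article. It is not ExeonTrace code and does not
reproduce any product's detection logic. Every policy value, device state
and traffic figure below is constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class AccessRequest:
    user: str
    mfa_verified: bool   # identity was confirmed with a second factor for this request
    device_id: str
    resource: str
    action: str          # e.g. "read" or "write"


# Constructed device inventory: only managed, compliant devices may be trusted.
DEVICE_POSTURE = {
    "laptop-001": {"managed": True, "disk_encrypted": True, "patched": True},
    "laptop-002": {"managed": True, "disk_encrypted": True, "patched": False},
    "byod-phone": {"managed": False, "disk_encrypted": True, "patched": True},
}

# Constructed least-privilege grants: user -> resource -> permitted actions.
GRANTS = {
    "alice": {"payments-api": {"read", "write"}, "ledger-db": {"read"}},
    "bob": {"ledger-db": {"read"}},
}


def evaluate(request: AccessRequest) -> tuple[bool, str]:
    """Deny-by-default decision for a single request.

    Nothing is inferred from network location or from earlier approvals:
    identity, device posture and scope are checked afresh every time, and
    the reason string gives the audit trail a concrete denial cause.
    """
    if not request.mfa_verified:
        return False, "identity not verified"
    posture = DEVICE_POSTURE.get(request.device_id)
    if posture is None or not posture["managed"]:
        return False, "unmanaged or unknown device"
    if not (posture["disk_encrypted"] and posture["patched"]):
        return False, "device posture non-compliant"
    allowed = GRANTS.get(request.user, {}).get(request.resource, set())
    if request.action not in allowed:
        return False, "action not in least-privilege grant"
    return True, "allowed"


def audit_record(request: AccessRequest, decision: tuple[bool, str]) -> dict:
    """Structured record of the decision, the kind of evidence a regulator
    or auditor expects to be retained for every access decision."""
    granted, reason = decision
    return {
        "user": request.user,
        "device": request.device_id,
        "resource": request.resource,
        "action": request.action,
        "granted": granted,
        "reason": reason,
    }


def flag_unusual_egress(baseline: list[int], today: int, z_threshold: float = 3.0) -> bool:
    """Return True when today's egress volume for a host deviates from its
    recent baseline by more than z_threshold standard deviations.

    A plain z-score is used here only to make the idea concrete; it is a
    constructed illustration, not a claim about how NDR products model traffic.
    """
    mu = mean(baseline)
    sigma = pstdev(baseline)
    if sigma == 0:
        # A perfectly flat baseline: any change at all is a deviation.
        return today != mu
    return abs(today - mu) / sigma > z_threshold


if __name__ == "__main__":
    req = AccessRequest("alice", True, "laptop-001", "payments-api", "write")
    print(audit_record(req, evaluate(req)))
    req = AccessRequest("bob", True, "laptop-002", "ledger-db", "read")
    print(audit_record(req, evaluate(req)))
    # Constructed seven-day egress baseline (bytes) for one host, then today's value.
    baseline = [100, 110, 95, 105, 100, 98, 102]
    print("unusual egress:", flag_unusual_egress(baseline, 5000))
```

Each call to `evaluate` is independent, so a device that falls out of compliance is denied on its next request rather than riding on an earlier approval; the `reason` in the audit record is what makes such denials reportable. The egress check shows the shape of "unusual data movement" detection: compare today's behaviour against the host's own recent history rather than a fixed global limit.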

To conclude, integrating a Zero Trust strategy through a robust NDR solution enhances compliance with these regulations. This type of advanced cyber protection and reporting capability has been proven by many of our clients in the financial sector and beyond. If you would like to learn more, please don’t hesitate to talk to our expert team or download the NIS2 compliance checklist.

Author: Klaus Nemelka, Product Marketing Manager

Email: klaus.nemelka@exeon.com

Published on: 08.03.2024