The EU's NIS2 and DORA Security Directives: What You Need to Know

The financial and essential services sectors were top targets for ransomware in 2022.

Organizations in these industries are under tremendous pressure. They need to transform and digitize to boost efficiency - and do so fast while maintaining availability and security.

At the same time, ransomware actors are deliberately targeting financial institutions and operators of essential services. They know these organizations cannot afford any downtime, which makes them the most likely to pay a ransom.

In the last year, we've seen countless cybersecurity incidents in banking and financial services and in essential services sectors including energy, water, and transport. These attacks have caused large financial losses and threaten serious damage to the economy, the underlying infrastructure, and the safety of consumers.

Why financial services and essential services need cyber resilience

Every year there's a new business buzzword that takes center stage.

This year's? Resilience. And for good reason.

Over the past 12 months, there's been a significant shift in the way businesses manage cyber risks. Cyberattacks have evolved from simply stealing data, to impacting business availability. With the average cost of a data breach now $4.35 million, it's no longer enough to simply respond to attacks - it's about surviving them.

Learn why resilience is the banking sector's top security priority right now.

The problem is exacerbated by business leaders' lack of confidence in their organization's resiliency in the event of an attack. According to recent research by Enterprise Strategy Group, only 19% of business leaders feel their organization is prepared to handle the impact of a cyberattack. And over half think an attack would result in catastrophic business consequences.

Learn how Illumio Zero Trust Segmentation delivers cyber resilience here.

The European Union's response to cyber resilience - NIS2 and DORA

To boost resilience and incident response capabilities across Europe, the European Union (EU) recently approved an update to the network and information systems (NIS) directive for essential services, called NIS2. Member states must transpose it into national law before it applies to organizations, so it is anticipated to take effect in the next few years.

Though no longer part of the EU, the UK adopted the original NIS directive into its own regulations and has confirmed that it will also be making updates. The update will strengthen the existing rules to ensure UK essential and digital services are protected against increasingly sophisticated and frequent cyberattacks.

Additionally, the EU has created the Digital Operational Resilience Act (DORA) which aims to ensure that banking and financial services organizations can withstand, respond to, and recover from security incidents.

Once published in the Official Journal, DORA gives in-scope firms a 24-month window before its requirements apply, and NIS2 gives member states 21 months to transpose it into national law. But proactive changes are always better than reactive fire drills. Business leaders recommend getting started now to achieve compliance.

What is NIS2?

The main aim of the new NIS2 directive is to improve knowledge sharing and strengthen the post-breach response of essential services, including energy, transport, banking, and healthcare. It's an evolution of the original NIS directive, which set out legal measures for the security of network and information systems.

Access the NIS2 directive draft here.

Why NIS2 matters for essential services

The goal of this directive is to improve the resilience and incident response capabilities of both the public and private sectors, and of the EU as a whole.

But it's also a signal of a wider trend - an acceptance that breaches will happen. While the directive helps protect critical IT assets, it also burdens essential services providers with a new compliance challenge.

What is DORA?

While NIS2 includes banking and financial services organizations within its scope, DORA is for the financial sector specifically. Unlike NIS2, DORA is an EU regulation rather than a directive, so it applies directly to in-scope firms without first being transposed into national law.

DORA aims to ensure that firms can withstand, respond to, and recover from breaches. The banking sector supports the global economy, and without strong cybersecurity measures, breaches can quickly become catastrophic. DORA requires banks to strengthen their cyber resilience, protect customer data, and ensure business continuity in the face of a security breach.

Set to enter into force in early 2023 and apply from January 2025, DORA will be a game changer for the financial services industry.

Access the DORA regulation here.

Why DORA matters for banking and financial services

For many years, the industry has been trying hard to connect business and security outcomes. DORA not only improves the resilience of financial organizations but makes the link between security capabilities and operational resilience explicit.

In-scope firms must be able to manage and address risk quickly. In fact, Chapter II, Section II of DORA mandates that organizations maintain an ICT risk management framework that addresses security risk quickly, efficiently, and comprehensively, and ensures a high level of digital operational resilience.

But this is no easy feat - and organizations must start to lay the foundations now or risk falling behind.

3 ways Illumio Zero Trust Segmentation can help achieve NIS2 and DORA compliance

What should organizations immediately do to build resilience and be NIS2 and DORA compliant? Start with Zero Trust Segmentation (ZTS).

1. Get visibility into application and workload communication

As a first step, it's important to perform a gap analysis comparing your organization's current security initiatives and risk with NIS2 and DORA requirements.

An important tool in this process is the application dependency mapping offered by the Illumio ZTS platform. It gives quick, easy-to-understand visibility into application and workload traffic across the entire hybrid attack surface. For example, see which servers are talking to business-critical assets, or which applications have open connections to the Internet that give attackers an easy path into your network.

This visibility allows your security team to prioritize their work towards NIS2 and DORA compliance. They can see where the organization is already compliant and where better security controls need to be in place.

2. Set flexible, granular segmentation policy

After getting visibility into your hybrid network, you're ready to set informed security policy that increases your cyber resilience and helps you achieve NIS2 and DORA compliance.

Illumio ZTS lets you set flexible, granular segmentation policies that control communication between workloads and devices, allowing only the traffic that is necessary and expected. For example, you can restrict communication from servers to applications, from dev to prod, or from IT to OT.

Setting segmentation policy is a vital step towards building a Zero Trust architecture, a security model implicit in both NIS2 and DORA.

3. Proactively isolate assets or reactively contain breach spread

Segmenting your network with Illumio ZTS delivers both proactive and reactive protection against inevitable breaches, meeting the core resilience goal of NIS2 and DORA.

Proactively isolate high-value assets so that only critical, necessary access is permitted. This sharply limits the paths by which ransomware or other breaches can reach those assets, stop business, and cause catastrophic damage.

During an active attack, reactively stop the spread of a breach and contain it to only a small part of your network in minutes. In fact, a recent Bishop Fox cyberattack emulation found that Illumio ZTS can stop the spread of a breach in less than 10 minutes. This is four times faster than endpoint detection and response (EDR) solutions alone.
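As an added illustration of the three steps above (this is not Illumio's policy model or code, and every workload, label, port and rule in it is a constructed assumption), the Python below evaluates a label-based allowlist over a small dependency map: step 1 reports which observed flows the policy would block (the gap analysis), step 2 is the allowlist itself written as label-pair rules such as prod app to prod database, and step 3 is a quarantine set that cuts off a compromised workload regardless of the rules.

```python
"""Label-based allowlist segmentation, evaluated over observed flows.

Added example, not Illumio code. Assumptions (all hypothetical): each workload
carries a 'role' and an 'env' label, flows are observed connections already
mapped to those workloads, and policy is an allowlist of (src selector,
dst selector, port) rules. Anything not matched by a rule is denied.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Workload:
    name: str
    role: str  # what it does: web, app, db, hmi, plc, any
    env: str   # where it lives: prod, dev, it, ot, internet


@dataclass(frozen=True)
class Flow:
    src: Workload
    dst: Workload
    port: int
    proto: str = "tcp"


@dataclass
class Rule:
    """Allow src-selector -> dst-selector on port. A selector is a dict of
    label -> value; a label missing from the selector matches any value."""
    src: Dict[str, str]
    dst: Dict[str, str]
    port: int
    proto: str = "tcp"


def matches(selector: Dict[str, str], wl: Workload) -> bool:
    return all(getattr(wl, label) == value for label, value in selector.items())


def rule_allows(rule: Rule, flow: Flow) -> bool:
    return (rule.port == flow.port and rule.proto == flow.proto
            and matches(rule.src, flow.src) and matches(rule.dst, flow.dst))


def evaluate(flows: List[Flow], rules: List[Rule],
             quarantined: FrozenSet[str] = frozenset()) -> Tuple[List[Flow], List[Tuple[Flow, str]]]:
    """Allowlist semantics: a flow passes only if some rule matches it and
    neither endpoint is quarantined. Returns (allowed, denied-with-reason)."""
    allowed, denied = [], []
    for flow in flows:
        if flow.src.name in quarantined or flow.dst.name in quarantined:
            denied.append((flow, "quarantined workload"))   # step 3: containment
        elif any(rule_allows(r, flow) for r in rules):
            allowed.append(flow)
        else:
            denied.append((flow, "no allow rule"))          # step 1: gap
    return allowed, denied


def gap_report(flows: List[Flow], rules: List[Rule]) -> List[Tuple[str, str, int]]:
    """Step 1 output: observed flows the allowlist would block, as (src, dst, port)."""
    _, denied = evaluate(flows, rules)
    return [(f.src.name, f.dst.name, f.port) for f, _ in denied]


# Constructed inventory and dependency map (hypothetical, for illustration only).
INTERNET = Workload("internet", "any", "internet")
WEB_PROD = Workload("web-prod", "web", "prod")
APP_PROD = Workload("app-prod", "app", "prod")
DB_PROD = Workload("db-prod", "db", "prod")
APP_DEV = Workload("app-dev", "app", "dev")
HMI_IT = Workload("hmi-it", "hmi", "it")   # engineering workstation on the IT side
PLC_OT = Workload("plc-ot", "plc", "ot")

# Step 2: only necessary, expected paths. Note there is no dev->prod or it->ot rule.
RULES = [
    Rule({"env": "internet"}, {"role": "web", "env": "prod"}, 443),
    Rule({"role": "web", "env": "prod"}, {"role": "app", "env": "prod"}, 8080),
    Rule({"role": "app", "env": "prod"}, {"role": "db", "env": "prod"}, 5432),
    Rule({"role": "app", "env": "dev"}, {"role": "db", "env": "dev"}, 5432),
    Rule({"role": "hmi", "env": "ot"}, {"role": "plc", "env": "ot"}, 502),
]

# Flows as a dependency map might observe them (constructed sample data).
FLOWS = [
    Flow(INTERNET, WEB_PROD, 443),
    Flow(WEB_PROD, APP_PROD, 8080),
    Flow(APP_PROD, DB_PROD, 5432),
    Flow(APP_DEV, DB_PROD, 5432),   # dev reaching into prod
    Flow(HMI_IT, PLC_OT, 502),      # IT reaching into OT
    Flow(INTERNET, DB_PROD, 5432),  # database exposed to the Internet
    Flow(APP_PROD, DB_PROD, 22),    # SSH between tiers that policy never allowed
]

if __name__ == "__main__":
    for src, dst, port in gap_report(FLOWS, RULES):
        print(f"would block: {src} -> {dst}:{port}")
    # Step 3: app-prod is compromised; quarantine it even though rules allow its traffic.
    _, denied = evaluate(FLOWS, RULES, quarantined=frozenset({"app-prod"}))
    print(sum(1 for _, why in denied if why == "quarantined workload"), "flows cut by quarantine")
```

The gap report is what the visibility step is for: the dev-to-prod, IT-to-OT and Internet-to-database flows are the ones a compliance review should question first, and the quarantine set shows why containment can be applied in minutes when policy is expressed in labels rather than addresses.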

Read more about how Illumio aligns with the existing NIS directive, the basis of the upcoming NIS2 directive.

Ready to use Illumio ZTS to achieve NIS2 and DORA compliance? Contact us today for a consultation and demo.
