The global implications of DORA and NIS 2 Directive are significant, extending beyond the European Union. Amongst others, the webinar covers: • DORA and its Implications • Nis 2 Directive and its Implications • How to leverage directive and regulation as a marketing tool and competitive advantage • How to use new compliance framework to request additional budget Presenters: Christophe Mazzola - Senior Cyber Governance Consultant Armed with endless Excel files, a meme catalog worthy of the best X'os (formerly twittos), and a risk register to make your favorite risk manager jealous, I swapped my computer scientist cape a few years ago for that of a (cyber) threat hunter with the honorary title of CISO. Ah, and I am also a quadruple senior certified ISO27001/2/5, Pas mal non ? C'est francais. Malcolm Xavier Malcolm Xavier has been working in the Digital Industry for over 18 Years now. He has worked with Global Clients in South Africa, United States and United Kingdom. He has achieved Many Professional Certifications Like CISSP, Google Cloud Practitioner, TOGAF, Azure Cloud, ITIL v3 etc. His core competencies include IT strategy, cybersecurity, IT infrastructure management, data center migration and consolidation, data protection and compliance, risk management and governance, and IS program development and management. Date: April 25, 2024 Tags: Information Security, Digital Operational Resilience Act (DORA) ------------------------------------------------------------------------------- Find out more about ISO training and certification services Training: Digital Operational Resilience Act (DORA) - EN | PECB NIS 2 Directive - EN | PECB Webinars: https://pecb.com/webinars Article: https://pecb.com/article Whitepaper: https://pecb.com/whitepaper ------------------------------------------------------------------------------- For more information about PECB: Website: https://pecb.com/ LinkedIn: https://www.linkedin.com/company/pecb/ Facebook: https://www.facebook.com/PECBInternational/ Slideshare: http://www.slideshare.net/PECBCERTIFICATION

3. Agenda
 Introduction
 Regulation vs Directive
 DORA
 NIS2
 Q&A

4. Decoding the differences
Directive (NIS2) vs Regulation (DORA)
Key Differences
1. Definition
• Directive: A legislative act that sets out a goal that all EU countries must achieve.
• Regulation: A binding legislative act that must be applied in its entirety across the EU
without requiring member states to pass any enabling legislation.
2. Implementation
• Directive: Must be transposed into national law by member states within a set deadline.
• Regulation: Automatically becomes law in all member states simultaneously.
3. Enforcement
• Directive: Depends on national authorities and the specificities of national laws.
• Regulation: Enforced uniformly across the EU by relevant EU-wide and national bodies.

5. Decrypting the brand-new EU Regulation
DORA Overview
The strategic mission of DORA is to ensure that the financial sector
in Europe can handle and recover quickly from any type of
technology-related disruptions or attacks, aiming to keep the
financial system stable and trustworthy.
The Digital Operational Resilience Act is a European Union
regulation enacted in December 2022 and entered into force in
January 2023. It will apply to financial institutions starting on 17
January 2025.

6. Decrypting the brand-new EU Regulation
DORA Overview

7. NIS2, GDPR and CRA
Relations with other EU regulations/directives
• DORA and NIS2 aims to enhance digital resilience and mitigate
cyber incidents in the EU.
• DORA will take precedence over NIS2 avoiding overlap.
• DORA is built on GDPR requirements and does not overwrite them.
• The Cyber Resilience Act aims to increase cybersecurity posture
across a large range of industries while DORA focus on Financial
entities

8. Using ISO 27k family to aim compliance
Relations with standard
• ISO27001 to leverage governance, structure and global approach of
Information Security
• ISO27005 to leverage Information Security Risk Management
• ISO22301 to leverage business resilience

9. A revolution in Risk Management
ICT (Third Party) Risk Management
DORA mandates strict oversight and management of third-party ICT service
providers
Impact:
• Introduces a requirement for financial entities to maintain a register of all
information regarding their ICT third-party relationships and risk
management policies.
• Requires due diligence processes and ongoing monitoring to manage and
mitigate risks associated with third-party service providers.

10. A revolution in Risk Management
ICT (Third Party) Risk Management
Revolutionary Aspect
DORA's regulatory framework brings critical ICT third-party service providers
under strict regulatory oversight for the first time.
Impact:
• Addresses key vulnerabilities in the financial sector’s supply chain, ensuring
that
critical service providers meet robust security standards.
• Complements the focus of the NIS 2 Directive on enhancing supply chain
security, highlighting modern digital ecosystems and the need for holistic
security approaches.

11. A revolution in Risk Management
ICT (Third Party) Risk Management

12. Marketing tool and competitive advantage
How to leverage Directive and Regulations
1.Historical Context with GDPR:
• Companies prominently display GDPR compliance as a trust factor.
• Public claims of GDPR compliance helped companies gain initial trust.
• Organizations that adopted a proactive approach to GDPR compliance
benefited from reduced stress and enhanced business opportunities.
2.Leveraging Early Compliance:
• First Mover Advantage: Use the period leading up to full enforcement of
new directives/regulations to position yourself as a leader in compliance.
• Marketing and Sales Synergy: Direct your marketing team to highlight
your early compliance, and orient sales strategies to target sectors such
as finance and banking.

13. Marketing tool and competitive advantage
How to leverage Directive and Regulations
1.Professional Development:
• DORA Lead Manager Training
• Early certification benefits
2. Marketing Strategy:
• Differentiation through expertise
• Training opportunities

14. The hidden truth behind DORA and NIS2
DORA and NIS2 are two sides of the same coin
Both DORA and NIS 2 represent the European Union's effort to standardize
cybersecurity and operational resilience across key sectors.
Both DORA and NIS 2 will serve as benchmarks for global cybersecurity
standards, influencing policies beyond Europe with their approach to digital
resilience.
Just as GDPR revolutionized data privacy and protection standards globally,
DORA and NIS 2 are poised to do the same for cybersecurity and resilience.
Initial skepticism about GDPR’s impact parallels the reception to DORA and NIS
2.

15. The hidden truth behind DORA and NIS2
DORA and NIS2 are two sides of the same coin
Both DORA and NIS 2 are PRAGMATIC, and measures shall be REASONABLE or
PROPORTIONATE.
How to demonstrate pragmatism?
You can’t. You demonstrate that you effectively mitigate risks.

17. Introduction & Overview of the NIS 2.0 Directive
NIS2 Directive
Introduction
The purpose and significance of the NIS 2
Directive.
NIS 2 Timelines
Key changes from the previous NIS
framework.
The relevance of cybersecurity in today’s
interconnected world.
what organizations need to do to comply
with the updated NIS requirements.
Practical steps, best practices, and
challenges.

18. NIS
The NIS2 Directive is the EU-wide legislation on cybersecurity. It provides legal measures to
boost the overall level of cybersecurity in the EU.
The Network and Information Security (NIS) Directive was the first EU-wide legislation on
cybersecurity.
Its primary goal was to achieve a high common level of cybersecurity across the EU Member
States.
27
Member States
46 articles in
the NIS2
Directive
10 EUR Million
or up to 2% of
the Total
worldwide
turnover of an
entity for non-
Deadlines for
transposition
into national
Law –Oct 17-
2024

19. NIS 2 Timelines and Important Dates
Jul
2016
May
2022
Nov
2022
Dec
2022
Jan
2023
Oct 17
2024
NIS 2
Enters into
Force
NIS 1
Enters into
Force
Post-October 17, 2024: EU authorities will
continue to carry out regular work to review
and cement aspects of the Directive, such as
establishing a list of the Essential and
Important entities by Member States.
Deadline for
transposition
into Law
EU
Parliament
Votes to
Adopt NIS 2
Official
Journal of the
EU as Directive
EU 2022/2555
NIS 2
Approved

20. The purpose and significance of the NIS 2 Directive
The NIS 2 Directive, officially known as the Directive (EU) 2021/250 of the European Parliament and of the
Council, aims to enhance the cybersecurity and resilience of critical infrastructure and digital services across the
European Union (EU).
It builds upon the original NIS Directive (NISD) and addresses the evolving threat landscape, technological
advancements, and the increasing reliance on digital systems.
The primary purpose of NIS 2 is to establish a harmonized framework for managing cybersecurity risks and
incidents, thereby safeguarding essential services and ensuring trust in the digital economy.

21. Significance
Strengthened Scope: NIS 2 extends the scope beyond just essential services to include a broader range of digital service
providers (DSPs), such as online marketplaces, cloud computing services, and search engines.
Risk Management: It emphasizes risk-based approaches, requiring organizations to assess and manage cybersecurity
risks effectively.
Incident Reporting: NIS 2 mandates timely reporting of significant cybersecurity incidents to national authorities,
promoting transparency and collaboration.
Cooperation and Information Sharing: The directive encourages cross-border cooperation among EU member states
and facilitates information sharing to respond swiftly to threats.
Penalties and Enforcement: NIS 2 introduces stricter penalties for non-compliance, ensuring accountability and
incentivizing organizations to invest in cybersecurity measures.
Digital Single Market: By enhancing cybersecurity resilience, NIS 2 contributes to a secure and competitive digital single
market within the EU.

22. Key changes from the previous NIS framework.
Expanded Scope: It includes more sectors and types of entities, broadening
the range of companies that must adhere to cybersecurity requirements.
Stricter Security Requirements: The directive imposes more rigorous
security and incident reporting obligations.
Enhanced Enforcement: It establishes stricter supervisory measures and
higher sanctions for non-compliance.

23. The relevance of cybersecurity in today’s
interconnected world.
Protection of Sensitive Data
Business Continuity
National Security
Economic Impact:
Privacy Preservation
Global Collaboration
Emerging Technologies
Individual Responsibility

24. What organizations need to do to comply with the
updated NIS requirements.
Risk Management Corporate Accountability
Reporting Obligations Business Continuity Planning
Baseline security measures

25. Practical steps, best practices, and challenges related
to NIS 2 Directive compliance
• Risk Assessment
• Policy
Development
• Incident Response
Plan
• Employee Training
• Vendor
Management
• Regular Audits
• Secure
Development
• Patch
Management:
• Multi-Factor
Authentication
• Defense in Depth:
• Continuous
Monitoring:
• Encryption
• Access Controls
• Threat Intelligence
• Collaboration
• Incident
Communication:
• Privacy by Design
• Complexity
• Resource
Constraints
• Cross-Border
Coordination:
• Rapidly Evolving
Threats
• Balancing Security
and Usability
• Vendor
Compliance
• Employee
Awareness
Practical Steps Best Practices Challenges

26. THANK YOU
Q&A
c@celasconsulting.eu
malcolm.xavier@eetfuels.com
https://www.linkedin.com/in/christophemazzola/
https://www.linkedin.com/in/malcolmxavier/