NIS2 and DORA support legislation meant to combat the ongoing and ever-increasing threat of cyber risk across the European Union. But the key to compliance is the state of your identity data. This webinar examines how to ensure that your identity data is up-to-date, accurate and readily available in the context of NIS2 and DORA.
Thank you everybody for joining us today for our webinar where you’re going to learn a little bit more in detail about the NIS2 and DORA compliance regulations that are out there and how you and your company can maximize the potential of your identity data. So during this presentation, please do not hesitate to put your questions in the question box, and at the end we will be answering those questions for you.
So who will you be speaking with today?
Well, you’ll be hearing from myself. My name is Leanne Debeurre, and I am one of the product marketing managers here at Radiant Logic, and you will also be hearing for most of the webinar from my colleague Khadija. Khadija, why don’t you introduce yourself?
Yes, hi everybody and hi Leanne. So my name is Khadija. I’m a senior technical enablement specialist at Radiant Logic, and I specialize in providing training programs for our customers and partners on our identity analytics offering.
Excellent, thank you very much.
So let’s get started here. Well, just a little bit of an overview for those of you who may not know Radiant Logic. We are the leader in identity data management and identity analytics, and what we do is help you turn your identity data into a strategic asset to help you with automated governance, inherent, I’m sorry, enhanced security and operational efficiency related to identity data. And what we do is we transform identity into an accelerator for our customers. We’ve been in business for twenty nine years.
We have a customer retention rate that we are very proud of, of ninety eight percent, and you can see the power of our RadiantOne platform that is able to manage two eighty million objects in a single deployment. And for those of you who may know or may have known Brainwave GRC, Radiant Logic and Brainwave GRC have now merged our strengths into the RadiantOne platform today of Radiant Logic.
So let’s look at the agenda for today and what you’re going to be hearing about. So the first part of the webinar will be around the NIS2 directive and the DORA regulation.
We will give you a little bit of an introduction to both and the respective scopes that you need to be aware of. And then we’re going to talk a little bit about how identities and accesses play out under the NIS2 and DORA regulations, what you need to be aware of. And then the last piece will be the NIS2 and DORA overlap, or what we are going to refer to here today as the competing or completing piece. So this will be very interesting for you guys to hear where this overlap is.
So we’re going to start with the first part of our agenda, which is an introduction and a presentation of the respective scopes of both NIS2 and DORA, and for this I’m going to pass it to my colleague Khadija.
All right, thank you Leanne for this awesome introduction.
Okay, so first let’s take a look at what DORA is.
So the DORA Act is a piece of regulation that was released by the European Union back in twenty twenty two, and it should be directly applicable for the financial companies operating in the EU and their service providers providing information and communication technology services.
DORA stands for Digital Operational Resilience Act, and that basically states the main requirement, the key concern for this piece of legislation. So the purpose of DORA is to enforce requirements that will target these companies and turn them into companies that would basically recover more easily after there may be incidents or catastrophes.
And basically, they would need to improve their digital resilience, especially regarding IT risks, IT incidents. So we’ll take a deeper look at that later on.
The financial service companies and their service providers will have to be complying to DORA starting January seventeenth, twenty twenty five. So, DORA will come into effect a little, so almost six months from now, seven months from now.
And for now, we are still waiting for further details regarding the risks that companies may have if they’re not compliant with DORA requirements, like what would be the amounts of the fines or financial sanctions or jail sentences or anything like that.
That has yet to be determined.
On the other side, we’re also going to be talking today about NIS2. So NIS stands for Network and Information Security, and NIS2 is the second version of that framework. And this directive is actually a piece of legislation that is not applicable directly for companies operating in the EU, but has first to be transposed into national law within each EU member state.
So more specifically, NIS2 aims at setting up high levels of cybersecurity requirements for mid-sized and large companies operating in the EU. So what we call mid-sized and large companies would be any company that has more than two fifty employees, and that makes over fifty million global annual turnover.
And we’re also dealing with companies that are working in critical and important industries. So I’ll give a few more details about what that means in the next slide, but basically it’s an extension of what some countries may already have in their national law regarding industries or sectors of high criticality activities that are actually essential to a country.
The main deadline that we know about NIS2 so far is that each country has to transpose NIS2 into their national law before October eighteenth, twenty twenty four. So that’s going to be four months from now.
And for each of these countries, after transposing NIS2 into their national law, they still have to come up with a specific date of entry into effect for the companies that are operating in their respective countries.
For companies that may not be compliant with NIS2 requirements, the fines may go up to two percent of annual global turnover or ten million euros. Keep in mind that the highest amount of these two methods will be kept to define the financial sanctions for a company that is non compliant.
And whether we are talking about DORA or NIS2, today for the purposes of this webinar, our main focus is going to be about user access rights, identities and access rights, and in particular user access observability, governance and compliance.
So, let’s take a first look at which cybersecurity requirements each of these regulations mention. So, some of these cybersecurity requirements may be common, may be available in both regulations. So that’s why they appear with a similar color code on the left and right sides.
So if we take a look at DORA, basically DORA has several chapters that would define requirements around ICT risk management, ICT incident management, resilience testing, and risk management on ICT external service providers.
And these requirements would mostly be applicable to financial service companies, as I stated in the previous slide.
On the NIS2 side, so on the right side of this overview, in addition to these requirements that DORA already stated, NIS2 added some specifics, some additional requirements such as access control, multi factor authentication, cyber hygiene, and network and application security. And these requirements are supposed to apply to all sectors of high criticality, as they were listed in the appendixes one and two of the NIS2 directive content. So among these sectors, I’m not gonna quote all of them of course, but just to give you an idea, the NIS2 requirements should apply to utility companies, food processors and distributors, transport companies, telecom operators, public administrations, media companies, labs and research facilities, etc.
Just to give a few examples.
All right, well thank you, Kat. That was very thorough, a good introduction to all of this. So anyway, with relation to the identities and access and how they’re handled and regarded under NIS2 and DORA, can you talk a little bit more, can you give us a few more details, I should say, about the security requirements for each regulation and how user access governance plays a part in it?
Yeah, let’s deep dive in these cybersecurity requirements.
Okay, so let’s get started with the DORA requirements. So for each of these pillars that I mentioned earlier, so ICT risk management, ICT incident management, resilience testing, and external risk, risk management on ICT third party critical providers, I’ll basically give you the breakdown of the way that identities and access rights could play a part in meeting these requirements.
So, regarding ICT risk management, one of the key parts that you’ll have to keep in mind is that you’ll need to include an identities and access rights section to your risk management framework, and you’ll also need to come up with unified KPIs and reports on user access governance in order to share alerts, to share updates on the state of risks within your organization.
Regarding handling of ICT incidents, the most obvious type of incident that we can have in mind regarding user access governance would be illegitimate access rights.
So, each time an illegitimate access right has to be handled, you need to set up a dedicated incident management process that would cover all the steps from identifying and classifying these anomalies all the way down to actually performing remediation, revocation, or updates on these illegitimate access rights.
The topic of resilience testing may be a bit further away from our expertise, but there would still be the need to include user access governance in your resilience recovery exercises. So whenever you play your resilience testing, you need to also simulate the scenarios where you would lose your identity and access governance infrastructure, for example, and make sure that you can set them back up and retrieve access rights for people to actually keep doing their jobs.
DORA also states the need for access control on the data that is related to resilience testing. So your resilience testing input, protocols and results need to be accessed on a need to know basis.
And finally, regarding your external identities access rights, here access governance is a key part of this chapter, and you will need to set up a dedicated risk management framework for your ICT critical service contractors, in addition to the oversight that European agencies may already provide on these service provider companies.
And in all of these chapters there is a common concern that is mentioned all across the DORA Act, and that is the need for reporting and information sharing. Meaning that financial service companies need to set up reporting circuits and processes to share incidents and vulnerability details with their national authorities, with their European agencies. So, that could be the European Banking Agency, the European Agency of Interest and Pension Funds, or Securities and Markets, depending on the industry they operate in.
And that is really mentioned in all of these chapters.
If I have to come up with a checklist of all the recommendations we could give our customers and leads regarding how to meet DORA requirements with user access governance, I’m displaying our checklist here, and of course I will advise you to take a closer look at it after this webinar using the replay and the slideshow that we will send you afterwards. Just to name a few, our key recommendations would be to set up a three sixty vision of your user access rights, set up a remediation process on your illegitimate accesses, set up controls on non compliant accesses coming from contractors on your information system, and set up a backup and restoration process for identities and access rights.
All these can be part of the offerings that Radiant Logic provides to our customers.
Let’s do the same analysis on NIS2 requirements. So among NIS2 requirements, actually, they’re not as detailed as they may be in the DORA Act, precisely because each country has then to transpose NIS2 into their national law and come up with additional recommendations and give priorities within their respective countries.
But, in the list of requirements that are listed within the NIS2 directive, two of them are actually directly dealing with user access governance. So, the first one is HR security and access control.
So that’s one of the key requirements in the list. The second one is what NIS2 calls Supply Chain Security. So it’s just a different way of mentioning cybersecurity around the accesses of external identities, contractors that operate IT services for these companies. So we had a different wording with DORA, we had like ICT third party service providers; here we’re dealing with supply chain security. So two expressions to mention the same thing.
Then there are a few requirements for which either identity and access governance is a prerequisite, such as for multi factor authentication, where you need to have proper identity management beforehand so that you can then grant your MFA tools and tokens and monitor their use properly. Or for the other requirements you may need to include sections that would deal with user access governance as part of the whole process, as part of the whole framework. So that would be the case with cyber hygiene and awareness, that would be the case with network and application security, and so on.
We came up with a similar compliance checklist with NIS2, so again, I will let you take a closer look at it after this webinar, just to name a few key recommendations.
We would stress the importance of again having a three sixty vision of the access chain, so basically the link between your identities, accounts, access rights and authorization objects in general. Setting up a periodic user access review process that would periodically ask managers, application owners, resource owners to reassess the access rights of all users to check if they’re appropriate or not, and trigger data cleaning afterwards. So, that would be your remediation, that would be your incident classification alongside it.
We would also recommend setting up user access awareness training, periodic data cleaning, whenever you find your undue access rights, setting up your backup and restoration processes for identities and access rights, among others.
So that would be the gist of our recommendations to meet DORA and NIS2 requirements respectively.
All right, thank you. That was a very great overview of what our customers have to take a look at and make sure that they’re ready for as these regulations begin to be enforced. So now that we’ve had this overview of both NIS2 and DORA, can we talk a little bit more about the overlap? In other words, we’re calling it competing or completing. Can you let us know where these two things overlap and how our customers can focus in on those spaces also?
Well, that’s an interesting question. So, let’s take a look at the intersection between DORA and NIS2. So, first, which companies would have to abide by both regulations? So, the two types of companies that would be both submitted to DORA and NIS2 requirements would be credit institutions, trading operators, so these would be both financial services companies and part of the critical sectors that are listed in its appendix.
And among those, we would be focusing on large and mid sized companies in particular alongside and their providers, their service providers alongside them.
So for these companies, there would be a foundation of common requirements that would deal with disaster recovery and resilience, risk management, reporting and information sharing on incidents and vulnerabilities. So, requirements would be common to both regulations.
And we would also need to keep in mind the question of the precedence. So as of today, the legal community has stated that DORA takes precedence over NIS2 for those companies, since DORA is what we call lex specialis, so in Latin, meaning a piece of legislation that is specializing in one vertical, one sector, as opposed to NIS2 that applies to a wider range of industries.
There’s one question that has yet to be figured out.
With NIS2, we know the maximum amounts of financial sanctions, but we don’t know them yet with DORA. There may be hints at DORA stating fines that would go up to five percent of the annual global turnover, but that has yet to be confirmed.
But what is certain is that we will have some interesting cases when both these regulations come into effect, and we’ll have to check what happens with companies that are identified as non compliant with both. Will they have to pay two different fines that would be cumulated? So that has yet to be figured out.
But what I can mention for now, for the companies that have to abide by both, is that basically if they already have a NIS2 cybersecurity framework, they would most likely already be covering DORA requirements.
And on the other hand, so if they’re already meeting DORA requirements but haven’t yet worked on NIS2, in that case they would need to include additional cybersecurity requirements such as network and application security, cyber hygiene and awareness, even though they are not explicitly stated in the DORA Act, but they could still appear as implicitly needed inside your ICT Risk Management Framework, for example.
And if we take a closer look at the types of features, the types of solutions that would help companies meet both regulations’ requirements regarding identity and access governance, so, if we have to sum up the checklists that I introduced earlier, there are three types of features that come back often. So, we need to keep in mind the need for ITTC controls, permanent controls in general that would monitor the risks regarding user access rights, and data quality around identities as well.
Periodic access review is also a key part in meeting both regulations requirements, and third party access control is also instrumental in making sure that the accesses that are granted to your contractors are actually appropriate and meet cybersecurity requirements.
And as this is your lucky day, we’re glad to tell you or remind you, for those of you who may already know us, that these features and some more are part of our software offerings. So we can confidently say that RadiantOne would be the ideal companion to help financial service companies and companies of other critical sectors meet both DORA and NIS2 cybersecurity requirements, especially with this focus on identity and access rights.
Excellent, thank you, Kat, for that. So, we’re going to take a look at here, just a reminder of these regulations we’re talking about and the deadlines that we have. So here we have NIS2, October eighteen, twenty twenty four, the deadline for the EU nations to transpose the NIS2 laws or the NIS2 regulations into their own laws, so we have that date. And creeping up on us right behind that is the DORA regulation.
Compliance with DORA needs to be had by the financial services companies within the European Union by January seventh, seventeenth, I’m sorry, twenty twenty five. So again, that is kind of coming up quickly, and we also thought that we would mention the PCI DSS compliance, which is a version four that’s coming out, and it’s going to be effective March thirty first, twenty twenty five, and what we’d like to mention here is that this is the first time that user access reviews need to be done every six months with regards to this regulation, so we are going to be doing a webinar for a little bit more details about that, but we wanted to put that also on your radar.
So here are the dates, please mark them on your calendar and start working towards compliance, and we here at Radiant Logic will be very happy to help you with that. So again, our automated periodic access reviews with our RadiantOne platform are going to help you meet the regulatory requirements of these three directives.
Okay, well that brings us to the end of the webinar. We have a few minutes. We did get a few questions in the question box as we were going through here. So, Khadija, if you will bear with me, I’m just gonna read through a few that would be most pertinent for the audience, and then we’ll pick a few. So alright. I think you might have mentioned this, but let’s go over it again. Is NIS2 transposed in all European countries?
Right, so as of today there are only three countries that have finalized the NIS2 transposition into national law. These countries being Belgium, Hungary, and Croatia. Out of these three countries, only Hungary decided to start enforcing NIS2 on October eighteenth. Belgium and Croatia actually are planning to make their national versions come into effect in the first half of twenty twenty five. So, the companies that are operating in Belgium and Croatia still have a little more time to get themselves to meet these requirements, but not much more time actually.
And in the rest of the European Union, most member states are still in the process of working on the transposition or are getting started with it. So for now, the ball is in the court of most European countries’ parliaments and national assemblies.
Okay, I think the second question from the same person goes along with the same idea: and will this transposition in each member state include all of the required details?
That is actually very unlikely, because as NIS2 states in Article thirteen, in addition to having the directive transposed into national law, each country has to come up with a national cybersecurity framework that will most likely be made by national cybersecurity authorities that have to be put in place. So you’ll have to wait for your respective countries, where you’re operating, to release their national cybersecurity framework. That’s where you will know about each country’s priorities and like what types of requirements you have to set up first.
Okay, and I’m going to squeeze this last one out in this last thirty seconds here. Is there any additional content to be released regarding DORA’s entry into effect in January?
Right, so with DORA there has always been a first wave of policies that were published by the European agencies and authorities back in January twenty twenty five, and there should be a second wave of policies and technical recommendations that should be published next month, so on July seventeenth of twenty twenty four, and they should give additional knowledge about how to enforce DORA requirements for each specific sub industry, like recommendations that would be specific to banks, to insurance companies, to pension funds, to securities companies, etc, etc.
Okay, fantastic. Well, we’re right at the hour, I should say the half hour. We’d like to thank all of you for your attendance and everybody here will be receiving a recording of this as well as a slide deck so that you can go back into details on some of the things that Khadija has mentioned. Again, you see on the screen here our website radiantlogic dot com. If we didn’t get to your question or you have additional questions or want to hear more about what we can do to help you with these regulations, please don’t hesitate to reach out. Khadija, thank you very much for your thorough explanation here and your help with this webinar.
Thank you so much, Leanne, for co hosting this webinar with me, and thanks everyone for joining us. Have a great day.