
Cyber security in the company: the NIS2 directive, DORA and building resilience


Author: Marcin Godula


Cyber security in the organization: from strategic risk management and NIS2/DORA compliance to building a security culture

In today’s hyper-connected world, where digital technology permeates every aspect of business and data has become one of the most valuable assets, cyber security is no longer just a technical issue reserved for IT departments, but is becoming a fundamental pillar of any organization’s business strategy, risk management and building sustainable value. The growing scale, complexity and sophistication of cyber attacks - from ransomware and phishing to DDoS attacks and advanced targeted campaigns (APTs) - pose a real and ongoing threat to business continuity, financial stability, corporate reputation and customer confidence. Moreover, the rapidly changing regulatory landscape, including the implementation of stringent new EU directives such as NIS2 and the DORA regulation, imposes specific obligations on companies to ensure a high level of cyber resilience.

The purpose of this article is to provide a comprehensive discussion of today’s challenges and strategic imperatives related to cyber security in organizations. We will look at the evolution of threats, the key pillars of an effective cyber security strategy, as well as analyze in detail the implications of the new EU legal framework for Polish companies. We will also delve into the role of managers, HR and every employee in building a security culture. EITT, as a partner supporting organizations in change management, competence development and adaptation to regulatory requirements, would like to provide you with knowledge that will allow you not only to understand the complexity of modern cyber security, but most importantly to build sustainable digital resilience in your company and turn responsibilities into a strategic advantage.

## Cyber security at the heart of the modern organization: definition, threat evolution and strategic necessity in the digital age

Cyber security is the totality of practices, technologies, processes and controls designed to protect computer systems, networks, devices, programs and data from unauthorized access, attacks, damage or theft. In an era where the majority of business operations, communications and information storage take place in the digital space, the scope of cybersecurity includes protecting critical infrastructure, intellectual property, personal data of customers and employees, and ensuring business continuity of critical services. It is no longer just a matter of technical security, but a holistic approach to digital risk management, which must be an integral part of every organization’s strategy and culture.

The cyber threat landscape is evolving at an alarming rate. Cybercriminals are becoming more organized, have increasingly sophisticated tools and techniques at their disposal, and their motivations range from purely financial (e.g., ransomware, credit card data theft), to industrial espionage and intellectual property theft, to activities of a political or ideological nature (e.g., attacks on critical infrastructure, disinformation). Digital transformation, while bringing enormous benefits, is also increasing the so-called “attack surface,” creating new potential entry points for cybercriminals through the growing number of network-connected devices (IoT), the spread of remote work, migration to the cloud, or increasingly complex software and service supply chains.

In this context, cyber security ceases to be seen merely as a cost or expense center, and becomes a strategic necessity and a potential source of competitive advantage. Companies that can effectively manage digital risks, protect their information assets and ensure the security of their data for customers build trust, enhance their reputation and gain greater stability in their operations. A proactive approach to cyber security, based on continuous risk analysis, investment in appropriate technologies and competencies, and building awareness among employees, is not only a regulatory requirement, but more importantly the foundation of responsible and sustainable business in the 21st century.

The European Union, recognizing the growing threats and the need to strengthen the digital resilience of the entire internal market, has in recent years introduced significant new regulations in the area of cyber security. For Polish companies, of particular relevance are the provisions of the NIS2 Directive and the DORA Regulation, which impose a number of new, more stringent obligations and significantly raise the bar for digital risk management. Timely adaptation to these requirements is not only a matter of compliance, but also an opportunity to raise your own security standards.

Directive (EU) 2022/2555 of the European Parliament and of the Council, known as NIS2 (Network and Information Systems Directive 2), replaces and significantly expands the scope and requirements of the earlier NIS Directive. Member states, including Poland, were required to transpose it into national law by October 17, 2024, and the new regulations, depending on the details of national implementation, will soon become fully applicable or are already in force to some extent. Key changes and obligations under NIS2 include expanding the scope of regulated entities to include a much broader group of sectors and companies deemed “key” (in the directive’s own terms, “essential”) or “important” to the functioning of the economy and society. This means that many companies that were previously not subject to similar rigor must now adjust their practices. The NIS2 directive also introduces strengthened cyber security risk management requirements. Covered entities must implement comprehensive technical, operational and organizational measures to manage risks to network and information system security, which must be proportionate to the identified risks. This includes, among other things, conducting regular risk analysis, implementing adequate security policies, effectively managing incidents, ensuring business continuity, and, very importantly, taking care of security throughout the supply chain, including relationships with ICT service providers. In addition, the directive tightens incident reporting obligations, requiring the immediate reporting of significant security incidents to competent national authorities (CSIRTs) and, in certain cases, informing recipients of their services, with shorter reporting deadlines and a multi-stage reporting system. Finally, NIS2 strengthens oversight and enforcement mechanisms, with stiffer financial penalties for non-compliance, which can be as high as €10 million or 2% of a company’s total annual worldwide turnover, and increases the powers of supervisory authorities. The management of key and important entities will have direct responsibility for ensuring compliance with NIS2.
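The multi-stage reporting system mentioned above has fixed clocks that an incident-response team has to track from the moment it becomes aware of a significant incident. The following deadline tracker is an added example written for this article, not code from EITT or from any regulator; it encodes the three stages of Article 23 of the directive (early warning within 24 hours, incident notification within 72 hours, final report no later than one month after the incident notification) and treats “one month” as 30 days, which is an assumption made here for simplicity. The timestamps in the demo are constructed.

```python
from datetime import datetime, timedelta, timezone

# Stages of the multi-stage reporting flow for significant incidents under
# Article 23 of Directive (EU) 2022/2555 (NIS2): early warning within 24 h of
# becoming aware, incident notification within 72 h, final report no later
# than one month after the incident notification. "One month" is
# approximated as 30 days here (assumption for this example).
EARLY_WARNING = timedelta(hours=24)
INCIDENT_NOTIFICATION = timedelta(hours=72)
FINAL_REPORT = timedelta(days=30)
STAGES = ("early_warning", "incident_notification", "final_report")


def _as_dt(value):
    """Accept a timezone-aware datetime or an ISO-8601 string such as 2025-03-01T08:00:00+00:00."""
    return datetime.fromisoformat(value) if isinstance(value, str) else value


def reporting_deadlines(aware_at, submitted):
    """Return {stage: deadline} for one incident.

    aware_at  -- moment the entity became aware of the incident
    submitted -- {stage: timestamp} for the stages already sent to the CSIRT
    The final-report clock starts when the incident notification is sent; if
    that notification has not gone out yet, its own deadline is used instead.
    """
    aware_at = _as_dt(aware_at)
    notification_due = aware_at + INCIDENT_NOTIFICATION
    notification_sent = _as_dt(submitted.get("incident_notification", notification_due))
    return {
        "early_warning": aware_at + EARLY_WARNING,
        "incident_notification": notification_due,
        "final_report": notification_sent + FINAL_REPORT,
    }


def reporting_status(aware_at, submitted, now):
    """Classify every stage as submitted, submitted_late, due or overdue at time `now`."""
    now = _as_dt(now)
    status = {}
    for stage, deadline in reporting_deadlines(aware_at, submitted).items():
        sent = submitted.get(stage)
        if sent is not None:
            status[stage] = "submitted" if _as_dt(sent) <= deadline else "submitted_late"
        elif now > deadline:
            status[stage] = "overdue"
        else:
            status[stage] = "due"
    return status


def hours_left(aware_at, submitted, now, stage):
    """Hours until the deadline of `stage`; negative once the deadline has passed."""
    deadline = reporting_deadlines(aware_at, submitted)[stage]
    return (deadline - _as_dt(now)).total_seconds() / 3600


if __name__ == "__main__":
    # Constructed timeline: awareness on 1 March 2025 08:00 UTC, early warning
    # sent 20 h later, nothing else sent yet, status checked 26 h after awareness.
    aware = datetime(2025, 3, 1, 8, 0, tzinfo=timezone.utc)
    sent = {"early_warning": aware + timedelta(hours=20)}
    now = aware + timedelta(hours=26)
    for stage in STAGES:
        state = reporting_status(aware, sent, now)[stage]
        print(f"{stage:22s} {state:15s} {hours_left(aware, sent, now, stage):8.1f} h left")
```

The point of the separate final-report clock is that sending the 72-hour notification early does not buy extra time for the final report; the one-month period starts from whenever that notification actually goes out.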

Regulation (EU) 2022/2554 of the European Parliament and of the Council on the Digital Operational Resilience of the Financial Sector, known as DORA (Digital Operational Resilience Act), which became directly applicable in all member states as of January 17, 2025, introduces harmonized and more stringent requirements for almost all financial sector players, such as banks, insurance companies, investment firms, payment service providers, as well as key ICT service providers to the sector. The goal of DORA is to ensure that the financial sector is able to withstand, respond to and recover from any type of information and communications technology (ICT) disruption or threat. Key areas regulated by DORA include comprehensive ICT risk management, including the identification, classification and handling of incidents, their reporting to competent authorities, and rigorous testing of digital operational resilience, including mandatory threat-led penetration testing (TLPT) for key players. The regulation also places a strong emphasis on managing the risk posed by third-party ICT service providers, including contract monitoring and control, and on promoting the exchange of information on cyber threats between financial entities.

Preparing for full compliance with NIS2 and DORA requirements requires Polish companies to conduct a thorough gap analysis, adjust their policies and procedures, invest in technology and competencies, and build a culture of cyber security awareness at all levels of the organization. EITT offers support in interpreting these complex regulations and designing strategies for their effective implementation.

## Pillars of a successful cyber security strategy in an organization: from technology and processes to the key role of people and security culture

Building sustainable cyber resilience requires a holistic and multidimensional approach that relies on three fundamental, interrelated pillars: technology, processes and people (often referred to as People, Process, Technology - PPT). Neglecting any of these elements significantly undermines the effectiveness of the overall cyber security strategy, making the organization vulnerable to attacks.

The Technology pillar encompasses the totality of tools, systems and technical solutions used to protect an organization’s information assets. It is often the first and most visible line of defense. Key technologies include state-of-the-art firewalls and intrusion detection and prevention systems (IDS/IPS) that monitor and control network traffic. Endpoint protection solutions (Endpoint Detection and Response - EDR, Endpoint Protection Platforms - EPP) that secure computers, laptops and mobile devices are also essential. Security Information and Event Management (SIEM) systems aggregate and analyze logs from various systems to detect incidents. Multi-factor authentication (MFA) mechanisms, making unauthorized access significantly more difficult, and encryption of data, both stored and transmitted, are fundamental. Regular use of vulnerability management tools and automated security scanning, combined with protection against malware and spam, completes the picture of technological defense measures. The selection and implementation of appropriate technologies must be preceded by a sound risk analysis and tailored to the specifics and resources of the organization.

The Processes pillar encompasses formal policies, procedures, standards and guidelines that govern how cyber security is managed within the organization and ensure consistency of operations. Key processes include comprehensive cyber security risk management, which includes regular identification, analysis and assessment of risks and planning of mitigating actions. It is essential to develop and consistently enforce information security policies governing issues such as password management, use of mobile devices, security of remote work and classification of information. Every organization must have a detailed incident response plan (Incident Response Plan), detailing the steps to follow in the event of an attack, and a business continuity and disaster recovery plan (BCP/DRP), ensuring that critical processes can be resumed. In software development companies, secure application lifecycle processes (Secure SDLC, DevSecOps) are becoming crucial. And don’t forget about vendor risk management (Third-Party Risk Management) and regular security audits and penetration testing. Well-defined and consistently applied processes are the backbone of an effective cyber security system.

The People pillar is often referred to as the weakest link in the security chain, but it is also the first and most important line of defense against many types of attacks, especially those based on social engineering, such as phishing. Key efforts in this area focus on building a strong culture of cybersecurity awareness throughout the organization, where every employee understands his or her role and responsibility for protecting company assets. Regular, engaging cybersecurity training for all employees, tailored to their roles and level of expertise, covering threat recognition, safe practices and handling procedures, is essential. Conducting simulations of phishing attacks helps test and reinforce vigilance. It is also important to clearly define roles and responsibilities for different aspects of cyber security, and to ensure that cyber security professionals are competent through ongoing development. Investing in a “human firewall” is one of the most effective forms of protection against cyber threats.

Only an integrated and balanced approach that takes into account all three pillars - technology, processes and people - can provide an organization with a high level of cyber resilience and effective protection against a dynamically changing threat landscape.

## The most common cyber threats to business and methods of protection: from phishing and ransomware to advanced APT attacks and insider threats

The landscape of cyber threats is extremely dynamic and diverse, and cybercriminals are constantly refining their methods and looking for new weaknesses in an organization’s defenses. Understanding the nature of the most common types of attacks is crucial for effective prevention and defense planning, as well as for building awareness among employees.

Among the most common and damaging cyber threats to modern businesses are phishing attacks and other forms of social engineering. They involve manipulating people’s emotions and trust in order to trick them out of sensitive information, such as login credentials or credit card numbers, or to get the victim to perform certain actions, such as opening a malicious attachment or clicking on an infected link. Forms of phishing range from mass email campaigns to highly targeted spear phishing. Defense against these attacks relies primarily on regular awareness training for employees, the use of advanced anti-spam and anti-phishing filters, verification of the authenticity of suspicious messages, and promotion of the principle of limited trust.

Another dangerous threat is ransomware, a type of malware that encrypts data on a victim’s computer or network and then demands a ransom to unlock it. These attacks can completely cripple a company’s operations, leading to huge financial and reputational losses. Effective protection includes regularly backing up and testing data (stored in a secure location, preferably offline), segmenting networks to limit the spread of the attack, using modern endpoint protection solutions (EDR), quickly patching known vulnerabilities, and continually educating employees about the risks of carelessly opening attachments and links.
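One concrete thing an endpoint protection solution does against the encryption phase described above is watch the rate at which a single process changes file extensions. The detector below is an added example written for this article, not code from any EDR product or from the original page; the file-event line format, process names, paths and the .locked extension are all constructed for the demo, and the window and threshold are tunable assumptions.

```python
import os
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed file-activity line format (assumption: invented for this example,
# not the output of any real EDR or audit product).
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) proc=(?P<proc>\S+) pid=(?P<pid>\d+) op=(?P<op>\w+) "
    r"src=(?P<src>\S+)(?: dst=(?P<dst>\S+))?$"
)


def parse_event(line):
    """Parse one event line into a dict, or return None for lines that do not match."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    ev["pid"] = int(ev["pid"])
    return ev


def detect_mass_rename(lines, window_seconds=60, threshold=10):
    """Alert when one process changes the extension of >= threshold files inside the window.

    A user saving a document renames one file; a file-encrypting process
    rewrites whole directory trees, so the per-process rate of extension
    changes is the signal. Renames that keep the extension are ignored.
    """
    recent = defaultdict(deque)  # (proc, pid) -> timestamps of recent extension changes
    alerted = set()
    alerts = []
    events = [ev for ev in map(parse_event, lines) if ev]
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["op"] != "rename" or not ev["dst"]:
            continue
        src_ext = os.path.splitext(ev["src"])[1].lower()
        dst_ext = os.path.splitext(ev["dst"])[1].lower()
        if src_ext == dst_ext:
            continue
        key = (ev["proc"], ev["pid"])
        q = recent[key]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)  # one alert per process, not one per file
            alerts.append({
                "proc": ev["proc"], "pid": ev["pid"],
                "renames_in_window": len(q), "new_extension": dst_ext,
                "first_seen": q[0].isoformat(), "last_seen": ev["ts"].isoformat(),
            })
    return alerts


def sample_events():
    """Constructed feed: two ordinary saves, then a burst of .docx -> .locked renames."""
    lines = [
        "2025-03-03T10:00:01Z proc=winword.exe pid=1200 op=rename src=C:/Users/a/~tmp1.tmp dst=C:/Users/a/report.docx",
        "2025-03-03T10:00:05Z proc=explorer.exe pid=900 op=rename src=C:/Users/a/notes.txt dst=C:/Users/a/notes-old.txt",
    ]
    for i in range(12):
        lines.append(
            f"2025-03-03T10:01:{i * 2:02d}Z proc=unknown.exe pid=4242 op=rename "
            f"src=C:/Share/doc{i}.docx dst=C:/Share/doc{i}.docx.locked"
        )
    return lines


if __name__ == "__main__":
    for alert in detect_mass_rename(sample_events()):
        print(alert)
```

When such an alert fires, the response that matches the advice above is to isolate the host from the segment it sits in and to confirm that the offline backup of the affected share is intact before any restore.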

A broad category is malware (malicious software), which includes viruses, worms, Trojans, spyware, adware and other malicious programs. They can steal data, damage systems, monitor user activity or take control of infected devices. Methods to protect yourself include using reputable, regularly updated antivirus and antimalware software, taking care to keep operating systems and applications up-to-date, being cautious when downloading files, and implementing application controls.

Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) attacks aim to disrupt or completely disable Internet services, such as websites or online applications, by flooding them with huge amounts of artificial network traffic, often coming from multiple distributed sources (botnets). Protection against them involves the use of specialized anti-DDoS solutions, proper configuration of network infrastructure and traffic monitoring systems.

Advanced Persistent Threats (APTs) are very dangerous. These are long-term, complex and often targeted attacks carried out by highly motivated and highly resourced groups, such as state-sponsored or organized crime groups. The goal of APTs is usually theft of sensitive data, espionage or sabotage, and they are extremely difficult to detect and neutralize. Defense requires multi-layered security measures, advanced detection systems, threat intelligence analysis and proactive threat hunting.

One should also not forget about insider threats (Insider Threats), which can come from rogue employees, contractors, or, more often, from employees who inadvertently make mistakes or violate security procedures. Protection in this area includes implementation of the principle of least privilege, monitoring of privileged user activity, data leakage prevention (DLP) systems, regular training, and building a positive organizational culture based on trust and accountability.

Finally, supply chain attacks (Supply Chain Attacks), which involve compromising an organization through its trusted software, hardware or service providers, are becoming more common. Defense requires careful verification of the security of business partners, monitoring of the integrity of components used, and appropriate network segmentation.

Effective protection against this diverse spectrum of threats therefore requires not only the use of appropriate technological tools, but, above all, constant vigilance, systematic employee education and a willingness to adapt in the face of cybercriminals’ constantly evolving methods.

## Building cyber resilience step by step: from risk assessment and strategic planning to security implementation and incident management

Building real cyber resilience in an organization is a continuous and multi-stage process that requires a strategic approach, commitment at all levels, and systematic work on improving defense mechanisms. There is no one-size-fits-all solution; each company must tailor its cyber security strategy to the specifics of its business, risk profile and available resources. However, a few key steps can be identified as the foundation of the process, leading to a robust and adaptive protection system.

The first and most important step is a thorough understanding and assessment of the cyber risks facing the organization (Risk Assessment). This process should include identifying key information assets, such as critical data, IT systems that support core business processes, and intellectual property. This should be followed by an analysis of potential threats to these assets and existing vulnerabilities in systems and processes. An assessment of the likelihood of individual threats and the potential consequences of their materialization - financial, reputational, operational or legal - allows the creation of a risk map. The results of the risk assessment provide the necessary basis for prioritizing further actions and rationally allocating resources to safeguards, concentrating efforts where they are needed most.

Based on its risk assessment, the organization should develop a comprehensive cyber security strategy and policy. This strategy must define long-term security goals, key priorities, roles and responsibilities of individuals and units, and a framework for all information security activities. It is also necessary to create and implement detailed information security policies that govern specific aspects, such as password management, use of mobile devices (including a BYOD - Bring Your Own Device - policy), remote working rules, data classification and protection, system access management or backup procedures. Strategy and policies should be living documents, regularly reviewed and updated in response to changing threats and business needs.

The next step is to implement appropriate technical and organizational measures to minimize the identified risks. This includes the implementation of technological safeguards such as firewalls, EDR systems, multi-factor authentication (MFA) mechanisms, data encryption, vulnerability management tools and others, according to the strategy. Equally important is the implementation of organizational measures, such as the aforementioned policies, operating procedures or training programs. It is important to adopt a multi-layered defense (defense in depth) approach, where different security mechanisms complement each other to create a system that is resilient to single points of failure.

As has been repeatedly emphasized, the human factor is crucial in a cyber security system. Therefore, it is essential to invest in regular, engaging training programs and awareness campaigns for all employees. These trainings should equip employees with the knowledge and skills necessary to recognize threats, such as phishing, and to use technology safely and comply with internal security policies.

Every organization, regardless of the level of security measures implemented, must be prepared for the possibility of a cyber incident. Developing and regularly testing an Incident Response Plan is absolutely key. This plan should precisely define the procedures to be followed in the event of an attack - from its detection and initial analysis, to actions to contain and eliminate the threat, to recovering full systems and learning lessons for the future (lessons learned). It is equally important to have a Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) to ensure that critical business processes can be resumed and data restored after a major disruption. Regular backup and testing of critical data and systems is the foundation here.

Finally, cyber security is not a state that is achieved once and for all, but an ongoing process that requires constant monitoring, auditing and improvement. Constant monitoring of systems and networks for new threats and suspicious activity, regular security audits (both internal and external) and penetration testing are essential. Lessons learned, new threat intelligence and the changing business and regulatory environment must be the basis for systematically improving implemented safeguards and updating cyber security strategies. Building cyber resilience is an iterative journey that requires constant commitment, adaptability and a relentless pursuit of excellence.

## The role of managers and HR in shaping a cyber-secure organization: from promoting awareness to managing human risk

While responsibility for the technical aspects of cyber security often rests with the IT department or dedicated security teams, building a truly cyber-secure organization, where information protection is an integral part of the culture, requires commitment and shared responsibility at all levels, especially from line managers and the Human Resources (HR) department. It is these groups that play a key role in shaping employee attitudes, behaviors and awareness, which are the foundation for effective protection against cyber threats, especially those involving the human factor.

Line managers are the direct leaders for their teams and have a huge day-to-day impact on their security practices. Their key tasks in this area include, first and foremost, actively promoting cyber security awareness within the team. They should regularly remind people of the fundamentals of security, discuss current threats (e.g., new phishing campaigns), encourage and motivate participation in training, and discuss the importance of cyber security in achieving the goals of the team and the company as a whole. Equally important is consistent enforcement of the company’s security policies and procedures. Managers need to ensure that their team members follow policies such as creating and protecting passwords, using company-owned and private software, protecting sensitive data or reporting suspicious activity. Their role also includes identifying and reporting potential security risks and incidents in their area of responsibility, as well as supporting employees in the safe use of technology and resolving security issues. Crucially, managers must set a good example (lead by example) through their own responsible and policy-compliant behavior in cyberspace. They should also integrate security aspects into the induction (onboarding) processes of new team members, ensuring that they are properly introduced from the very beginning.

The HR department plays a strategic and multidimensional role in managing the “human dimension” of cyber security, supporting the organization in building the competencies, attitudes and culture necessary to effectively protect against cyber threats. Key HR tasks in this area include:

  • Recruitment and selection processes: Consideration of security awareness aspects in recruiting for all positions, as well as careful verification of the competencies of candidates for cybersecurity specialist roles. In some cases, background verification of candidates for high-risk positions.
  • Effective onboarding of new employees: Ensure that every new employee, regardless of position, is thoroughly briefed on existing information security policies from their first days with the company and receives appropriate introductory training on cyber threats and safe practices.
  • Systematic training and development programs: Design, implement and monitor the effectiveness of comprehensive, engaging cyber security training programs for all employees. These trainings should be repeated regularly, updated and adapted to changing threats and the specifics of different employee groups. EITT specializes in creating such interactive and practical training that realistically raises awareness and changes behavior.
  • Internal communication and building a safety culture: Actively support communication activities (e.g., information campaigns, newsletters, posters, contests) aimed at continuously building risk awareness and promoting safe behavior as an integral part of organizational culture. It is important that safety is seen not as an onerous duty, but as a shared responsibility and value.
  • Develop and update personnel policies that take into account aspects of information security, such as remote work policies, use of private devices for business purposes (BYOD), clean desk and screen policies, or incident handling policies.
  • Internal risk management (insider threat management) and offboarding processes: Work with security and IT to identify and minimize risks associated with employee actions (both unintentional and intentional). Procedures for safely disconnecting employees from company systems upon termination of employment (offboarding) are also key.
  • Promote the mental well-being of employees, as stress and job burnout can lead to lower alertness and greater susceptibility to safety-related errors.

A synergy of consistent action by line managers and strategic initiatives by the HR department, supported by the unequivocal commitment of top management, is absolutely essential to create an organization where cyber security is prioritized as a common concern and an integral part of every employee’s daily work.

## Artificial intelligence (AI) in cyber security: a double-edged sword - from advanced threat detection to next-generation attacks

Artificial intelligence (AI) and machine learning (ML) are revolutionizing many fields, and cybersecurity is no exception. AI is becoming an increasingly powerful tool in the hands of both defenders and attackers, making it a kind of “double-edged sword” in the battle for digital security. Understanding both sides of this coin is key to effectively harnessing AI’s potential in defense and preparing for new types of threats that are becoming increasingly sophisticated.

On the defense side (Blue Team), artificial intelligence offers a range of advanced capabilities that significantly enhance traditional security systems. Machine learning algorithms can analyze vast amounts of data from system logs, network traffic or user behavior in real time, detecting subtle patterns and anomalies that could indicate an attack in progress or the exploitation of a new, previously unknown vulnerability (a so-called zero-day). AI excels at identifying unusual behavior that would elude traditional systems based on predefined signatures. What’s more, SOAR (Security Orchestration, Automation and Response) platforms, often enhanced with AI components, allow automation of many routine security incident handling tasks, such as initial analysis and prioritization of alerts, collection of additional contextual information, blocking of malicious traffic or isolation of infected systems. Such automation significantly speeds up response times and relieves overburdened security analysts, allowing them to focus on more complex threats. AI is also being used to automatically analyze and classify new malware (malicious software) variants, allowing faster creation of signatures and defense mechanisms. Another promising application is behavioral authentication systems, where AI analyzes users’ unique behavioral patterns (e.g., the way they type, move the mouse, typical hours of activity) to continuously authenticate them and detect unauthorized access attempts, even if login credentials have been stolen. In addition, AI can assist in predictive vulnerability management by forecasting which security vulnerabilities are most likely to be exploited by attackers, allowing for more effective prioritization of patching efforts.
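The behavioral idea in the paragraph above, a per-user profile learned from past activity against which each new login is scored, can be shown without any ML library: a baseline of countries, devices and typical hours, and a login is flagged when it departs from that baseline in more than one way. This is an added example written for this article, not code from the original page or from any vendor; the log-line format, user names, countries and device identifiers are constructed, and the “two standard deviations with a two-hour floor” rule for login hours is an assumption chosen for the demo.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed authentication-log format (assumption: invented for this example).
LOG_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})T(?P<hour>\d{2}):\d{2}:\d{2}Z "
    r"user=(?P<user>\S+) src_country=(?P<country>[A-Z]{2}) "
    r"device=(?P<device>\S+) result=(?P<result>success|failure)$"
)


def parse_login(line):
    """Parse one log line into a dict (hour as int), or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["hour"] = int(ev["hour"])
    return ev


def build_baseline(history_lines):
    """Per-user profile learned from past successful logins: countries, devices, login hours."""
    profile = defaultdict(lambda: {"countries": set(), "devices": set(), "hours": []})
    for ev in map(parse_login, history_lines):
        if ev is None or ev["result"] != "success":
            continue  # failed attempts say nothing about the legitimate user's habits
        p = profile[ev["user"]]
        p["countries"].add(ev["country"])
        p["devices"].add(ev["device"])
        p["hours"].append(ev["hour"])
    return dict(profile)


def deviations(baseline, ev):
    """List every way a login departs from the user's learned profile."""
    p = baseline.get(ev["user"])
    if p is None:
        return ["no_history"]
    reasons = []
    if ev["country"] not in p["countries"]:
        reasons.append("new_country")
    if ev["device"] not in p["devices"]:
        reasons.append("new_device")
    # Hour-of-day check: outside mean +/- 2 sigma, with a floor of 2 hours so a
    # very regular user is not flagged for logging in slightly early.
    tolerance = max(2 * pstdev(p["hours"]), 2)
    if abs(ev["hour"] - mean(p["hours"])) > tolerance:
        reasons.append("unusual_hour")
    return reasons


def detect_anomalies(history_lines, new_lines, min_reasons=2):
    """Return (line, reasons) for new logins with at least min_reasons deviations."""
    baseline = build_baseline(history_lines)
    flagged = []
    for line in new_lines:
        ev = parse_login(line)
        if ev is None:
            continue
        reasons = deviations(baseline, ev)
        if len(reasons) >= min_reasons:
            flagged.append((line, reasons))
    return flagged


# Constructed sample data: a week of ordinary logins, then three new events.
HISTORY = [
    "2025-02-24T08:02:11Z user=alice src_country=PL device=LAPTOP-A1 result=success",
    "2025-02-25T09:15:40Z user=alice src_country=PL device=LAPTOP-A1 result=success",
    "2025-02-26T09:01:03Z user=alice src_country=PL device=LAPTOP-A1 result=success",
    "2025-02-27T10:12:55Z user=alice src_country=PL device=LAPTOP-A1 result=success",
    "2025-02-28T08:45:19Z user=alice src_country=PL device=LAPTOP-A1 result=success",
    "2025-03-01T09:30:00Z user=alice src_country=PL device=LAPTOP-A1 result=success",
    "2025-03-02T08:58:42Z user=alice src_country=PL device=LAPTOP-A1 result=success",
    "2025-02-24T13:05:00Z user=bob src_country=PL device=WS-B7 result=success",
    "2025-02-25T14:20:00Z user=bob src_country=PL device=WS-B7 result=success",
    "2025-02-26T12:40:00Z user=bob src_country=PL device=WS-B7 result=success",
    "2025-02-26T23:40:00Z user=bob src_country=US device=WS-B7 result=failure",
]
NEW_EVENTS = [
    "2025-03-03T03:14:09Z user=alice src_country=RU device=UNKNOWN-X result=success",
    "2025-03-03T13:30:00Z user=bob src_country=PL device=WS-B7 result=success",
    "2025-03-03T11:00:00Z user=alice src_country=PL device=LAPTOP-A1 result=success",
]

if __name__ == "__main__":
    for line, reasons in detect_anomalies(HISTORY, NEW_EVENTS):
        print(reasons, "<-", line)
```

Requiring two independent deviations before raising an alert is what keeps the analyst queue usable: alice’s 11:00 login is slightly outside her habit and is recorded as a single weak signal, while the 03:14 login from a new country on an unknown device trips three checks at once, which is the pattern stolen credentials typically produce.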

Unfortunately, cybercriminals (Black Hat) are also increasingly willing and able to use artificial intelligence tools to increase the effectiveness, scale and sophistication of their attacks. AI can be used to create much more sophisticated and harder-to-detect malware, for example by generating new malware variants that can dynamically change their code (polymorphic or metamorphic malware) to evade traditional antivirus systems. Artificial intelligence also significantly improves phishing attacks and other forms of social engineering. NLP algorithms can generate extremely convincing, personalized phishing messages tailored to the profile of a specific victim, as well as create fake social media profiles or deepfakes (manipulated audio and video) that are difficult to distinguish from authentic ones. AI can also be used to automate the process of finding and exploiting vulnerabilities in systems (automated vulnerability discovery and exploitation), as well as to crack passwords or CAPTCHA systems on a much larger scale. What’s more, attackers can use AI to analyze defense systems and adapt their attack methods in real time to avoid detection (adversarial AI). This kind of “arms race” between defenders and attackers using increasingly sophisticated AI tools will certainly be one of the key cyber security challenges in the coming years.

## The future of cyber security and strategic partnership with EITT: how to build sustainable resilience and security culture in your organization

The cybersecurity landscape is in a state of constant evolution, driven both by advances in technology and the constant adaptation of methods used by cybercriminals. Organizations that want to effectively protect their assets and ensure lasting digital resilience must not only respond to current threats, but also proactively prepare for the challenges of the future. Several key trends will shape the future of cyber security.

First, the Zero Trust architecture, which departs from the traditional model based on trusting users and devices inside the corporate network, will become increasingly important. In the Zero Trust approach, no connection or user is considered secure by default; every attempt to access resources is verified and authorized based on a number of factors, regardless of location. Second, cloud security will play an increasingly important role as more organizations move their data and applications to cloud environments. This requires specialized tools and expertise in cloud data protection, identity and access management (IAM), and monitoring the configuration of cloud services. Third, the security of the Internet of Things (IoT) and industrial (OT) systems will become an increasing challenge as the number of networked devices, which are often not designed with security in mind, grows. Fourth, the impact of quantum computing on cryptography is a potential, albeit more remote, threat that may require the development of new quantum-resistant encryption algorithms. Finally, regulations (such as NIS2, DORA and RODO, the Polish name for GDPR) will continually grow in importance, imposing increasingly stringent cybersecurity and data protection obligations on organizations.
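The Zero Trust sentence above is easiest to make concrete as a policy decision point that denies by default and evaluates identity, authentication strength and device posture for every request, while the network the request comes from is recorded but carries no weight. The evaluator below is an added example written for this article, not code from the original page or from any Zero Trust product; the resource names, roles, posture signals and the requests in the demo are all constructed, and in a real deployment those signals would come from the IAM, MFA and device-management systems the paragraph mentions.

```python
from dataclasses import dataclass

# Constructed resource policy (assumption: resource and role names are invented).
RESOURCE_POLICY = {
    "wiki":       {"roles": {"employee"}, "sensitivity": "low"},
    "hr-payroll": {"roles": {"hr"},       "sensitivity": "high"},
    "prod-db":    {"roles": {"dba"},      "sensitivity": "high"},
}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    roles: frozenset        # roles asserted by the identity provider
    mfa_verified: bool      # strong authentication completed for this session
    device_managed: bool    # device is enrolled and known to the organization
    device_patched: bool    # device passes the current compliance check
    network: str            # "corporate" or "external": logged, never trusted
    resource: str
    action: str             # "read" or "write"


def evaluate(req):
    """Deny by default: every check must pass, and network location is not a check.

    Returns {"decision": "allow"|"deny", "reasons": [...]} where reasons lists
    every failed check, so an auditor sees the full picture, not just the first miss.
    """
    policy = RESOURCE_POLICY.get(req.resource)
    if policy is None:
        return {"decision": "deny", "reasons": ["unknown_resource"]}
    failures = []
    if not (req.roles & policy["roles"]):
        failures.append("role_not_authorized")
    if not req.mfa_verified:
        failures.append("mfa_required")
    if not req.device_managed:
        failures.append("unmanaged_device")
    if policy["sensitivity"] == "high" and not req.device_patched:
        failures.append("device_not_compliant")
    if failures:
        return {"decision": "deny", "reasons": failures}
    return {"decision": "allow", "reasons": ["all_checks_passed"]}


def audit_line(req, result):
    """One log line per decision; the network field is where location is recorded."""
    return (f"user={req.user} resource={req.resource} action={req.action} "
            f"network={req.network} decision={result['decision']} "
            f"reasons={','.join(result['reasons'])}")


def demo_requests():
    """Constructed requests that exercise the checks in both directions."""
    return {
        # On the corporate network but no MFA: location does not substitute for it.
        "inside_no_mfa": AccessRequest("alice", frozenset({"employee", "hr"}), False, True, True,
                                       "corporate", "hr-payroll", "read"),
        # From outside with MFA on a managed, patched device: allowed.
        "outside_full": AccessRequest("alice", frozenset({"employee", "hr"}), True, True, True,
                                      "external", "hr-payroll", "read"),
        # Low-sensitivity resource on an unenrolled device: still denied.
        "wiki_byod": AccessRequest("bob", frozenset({"employee"}), True, False, False,
                                   "corporate", "wiki", "read"),
        # Wrong role and bad posture against a high-sensitivity resource.
        "db_wrong_role": AccessRequest("bob", frozenset({"employee"}), True, False, False,
                                       "corporate", "prod-db", "write"),
    }


if __name__ == "__main__":
    for name, req in demo_requests().items():
        print(name, "->", audit_line(req, evaluate(req)))
```

The contrast between the first two requests is the whole point of the model: the same user asking for the same resource is denied on the corporate LAN without MFA and allowed from outside with it, because the decision is built from verified signals about the identity and the device rather than from where the packets originate.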

As a trusted partner in strategic risk management, regulatory compliance and competency development, EITT offers comprehensive support for organizations looking to build sustainable cyber resilience and a security culture that is ready for the future. We help our clients with:

  • Conducting a comprehensive cyber risk assessment and gap analysis against best practices and regulatory requirements (including NIS2 and DORA).
  • Developing and implementing a coherent cyber security strategy that is integrated with business goals and covers all key pillars: technology, processes and people.
  • Designing and delivering engaging cyber security training programs and awareness campaigns for all employees, from management to front-line staff, building a "human firewall" and promoting safe behavior.
  • Supporting the development and testing of incident response plans and business continuity and disaster recovery plans (BCP/DRP).
  • Advising on building an organizational culture based on risk awareness and shared responsibility for security.
  • Interpreting and implementing the requirements of new regulations, helping organizations achieve compliance and minimize risk.

Our goal is not only to help implement specific solutions, but above all to support you in building a sustainable capacity for your organization to adapt, respond and continuously improve its defenses in the face of the ever-evolving cyber threat landscape.

In summary, cyber security in today's world is not a sprint but a marathon: a continuous process requiring a strategic approach, constant vigilance, investment in appropriate technologies and competencies, and above all a strong security culture at all levels of the organization. In the face of growing threats and increasingly stringent regulatory requirements, proactive and holistic cyber security management is becoming an absolute priority and the foundation for the stable development of any modern enterprise. It is an investment in customer trust, reputation and business continuity that is simply indispensable today.

If your organization faces the challenge of strengthening its cyber resilience, complying with new regulations such as NIS2 or DORA, or wishes to build a stronger culture of security awareness among its employees, we warmly invite you to contact EITT. Our experts are committed to helping you diagnose your needs, design effective strategies and implement solutions that will measurably improve your company's security. Together, we can build a future in which your organization is not only digital, but also cyber secure.

Develop Your Skills

This article is related to the training Cyber security for employees in the context of NIS2 and KSC. Check the program and sign up to develop your skills with EITT experts.

## Frequently Asked Questions

### What is the main difference between the NIS2 Directive and the DORA Regulation?

NIS2 is a directive, so each Member State transposes it into national law (in Poland through the amended Act on the National Cybersecurity System, KSC); it applies broadly across many sectors of the economy and imposes cyber security risk management and incident reporting obligations on entities classified as "essential" or "important". DORA is a regulation, directly applicable in every Member State without transposition; it targets the financial sector and its ICT service providers specifically and focuses on digital operational resilience, including ICT risk management, incident reporting, threat-led penetration testing (TLPT) for designated financial entities and strict oversight of third-party ICT service providers. A financial entity may therefore fall under both, with DORA taking precedence as the sector-specific act.

### Does NIS2 apply to small and medium-sized enterprises?

Yes, in part. NIS2 significantly expands the scope of regulated entities compared to the original NIS Directive. By default it covers medium-sized and large enterprises operating in the covered sectors, such as energy, transport, healthcare or digital infrastructure, so many businesses that count as SMEs now fall under its requirements, most of them as "important" entities. Micro and small enterprises are generally out of scope, with exceptions for specific cases (for example, certain digital service providers, sole providers of a service in a Member State, or entities designated as critical).

### How can organizations start preparing for NIS2 and DORA compliance?

Organizations should begin by determining whether and how they are in scope, then carry out a thorough gap analysis comparing their current cyber security practices against the specific requirements of each regulation. This includes reviewing risk management processes, incident detection and reporting procedures (including the reporting deadlines), supply chain and third-party ICT provider security, business continuity arrangements and employee awareness programs. Engaging specialized training and advisory support can accelerate this process significantly.

### Why is building a security culture as important as implementing technical safeguards?

Technical controls can be bypassed through human error or social engineering attacks such as phishing. A strong security culture ensures that every employee understands their role in protecting the organization, recognizes common threats, and follows established procedures — making people an active line of defence rather than the weakest link in the security chain.
