Video: Compliance by Design – A Unified Approach to Cyber Security and Resilience | Duration: 3048s | Summary: Compliance by Design – A Unified Approach to Cyber Security and Resilience | Chapters: Welcome and Introduction (33.54s), Regulatory Landscape Overview (95.61s), Understanding DORA Regulation (311.46503s), DORA vs NIS2 Comparison (555.31s), Ongoing Compliance Challenges (901.285s), Compliance Implementation Challenges (1290.385s), Compliance as Advantage (1777.16s), Compliance Q&A Session (2232.53s), Concluding Remarks (2894.4949s)
Transcript for "Compliance by Design – A Unified Approach to Cyber Security and Resilience":

Rina: Welcome to today's webinar, Compliance by Design, A Unified Approach to Cybersecurity and Resilience. Joining us today are two industry experts, Patrick Beckman Lapré, digital trust specialist at DigiCert, and Carolin Römmer, principal consultant from ISG. Before we start today, I'll take you through some housekeeping items. Today's webinar will be recorded, and throughout the webinar you can ask questions. If there are any questions at the end of the event that we haven't been able to respond to, we will reply to you directly. And if you're finding any technical issues, please check your Internet connection and try refreshing your browser. If the technical issues persist, please send a message in the chat, and we'll be there to help. Thank you again for joining us. I will now hand over to our speakers, Patrick and Carolin.

Patrick: Thanks, Rina, for the introduction and your explanation. I'm Patrick Beckman Lapré. I'm senior director at DigiCert, working for the digital trust specialist group, and I have been working since 1989 in the cybersecurity space, especially, because I am located in Europe, focusing on European regulations and compliance. I'm also part of the Cloud Signature Consortium. And I would like to introduce to you Carolin Römmer, who will be our guest speaker today in this webinar.

Carolin: Yes. Thank you very much, Patrick. My name is Carolin Römmer. I'm a principal consultant at Information Services Group, ISG, and I have been consulting on cybersecurity for more than ten years. I had my first project on DORA in 2021, when it was still a draft. It was an initial compliance assessment, including a remediation road map, and since then I've always been engaged in some way. NIS2 is also one of the focus topics in my team, so naturally I gained some insights into it as well.

Patrick: Thanks for your introduction, Carolin.
Patrick: Let's start with the first, let's say, setting there. In today's interconnected world, organizations operate within an increasingly complex and dynamic global regulatory environment. Governments and regulatory bodies across jurisdictions are enacting a growing number of rules and standards to address emerging challenges, ranging from cybersecurity and data protection to environmental sustainability and financial integrity. If you look at this evolving landscape, it is really shaped by technology enhancements, heightened geopolitical tensions, and rising expectations from customers, investors, and civil society. As a result, businesses must navigate overlapping, sometimes conflicting regulations across regions while maintaining compliance, ensuring operational resilience, and safeguarding their reputation. If you look at this map, and then specifically at Europe, we have two key regulatory frameworks that have been implemented, DORA and NIS2. Those are very important, and understanding the nuances of global regulation is a critical building block for compliant, sustainable, and competitive operations worldwide. What you also see is, for example, if you look at DORA, it is mainly focusing on the financial industry, whereas NIS2 is looking at critical infrastructures. If you look at critical infrastructures, finance is also part of it, similar to energy, water, and everything related that could disrupt our operational life. Can you give us a little bit more insight on what you see in DORA and these two regulations?

Carolin: Yes. Thank you, Patrick. So let's have a look at DORA. DORA is the Digital Operational Resilience Act. The number of cyberattacks is constantly growing, as well as the number of ICT breaches, meaning breaches regarding information and communication technology, and banks and the financial industry in general are critical for business and also for our daily lives.
Carolin: So it's important to protect them. DORA is the European approach, meaning we have the same rules for all in-scope companies in Europe. Let's have a look at the companies that are in scope. As Patrick mentioned, we have financial institutions in scope, for example credit institutions and investment firms, and also credit rating agencies and trading venues, but also service providers. So we have, for example, crypto-asset service providers in scope, and, this is also really essential, we have the ICT third-party service providers in scope, meaning that DORA is considering the supply chain. This is really key, as most ICT breaches are coming through a leak in the supply chain. Let's have a look at the DORA timeline. DORA was drafted in 2020, and the final version was published in January 2023. Since January 2025 it's in effect. But why are we talking about it? Many companies are still struggling with reaching DORA compliance, as some requirements lead to long-lasting projects which are not yet completed, or, for some requirements, the companies are still looking for good solutions. So it's still important to talk about DORA. And now let's have a look at NIS2. NIS2 is the Network and Information Systems Directive 2. It's the predecessor of NIS, and it expands the scope in comparison to the original NIS directive, meaning we have more sectors and also additional requirements in scope. Its target is to protect critical infrastructures, essential services, and also key sectors from cyber threats. Also, let's have a look at what is in scope. We have the differentiation between essential and important sectors. Under the essential category, we have, for example, energy and banking, but also health. Under the important sectors, we have, for example, chemicals or food. Also, regarding the timeline: in May 2020, there was an agreement reached between the Commission and the Parliament.
Carolin: And in November, the draft was approved, and it is now in force. Member states had the obligation to transpose the directive into national law by October 2024. But in Germany, we have the situation that this was not done. A draft was available, but due to early elections it was not transposed into national law. So let's pause here and briefly talk about the comparison of DORA and NIS2. Both have cybersecurity requirements and target to protect companies in scope against cyberattacks. But let's focus on the differences. DORA is an act, which means it's directly applicable, and it has the same requirements for all EU countries, so for all in-scope companies. NIS2 is a directive, which means that member states must transpose it into national law. Some countries remain with the broad requirements from the directive, and some go more into detail. So we have here different requirements in each country. Also, the level of granularity is different. In Germany, NIS2 will remain quite generic if we really go with the current draft version. But DORA goes much more into detail. And also, DORA and NIS2 have a different scope. Financial institutions are covered by both regulations, but NIS2 has many more sectors in scope. As DORA and NIS2 both cover financial institutions, DORA supersedes NIS2, which means that NIS2 also states that some paragraphs are not relevant for financial institutions which are covered by DORA. For example, incident reporting guidelines have to be followed as outlined in DORA. Also, I would like to mention that for NIS2 there are certain thresholds, for example regarding turnover and number of staff, that have to be considered to define whether a company is in scope or not for NIS2.

Patrick: Thanks for your explanation, Carolin. A couple of questions popped into my mind, for example.
Patrick: Both DORA and NIS2 have penalties in their regulation, or in the act. And you already mentioned that both DORA and NIS2 are already more or less in effect. What would be the impact if organizations don't comply today with those, or one of those, regulations or acts?

Carolin: Mhmm. Yes. So regulators already mentioned it, but, of course, there's nothing written. But they mentioned a kind of grace period and expect full compliance at the beginning of 2026, which means that directly in January they could do an audit. And I'm sure that in most companies they would find uncompleted requirements, and then companies would get findings with different severities. Based on the findings, they would then do regular check-ups to see if the findings are closed or not. Also, especially with DORA, we have financial penalties for violations of the requirements. So, for example, a breach could lead to up to 2% of the total annual turnover or even 1% of the average daily worldwide turnover. So we have here also a financial impact that needs to be considered.

Patrick: And they could be huge if you mention the turnover in there. But I also noticed in a couple of EU member states that it is not one single supervisory body that covers both DORA and NIS2. It might be two different supervisory bodies. What might be the impact if you have to deal with two supervisory bodies?

Carolin: Yes. So, of course, we have additional overhead for the companies. But I would say it's even more than just two supervisory bodies, because we also have the national supervisory bodies. So if a company operates in several countries in the EU, they could have multiple supervisory bodies. And, also, it's important to note that even though for DORA, for example, we have EU-wide the same requirements, sometimes it happens that supervisory bodies have a different interpretation of the requirements.
Carolin: So I'm really looking forward to seeing the first audit that is done for DORA, to see how the requirements are interpreted. And with NIS2 it's even more severe, because then we have different requirements in each country. So, of course, the audits will also be very different. And, yeah, this is just something that companies need to be prepared for: that, if they see an audit is coming, they assign enough people to deal with it, to get the answers that are required to the regulators, and in general that they really plan for this high effort that's expected to come.

Patrick: Thank you. What I hear in a lot of, let's say, conversations is that companies often think that DORA and NIS2 are, let's say, one-time activities. I go through a checklist, and I check all the boxes to check whether I'm compliant or not. But due to, let's say, changes in regulations, but also the changes in cybersecurity attacks, more or less it is an ongoing compliance activity that you do year after year, or month after month, or even day after day. How prepared, in your view, are organizations today to make this, let's say, compliance by design, to make it part of their daily operations?

Carolin: Yeah. So I would say some have, like, one or two persons who are regularly overseeing the regulatory landscape. They are checking for changes in existing regulations. They are looking for upcoming regulations. They also regularly check the threat landscape. But I would say these are only very few companies. Most struggle. They still have the old mindset, as you mentioned, where they really say, okay, there's a regulation, let's check boxes, and once it's done, just put it somewhere and don't look at it again. So, yeah, this is something that still needs to be addressed, I would say.

Patrick: Yeah. It should be a mindset change, if I would call it that way.

Carolin: Definitely.
Patrick: You mentioned a couple of times already the requirements of DORA and NIS2. Can you give some insight: is there overlap? Are they totally different? Or do you see some kind of, let's say, unified approach?

Carolin: Yes. So if we again go back to the presentation, we can see that in DORA there are some basic requirements. These are applicable to all in-scope companies. So, for example, in the ICT risk management chapter, we have the settlement of cyber threats and ICT vulnerabilities. Companies need to implement and test ICT business continuity plans. And, also, in addition, for example, we have the requirements for crisis communication plans, or comprehensive testing programs, including different kinds of assessments, tests, practices, and tools. So those are basic requirements. In addition, we then also have the option of information sharing, which means that financial institutions can share cyber threat information, including the related intelligence, with other financial institutions. So they could kind of join forces to tackle cyber threats. And, also, we have one chapter on outsourcing. I would say this affects, like, 99% of in-scope companies, because more or less all are doing outsourcing, of course in different ranges. And if the company does outsourcing, then there are also clear requirements for it. So, for example, companies need to define exit strategies for all ICT services which are supporting critical or important functions. And also they need to review and test the defined exit strategies. They are also asked very clearly to include certain requirements in their contracts. So a company must go through all their ICT contracts to check if certain requirements are in there. If not, they need to adjust their contracts, for example with DORA amendments. So there's also a high operational effort involved here.
Carolin: As mentioned, DORA's main target is to prevent and mitigate cyber threats. And, also, it's important to note that the supervisory authority can directly oversee critical third-party providers. I mean, the list of the critical third-party providers is not yet published, as well as the criteria for how they were defined. But we are looking forward to getting this list and also to understanding what the impact will be: how the supervisory authority will oversee the providers, what exactly will be done, and how this then helps the financial institutions in scope. And let's have a look at NIS2. NIS2 also has cyber measures. We have similar topics as DORA. So, for example, we also have here incident handling. We have requirements on business continuity and also risk management. So it's, I would say, a high overlap between DORA and NIS2, but as they have a different scope, I mean, this is understandable.

Patrick: Thank you. If you look at those requirements that you just explained a little bit to us, let's say some of the things are not finalized yet. We are waiting for overviews on what is critical, what is not critical, et cetera. What do you see as the most challenging activities companies are facing at this point in time?

Carolin: Mhmm. Yeah. So I would say, in general, we have budget constraints, which are a big issue. Each new regulation creates additional effort, because companies need to review the requirements. They need to assess whether they're compliant or not, do remediation plans, and so on. So either they can do it with internal effort, so with the existing staff, but sometimes they also need experts or just additional manpower to do the assessment. This always leads to additional budget that's required. Also, DORA.
Carolin: So for DORA, there's a big advantage that the banking sector has always been heavily regulated in the past. And at least the mid-sized banks and the large banks already had regular audits. So they are kind of aware of what their gaps are. And, also, most banks already have a certain level of cybersecurity implemented. Of course, DORA has some specific requirements, like encryption of data in use or penetration tests on the live production environment, which are now coming in addition. And, yeah, some banks I'm currently advising are still struggling to find solutions to meet those requirements. Also, they need to ensure that the daily business is not slowed down or endangered. So they have to kind of balance the daily operations and those additional regulatory requirements, how to deal with both at the same time. And with NIS2, we have a wide scope. We have new sectors in scope in comparison to NIS. And, also, some of the new sectors were not, or at least not heavily, regulated. So some companies start slightly above zero. And now they're required to have good cybersecurity measures in place in a short timeline. And so I think for some, this is a huge burden they are now facing. Also, as I mentioned, different from DORA, NIS2 has different requirements in each EU country, as they need to put it into country-specific law. So companies operating in various countries in the EU need to review each specific law, which is high effort. And, also, they need to identify if their current requirements are compliant with all requirements. And so this is high effort. To pick just a few concrete challenges, I would mention supply chain security, which is high effort, especially if there is sub-subcontracting. Also incident handling, as you need to define the reporting process and timelines.
Carolin: You need to have a communication plan, and you need to prepare a communication plan. And, also, I would mention cryptography and encryption as the third big challenge.

Patrick: Thank you for your explanation there also. I was reading a report, and it was from a German researcher, that more or less says, hey, compliance also drives or impacts businesses, how you do it. And I was a little bit surprised by the outcome there, because 57% say that digital compliance enhances customers' trust, but it also says it supports business growth. So, in my view, compliance by design, or compliance being part of your daily operation, it must be in your DNA, also helps customers to get more trust in the services that they consume. And it also says it enhances brand integrity and loyalty. So if you have your certification, for example, as a financial institute, people are more, let's say, willing to do business with you in that regard. I also noticed in the same report that, let's say, still a lot of companies are having manual compliance activities instead of a, let's say, automated, unified approach. So there, also, you see what happens in the market and how people make more or less benefit of being compliant. And, also, the next one there, that is what you see: if you look at the security breaches that were happening last year, everything has a human element in there in a lot of cases. So my question to you is also: what would be the approach that customers should take if they look at DORA and NIS2, but, let's say, implementing compliance activity as their daily operation?

Carolin: Yeah. So I would say, instead of addressing each requirement by itself (currently, most companies are building or buying solutions for individual requirements),
Carolin: I would say that companies need to create a holistic target picture, which is, of course, built from current regulatory requirements, but also from best practice and from expected upcoming requirements. And they should look for holistic solutions. So, something that covers more than maybe just a requirement that is for their department, but really something that benefits the whole organization. That's required, from my point of view. Yeah. So, no, sorry, go ahead. No. I was just curious, Patrick. How do you advise organizations to address those challenges?

Patrick: Let's say I strongly believe in what you would call a holistic approach, or I would call it a unified approach, and not looking for point solutions, because I think if you work in a world that needs compliance, you can only reach, similar to what we spoke about before a little bit, you can only reach that business benefit if you do it in one unified approach. Because if you have point solutions, you probably spend a lot of money, and then you only have one thing there. But at the moment that you change something, or there will be a new regulation, you will have to start over. So that unified, holistic approach, that should be the way forward, in my point of view. And what you also see there, more or less, is that, if you look at service providers in the market, similar to DigiCert, they are following the same approach, not having point solutions for one single thing. And one of the things that you see, for example, in our DigiCert ONE platform, which we are following, and where we try to build in all the things we could do in a holistic approach, is exactly a sample of how it should work. Let me show you this little thing. If you look at the PKI world, it's everywhere, whether you have software, machines, service devices, documents to sign, everywhere you need PKI.
Patrick: That also means that if you have a disruption in your PKI business, you will have a problem, or you have a disruption in your service. And what we now try to do within our DigiCert ONE platform is to build in as much as possible, because, of course, we know that, with regulations, NIS2 needs to be presented in national law, so there might be differences. But at least the basics are built into our solution. So more or less with one button press, I would almost say, you can get all kinds of reports or all kinds of audit trails out of the system that help you to provide all those, let's say, manual things if you don't have that unified approach. So more or less, what you see happening in, let's say, using a compliance framework is also a framework that we see in solutions that are provided by third parties. One of the things that I'm wondering, in that regard, because you already mentioned previously that sometimes we are waiting for things that still need to be worked out: do you also see other compliance gaps that we are currently facing, or that customers might be facing?

Carolin: Yes. So in general, I would see that most customers we're working with are working in silos. So each department is working on its own. They have disparate systems. And besides, of course, going into details now on what the compliance gaps are, I mean, that's, of course, different from company to company. But in general, I would say that they are just too focused on what's really important for them instead of what's good for the company. That's what I realize every day in my projects.

Patrick: Yes. But that also means, in that regard, that, let's say, the whole compliance topic, I would almost say, should be on the agenda of upper management. It should be part of their daily business as well, and not only related to what they do today, but also to what they need to do tomorrow.

Carolin: Yes. Definitely.
Carolin: So it should be on the radar of the management board to regularly also ask the CISO how their progress is. I know that for most things, they already have it: for example, the CISO gives a quarterly update to the management board. And this is also due to already-done audits. So if they have severe audit findings, it gets high management attention. And, yeah, this in the end also helps the company in getting additional budget and resources to close identified compliance gaps. So sometimes you could say that an audit in the end helps the company to be compliant, or to get on the way to being compliant.

Patrick: Yeah. Understood. Just going quickly back to this slide, because one of the things here is that, let's say, compliance by design drives business impact. How can organizations leverage the need to be compliant and turn it into a competitive advantage rather than a chore? Because I can imagine you could also benefit as a company to say, hey, I am compliant because of whatever it is. What is your view on that one?

Carolin: Yeah. I would say that's a good point. But I would also like to kind of turn it around. So imagine there's a cybersecurity gap, and the company is then a victim of a DDoS attack. Customers are not able to access the website. And if it's a bank, for example, they can't do online banking, and so on. So this is, of course, a huge reputational damage. So you could either argue from this side or, of course, from the other side. We are seeing many clients who are using their ISO 70,000 certificate on their website for marketing. And I could imagine that we have a similar certificate for DORA, or also for general cybersecurity compliance, that they are using on the website, saying, hey,
Carolin: We are compliant with this and that requirement, like DORA and NIS2 and others upcoming. And this then also attracts customers.

Patrick: Yeah. So more or less use it also as a marketing tool to, let's say, create or generate more fees.

Carolin: Yes. Definitely. So that's a key option. And we also put this in our regular exchanges with clients, also focusing on this topic, to make it more clear that we can use regulatory requirements also as a competitive advantage.

Patrick: Understood. I'm looking at the time at this point, so I would like to thank you for your insights and your support here, and let's hand it over to Rina.

Rina: Great. And thank you, Patrick and Carolin, for your valuable insights on compliance by design and the best practices for addressing all of the regulations holistically. Throughout the chat, we've had a few questions that have come in. And just as a gentle reminder, if we're unable to get to your question in this session, we will be coming back to you afterwards as well. Okay. So the first question that I'm going to pose, I think this will be a really good one for Carolin. From your consulting experience, are there any topics where companies are considering themselves as being compliant when in reality there is a gap?

Carolin: Mhmm. Entirely. Yeah. So I would like to answer this one. So, often we see that certain aspects are covered by individuals as part of their regular tasks. But there are no policies or procedures outlining the requirements from a security perspective, and the processes are not documented. So the individuals, you could say, are kind of doing it compliantly for the company, but not holistically. In consequence, this means that if the responsible team member takes on another role in the company, or leaves the company altogether, the task will either be done differently or not at all.
Carolin: Meaning that you can only consider an aspect as being compliant if there's documentation: what are the requirements, who is doing what, when, and how, and also whether the task is done as required. This is also a regular check by the auditor. They first ask where it is documented, and then they want to see evidence that it's done as documented, and only then will they evaluate whether it's really compliant or not. So you always need the documentation, and that's something that we often see: companies are missing the documentation of the requirement and of the processes themselves.

Rina: Great. Thank you for that. Patrick, any thoughts on that question? I know it was to Carolin, but based on that response, do you have any points to share?

Patrick: No. Let's say what we also see from our end is that, let's say, a lot of companies are confronted with rules and regulations, and it must be part of their daily task, which they didn't do before. And I think it's important to emphasize that they should not see it as a burden: I have to do it, and it will cost me additional things. It is part of their daily business to be compliant, to get that certification or that accreditation, and to make it more or less beneficial for them.

Rina: Great. Okay. Thank you. Okay. The next question's lined up here. So with the demands and pressures for continuous innovation, the question here is: how can organizations balance the need for agility and innovation while ensuring strict compliance with regulations like NIS2 and DORA? So, Patrick, do you want to start with the response to that?

Patrick: Yeah. I certainly think, and we spoke also during the session about the holistic approach or unified approach, I'm convinced that if you are compliant, it will be beneficial for your company.
Patrick: I see also, for example, in European tenders or in RFPs, that people are asking for certification and also for compliance. So it is a mind shift, in my view, that people need to think slightly differently than only, oh, this is the product or the solution that I need to provide to the market, but also make sure that it is part of the whole ecosystem, and that if we don't comply, or if we don't work on this part of the solution as well, then we are, I won't say out of business, but at least we are not beneficial there.

Rina: Right. Okay. Thank you. So, on that note, what solutions or tools are enabling them to compete, to have the agility that they need, to comply?

Patrick: Let's say what we spoke about before: if you have that holistic or unified approach, then also your tools should have a similar view on it. As Carolin already said, if you are buying point solutions, or if you're buying a one-time tool just to fix this little thing there, you will not be prepared for the things that are going to change or the new regulations that will pop up in the next couple of years. So the whole thing about compliance should be part of your DNA within an organization.

Rina: Okay. Great. Thank you. I think we've got time for one more question. And I think this one, probably for both of you, it would be great to get your perspective on it. What upcoming regulations beyond DORA and NIS2 should organizations already start preparing for as part of a future-proof compliance strategy? So, Carolin Römmer, do you want to go first?

Carolin: I would like to leave Patrick to say something on this first.

Patrick: Okay. No worries. I think there are two important ones. One of them is, of course, already applicable or in effect. That is eIDAS 2.0, because that will bring a huge change in how people work together in this ecosystem.
Patrick: For example, the introduction of the wallet, the introduction of, at the stage, attributes, for example. Secondly, there is, of course, the Cyber Resilience Act, which is, as far as I know, now on schedule to come into effect in 2027, because those are all, let's say, impacting the ecosystem for both customers and companies.

Rina: Great. Thank you. Any additional thoughts there?

Carolin: Yeah. I would say we mentioned that we shouldn't just focus on regulations, but also on best practices. So what we see from our experience in projects is that, even with existing regulations, regulators have a certain understanding of what's part of the requirement which is not directly written in the requirement. So they have, like, a certain interpretation of what's really meant here. And so you can even find gaps with existing regulation, even if the company has already kind of analyzed what's in there, just because, yeah, the regulator has a different interpretation. And so you could even say: review the current regulations and, also, maybe align with your peers on what gaps audits identified, to check whether you have those already considered.

Rina: Brilliant. Thank you very much. I think that concludes our Q&A session. We're at time. So thank you for all the great questions that came in. Any questions that we weren't able to get round to, we will be responding to you individually. I'll hand back over to Patrick to summarize and close. So thank you very much.

Patrick: Thank you, Rina. What you see here is that, let's say, there are still a lot of things to do by companies. At least that's my impression. It is not a one-time activity. And I think what we need to do, of course, is to look not only at what is happening today, but also at what is happening tomorrow, and prepare ourselves as a company to be compliant, let's say, for a future state.
Patrick: And I think it's very important, also business-wise, to do so. But maybe Carolin can give her view as well.

Carolin: Yeah. So for me, it's important to consider that you have to be prepared not only for existing regulations, but also for upcoming ones, and you also need to consider best practices. And as I mentioned, also consider that regulators have their own interpretations of regulations. It's important to make cybersecurity a top priority in your company, and I would also suggest aligning with your peers on current cyber threats and on ongoing activities that are noticed. And, yeah, as mentioned, we have this information sharing chapter. So DORA explicitly encourages information sharing.

Patrick: Yeah. And I think that, if you look at all the regulations, it is very important that you adopt an integrated and proactive compliance strategy within your company, which also aligns, as Carolin already said, the security within your business objectives, to be successful.

Rina: Great. Thank you. That concludes today. Bye, everyone.

Patrick: Thank you. Bye bye.

Carolin: Bye bye.