From Cybersecurity to Digital Operational Resilience: Navigating NIS2 and DORA

By Mark Alan Barlow, Chief Information Security Officer at SEFIN SpA


As digital transformation continues to reshape operating models, organizations are becoming increasingly dependent on complex ICT ecosystems. While this evolution enables efficiency and innovation, it also significantly expands exposure to cyber risk. In this context, the European Union has introduced two major regulatory frameworks - NIS2 and DORA - that mark a decisive shift from traditional cybersecurity to a broader concept: digital operational resilience.


The NIS2 Directive (Network and Information Security) aims to raise the overall level of cybersecurity across the European Union by expanding its scope to numerous essential and important sectors. The DORA Regulation (Digital Operational Resilience Act), on the other hand, focuses specifically on the financial sector and its ICT supply chain, introducing a harmonized regulatory framework that is directly applicable in all Member States.


Although they differ in legal nature (NIS2 is a directive that Member States must transpose, whereas DORA is a regulation that applies directly), both share a common objective: ensuring that organizations are not only protected against cyberattacks, but are also able to maintain operational continuity and recover quickly in the event of disruptions. This reflects a broader trend: cybersecurity is no longer just a technical issue, but a core element of business resilience.


Beyond protection: the evolution toward cyber resilience


Traditionally, cybersecurity has focused on prevention, keeping attackers out of systems. However, NIS2 and DORA introduce a more advanced paradigm: cyber resilience. This means that organizations must be able to anticipate, withstand, respond to, and recover from incidents, while also demonstrating that these capabilities are continuously tested and improved.


This shift has profound implications. It requires a comprehensive view of risk across the entire value chain, including third-party suppliers. It demands that controls and procedures are not only implemented, but also validated through real-world scenarios. And it introduces a culture of continuous improvement, in which policies and processes are constantly updated.


In operational terms, this means moving from static compliance to dynamic risk management, supported by clear governance, well-defined roles, and measurable indicators.


Building a strong security posture


At the core of NIS2 and DORA is the concept of security posture, meaning the level of preparedness an organization has in managing cyber risk.


An effective approach starts with a structured analysis of regulatory requirements and their mapping against existing controls. This makes it possible to identify gaps and define an implementation roadmap. However, this is not a one-off activity, but a continuous process integrated into governance mechanisms and day-to-day operations.


The main areas of intervention include:

  • Risk management and governance

  • Incident management

  • Business continuity and disaster recovery

  • Supply chain security

  • Network and data protection

  • Access control and identity management

  • Cyber training and awareness


These elements form the foundation of a resilient organization, capable not only of defending itself, but also of ensuring service continuity under critical conditions.

Particular attention must be paid to supply chain security. The expansion of the digital ecosystem to ICT providers increases the attack surface, making the adoption of structured Third-Party Risk Management (TPRM) models essential.


The role of standards and continuous improvement


International standards such as ISO/IEC 27001 provide a solid foundation for information security management. However, on their own they are not sufficient to cover the broader operational resilience requirements introduced by DORA.


Organizations must therefore go beyond formal compliance by adopting an integrated approach that combines governance, risk management, and operational resilience. This includes activities such as periodic gap analyses, continuous monitoring, and systematic testing of controls, for example through vulnerability assessments, penetration testing, and scenario-based exercises.


Equally important is the ability to demonstrate compliance. NIS2 and DORA place strong emphasis on accountability, with strict reporting obligations and significant penalties in cases of non-compliance. This reinforces the role of management, which is called upon to ensure the effectiveness of the measures adopted.


A strategic opportunity for the financial sector


Although the path to compliance may be complex, it also represents an important strategic opportunity.


Aligning with NIS2 and DORA enables organizations to strengthen their security posture, increase the trust of customers and partners, and differentiate themselves in an increasingly competitive market. For financial institutions and ICT providers, resilience becomes a distinguishing factor and a business enabler.


In a context of growing regulatory attention, it is essential to adopt a proactive approach: assess current capabilities, define priorities for action, and integrate resilience into technological and organizational processes.


Moreover, the greater emphasis on transparency and collaboration encourages a more systemic approach to security, based on information sharing and the exchange of best practices.


Conclusions


NIS2 and DORA represent a significant evolution in the way cybersecurity is interpreted and managed. They shift the focus from isolated technical controls to a holistic model of resilience.


In this new paradigm, cybersecurity is no longer just a defensive function, but a true strategic enabler capable of supporting trust, stability, and long-term competitiveness in an increasingly digital economy.
