The First CNAPP with Out-of-the-Box NIS2 and DORA Compliance

By Joseph Yostos - MARCH 19, 2024

SHARE:

Facebook logo LinkedIn logo X (formerly Twitter) logo

In an era where cloud attacks and threats are happening very fast and constantly evolving, the European Union (EU) has stepped up its cybersecurity game with two new regulations: the Digital Operational Resilience Act (DORA) and the revised Directive on Security of Network and Information Systems (NIS2). With more strict requirements on compliance controls and breach disclosures, these regulations are set to transform how businesses manage their cyber risks in Europe. If you’re feeling overwhelmed by these changes, you’re not alone. That’s where Sysdig comes in. As the first CNAPP to offer out-of-box policies for DORA and NIS2 compliance, we’re here to guide you through these new requirements, ensuring your business isn’t just compliant, but also more secure.

Overview of DORA and NIS2

In the past, most regulations were checked periodically for compliance – maybe monthly, quarterly, or up to annually. However, to address the ongoing surge of cyberattacks and the speed at which they move, these new regulations are looking to implement stricter controls and, more importantly, very aggressive requirements around time to disclosure to regulatory authorities in the case of a security event, privacy event, or breach. In the case of DORA, you only have four hours from the moment of classification of the incident as major to disclose. With NIS2, you have 24 hours.

Digital Operational Resilience Act (DORA) is an implementing act introduced by the European Union to address and enhance the security and resilience of digital operations within the financial sector. It aims to consolidate and standardize the digital operational resilience practices across financial entities, ensuring that they can withstand, respond to, and recover from all types of ICT (Information and Communication Technology) related disruptions and threats. The Regulation will apply from Jan. 17, 2025, which means financial companies have less than a year to become compliant with DORA.

DORA applies to the vast majority of the financial services sector. This includes, but is not limited to:

  • Banks and credit institutions
  • Investment firms
  • Insurance companies
  • Asset managers
  • Payment service providers
  • Crypto-asset service providers

Additionally, DORA extends its reach to third-party ICT service providers, including cloud services, which are integral to the operations of financial entities. This is significant as it marks the first time financial services supervisors are given authority to oversee these third-party vendors directly. As it pertains to cloud, DORA also specifies that financial entities should use multi-cloud approaches to improve resiliency. Multi-cloud strategies can indirectly create other security gaps due to varied technology. This approach necessitates that appropriate unified controls and monitoring are implemented to ensure those security gaps aren’t exploitable.

Network and Information Systems Directive (NIS2) 

Unlike regulations, which are directly applicable, NIS2 is an EU directive that sets general objectives for Member States’ national laws on cybersecurity and ICT systems and networks, with the aim of strengthening security across the EU. 

The main goal of NIS2 is to significantly raise the level of cybersecurity across the EU by expanding the scope of the original directive, introducing stricter security requirements, and increasing the accountability of entities within critical sectors. 

NIS2 broadens the scope of cybersecurity obligations to include a wide range of sectors critical to the EU’s economy and society. It encompasses entities in energy, transport, banking, financial markets, healthcare, water supply, digital infrastructure, public administration, and space.

POINT OF VIEW PAPER
Practical Cloud Security Guidance in the Era of Cybersecurity Regulation

Read Now

Sysdig’s Role in Facilitating NIS2 and DORA Compliance

Sysdig is the first Cloud-Native Application Protection Platform (CNAPP) to provide out-of-box compliance policies specifically designed to help organization’s satisfy the technical elements of the European Union’s new regulatory frameworks, DORA and NIS2, as they pertain to cloud resources.

Reading the specifications of DORA and NIS2 could be complex – a best practice would be to disassemble this complex stuff in the elementary building blocks. And that’s what we’re going to do in the following section.

DORA 

Sysdig facilitates this by providing comprehensive controls covering various aspects of Linux, Kubernetes, cloud environments, and identity management. 

Sysdig NIS2 and DORA compliance

These are some of the technical requirements that apply to cloud environments. We will explain these requirements and look at some examples of security controls from Sysdig that ensure cloud assets meet DORA compliance conditions. 

CHAPTER II, ICT risk management
Article 5, Governance and organization

Financial entities shall have in place an internal governance and control framework that ensures an effective and prudent management of ICT risk, in accordance with Article 6(4), in order to achieve a high level of digital operational resilience.

The management body of the financial entity shall define, approve, oversee, and be responsible for the implementation of all arrangements related to the ICT risk management framework referred to in Article 6(1).


Sysdig provides around 300 controls to ensure availability, authenticity, integrity, and confidentiality of data under this article.

Here are some examples:

API Server:
– Defined tls-cert-file and tls-private-key-file

IAM
– Appropriate Service Accounts Access Key Rotation

Storage:
– S3 – Blocked Public Access (Account-wise)

Networking
– Disabled Endpoint Public Access in Existing Clusters 

Linux Security
– /etc/bashrc, or /etc/bash.bashrc contains appropriate `TMOUT` setting
CHAPTER II, ICT risk management
Article 6, ICT risk management framework, Art 6.2

The ICT risk management framework shall include at least strategies, policies, procedures, ICT protocols, and tools that are necessary to duly and adequately protect all information assets and ICT assets. This will include computer software, hardware, servers as well as to protect all relevant physical components and infrastructures, such as premises, data centers and sensitive designated areas. It will also ensure that all information assets and ICT assets are adequately protected from risks including damage and unauthorized access or usage.
The ICT risk management framework must encompass comprehensive strategies, policies, procedures, and tools designed to safeguard all information and ICT assets. This includes software, hardware, servers, physical components, and more.

Sysdig supports these requirements through 190 controls and a multi-layered security approach that includes:

Identity security
– IAM – No Multiple Access Keys

Workload protection
– Workload mounting ServiceAccount Token
CHAPTER II, ICT risk management
Article 7, ICT systems, protocols, and tools

“In order to address and manage ICT risk, financial entities shall use and maintain updated ICT systems, protocols and tools that are:

(a) appropriate to the magnitude of operations supporting the conduct of their activities, in accordance with the proportionality principle as referred to in Article 4;
(b) reliable;
(c) equipped with sufficient capacity to accurately process the data necessary for the performance of activities and the timely provision of services, and to deal with peak orders, message or transaction volumes, as needed, including where new technology is introduced;(d) technologically resilient in order to adequately deal with additional information processing needs as required under stressed market conditions or other adverse situations.”
This section of DORA is all about utilizing and keeping up-to-date ICT systems, protocols, and tools that are scalable, reliable, resilient, and high-performance.

Sysdig aids financial entities in meeting these requirements by providing:

Workload security:
– Container running as privileged

Kubernetes:
– Kubelet – Defined streaming-connection-idle-timeout
– Kubelet – Disabled hostname-override
– Kubelet – Disabled read-only-port
– Kubelet – Enabled make-iptables-util-chains
– Kubelet – Enabled protect-kernel-defaults

Audit Log:
– Audit Log Events – file system mounts
– Audit Log Events – kernel module loading and unloading
CHAPTER II, ICT risk management
Article 9, Protection and preventionArt 9.3
“In order to achieve the objectives referred to in paragraph 2, financial entities shall use ICT solutions and processes that are appropriate in accordance with Article 4. Those ICT solutions and processes shall:

(a) ensure the security of the means of transfer of data;
(b) minimize the risk of corruption or loss of data, unauthorized access and technical flaws that may hinder business activity;
(c) prevent the lack of availability, the impairment of the authenticity and integrity, the breaches of confidentiality and the loss of data;
(d) ensure that data is protected from risks arising from data management, including poor administration, processing-related risks and human error.”
This Article emphasizes that financial entities must employ ICT solutions and processes that ensure data transfer security, minimize risks such as data corruption, unauthorized access, and technical issues, and prevent data availability, authenticity, integrity, confidentiality breaches, and data loss. These measures must also protect data from management-related risks, including administrative errors, processing hazards, and human mistakes.

Sysdig achieves this by means of controls like:
API Server:

API Server
– Defined strong cryptographic ciphers

Compute
– Disabled connection to serial ports

Firewall Configuration:
– IPv4 – firewall rules
– Networking – disallowed default network

These are just some examples of the technical requirements of DORA. Our comprehensive policy extends beyond these examples.

NIS2

NIS2 requirements are very similar to DORA but with a different scope. NIS2 covers all critical infrastructure companies. The scope of critical infrastructure is massive, including the expected healthcare providers, utilities, and telecom providers, but also digital service providers. Entities fall within essential or important categories with different control requirements, monitoring provisions, and attestation levels. 

Sysdig covers the 14 technical requirements of NIS2, with 2,905 total number of controls. 

Most of the technical requirements are under Article 21, “Cybersecurity risk-management measures,” of Chapter IV, “Cybersecurity Risk-Management measures and reporting obligations.” Here are some of the technical requirements.  

Sysdig NIS2 and DORA compliance
“Member States shall ensure that essential and important entities take appropriate and proportionate technical, operational and organizational measures to manage the risks posed to the security of network and information systems which those entities use for their operations or for the provision of their services, and to prevent or minimize the impact of incidents on recipients of their services and on other services.

Taking into account the state-of-the-art and, where applicable, relevant European and international standards, as well as the cost of implementation, the measures referred to in the first subparagraph shall ensure a level of security of network and information systems appropriate to the risks posed. When assessing the proportionality of those measures, due account shall be taken of the degree of the entity’s exposure to risks, the entity’s size and the likelihood of occurrence of incidents and their severity, including their societal and economic impact.”
NIS2 requires entities to adopt suitable measures across technical, operational, and organizational domains to manage security risks for their network and information systems, aiming to reduce the impact of incidents. These measures should align with the latest standards and be cost-effective, reflecting the entity’s risk exposure, size, and potential incident impacts.

Sysdig addresses this through over 200 controls, here are some examples:
– Compute – Installed latest OS patches
– Container permitting root
– Logging – Enabled Cluster Logging AKS/EKS
– SQL Server – Enabled periodic recurring scans
– SSH Server Configuration Permissions –  public host key files
Article 21.2(d)The measures referred to in paragraph 1 shall be based on an all-hazards approach that aims to protect network and information systems and the physical environment of those systems from incidents, and shall include at least the following: supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers.key focus is on securing the supply chain, which involves addressing security aspects in the relationships between entities and their direct suppliers or service providers.

Sysdig can facilitate compliance with this requirement through over 200 controls, and here are some examples:

Secure SDLC:
– Registry – Enabled Vulnerability Scanning
– Registry – Read-only access

Logging:
– Logging – Enabled cclusterl logging 

Access control:
– Over-permissive access to resource types in group

Secret:
– Secrets Management

These are just some examples of the technical requirements of NIS2. Our comprehensive policy extends beyond these examples.

Conclusion

In conclusion, the NIS2 directive and DORA regulations mark significant milestones in the European Union’s journey towards stronger cybersecurity and operational resilience, particularly within critical sectors and the financial industry. Set to come into effect in January 2025, these comprehensive frameworks necessitate that affected entities — spanning a broad array of sectors — implement robust measures to protect their network and information systems against a wide range of cyber threats.

In this pivotal moment, Sysdig stands out as the first Cloud-Native Application Protection Platform (CNAPP) to offer out-of-the-box policies to assist in NIS2 and DORA compliance. This unparalleled readiness positions Sysdig not just as a tool, but as a strategic partner for businesses seeking to navigate the impending regulatory landscape confidently.

To learn more about compliance and regulations in cloud-native environments, watch our panel conversation: Delivering Secure, Compliant Financial Services in the Cloud.

Subscribe and get the latest updates