
Meeting Growing Regulatory Requirements

The Countdown to NIS2 is Upon Us

The second Network and Information Systems Directive (NIS2) will come into effect on 17 October 2024. This is the date by which all EU member states must implement the directive into national law. Not far behind is the Digital Operational Resilience Act (DORA), an EU regulation which came into force on 16 January 2023 but becomes effective on 17 January 2025. An era of cybersecurity regulation, which gained momentum with the General Data Protection Regulation (GDPR), is descending upon us, and organizations are now more accountable for tackling systemic risk in critical digital systems. These regulations seek to raise cyber risk management standards across critical and important EU entities and build greater operational resilience.

GDPR Sets the Global Standard

It’s been six years since the GDPR took effect. This law has transformed how organizations handle personal data and has had a lasting impact on businesses around the world; many other countries have followed suit with privacy acts and regulation of their own. In the same way, both NIS2 and DORA will have a profound influence, as their impact extends beyond European borders. This is especially true for overseas businesses that want to do business with EU financial institutions or offer services in the EU.

For those less familiar, NIS2 requires in-scope entities across 18 sectors, including banking and financial market infrastructure providers, to implement minimum cybersecurity risk management measures to protect their networks and systems. Crucially, under the regulation, entities are also responsible for managing cybersecurity risk in their supply chains – whether those suppliers are based in the EU or not. The regulation demands a high level of visibility, control, monitoring, and reporting.

DORA seeks to drive and harmonize operational resilience improvements across the EU’s 22,000 financial entities. It aims to increase the sector’s resilience to disruption originating in information technology systems. Financial sector organizations are in the scope of both NIS2 and DORA. However, DORA invokes a higher level of risk management and technology-related incident reporting than NIS2.

A Shift to Cloud-native Development

NIS2 and DORA implementation is not happening in a vacuum. It is taking place against a backdrop of the shift to modern cloud-native application development, which dramatically accelerates the pace at which new applications and services are delivered but also increases the need for agile, adaptive application security. In addition, the persistence of legacy applications, complex hybrid cloud deployments, expanding attack surfaces, and the evolution of more sophisticated attacks all contribute to a highly complex governance, risk, and compliance environment.

To meet NIS2 and DORA requirements, financial services organizations must address a range of issues. For example, organizations must examine and refine their encryption strategies. NIS2 mandates that encryption is used where appropriate to ensure security and resilience, while both regulations prescribe the adoption of tools that deliver a strong defensive posture against malicious attacks. This means that organizations need a powerful solution that enables SSL/TLS visibility so they can analyze network traffic and eliminate blind spots to mitigate risk from encrypted attacks.

Likewise, effective business continuity, incident handling and response are explicitly required by both regulations. Organizations must implement robust tools and procedures to detect, manage and notify authorities of technology-related incidents. This must include early warning indicators, incident tracking and logging that enable response and reporting at the required level of detail and frequency.

DORA requires financial entities to design, procure and implement technology-related security policies, procedures, protocols and tools that aim to ensure the resilience, continuity and availability of IT systems. Compliance will therefore require organizations to guarantee that applications are securely and consistently available, wherever they are located. Web application firewalls (WAFs) are central to achieving this goal, but historically they have proved difficult to manage and maintain.

Compliance Requires a Coordinated Approach

Individual departments cannot tackle these regulations unilaterally. Compliance requires a coordinated effort among all stakeholders, from developers, network operations, and security teams, to risk and compliance teams. They all need complete and accurate visibility of application and network security performance to accomplish their allotted tasks and collaborate with other stakeholders. However, when every team uses different tools, monitoring and reporting systems, achieving a unified view of application security, management, and availability is difficult. The challenge is intensified when organizations have to account for both legacy and cloud-native apps deployed across multiple environments.

The advent of these new regulations, with their focus on visibility and reporting, offers organizations an opportunity to review current security tooling and management to identify opportunities to consolidate and simplify their approach without compromising innovation. This is where a platform approach across all applications delivers better visibility, management and reporting in a single pane of glass. It supports consistency and enhanced governance – both of which are important for effective compliance.

Building Operational Resilience and Managing Risk is in our DNA

A10 Networks has a long history of working in the financial sector with a strong portfolio of products and solutions designed to smooth the path to regulatory compliance. Building resilience, managing risk and simplifying accurate, real-time reporting are in our DNA, and our portfolio of products and services is designed to help financial sector businesses meet growing regulatory requirements while simplifying and consolidating their security stack and achieving the necessary level of visibility. What’s more, the portfolio does this without compromising innovation, speed, or efficiency.

Our fully integrated platform approach delivers centralized security resilience with common tools using the same operating system across every application, whether it’s hosted on traditional hardware, bare metal, or in the cloud. This provides insights and context for every project for streamlined development and reporting.

As financial services businesses grapple with the growing challenge of regulatory compliance, and with the deadlines for adhering to these new regulations now imminent, they need to look to providers who can help them deliver secure and compliant applications. If you are interested in understanding how A10 Networks can help, why not download our latest eBook on delivering centralized application security, resilience and insight?