NIST 2.0 and DORA: Complementary or contradictory?
The NIST Cybersecurity Framework 2.0 and the EU’s Digital Operational Resilience Act (DORA) have been created to meet the needs of two different requirements in the cyber security space.
At a high level, one is a voluntary framework produced by the National Institute of Standards and Technology (the NIST CSF), while DORA is a piece of EU legislation intended to manage ICT and cyber security risks within the European financial sector.
NIST 1.1 and NIST 2.0
It is worth noting that NIST recently updated and amended its CSF. One of the differences between v1.1 and v2.0 that stands out is that the new version highlights the use of communities in combating cyber risks.
NIST’s concept of “communities” builds on the original intention behind the first CSF, which was created for use within critical national infrastructure (CNI) organisations. This was acknowledged in the original name of the framework (i.e. the NIST Framework for Improving Critical Infrastructure Cybersecurity); however, organisations outside CNI rapidly adopted the framework and used it to meet their own cyber security needs.
For cyber security professionals like me, the introduction of NIST CSF 2.0 was a significant event. It was the result of input from the wider body of cyber security practitioners, academia, and government organisations.
In many ways, the NIST CSF has become the de facto standard for organisations seeking to use a framework to ensure appropriate cyber security controls are in place. The new version will likely carry on playing the same role that v1.1 has played, and its coverage and adoption rate are likely to keep increasing across the globe.
NIST CSF and DORA
While DORA is mandatory for the EU’s financial services industry, the NIST CSF is widely accepted as “best practice.” There is no one-to-one mapping between DORA’s requirements and the standards set out in the NIST CSF.
Even so, it is useful to explore how DORA and the NIST CSF can complement each other, especially for organisations that must meet DORA’s requirements and can use the NIST CSF for their own internal controls reporting and compliance efforts.
Leveraging NIST CSF 2.0 to meet DORA’s requirements
ICT risk management framework
Within the NIST CSF 2.0 there are two functions, govern (GV) and identify (ID), that correspond to the DORA Articles addressing governance and organisation, the ICT risk management framework, and the identification of cyber risks.
The NIST CSF 2.0 functions of protect (PR), detect (DE), respond (RS), and recover (RC) have their DORA equivalents in the Articles concerned with:
- protection and prevention;
- detection;
- response and recovery;
- backup policies and procedures;
- restoration and recovery procedures and methods;
- learning and evolving; and
- communication.
ICT-related incident management
DORA has very prescriptive requirements around reporting ICT-related incidents, in terms of both classification and notification. These requirements map to the NIST CSF 2.0 functions of detect (DE), respond (RS), and recover (RC).
Digital operational resilience testing
DORA sets out requirements for conducting regular technical testing and threat-led penetration testing (TLPT). While the NIST CSF does not explicitly address TLPT, it does describe testing in its categories of platform security and technology infrastructure resilience, both of which fall under the protect (PR) function.
ICT third-party risk management
In many sectors, organisations use similar technologies and vendors. This exacerbates supply chain risks, which have recently been growing in both number and visibility. DORA tackles these risks with prescriptive requirements on assessing concentration risk and performing due diligence and assessments, while the NIST CSF 2.0 covers them under the govern (GV) function, in the category of cybersecurity supply chain risk management.
Summary
The NIST CSF 2.0 and its supporting documentation explicitly call out the concept of communities, which is a significant advance on the ideas set out in v1.1. The principle of “communities” is that organisations within the same sector can establish their own tailored version of the NIST CSF 2.0, allowing them to focus on sector-specific risks and threats.
The NIST CSF provides a more holistic approach to cyber security than DORA does. DORA’s narrower focus is a consequence of the regulation emerging in direct response to the need to manage the risks associated with the financial services community, including the concentration risk that may be present in its underlying technical components.
That said, DORA is holistic in its concept of digital operational resilience, though it provides far more prescriptive requirements than those captured at a generic level in the NIST CSF.
Organisations that have adopted, or are in the process of adopting, the NIST CSF 2.0, and that are at maturity level three, should find it relatively easy to adapt the processes they have already implemented so that DORA’s compliance thresholds are met. In general, however, the reality is that most organisations that have not adopted the NIST CSF (or another relevant framework) remain woefully unprepared for DORA.