DORA, NIS 2, TIBER … When cyber resilience becomes a major issue
Excellium Services | 3:11 pm, 3rd August
In a context where the challenges of resilience are constantly increasing, the Council of the EU adopted NIS 2 on November 28th. From a sectoral point of view, in the financial sector, the European Parliament voted on November 10 for the promulgation of DORA, while TIBER EU is already in use to test the resilience of key financial market entities. These regulatory requirements arrive in a world where the level of confidence in cybersecurity expected by every player in an ecosystem is ever greater.
Awareness that an organization must work not only on its level of protection but also on its ability to respond to a cyber incident and to limit the extent of the damage and its consequences is now becoming obvious, yet putting it into practice remains complex. Indeed, to ensure pragmatic compliance that allows an organization to genuinely address its challenges, adapting the security strategy and the associated roadmap requires a holistic view of the different pillars defined in these regulations.
The redesign of ICT risk management notably requires the ability to express cyber risk so that it is understood by management and can be used as a genuine decision-making tool. It has therefore become essential to link and interpret cyber risk in terms of the resulting business consequences, for example through cyber risk quantification approaches and financial loss studies.
For several years, the risks associated with outsourcing and the need for third-party oversight have been constantly increasing, as evidenced by the number of supply-chain attacks. The controls in place to assess service providers prior to contracting must be robust but also proportionate, with a level of assessment adapted to the risks incurred, for example via a supplier categorization model. In addition, it is essential to monitor over time that providers properly take the organization's security requirements into account, and to be able to actually demonstrate a process of continuous improvement of their security maturity level.
Demonstrating resilience capabilities requires assessments and security tests across the different lines of control that exist within the organization. This evaluation program must be proportionate to the risks inherent in the organization's context and sufficiently diversified to test different axes (cyber crisis management and communication strategy, incident response capacity, Red Team exercises, etc.). This in particular requires pooling expert skills in several areas: Cyber Threat Intelligence, notably via a CERT and cyber strategy experts, and Red Teaming via experts in intrusion and the execution of targeted attacks.
As with any compliance process, it remains essential to carry it out by analyzing how these changes can bring real added value to the organization and improve both its security posture and its cyber resilience capabilities, rather than as a box-ticking exercise.
By Johann Alessandroni, Manager of the Information Security Governance service, Excellium Services
more news

Education: MDR becomes essential in the face of escalating cyber threats - by ESET
by ESET | 10:08 am, 4th March
In the education sector, cybersecurity plays a crucial role in protecting the well-being of pupils and students and in guaranteeing everyone the opportunity to fully realize their learning potential. The challenge facing schools and universities is that their resources are often insufficient against agile and determined adversaries.
Fake dating app used in a campaign targeting Pakistan, discovered by ESET Research
by ESET | 9:51 am, 29th January
ESET Research has discovered an Android spyware campaign using romance-scam techniques to target individuals in Pakistan. The campaign uses the GhostChat spyware, which enables discreet surveillance of the device, allowing the operators to monitor activity and exfiltrate sensitive data. ESET's investigation revealed further activity by the same actor: a ClickFix attack, which tricks users into running malicious code on their computers, and a WhatsApp attack that abuses the app's linked-device feature to access victims' personal messages.