DORA Digest March 2024

NIST 1.1 and NIST 2.0 

It is worth considering that NIST recently updated and amended its CSF. One of the things that stands out about the differences between v1.1 and v2.0 is that the new version highlights the use of communities in combatting cyber risks.  

NIST’s concept of “communities” builds on the foundation of the original intentions of the first CSF, in that it was created for use within critical national infrastructure (CNI) organisations. This was acknowledged in the original name of the framework (i.e. the NIST Framework for Improving Critical Infrastructure Cybersecurity) – however, organisations outside of CNI rapidly adopted the framework and used it to meet their own cyber security needs.  

For cyber security professionals like me, the introduction of NIST CSF 2.0 was a significant event. It was the result of input from the wider body of cyber security practitioners, academia, and government organisations.  

In many ways, the NIST CSF has become the de facto standard for organisations seeking to leverage a framework to ensure appropriate cyber security controls. The new version will likely carry on playing the same role that v1.1 has done, and its adoption is likely to increase its coverage and adoption rate across the globe. 

NIST CSF and DORA 

While DORA is mandatory for the EU’s financial services industry, the NIST CSF is widely accepted as “best practice.” There is no one-to-one mapping between DORA’s requirements and the standards set out in the NIST CSF. 

Even so, it is useful to explore how DORA and the NIST CSF can be used to complement each other – especially by organisations that must meet DORA’s requirements, and can use the NIST CSF for their own internal controls reporting and compliance efforts.  

Leveraging NIST CSF 2.0 to meet DORA’s requirements 

ICT risk management framework 

Within the NIST CSF there are two functions – govern (GV) and identify (ID) – that correlate to the Articles in DORA that address governance and organisation, ICT risk management frameworks, and identification of cyber risks.  

The NIST CSF 2.0 functions of protect (PR), detect (DE), respond (RS), and recover (RC) have their DORA equivalents in the Articles concerned with: 

• protection and prevention; 
• detection; 
• response and recovery; 
• backup policies and procedures; 
• restoration and recovery procedures and methods;  
• learning and evolving; and  
• communication. 

ICT-related incident management 

DORA has very prescriptive requirements around reporting ICT-related incidents in terms of classification and notification. These requirements are reflected in the NIST CSF 2.0 functions of detect (DE), respond (RS), and recover (RC). 

Digital operational resilience testing 

DORA sets out requirements for conducting regular technical testing and threat-led penetration testing (TLPT). While the NIST CSF does not explicitly address TLPT, it does describe testing in its categories of platform security and technology infrastructure resilience, both of which fall under its function of protect (PR). 

ICT third-party risk management 

In many sectors, organisations will use similar technologies and vendors. This exacerbates the supply chain risks that have recently been growing in number and visibility. DORA tackles these risks with prescriptive requirements on assessing concentration risk and performing due diligence and assessments, while the NIST CSF 2.0 covers them as part of the governance (GV) function, in the category of cybersecurity supply chain risk management. 

Summary 

The NIST CSF 2.0 and supporting documentation explicitly calls out the concept of communities, which is a significant advance on the ideas set out in v1.1. The principle of “communities” is that organisations within the same sector could seek to establish their own tailored version of the NIST CSF 2.0 to allow a focus on specific risk and threats.  

The NIST CSF provides a more holistic approach to cyber security than DORA does. DORA’s narrower focus is because the regulation emerged in direct response to the need to manage the risks associated with the financial services community, and the concentration risk that may be present in its underlying technical components.  

That said, DORA is holistic in its concept of digital operational resilience, though it provides far more prescriptive requirements than those captured at a generic level in the NIST CSF.  

Organisations that have adopted, or are in the process of adopting, the NIST 2.0 Cybersecurity Risk Management Framework, and are at maturity of level of three, should find it relatively easy to adapt the processes they have already implemented to ensure DORA compliance thresholds are met. In general, however, the reality is that most organisations that have not adopted the NIST CSF (or other relevant frameworks) remain woefully unprepared for DORA.