Modern cyber security is undergoing a fundamental transformation. The model where the company was like a fortress surrounded by a high wall is becoming a thing of the past.
Attackers have learnt that the weakest point of a defence is often not the fortress itself, but its extensive network. New EU regulations such as DORA and NIS2 brutally expose this truth, forcing boards to redefine the concept of resilience.
Today, true digital security does not stop at the border of one’s own network, but extends to the entire supply chain.
For years, corporations have invested huge resources in securing their own infrastructure, focusing on prevention and incident response within the organisation. This approach, while still fundamental, has become inadequate for the scale and complexity of today’s threats.
Cybercriminals are less and less inclined to launch frontal attacks against well-protected targets. Instead, they choose the path of least resistance, using less secure suppliers, subcontractors and technology partners as an attack vector. Risk has become diffuse, and its sources often lie outside a company’s direct control.
In this new landscape, a strategy that relies solely on damage limitation after the fact is untenable. In an age when every hour of downtime can generate losses running into the millions and irreparably damage customer trust, proactive, intelligent prevention becomes key.
This paradigm shift has also been recognised by the European regulator, which is shifting the burden of responsibility from IT departments directly onto the shoulders of boards of directors and supervisory boards through new regulations.
Two key legislative initiatives are setting new standards across the continent. The first is the Digital Operational Resilience Act (DORA), which imposes stringent digital risk management requirements on the financial sector and its key IT suppliers from the beginning of 2025.
DORA’s philosophy is clear: the resilience of a financial institution is inextricably linked to the resilience of its partners. It is no longer enough to respond to incidents; continuity of critical services must be ensured even when an external provider fails.
In practice, this means in-depth analysis and continuous monitoring of the entire technology ecosystem.
The second pillar of this revolution is the NIS2 Directive, which radically expands the catalogue of entities covered by similarly high standards. Key economic sectors such as energy, transport, healthcare, water management and digital infrastructure are now within its scope.
For many companies operating in these industries, NIS2 means the need to build mature third-party risk management processes from scratch. Both regulations share a common denominator: they introduce clear reporting obligations and personal liability for managers.
Digital resilience is ceasing to be a technical issue and is becoming a key element of corporate governance and business strategy.
In this new legal and operational reality, traditional methods of assessing partners, such as audits or security surveys, are proving insufficient. A static picture obtained once a year is useless when confronted with threats that evolve in daily cycles.
Companies need a dynamic, almost live picture of the threat landscape to identify, prioritise and neutralise risks early, before they materialise.
The answer to this challenge is threat analytics, known as Threat Intelligence. It is a continuous process of collecting data about cyber attacks, malware and criminals’ tactics, then analysing it and turning it into actionable intelligence.
Effectively implemented analytics allows an organisation to understand what campaigns are targeting its industry, whether there has been an incident at any of its key suppliers, and whether employee credentials are circulating online after a leak from another service.
The effective use of this knowledge relies on a coherent defence process. It starts with analysis and prioritisation, i.e. understanding which threats are most viable for the specifics of the company and its supply chain.
The knowledge gained is then used for preventive measures, such as proactively strengthening security, implementing multi-factor authentication or blocking communication with servers identified as malicious.
The third element is early detection, which involves continuous monitoring of the company’s own systems and partners’ networks for indicators of compromise (IoCs) provided by Threat Intelligence platforms. This is rounded off by automated response, which allows rapid action to be taken when an incident is confirmed, for example by automatically resetting hijacked accounts or isolating infected machines.
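The four-step process described above (prioritisation, prevention, detection, response) can be made concrete with a small matching pipeline. The code below is an added example and is not part of the original article or of any Threat Intelligence product: it takes a constructed feed of indicators (a command-and-control domain, a scanning IP, and an employee account seen in a third-party leak), prioritises them by analyst confidence plus a bonus when a tag matches the company’s sector, matches them against constructed proxy and VPN log lines, and attaches a recommended response to each alert. The feed format, the key=value log format, the field names and the response wording are all assumptions made for illustration.

```python
"""Toy Threat Intelligence pipeline: prioritise -> match logs -> recommend response.

Added example; the feed and log formats are hypothetical and the data is constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class Indicator:
    """One entry of a (hypothetical) Threat Intelligence feed."""
    value: str        # domain, IP address or leaked account identifier
    kind: str         # "domain", "ip" or "credential"
    confidence: int   # analyst confidence, 0-100
    tags: tuple       # context tags, e.g. ("c2", "finance")

# Constructed feed entries, not taken from any real provider.
FEED: List[Indicator] = [
    Indicator("updates.example-bad.invalid", "domain", 90, ("c2", "finance")),
    Indicator("203.0.113.45", "ip", 60, ("scanner",)),
    Indicator("j.kowalski@example.com", "credential", 80, ("leak", "third-party-breach")),
]

# Constructed proxy/VPN log lines: "<timestamp> key=value key=value ...".
LOGS: List[str] = [
    "2025-03-01T10:02:11Z host=ws-17 user=j.kowalski dst=updates.example-bad.invalid action=CONNECT",
    "2025-03-01T10:02:13Z host=ws-17 user=j.kowalski dst=203.0.113.45 action=CONNECT",
    "2025-03-01T10:03:40Z host=ws-22 user=a.nowak dst=intranet.example.com action=GET",
    "2025-03-01T10:05:02Z host=vpn-gw user=j.kowalski@example.com dst=vpn.example.com action=LOGIN",
]

_KV = re.compile(r"(\w+)=(\S+)")

def parse_log_line(line: str) -> Dict[str, str]:
    """Split a log line into its timestamp and key=value fields."""
    ts, _, rest = line.partition(" ")
    fields = dict(_KV.findall(rest))
    fields["ts"] = ts
    return fields

def prioritise(ind: Indicator, sector: str) -> int:
    """Step 1: confidence plus a bonus when the indicator is tagged with our sector."""
    bonus = 20 if sector in ind.tags else 0
    return min(100, ind.confidence + bonus)

def recommend_response(ind: Indicator) -> str:
    """Steps 2 and 4: the preventive/responsive action tied to an indicator type."""
    if ind.kind == "credential":
        return "force password reset and re-enrol MFA for the account"
    if "c2" in ind.tags:
        return "block egress to the indicator and isolate the source host"
    return "block egress to the indicator and review activity on the source host"

def match_event(event: Dict[str, str], feed: List[Indicator]) -> List[Indicator]:
    """Step 3: credential indicators match the user field, network ones the destination."""
    hits = []
    for ind in feed:
        field = "user" if ind.kind == "credential" else "dst"
        if event.get(field) == ind.value:
            hits.append(ind)
    return hits

def run_pipeline(lines: List[str], feed: List[Indicator], sector: str) -> List[dict]:
    """Run the whole chain over log lines and return alerts sorted by priority."""
    alerts = []
    for line in lines:
        ev = parse_log_line(line)
        for ind in match_event(ev, feed):
            alerts.append({
                "ts": ev["ts"],
                "host": ev.get("host"),
                "user": ev.get("user"),
                "indicator": ind.value,
                "kind": ind.kind,
                "priority": prioritise(ind, sector),
                "response": recommend_response(ind),
            })
    alerts.sort(key=lambda a: a["priority"], reverse=True)
    return alerts

if __name__ == "__main__":
    for alert in run_pipeline(LOGS, FEED, sector="finance"):
        print(f"[{alert['priority']:3d}] {alert['ts']} {alert['host']} "
              f"{alert['kind']}={alert['indicator']} -> {alert['response']}")
```

Running it for the "finance" sector places the sector-tagged C2 domain at the top of the queue, the leaked account second and the generic scanner last; the same feed run for another sector drops the domain’s score back to its raw confidence, which is the point of prioritising against the company’s own profile rather than consuming a feed as-is. In a production setting the matching step would run continuously against a SIEM rather than a list of strings, and the response step would feed a SOAR playbook that requires confirmation before isolating a host.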
However, it is important to remember that regulations such as DORA and NIS2 only set a minimum level. The threat landscape is evolving much faster than any legislative process. Achieving compliance is only a starting point, not an end in itself.
True long-term resilience requires more than that: building a security culture in which third-party risk management is firmly integrated into the company’s business strategy, supplier selection process and day-to-day operations.
The time for preparation and theoretical considerations is irretrievably over. Organisations that understand today that their stability and security depend directly on the digital hygiene of their smallest partners will not only meet the requirements of the law but, above all, build a sustainable competitive advantage in an increasingly unpredictable digital world.