National Cyber Warfare Foundation (NCWF)

EU Regulating InfoSec: How Detectify helps achieving NIS 2 and DORA compliance


2025-06-03 08:56:51



The post EU Regulating InfoSec: How Detectify helps achieving NIS 2 and DORA compliance appeared first on Blog Detectify.



**Disclaimer: The content of this blog post is for general information purposes only and is not legal advice. We are very passionate about cybersecurity rules and regulations and can provide insights into how Detectify’s tool can help fit legal requirements. However, Detectify is not a law firm and, as such, does not offer legal advice.**


Navigating the complex and ever-changing compliance landscape is difficult for many companies and organizations. With many regulations, selecting the appropriate security tooling that aligns with the compliance needs of your business becomes a significant challenge.


This article provides insights into how businesses across the EU can effectively navigate compliance hurdles and make informed decisions when choosing security tools, particularly emphasizing the role Detectify can play in these crucial processes.


The EU Directive on Security of Network and Information Systems (NIS 2 Directive), the EU Digital Operational Resilience Act (DORA), and the EU Critical Entities Resilience Directive (CER) are some of the latest requirements that may be causing concern for companies. DORA has been in force since January 2025, while the deadline for EU Member States to implement the NIS 2 Directive passed in October 2024.


At Detectify, we aim to support our customers by offering insight into these specific requirements and, notably, how our offerings can support organizations in achieving DORA and NIS 2 compliance.


The NIS 2 Directive – (EU) 2022/2555


The NIS 2 Directive is an EU-wide cybersecurity legislation intended to widen the number of organizations actively making cybersecurity efforts in the EU, and to increase the magnitude of those efforts, by putting requirements on the security of networks and information systems. As it is an EU Directive (and not a Regulation), it must be transposed through national legislation in order to apply in the Member States. The deadline for such transposition was October 18, 2024; however, the majority of Member States are lagging behind.


On 7 May 2025 the EU Commission reminded 19 Member States to transpose the Directive into national legislation. This includes Sweden, where a report released on March 5, 2023 by an expert group convened by the Swedish government proposed a new Cybersecurity law, but a government bill has not yet been put before the parliament. NIS 2 replaces and modernizes the previous NIS 1 Directive in an attempt to keep up with the evolving cybersecurity threat landscape, covering many new sectors and introducing stricter requirements. A quick comparison of the NIS 1 and NIS 2 Directives shows that the latter covers 18 sectors, while the former covers 7. The NIS 1 Directive is 30 pages long, while NIS 2 is 73 pages long, an indicator of the increased complexity of the requirements. Many companies in Sweden and across the EU will need to acquaint themselves with NIS 2 and adopt a risk-based approach to the security of their systems.


Who does it apply to? 


The requirements in NIS 2 apply to entities in sectors which are vital for the economy and society and which rely heavily on ICT, such as energy, transport, banking, financial market infrastructures, drinking water, healthcare and digital infrastructure, and certain digital service providers (“essential and important entities”). Both private and governmental entities in the above-mentioned sectors are covered by NIS 2. Public administration entities are in scope as well.


At Detectify, we know we can make a difference


At Detectify, we’ve noticed significant parallels between specific industries, like the public sector, technology and digital services, which are the main focus of the NIS 2 Directive, and areas where Detectify’s DAST tool excels. Our DAST solution is specifically designed for sectors like these, which face issues like rapid digital innovation, leading to an increasingly large attack surface, and where there is a need for secure cloud hosting while maintaining full visibility over the entire attack surface.


The Detectify AST platform comprises two products: Surface Monitoring and Application Scanning. Surface Monitoring is key in discovering and mapping the customer’s attack surface, giving them a comprehensive view through continuous discovery and monitoring of all hosted Internet-facing assets. At the same time, Application Scanning provides deeper insights into custom-built applications and actual business-critical vulnerabilities with advanced crawling and fuzzing, delivering customized, intelligent recommendations on which discovered assets warrant deep testing.


With Detectify’s platform, customers can apply appropriate technical measures to manage external risks from both known and unknown vulnerabilities that threaten their systems and digital services by mapping, identifying, and proactively managing risks before they materialize. Mapping your attack surface is the first step to understanding what is there from a risk management perspective.


In addition, the detailed vulnerability information and attack surface context provided by Detectify can be invaluable for understanding the scope, nature, and potential root causes of a security incident. This facilitates more accurate and timely reporting to authorities, as mandated by NIS 2’s stringent notification deadlines.


In today’s landscape, where cyber threats and attacks are part of day-to-day business and where many malicious players exist (small-scale players, professional black hats, and governmental players), the cyber security requirements posed on critical businesses and providers are a must.


– Cecilia Wik, Head of Legal, Detectify


To the point: Which NIS 2 requirements can Detectify help to fulfil? 


In short, the NIS 2 directive poses requirements on the security of networks and information systems through incident reporting and risk management and, of course, a responsibility for member states to oversee and coordinate actions under the regulation.


Member States can adopt stricter cybersecurity requirements in their national legislation, as the NIS 2 Directive is a minimum harmonization directive. As the Directive is still not fully adopted at Member State level, we may see territorial differences within the EU. They will most likely be minor, however, and most national implementations will be very similar to the Directive.


NIS 2 Article 21.1 outlines that essential and important entities must take appropriate and proportionate technical, operational, and organizational measures to manage the risks posed to the security of network and information systems which those entities use for their operations or for the provision of their services, and to prevent or minimize the impact of incidents on recipients of their services and on other services.


Furthermore, Article 21.2 sets out 10 different minimum requirements of such measures. Detectify can play a key role in the compliance work concerning several of these requirements:


Article 21.2.a) Policies on risk analysis and information system security


The policies on risk analysis mentioned in NIS 2 are meant to be put into practice. Effective risk analysis begins with a complete understanding of the assets one needs to protect. Detectify Surface Monitoring provides comprehensive asset discovery, offering visibility into “what you’re exposing online,” including potentially unknown or forgotten assets (shadow IT) and the technologies they run. This continuous discovery and inventory process is the foundational first step for any robust risk analysis.


Article 21.2.d) Supply Chain Security


While Detectify primarily focuses on scanning the customer’s own external attack surface, our scanning capabilities are vital for managing the customer’s side of supply chain interactions. They can identify vulnerabilities or misconfigurations on externally facing assets that, while owned by the customer, may interact with or be managed by third-party suppliers (e.g., a misconfigured cloud service provided by a vendor but exposed under the customer’s domain).


Article 21.2.e) Security in network and information systems acquisition, development, and maintenance, including vulnerability handling and disclosures


Detectify’s Surface Monitoring can scan the entire external infrastructure for a wide range of vulnerabilities, including misconfigurations, exposed sensitive files, known CVEs, and, critically, risks like subdomain takeovers. Our Application Scanning conducts in-depth vulnerability assessments of web applications. It supports authenticated testing (to find vulnerabilities behind login screens) and employs advanced fuzzing techniques to identify vulnerabilities.


Non-compliance fines will be higher than before and similar to the levels in the GDPR, as they will be calculated based on global annual revenue.


The implementation in my Member State is lagging behind. What should I do in the meantime?


As many Member States are behind with the implementation, organizations may think it’s best to sit back and relax, and await the final implementation in their respective Member States. Depending on the business and structure of the organization, this may however not be the best approach. The EU Commission can issue fines to Member States that are delayed in implementing Directives, which means the 19 governments of the Member States that have not yet implemented the NIS 2 Directive have incentives to make sure national legislation is in place fast. For organizations, this may mean that implementation goes faster than expected, and the time to get everything in place can be short. Especially if your organization is big and complex, with long lead times for important decisions and transformations, it’s better to get started now (if you haven’t already). As stated above, there can be some national deviations in the form of stricter requirements, but generally speaking, most national legislation will be very similar to the NIS 2 Directive. As such, most organizations can start their compliance work by looking at the requirements described in the Directive, while awaiting national legislation.


An additional aspect to keep in mind is that, while 19 Member States do not have national legislation in place yet, there are Member States that made the deadline. If you supply products or services to organizations in those Member States, you may risk losing business if you can’t keep up with the NIS 2 requirements, which your customers are, in part, required to pass on to their suppliers (explicitly through Article 21.2.d – supply chain security), most likely including your company. On the other hand, if you already have robust information security efforts compliant with NIS 2 in place, even though you don’t yet have to, you may be able to gain new customers in Member States that have finished their implementation. The business advantages of making robust information security efforts are naturally not limited to this scenario, and go way beyond attracting NIS 2 customers in other Member States.


The Swedish Protective Security Act (2018:585)


While networks and information systems for a wide range of organizations are within the scope of NIS 2, EU Member States have their own national legislation concerning measures needed to protect national security. In Sweden, the Protective Security Act (Swedish: Säkerhetsskyddslagen) aims to protect the operations of entities of significance for Sweden’s national security. Such entities may hold sensitive information or carry out security-sensitive activities needing specific protection against terrorism, espionage, and sabotage.


The Protective Security Act specifically requires entities to adopt preventive measures to protect the confidentiality, integrity, and accessibility of classified information, and to protect systems used to carry out security-sensitive activities from harmful impact.


NIS 2 and the Protective Security Act may overlap and be applied simultaneously, but the Protective Security Act has precedence based on the lex specialis principle.


Where Detectify comes in


Just as is the case with NIS 2 entities, entities covered by the Protective Security Act need to take action to make sure they can withstand threats, including cyber attacks. Continuous monitoring of attack surfaces can help entities covered by the Protective Security Act in those efforts.


DORA – The Digital Operational Resilience Act (DORA) – EU Regulation 2022/2554


The aim of the DORA regulation is to create a regulatory framework whereby financial firms, and, importantly, also certain ICT providers, such as cloud service providers, will have to make sure they can withstand, respond to, mitigate and recover from all types of ICT-related disruptions and cyber threats. The focus for financial firms is, in other words, shifting from traditional financial resilience alone to resilience in a wider sense, including digital resilience.


DORA is a Regulation and, unlike NIS 2, which is a Directive, came into direct effect in EU Member States on January 17, 2025. Member States may adopt additional legislation on the same matter, but national implementation is not required for DORA. This means that financial sector entities have had to be compliant with the DORA regulation for almost half a year. The rules have been further elaborated by the EU Commission in the form of Regulatory Technical Standards (RTS), Implementing Technical Standards (ITS) and guidelines.


Who does it apply to? 


The DORA Regulation has a significant impact across the EU. It covers over 22 000 companies within the Union, harmonizing the financial sector’s operational resilience. It affects not only financial institutions but also third-party service providers providing critical services to such institutions, such as cloud service providers.


What are the requirements? 


DORA regulates 5 central areas:


1) Governance and Risk Management

2) Incident Reporting

3) Testing of Digital Operational Resilience

4) Management of ICT Third-Party Risks

5) Information Sharing


Where Detectify comes in 


Detectify can help strengthen the resilience of financial institutions and ICT service providers by:



  1. Setting up protection and prevention measures within risk and governance by:

  • Firstly, mapping an organization’s external attack surface, where even unknown assets can be identified;

  • Secondly, setting up Surface Monitoring, which keeps such assets under continuous surveillance;

  • Lastly, applying Application Scanning, whereby customers can identify risks (vulnerabilities) and the actual scope of the threat landscape.

  2. Enabling users to promptly detect anomalous activities through Application Scanning and by setting up specific monitoring rules under Detectify’s Attack Surface Custom Policies.

  3. Providing insights into identified vulnerabilities, their severity, and actionable remediation tips to help teams prioritize and remediate threats more effectively.

  4. Enabling responsible disclosure of major vulnerabilities to authorities when needed, using the vulnerability information provided by Detectify.


Closing remarks


We will continue to add updates to this post as we receive more information about regulations and their implications. Like the regulations above, Detectify emphasizes proactive cybersecurity and is passionate about helping its customers become more secure. In this article, we have covered only a handful of topical regulations that apply in the EU, and we know there are many more specific standards and regulations that may apply.


With Detectify’s Attack Surface Custom Policies, users can monitor for policy breaches as they occur in production. If a policy breach is detected, an alert is produced with helpful insights to help accelerate remediation.


Attack Surface Custom Policies leverage the complete coverage capabilities of Surface Monitoring to continuously monitor your external attack surface, ensuring your clearly defined security policies are enforced, no matter the size of your attack surface. Many of our customers have built their own personalized compliance rules for their exposed web assets.


Are you interested in learning more about Detectify? Start a 2-week free trial or talk to our experts.


This article was originally published in March 2024 and updated in June 2025.





Source: detectify
Source Link: https://blog.detectify.com/best-practices/navigating-the-eu-compliance-landscape-how-detectify-helps-support-customers-in-their-nis2-directive-cer-and-dora-compliance-challenges/

