An expert panel at the Data Insights x Shoosmiths conference discussed what organizations should be doing now and also examined the risks that may lie ahead.

And given the fact that the new cybersecurity laws are upon us, with the Digital Operational Resilience Act (DORA) having gone live on January 17, and Network and Information Security Directive 2 (NIS2) in effect since October 18, 2024 – it became quickly apparent that there is much for organizations to do.

Panel – From regulation to resilience: Preparing for the next wave of cybersecurity laws: Nick Holland, partner at Shoosmiths; Christian Cockcroft, principal associate at Shoosmiths; Katarina Vetrakova, head of privacy and security at GoCardless; Mike Garside, third party risk director – corporate security at Oracle; and Gareth Davies, head of legal at Jamf.

Who is a critical provider?

Katarina Vetrakova, head of privacy and security at GoCardless, talked about the importance of moving ahead and completing all preparations in order to ensure being able to comply with these new regulations.

She explained that it’s important not to underestimate the relatively onerous nature of the new requirements as well as the challenges in their operational implementation and suggested running weekly spot checks to firms to uncover areas where work is either incomplete or where issues persist.

Mike Garside, third party risk director – corporate security as Oracle, pointed out the need, first and foremost, to identify what the critical functions are and who supports these. Could it be you, your provider or both? From a practical perspective he also warned the audience that being compliant with the directives does not guarantee safety, suggesting that “you can be compliant but not secure!”

“Practice, practice, practice.”

Katarina Vetrakova, head of privacy and security at GoCardless

Even if the new regulatory regimes will not affect your firm at the present time, it is still important to learn about and have a good understanding of both DORA and NIS2. This is because, for example, there may be situations in the future where a client, business partner, supplier or third-party provider that you have a relationship with may need to be compliant and this could have an impact on the working or contractual relationship with your firm.

Understanding the risks of being non-compliant was also another big imperative for getting to grips with the new rules, Gareth Davies, head of legal at Jamf, observed. By focusing on the risks, companies can more quickly grasp what is needed of them, and what approach might be best taken to ensure compliance.

Handling risks and incidents

When it comes to navigating both cyber risks and supply-chain risks, preparation and practice are vital, the participants said. In a continuously changing and interconnected world, events like wars, pandemics, and cyberattacks will happen – the key is to know what to do when an event or incident actually occurs.

Vetrakova highlighted the importance of creating documentation on ways to handle incidents as well as trying to calculate the likelihood of risks actually arising.

She then suggested that firms “practice, practice, practice” in order to be prepared to tackle an incident or event in an efficient and timely manner when it materializes. She also suggested that it is vital to know who is responsible for communicating with parties (both internal and external) when an incident occurs.

Another way to stay ahead is to prepare FAQs for employees in advance that they can, in turn, explain to clients why certain actions are being taken or why some rules may or may not apply. Vetrakova joked that she loved incidents because they invariably lead to lessons being learned!

“You can be compliant but not secure!”

Mike Garside, Third Party Risk Director – Corporate Security as Oracle

In addition to ensuring preparedness and complying with the regulatory requirements, another essential tip from the panel was to build a relationship with the regulator(s).

Finally the experts made a key point that reporting an incident to the authorities is not tantamount to an admission of guilt. In many cases such a report will not mean that you or your firm have done something wrong, it may even demonstrate the fact that you are compliant, the panel suggested.

You can read our first report from the event: From guardians to architects: Reimagining the DPO in the AI era here.

We also recently published a podcast on all things DORA including discussions on implementation, scope, next steps for financial entities and ICT third-party providers, and the consequences of non-compliance. Listen here.