Posted on Leave a comment

How to determine the ‘significance’ of a NIS2 incident: a clear guide to the 9 ENISA criteria

The NIS2 Directive introduces a key concept: not all cyber incidents are the same. Some must be reported because they fall into the category of significant incidents.
According to ENISA (Reg. 2690/2024), the security manager’s ‘impression’ is not enough to determine this: nine regulatory criteria must be applied, each with precise thresholds.

The main criteria include:

  • significant economic damage (≥ £500,000 or 5% of turnover)
  • exfiltration of trade secrets
  • compromise of confidentiality, integrity or availability (CIA) caused by malicious action
  • serious operational disruption
  • duration of unavailability beyond sector thresholds
  • degradation of response time
  • impact on health
  • percentage of users affected
  • recurrence in the last 6 months

Each criterion requires specific information, comprehensive data and an objective approach. Performing the assessment ‘by hand’ increases the risk of error, with potential consequences in an increasingly stringent regulatory environment.
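As an added illustration (not code from the post or from the Incident Significance Manager product), a Python evaluator that applies the nine criteria listed above and reports which ones an incident meets. The economic thresholds (500,000 or 5% of turnover) and the 6-month recurrence window come from the post; the sector unavailability threshold and the share-of-users threshold are not stated there and are taken as assumed per-incident inputs.

```python
from dataclasses import dataclass, field
from datetime import date

# Thresholds stated in the post: 500,000 (currency units) or 5% of annual
# turnover for economic damage, and a 6-month window for recurrence.
LOSS_ABSOLUTE = 500_000
LOSS_TURNOVER_SHARE = 0.05
RECURRENCE_MONTHS = 6


@dataclass
class Incident:
    """Facts gathered about one incident. Sector-specific thresholds
    (unavailability, share of users) are not given in the post, so they
    are supplied per incident as assumed inputs rather than hard-coded."""
    occurred: date
    direct_loss: float
    annual_turnover: float
    trade_secret_exfiltrated: bool = False
    cia_compromised_by_malicious_action: bool = False
    serious_operational_disruption: bool = False
    unavailability_hours: float = 0.0
    sector_unavailability_threshold_hours: float = float("inf")  # assumed input
    response_time_degraded: bool = False
    health_impact: bool = False
    users_affected_pct: float = 0.0
    users_affected_threshold_pct: float = 100.0  # assumed input
    prior_incident_dates: list = field(default_factory=list)


def months_before(d: date, months: int) -> date:
    """Calendar-month subtraction; the day is capped at 28 so the result
    is always a valid date (a simplification, assumed here)."""
    years, month_index = divmod(d.month - 1 - months, 12)
    return date(d.year + years, month_index + 1, min(d.day, 28))


def triggered_criteria(inc: Incident) -> list:
    """Return the names of the criteria this incident meets."""
    hits = []
    share_limit = LOSS_TURNOVER_SHARE * inc.annual_turnover
    # "≥ 500,000 or 5% of turnover": crossing either threshold counts.
    if inc.direct_loss >= LOSS_ABSOLUTE or (
        inc.annual_turnover > 0 and inc.direct_loss >= share_limit
    ):
        hits.append("economic_damage")
    if inc.trade_secret_exfiltrated:
        hits.append("trade_secret_exfiltration")
    if inc.cia_compromised_by_malicious_action:
        hits.append("cia_compromise_malicious")
    if inc.serious_operational_disruption:
        hits.append("serious_operational_disruption")
    if inc.unavailability_hours > inc.sector_unavailability_threshold_hours:
        hits.append("unavailability_beyond_sector_threshold")
    if inc.response_time_degraded:
        hits.append("response_time_degradation")
    if inc.health_impact:
        hits.append("health_impact")
    if inc.users_affected_pct >= inc.users_affected_threshold_pct:
        hits.append("users_affected_share")
    # Recurrence: any earlier incident in the 6 months before this one.
    window_start = months_before(inc.occurred, RECURRENCE_MONTHS)
    if any(window_start <= d < inc.occurred for d in inc.prior_incident_dates):
        hits.append("recurrence_within_6_months")
    return hits


def is_significant(inc: Incident) -> bool:
    """An incident is significant when at least one criterion is met."""
    return bool(triggered_criteria(inc))
```

The returned list doubles as the evidence record for the report: each name is the criterion that fired, and an empty list documents why no notification was made.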

👉 Would you like to see a practical example of applied assessment?
Watch the video demo of the NIS2 Incident Significance Manager software.

 


NIS 2 – T-SCRM is born – the innovative Software for IT Vendor Risk Management

IT Security of the supply chain is no longer a choice, but an obligation.
The NIS 2 Directive and the DORA Regulation require organisations to ensure operational resilience and control over IT and critical service providers.

This is why we have developed T-SCRM, the Windows PC software that simplifies IT risk management with a practical and documented approach:

✅ Assessment of suppliers according to compliance, cybersecurity and reliability criteria
✅ Incident log with severity index (1 = slight, 5 = critical)
✅ Monitoring of contracts and certifications, with alerts on deadlines
✅ Interactive dashboard with risk indicators and graphs
✅ Automatic reports for audits, Supervisory Board 231, NIS 2 and DORA

Who it is aimed at:

  • NIS 2 and DORA consultants
  • IT, Compliance and Procurement Managers
  • DPOs

With T-SCRM you move from Excel sheets to structured, reliable and compliant management.


New Release: Asset Manager NIS 2 – The Essential Software for Full ICT Asset Mapping and Compliance

Are you a company, public body, or consultant navigating the complexities of the NIS 2 Directive?
The Asset Manager NIS 2 software is built specifically to support your compliance journey.

With this intuitive tool, you can:

✅ Register and classify all ICT assets, distinguishing between critical and non-critical
✅ Link assets to business processes and managers for clear accountability
✅ Manage external ICT providers (e.g., cloud services) in one centralized system
✅ Automatically assess risks, known vulnerabilities, and security measures applied
✅ Generate detailed reports for audits and inspections
✅ Manage unlimited companies under one license

Runs on Windows 10 or later – no web connection required

Ideal for:

  • Companies subject to NIS 2
  • Privacy and cybersecurity consultants
  • Public institutions

Learn more & request a demo here: https://edirama.eu/prodotto/software-asset-manager-nis-2-annual-license/

#NIS2 #Cybersecurity #ICTAssets #RiskAssessment #ComplianceTools #DigitalSecurity #Edirama #CyberResilience #ConsultingTools


How to Develop Your NIS 2 Consulting Business with Edirama’s Professional Kits

The implementation of the NIS 2 Directive and the 2025 ACN Specifications has created a growing demand for consulting services—from essential and important entities to ICT providers working with regulated companies.

For privacy consultants, management systems experts (ISO 27001, ISO 9001, ISO 45001, etc.) and IT auditors, this is the perfect time to expand their services with a concrete and structured offering.

To support this goal, Edirama has developed the NIS 2 Consultant Kit, which includes:

How each consultant profile can use these tools

1. Privacy Consultant / DPO
Offer a “Privacy + Cyber Risk” package by integrating:

  • Impact assessment on critical data processes using the Audit Kit.

  • Incident and continuity plans from the Documentation Kit.

2. ISO Consultant
Offer a “NIS 2 Compliance Add-On” by integrating:

  • ISO/NIS 2 gap analysis (Audit Kit).

  • NIS 2-specific procedures (Documentation Kit).

  • Asset mapping and risk analysis (Asset Manager Software).

3. IT Consultant / Auditor
Provide a practical technical service, including:

  • Asset classification and service mapping.

  • Security measures implementation.

  • Incident simulation and recovery plans.

Example revenue potential:

  Consultant Type | Service Offered              | Avg. Price | Clients/year | Annual Revenue
  DPO             | Privacy + NIS 2 Package      | €2,500     | 10           | €25,000
  ISO Consultant  | NIS 2 Add-On to ISO          | €3,500     | 8            | €28,000
  IT Consultant   | Technical Cyber Risk Package | €5,000     | 6            | €30,000

Now is the time to prepare. The NIS 2 Consultant Kit provides all the tools to start delivering compliant, professional, and high-value consulting services.


DORA: How to Organize Governance, Roles, and Operational Responsibilities

Practical Guide for Companies and Consultants in Managing Digital Resilience

The European Regulation DORA (Digital Operational Resilience Act, EU 2022/2554) clearly states: digital resilience is not just an IT issue. It is an organizational, strategic, and cross-functional duty.

To ensure the continuity of essential services in the event of adverse ICT events, it is necessary to establish solid governance, clearly define roles and responsibilities, and make digital resilience an integral part of the company’s operating model.

In this article, we explore how to structure DORA governance, what to do operationally, and how a consultant can support the process.


Governance: Who Leads Digital Resilience?

DORA establishes that the ultimate responsibility lies with the management body (Board of Directors).
This is not a technical compliance to be entirely delegated to the IT department, but a strategic asset under the direct control of the top management.

The Role of Top Management:

✅ Approve the ICT strategy and risk management plans
✅ Allocate resources, roles, and responsibilities
✅ Monitor incidents and testing activities
✅ Ensure that digital resilience is integrated into the company culture

Decisions cannot be merely formal: the Board must receive periodic reports, updates, and dashboards.
An expert consultant can help create clear and decision-oriented reporting models.


Key Roles to Define (Internally or Outsourced)

Effective DORA governance requires the explicit and documented assignment of roles. Here are the main ones:

ICT Risk Manager

Responsible for assessing, classifying, and monitoring risks related to information systems.

Information Security Officer (CISO / ISO)

Coordinates the implementation of security measures, participates in audits, and promotes a security culture.

Business Continuity Manager

Oversees business continuity and disaster recovery plans, including resilience testing.

Incident Reporting Officer

Manages the detection, recording, classification, and internal/external communication of ICT incidents.

Third-Party ICT Provider Manager

Evaluates critical suppliers, manages due diligence, coordinates contractual controls, and audits.


⚙️ Operational Responsibilities: What to Do and Who Does It

DORA requires companies not only to write procedures but also to demonstrate that roles are effectively operational.

Here are the activities that must be assigned and overseen:

  Activity                             | Involved Role                   | Frequency
  Mapping critical ICT assets          | ICT Risk Manager, IT            | Annually or upon changes
  Assessing ICT risks                  | ICT Risk Manager                | Annually or after significant events
  Drafting and updating ICT policies   | ISO/CISO                        | Annually
  Simulating business continuity tests | Business Continuity Manager     | Annually
  Reporting significant ICT incidents  | Incident Reporting Officer      | Within 24h (internal), as per thresholds for external
  Evaluating critical ICT suppliers    | Third-Party ICT Manager + Legal | Pre-contract and periodically

How a DORA Consultant Can Act

An expert DORA consultant should:

  • Support in building governance (organizational chart, delegations, decision-making flows)

  • Draft or review policies and job descriptions related to DORA roles

  • Train responsible parties and the Board on minimum competencies required by the Regulation

  • Help create dashboards, reports, checklists for continuous monitoring

A common mistake? Stopping at an updated organizational chart. The real difference lies in making governance operational, active, and verifiable.


Conclusion

The DORA Regulation requires organizations to shift from an isolated ICT model to digital resilience integrated into corporate governance.

To achieve this, it is necessary to:

✅ Clearly define roles and responsibilities
✅ Involve the management body
✅ Assign operational tasks with traceable evidence
✅ Continuously monitor, test, and improve


FAQ: We are ISO 27001 certified, are we DORA compliant?

Not so fast.

ISO 27001 and DORA both focus on cybersecurity and risk management, but they serve very different purposes. If you’re a financial institution or an ICT provider working with financial institutions in the EU, DORA compliance is mandatory, and ISO 27001 alone won’t get you there. Let’s break it down:

1. Regulatory vs. Voluntary Framework

↳ ISO 27001 – A voluntary international standard for information security management.

↳ DORA – A mandatory EU regulation for financial entities and their ICT providers, with strict oversight and penalties for non-compliance.

2. Scope and Focus

↳ ISO 27001 – Offers a customizable scope tailored to organizational needs, focusing on information security (confidentiality, integrity, availability) based on specific risk assessments and chosen controls.

↳ DORA – Enforces a standardized scope across financial entities, extending beyond security to operational resilience. It ensures institutions can withstand, respond to, and recover from ICT disruptions while maintaining service continuity.

3. Key Compliance Gaps

Incident Reporting

↳ ISO 27001 – Requires incident management but doesn’t impose strict deadlines or mandate reporting to regulators, as it is a flexible standard.

↳ DORA – 4 hours to report a major incident, 72 hours for an update, 1 month for a root cause analysis.

Security Testing

↳ ISO 27001 – Requires vulnerability management but leaves testing methods and frequency to organizational risk.

↳ DORA – Annual resilience testing, threat-led penetration testing every 3 years, continuous vulnerability scanning.

Third-Party Risk Management

↳ ISO 27001 – Covers supplier risk but with general security controls.

↳ DORA – Enforces contractual obligations, exit strategies, and regulatory audits for ICT providers working with financial institutions.

4. How can financial institutions and ICT providers close the gap?

Perform a DORA Gap Analysis – Identify missing controls beyond ISO 27001. (Hopefully, you’re not still at this stage now that DORA has been mandatory since January 17, 2025.)

Upgrade Incident Response – Implement real-time monitoring and reporting mechanisms to meet DORA’s deadlines.

Enhance Security Testing – Introduce formalized resilience testing and threat-led penetration testing.

Strengthen Third-Party Risk Management – Update contracts, prepare for regulatory audits, and ensure exit strategies comply with DORA.

Improve Business Continuity Planning – Move from cybersecurity alone to full digital operational resilience.


ENISA NIS360 2024 report: A comprehensive look at cybersecurity maturity and criticality of NIS2 sectors


Managing artificial intelligence threats with ISO/IEC 27001

The increasing integration of artificial intelligence (AI) into business processes brings both opportunities and new challenges in terms of information security. To effectively address the threats associated with AI, the adoption of ISO/IEC 27001 provides a structured framework for information security management.

ISO/IEC 27001 and AI Security

ISO/IEC 27001 is an international standard that defines the requirements for establishing, implementing, maintaining and continuously improving an Information Security Management System (ISMS). This standard is designed to protect organisations’ information from threats, vulnerabilities and attacks, ensuring confidentiality, integrity and availability of data.

ISO 27001 Controls Relevant to AI

In the field of AI, some specific controls of ISO/IEC 27001 are particularly relevant:

  1. Risk Assessment (Clause 6.1.2): Identify and assess the risks associated with AI systems, considering potential vulnerabilities and specific threats.
  2. Data Security (Clause 8.2): Ensure that data used for training and operation of AI models is protected from unauthorised access and manipulation.
  3. Technical Vulnerability Management (Clause 12.6.1): Implement processes to identify, assess and mitigate vulnerabilities in AI systems, ensuring timely updates and patches.
  4. Access Management (Clause 9.1): Define and control access rights to AI systems, ensuring that only authorised personnel can interact with them.
  5. Security in Development (Clause 14.2.1): Integrate security measures during the development and implementation of AI systems, following secure coding practices and rigorous testing.

Enhancing AI Security with ISO 27001

Implementation of ISO/IEC 27001 helps organisations to:

  • Structure Risk Management: Through systematic risk assessment, organisations can identify and mitigate specific AI-related threats.
  • Establish Operational Controls: Establish operational procedures and policies that ensure the safe and responsible use of AI systems.
  • Ensure Regulatory Compliance: Align with applicable data protection and information security regulations, reducing the risk of penalties.
  • Promote a Culture of Security: Raise staff awareness of the importance of security in the use and development of AI, promoting an organisational culture geared towards information protection.

In addition, the recently published standard ISO/IEC 42001:2023 provides specific guidelines for the management of AI systems, complementing and extending the security measures provided by ISO/IEC 27001.

By adopting an ISO/IEC 27001-based approach, organisations can proactively address AI-related security challenges while ensuring innovation and operational efficiency.

Self-Assessment Checklist:

  1. Risk Assessment
    • Have we identified and assessed the specific risks associated with our AI systems?
    • Is there a documented process for managing AI-related risks?
  2. Data Security
    • Is the data used for training and operating AI models protected from unauthorised access?
    • Have we implemented measures to ensure the integrity and confidentiality of AI data?
  3. Technical Vulnerability Management
    • Is there a procedure for identifying and resolving vulnerabilities in AI systems?
    • Do we regularly monitor vulnerabilities and apply the necessary patches in a timely manner?
  4. Access Management
    • Do we have clearly defined access rights to AI systems?
    • Do we use authentication and authorisation mechanisms to control access to AI systems?
  5. Security in Development
    • Do we apply secure development practices when creating our AI systems?
    • Do we perform regular security tests on our AI models before their implementation?
  6. Regulatory Compliance
    • Are our AI processes aligned with current data protection and information security regulations?
    • Have we documented the measures taken to ensure compliance with applicable regulations?
  7. Security Culture
    • Are our staff trained and aware of AI-related security practices?
    • Do we promote a corporate culture that values information security in the use of AI?

This checklist helps assess the implementation of security controls relevant to AI according to ISO/IEC 27001. A proactive approach to managing these aspects strengthens the overall security of AI systems within the organisation.


The cost of consulting for NIS 2 Directive compliance: practical examples

The NIS 2 Directive, issued by the European Union, has established new cybersecurity standards for operators of essential services and digital service providers. Compliance with these regulations requires specialized expertise, and many organizations turn to expert consultants for support. But how much does NIS 2 consulting cost? In this article, we will explore the key factors that determine the fees and provide practical examples.


Factors influencing consulting fees

  1. Size of the organization
    • Larger organizations with complex IT infrastructures require more detailed consulting, resulting in higher costs.
  2. Type of services requested
    • Some companies need a comprehensive review of their security policies, while others may require specific interventions, such as drafting a Risk Assessment or conducting a Vulnerability Assessment.
  3. Consultant’s experience
    • Professionals with years of experience in cybersecurity and in-depth knowledge of the NIS 2 Directive typically charge higher rates than less experienced consultants.
  4. Duration and complexity of the project
    • A full compliance project may take months, with costs proportional to the hours or working days involved.
  5. Consultant certifications

Practical examples of consulting fees

1. Basic consulting for an SME

  • Scenario: An SME in the manufacturing sector requires an initial assessment of its compliance with the NIS 2 Directive.
  • Tasks performed:
    • Initial analysis of processes and IT infrastructures.
    • Drafting an action plan for compliance.
  • Duration: 5 working days.
  • Average cost: €5,000 – €7,500.

2. Full compliance for a large organization

  • Scenario: An energy company needs to implement all the security measures required by the regulation.
  • Tasks performed:
    • Comprehensive IT infrastructure audit.
    • Drafting security procedures and policies.
    • Internal staff training.
    • Penetration Testing.
  • Duration: 6 months.
  • Average cost: €100,000 – €200,000.

3. Staff training and awareness

  • Scenario: A transportation company wants to train its employees on cybersecurity best practices.
  • Tasks performed:
    • Creating a customized training program.
    • Delivering training sessions in person or online.
  • Duration: 3 training days.
  • Average cost: €3,000 – €5,000.

4. Ongoing consulting services

  • Scenario: A digital service provider requires continuous support to ensure ongoing compliance with the NIS 2 Directive.
  • Tasks performed:
    • Periodic vulnerability monitoring.
    • Regulatory updates.
    • Incident management support.
  • Duration: Annual contract.
  • Average cost: €20,000 – €50,000 per year.

Conclusion

The cost of NIS 2 consulting varies significantly depending on the specific needs of the organization, the complexity of the tasks, and the consultant’s experience. Investing in professional support not only ensures regulatory compliance but also strengthens the organization’s resilience against cybersecurity threats. Therefore, it is essential to carefully evaluate the cost-benefit ratio and choose a qualified consultant capable of providing tailored solutions.


Unlocking Professional Opportunities with the DORA Act for Legal, IT, and Privacy Consultants

The Digital Operational Resilience Act (DORA), recently enacted by the European Union, is not just a regulatory requirement; it is a golden opportunity for professionals in legal, IT, and data privacy fields. By ensuring operational resilience in the financial sector, DORA opens doors for consultants to expand their expertise, enhance their services, and meet the growing demand for compliance solutions.

Opportunities for Legal Consultants

Legal professionals are critical to interpreting the complex provisions of DORA, drafting policies, and ensuring organizations align with the regulatory framework. They play a key role in:

  • Drafting contracts and service agreements compliant with DORA requirements.
  • Advising on liability and risk-sharing agreements in outsourcing and ICT third-party relationships.
  • Representing clients in compliance audits and addressing regulatory disputes.

Opportunities for IT Consultants

IT specialists are indispensable in implementing the technical requirements of DORA. Their contributions include:

  • Developing robust cybersecurity measures to meet DORA’s stringent standards.
  • Conducting risk assessments and testing IT systems for resilience.
  • Implementing secure and monitored ICT systems to prevent disruptions.

Opportunities for Privacy Consultants and DPOs

With the increased focus on data integrity and confidentiality, privacy consultants and Data Protection Officers (DPOs) are integral to DORA compliance:

  • Ensuring data protection policies align with both DORA and GDPR requirements.
  • Assisting in secure data processing, storage, and sharing protocols.
  • Providing guidance during regulatory reporting of ICT-related incidents involving personal data.

The DORA Act thus provides a fertile ground for growth and specialization. Professionals who seize this opportunity can position themselves as indispensable partners in helping organizations achieve compliance and operational excellence.