
The cybersecurity landscape in Europe is undergoing a profound change. The NIS2 and DORA regulations, recently approved by the European Union, raise the level of protection for companies and critical infrastructures. Thousands of companies must adapt to new security levels, never addressed before, and do so in a short time. But what really changes for those working with Cloud Native architectures?
At SparkFabrik, we deal with security applied to distributed, containerized, and dynamic contexts on a daily basis. That's why we want to share a clear, concrete, and action-oriented vision on how to face this new regulatory phase.
New standards for digital security and resilience
The European Union has embarked on an ambitious journey to strengthen the digital resilience of the continent and raise the bar for cybersecurity for everyone. The NIS2 (Network and Information Systems 2) directive and the DORA (Digital Operational Resilience Act) regulation are at the center of this strategy and introduce new and more rigorous requirements for organizations across all sectors.
For companies that have embraced modern Cloud Native approaches - characterized by microservices, containers, and distributed orchestration - these regulations represent a significant challenge, but also an important opportunity. It is evident how the intrinsic complexity of distributed cloud environments clashes with the need to ensure visibility, control, and continuous compliance, as required by the new regulations.
As frontline experts in these architectures, in this article we analyze the main characteristics of NIS2 and DORA and their specific implications for Cloud Native technologies. This will make clear why it matters to select technology partners, like SparkFabrik, that are already aligned with the new regulatory requirements.
NIS2: the level-up of European cyber-security
From NIS to NIS2: more subjects involved, more responsibilities
The NIS2 directive (EU 2022/2555) is a truly substantial evolution compared to the first NIS, and has a clear objective: to strengthen security and resilience of European information networks and infrastructures (the acronym "NIS" stands for "Networks and Information Systems").
Adopted on December 14, 2022, it came fully into force in October 2024 with Member States transposing it into their respective national legislations. In Italy too, it was transposed within the deadline and the first implementation phase is now underway, with registration with the ACN (National Cybersecurity Agency) and the adoption of the first measures. In short: you can no longer procrastinate, it's time to adapt.
The main novelties?
- Greater breadth: many (but really many) more companies involved, in more sectors identified as essential or important. The coverage is really broad, including: energy, transport, banks and financial institutions, healthcare, drinking water, digital infrastructures (cloud providers, data centers, CDN), space, postal services, production of critical medical devices, electronic components, online marketplaces, search engines and social platforms. Last but not least, all public administrations are also covered.
- More stringent requirements and obligations: security measures are strengthened, and active risk management (including controls and tests) and staff training become mandatory.
- Direct management responsibility: the heads of organizations are personally responsible for compliance.
- Notification obligation: all security incidents must be notified to the authorities within 24 hours, with a complete report within 30 days.
- Controls and sanctions: national competent authorities have strengthened supervisory powers and the sanctioning system is more rigid.
Moreover, the European Commission aims to make the application of the new regulation more uniform among all member states, among which there are marked differences, raising the level for everyone overall.
All this means that many organizations will have to adapt to cybersecurity requirements never faced before, creating a wave of demand for specialized skills in the sector, in Italy and throughout Europe.
Key requirements for compliance with NIS2
As we said, more stringent requirements, but what do they consist of? Concretely, NIS2 requires the implementation of various technical, operational, and organizational measures to manage security risks. These are specified in Article 21 of the directive and include:
- Risk analysis
- Security of the supply chain and IT suppliers
- Procedures for incident management and notification
- Business continuity and disaster recovery
- Protection of networks, systems, and data
- Vulnerability management
- Training and awareness of personnel
- Procedures for cryptography, encryption, and identity management
- Periodic security audits and tests, evaluation of adopted measures
We strongly recommend consulting the official resources from ENISA (which is the EU Agency for Cybersecurity) to delve deeper into the individual novelties and high-level requirements of the directive. We will see shortly how these general measures apply in Cloud Native environments.
DORA: digital resilience in the financial sector
Financial world, but also ICT suppliers
DORA (Digital Operational Resilience Act - EU Regulation 2022/2554) is a regulation complementary to the NIS2 directive, focused exclusively on the financial sector. It was adopted together with NIS2 in 2022 and came into application on January 17, 2025. Important: as an EU Regulation, it does not need transposition, it is directly applicable law in all Member States.
DORA applies to over 20 categories of financial entities, including banks, insurance companies, payment systems, pension entities, crypto-asset managers.
Not only that: technology providers that support these financial entities (such as cloud providers and data analysis services) can also be subject to supervision, under the supply-chain security requirement.
The five pillars of DORA
The regulation aims to create a harmonized framework for digital operational resilience in the financial sector across all member states, recognizing its crucial importance for the European economy and society.
More specifically, DORA is articulated in five "pillars" or main areas of intervention, as described by the European Commission:
- ICT risk governance and management: not only identification, assessment, and active risk mitigation, but also requirements for the involvement of management bodies.
- ICT incident management: obligation of standardized processes to detect, classify, document, and finally notify incidents.
- Digital resilience testing: regular resilience checks, introduction of advanced testing programs, including threat-led penetration testing (TLPT).
- Third-party risk management: DORA also involves ICT service providers, introducing the obligation to assess suppliers and include minimum content for contracts.
- Information sharing: the sharing of information on threats and vulnerabilities between financial entities is promoted, in favor of "collective resilience".
The specific challenges for Cloud Native environments
Cloud Native architectures are now the new reference standard for modern applications. But if on one hand their dynamic and distributed nature offers agility and scalability, on the other side of the coin it makes compliance with NIS2 and DORA a complex and challenging exercise.
Let's examine the characteristics of Cloud Native, from the perspective of their implications for security.
Microservices and orchestration
A microservices architecture implies that each service is also a potential point of vulnerability. Not only that, data flows between microservices also need to be monitored, authenticated, and protected, with an evident increase in complexity in the inventory of resources.
The use of orchestrators for such services, such as Kubernetes, introduces additional levels of control but also new critical points. A correct configuration is complex but essential for security, requiring, among other things, continuous monitoring, automated policy enforcement, control over API exposure, and RBAC or other privilege management best practices.
Containers and CI/CD
Adopting containers means that every image, as well as each of its base components, may contain flaws. An automated CI/CD pipeline is needed that can perform:
- Continuous image scanning (SAST, DAST)
- Validation of secrets and environment variables
- Analysis of open source components (SCA)
- Policy enforcement on images, deploy, and runtime
The very adoption of CI/CD practices has a dual consequence: while continuous development allows teams to quickly resolve detected vulnerabilities, each code change can also open new ones. Automated security tests help mitigate such risks.
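The "validation of secrets and environment variables" step above is the one most often left to manual review. The following is an added example (not SparkFabrik's code, and not from any tool named on this page) of a pipeline gate that parses a `.env`-style variable file and fails the build when a variable holds a literal credential rather than a reference to a secret store. The value patterns, the `${...}`/`vault:`/`secretmanager:` reference convention, and every value in `SAMPLE_ENV` are constructed for the example.

```python
"""Pipeline gate that flags literal credentials in environment configuration (added example)."""
import math
import re
from dataclasses import dataclass

# Variable names that conventionally carry credentials.
SENSITIVE_NAME = re.compile(r"(PASS(WORD)?|SECRET|TOKEN|API_?KEY|PRIVATE_KEY|ACCESS_KEY)", re.I)

# Value shapes that are credentials whatever the variable is called.
VALUE_PATTERNS = {
    "AWS access key id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private key block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "credential embedded in URL": re.compile(r"://[^/\s:@]+:[^@\s]+@"),
}

# Values resolved at runtime from a secret store are references, not secrets.
# These prefixes are a constructed convention for this example.
REFERENCE_PREFIXES = ("${", "vault:", "secretmanager:")


@dataclass
class Finding:
    name: str
    reason: str


def shannon_entropy(s: str) -> float:
    """Bits per character: random tokens score high, ordinary words score low."""
    if not s:
        return 0.0
    length = len(s)
    return -sum(s.count(c) / length * math.log2(s.count(c) / length) for c in set(s))


def parse_env(text: str) -> dict:
    """Parse KEY=VALUE lines (.env or CI variable file style), skipping comments."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip("'\"")
    return env


def check_env(env: dict, entropy_threshold: float = 4.0, min_len: int = 20) -> list:
    """Return one Finding per variable that appears to hold a literal secret."""
    findings = []
    for name, value in env.items():
        if not value or value.startswith(REFERENCE_PREFIXES):
            continue  # empty or injected at runtime: nothing literal to leak
        for reason, pattern in VALUE_PATTERNS.items():
            if pattern.search(value):
                findings.append(Finding(name, reason))
                break
        else:
            if SENSITIVE_NAME.search(name):
                findings.append(Finding(name, "literal value in a credential-named variable"))
            elif len(value) >= min_len and shannon_entropy(value) >= entropy_threshold:
                findings.append(Finding(name, "high-entropy literal"))
    return findings


def gate(text: str) -> bool:
    """True when the configuration may proceed, False when the pipeline should fail."""
    return not check_env(parse_env(text))


# Constructed sample configuration; none of these values is real.
SAMPLE_ENV = """
DATABASE_URL=postgres://app:s3cretpass@db.internal:5432/app
AWS_ACCESS_KEY_ID=AKIAEXAMPLE000000000
API_TOKEN=${VAULT_API_TOKEN}
LOG_LEVEL=info
SESSION_SECRET=aB3dE5fG7hI9jK1lM2nO4pQ6rS8tU0vW
BUILD_ID=20250101-123456
"""

if __name__ == "__main__":
    for f in check_env(parse_env(SAMPLE_ENV)):
        print(f"BLOCK {f.name}: {f.reason}")
    print("gate passed" if gate(SAMPLE_ENV) else "gate failed")
```

Run against `SAMPLE_ENV`, the gate blocks the embedded database password, the access-key-shaped value and the literal session secret, while `API_TOKEN` passes because it is a reference the platform resolves at deploy time. The entropy rule is the fallback for credentials whose name and shape give nothing away; tune the threshold on your own configuration before enforcing it, since hex-only values score lower than base64 ones.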
IaC, Multi-cloud and hybrid environments
Infrastructure as Code allows teams to manage infrastructure configuration through code and solves the scalability problems of the past. However, being code, such configurations are themselves open to vulnerabilities. Moreover, even a simple misconfiguration risks being replicated on a large scale, an aspect even more critical in the case of a mutable (as opposed to immutable) infrastructure, where tracking changes is complex. At the same time, modern infrastructures are often multi-cloud or hybrid environments, which brings heterogeneous security frameworks and additional complexity.
In this context, the need emerges for a unified and homogeneous vision of security, also analyzing infrastructure code and adopting "shift-left" security requirements, which include security tests from the early stages of an application's life.
Main security gaps in Cloud Native compared to regulatory requirements
As we have seen at a high level, the new European cybersecurity regulations provide for various technical, operational, and organizational measures. Based on these requirements, we have identified in the Cloud Native approach some main security gaps. We therefore want to highlight them as a reference for all Cloud Native organizations.
1. Visibility and resource inventory
NIS2 and DORA require complete knowledge of all digital resources of the organization. This is a particularly challenging requirement in Cloud Native environments where components are ephemeral and dynamic. Organizations must work to implement:
- Automatic and continuous resource discovery
- Real-time asset inventory (including microservices and containers)
- Monitoring of dependencies between services
- Data cataloging and classification
2. Vulnerability management in distributed environments
In architectures composed of numerous containerized microservices, traditional vulnerability management is really insufficient. It is necessary to adopt:
- Continuous scanning of container images
- Checking vulnerabilities of base components
- Analysis of application dependencies (reducing them where possible)
- Intelligent prioritization of vulnerabilities
- Automated patch management
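"Intelligent prioritization" in the list above means ranking findings by something richer than the CVSS score alone. As an added example (not SparkFabrik's code, and not the output format of any particular scanner), the block below scores each finding by base score, exploitation status, exposure of the workload and whether the image is actually running, derives a remediation deadline from that score, and groups the fixable findings by image so that one image rebuild closes several of them. The identifiers (`VULN-A` and so on), image names and the scoring weights are all constructed for the example.

```python
"""Risk-based prioritization of container image findings (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    vuln_id: str            # placeholder ids; real scanners emit CVE/GHSA identifiers
    image: str
    package: str
    cvss: float             # base score from the advisory
    fix_available: bool     # a patched package version exists
    known_exploited: bool   # listed in an exploited-in-the-wild catalogue
    internet_facing: bool   # the workload running this image is reachable from the internet
    running_instances: int  # live containers using this image (0 = only in the registry)


def priority_score(v: Vuln) -> float:
    """Constructed weighting: context moves a finding up or down from its base score."""
    score = v.cvss
    if v.known_exploited:
        score += 3.0
    if v.internet_facing:
        score += 2.0
    if v.running_instances == 0:
        score -= 5.0   # rebuild the image, but nothing is exposed right now
    if not v.fix_available:
        score -= 1.0   # no patch to apply yet: compensating controls instead of a patch ticket
    return round(score, 1)


def remediation_sla_days(score: float) -> int:
    """Constructed deadline bands; align them with your own incident/risk policy."""
    if score >= 12:
        return 1
    if score >= 9:
        return 7
    if score >= 6:
        return 30
    return 90


def prioritize(vulns: list) -> list:
    """Highest contextual risk first."""
    return sorted(vulns, key=priority_score, reverse=True)


def patch_plan(vulns: list) -> dict:
    """Group fixable, deployed findings by image: one rebuild per image, not one ticket per finding."""
    plan = {}
    for v in vulns:
        if v.fix_available and v.running_instances > 0:
            plan.setdefault(v.image, []).append(v.vuln_id)
    return plan


# Constructed scan results; images, packages and scores are illustrative.
SAMPLE_FINDINGS = [
    Vuln("VULN-A", "registry.example/payments-api:1.4.2", "openssl", 9.8, True, True, True, 3),
    Vuln("VULN-B", "registry.example/batch-report:2.0.0", "libxml2", 9.8, False, False, False, 0),
    Vuln("VULN-C", "registry.example/web-frontend:3.1.0", "nginx", 7.5, True, False, True, 2),
    Vuln("VULN-D", "registry.example/payments-api:1.4.2", "zlib", 5.3, True, False, False, 5),
]

if __name__ == "__main__":
    for v in prioritize(SAMPLE_FINDINGS):
        s = priority_score(v)
        print(f"{v.vuln_id} {v.image} {v.package}: score {s}, fix within {remediation_sla_days(s)} days")
    print(patch_plan(SAMPLE_FINDINGS))
```

The point the sample makes is that `VULN-A` and `VULN-B` share the same 9.8 base score, yet one is an exploited flaw in an internet-facing service with a patch available and the other sits in an image nobody is running with no fix yet; ranking by CVSS alone would treat them identically and waste the team's first day on the wrong one.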
3. Software supply chain security
The presence and dependence on numerous components, whether they are open-source or commercial, increases the risks related to the supply chain. And, as we have seen, the security of these "digital supply chains" is a central aspect in both NIS2 and DORA.
Indeed, the new regulations extend the concept of risk management and vulnerability assessment also to suppliers, thus imposing minimum security requirements not only on the individual organization, but on the entire supply chain. For this objective, organizations must consider:
- Implementation of Software Bill of Materials (SBOM) (find all the details in our dedicated article)
- Code integrity verification
- Automated dependency controls
- Security assessment of suppliers
- Introduction of new contractual clauses
To deepen this topic, we recommend reading our article dedicated to Software Supply Chain.
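To show how the SBOM and the "code integrity verification" item fit together in practice, here is an added example (not SparkFabrik's code, and not an official CycloneDX tool) that emits a minimal CycloneDX-style SBOM with SHA-256 hashes for the dependencies resolved at build time, then verifies at deploy time that the artifacts actually present match it: nothing tampered, nothing substituted, nothing undeclared, and nothing on a version deny list. The artifact bytes, package names and the deny list are constructed for the example.

```python
"""SBOM generation and deploy-time integrity verification (added example)."""
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_sbom(artifacts: dict, app_name: str = "payments-api", app_version: str = "1.0.0") -> dict:
    """Emit a minimal CycloneDX-style SBOM for the resolved dependencies.

    artifacts maps package name -> (version, artifact bytes) as seen by the build.
    """
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "metadata": {"component": {"type": "application", "name": app_name, "version": app_version}},
        "components": [
            {
                "type": "library",
                "name": name,
                "version": version,
                "purl": f"pkg:generic/{name}@{version}",
                "hashes": [{"alg": "SHA-256", "content": sha256_hex(data)}],
            }
            for name, (version, data) in sorted(artifacts.items())
        ],
    }


def verify_integrity(sbom: dict, artifacts: dict) -> list:
    """Compare what is present at deploy time with what the SBOM declared at build time."""
    problems = []
    declared = {c["name"]: c for c in sbom["components"]}
    for name, (version, data) in artifacts.items():
        comp = declared.get(name)
        if comp is None:
            problems.append(f"{name}@{version}: present but not declared in the SBOM")
            continue
        if comp["version"] != version:
            problems.append(f"{name}: SBOM declares {comp['version']}, found {version}")
        expected = next((h["content"] for h in comp.get("hashes", []) if h["alg"] == "SHA-256"), None)
        if expected is None:
            problems.append(f"{name}: no SHA-256 in the SBOM, integrity cannot be verified")
        elif expected != sha256_hex(data):
            problems.append(f"{name}@{version}: hash mismatch (tampered or substituted artifact)")
    for name in declared.keys() - artifacts.keys():
        problems.append(f"{name}: declared in the SBOM but missing at deploy time")
    return problems


def check_denylist(sbom: dict, denied: set) -> list:
    """Automated dependency control: block versions that policy has rejected."""
    return [
        f"{c['name']}@{c['version']}: version denied by policy"
        for c in sbom["components"]
        if (c["name"], c["version"]) in denied
    ]


# Constructed artifacts as resolved by the build (names and bytes are illustrative).
BUILD_ARTIFACTS = {
    "libfoo": ("1.2.3", b"libfoo 1.2.3 contents (constructed)"),
    "libbar": ("4.5.6", b"libbar 4.5.6 contents (constructed)"),
    "libqux": ("0.9.0", b"libqux 0.9.0 contents (constructed)"),
}
SBOM = build_sbom(BUILD_ARTIFACTS)

# Constructed deploy-time view: libbar altered, libqux missing, libbaz added out of band.
DEPLOY_ARTIFACTS = {
    "libfoo": ("1.2.3", b"libfoo 1.2.3 contents (constructed)"),
    "libbar": ("4.5.6", b"libbar 4.5.6 contents (constructed) + injected change"),
    "libbaz": ("0.1.0", b"libbaz 0.1.0 contents (constructed)"),
}
DENIED_VERSIONS = {("libfoo", "1.2.3")}  # constructed policy entry

if __name__ == "__main__":
    print(json.dumps(SBOM, indent=2))
    for p in verify_integrity(SBOM, DEPLOY_ARTIFACTS) + check_denylist(SBOM, DENIED_VERSIONS):
        print("FAIL:", p)
```

The same SBOM is what an organization can hand to a customer or auditor as evidence of what ships, and what it can query the day a new advisory lands to answer "are we affected?" without rescanning every environment.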
4. Distributed monitoring and incident management
Both regulations impose incident detection and notification requirements. It is therefore important to have systems and practices in place not only to detect incidents, but also to document them. This also makes the mandatory post-incident reporting, including the extent of the damage, easier to produce. In particular, the best practices for meeting these requirements are:
- Centralized log aggregation
- Correlation of security events
- Anomaly detection systems
- Automated playbooks for incident response (incident response automation)
- Ability to rapidly isolate compromised components
- Last but not least, compliance with the obligation of timely notification of incidents to the authorities, as well as the detailed final report
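The list above reads as a chain: aggregate, correlate, detect, respond, notify. As an added example (not SparkFabrik's code, and not tied to any particular SIEM), the block below runs that chain over a handful of constructed JSON log lines shipped by two services to a central collector: it correlates failed logins per source address across services with a sliding window, escalates when a success follows the burst, and opens an incident record that carries the affected components, the isolation steps to take, and the notification deadlines computed from the 24-hour and 30-day figures this article gives for NIS2. The log lines, the source addresses (documentation ranges), the thresholds and the incident id are all constructed.

```python
"""Cross-service correlation and incident record with notification deadlines (added example)."""
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Deadlines as stated in this article for NIS2 (early notification, then full report).
EARLY_WARNING_DEADLINE = timedelta(hours=24)
FINAL_REPORT_DEADLINE = timedelta(days=30)

# Constructed log lines from two services; addresses are from documentation ranges.
SAMPLE_LOGS = """\
{"ts": "2025-03-01T10:00:05Z", "service": "auth", "src": "203.0.113.7", "event": "login_failed", "user": "alice"}
{"ts": "2025-03-01T10:00:20Z", "service": "auth", "src": "203.0.113.7", "event": "login_failed", "user": "alice"}
{"ts": "2025-03-01T10:00:41Z", "service": "api-gateway", "src": "203.0.113.7", "event": "login_failed", "user": "bob"}
{"ts": "2025-03-01T10:01:02Z", "service": "auth", "src": "198.51.100.4", "event": "login_failed", "user": "carol"}
{"ts": "2025-03-01T10:01:15Z", "service": "api-gateway", "src": "203.0.113.7", "event": "login_failed", "user": "bob"}
{"ts": "2025-03-01T10:01:30Z", "service": "auth", "src": "203.0.113.7", "event": "login_failed", "user": "alice"}
{"ts": "2025-03-01T10:02:10Z", "service": "auth", "src": "203.0.113.7", "event": "login_ok", "user": "alice"}
{"ts": "2025-03-01T10:03:00Z", "service": "auth", "src": "198.51.100.4", "event": "login_ok", "user": "carol"}
"""


@dataclass
class Event:
    ts: datetime
    service: str
    src: str
    event: str
    user: str


def parse_logs(text: str) -> list:
    """Centralized aggregation step: normalize one JSON line per event, ordered by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        ts = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(Event(ts, rec["service"], rec["src"], rec["event"], rec.get("user", "")))
    return sorted(events, key=lambda e: e.ts)


@dataclass
class Anomaly:
    src: str
    first_seen: datetime
    last_seen: datetime
    failures: int
    services: list
    success_after_burst: bool = False


def correlate(events: list, threshold: int = 5, window: timedelta = timedelta(minutes=5)) -> list:
    """Sliding window per source: >= threshold failures within `window`, across any service."""
    anomalies, recent = {}, {}
    for e in events:
        if e.event == "login_failed":
            bucket = recent.setdefault(e.src, [])
            bucket.append(e)
            bucket[:] = [f for f in bucket if e.ts - f.ts <= window]
            if len(bucket) >= threshold and e.src not in anomalies:
                anomalies[e.src] = Anomaly(e.src, bucket[0].ts, e.ts, len(bucket),
                                           sorted({f.service for f in bucket}))
        elif e.event == "login_ok" and e.src in anomalies:
            a = anomalies[e.src]
            if e.ts - a.last_seen <= window:  # success right after a burst: escalate
                a.success_after_burst = True
                a.last_seen = e.ts
                a.services = sorted(set(a.services) | {e.service})
    return list(anomalies.values())


@dataclass
class Incident:
    incident_id: str
    detected_at: datetime
    severity: str
    source: str
    affected_components: list
    isolation_actions: list
    early_warning_due: datetime
    final_report_due: datetime
    timeline: list = field(default_factory=list)


def open_incident(a: Anomaly, incident_id: str = "INC-PLACEHOLDER-1") -> Incident:
    """Turn an anomaly into a documented incident with playbook steps and reporting deadlines."""
    detected = a.last_seen
    severity = "high" if a.success_after_burst else "medium"
    actions = [f"block {a.src} at the ingress", f"invalidate sessions opened from {a.src}"]
    timeline = [f"{a.first_seen.isoformat()} first failure", f"{detected.isoformat()} detected"]
    return Incident(incident_id, detected, severity, a.src, a.services, actions,
                    detected + EARLY_WARNING_DEADLINE, detected + FINAL_REPORT_DEADLINE, timeline)


if __name__ == "__main__":
    for anomaly in correlate(parse_logs(SAMPLE_LOGS)):
        print(open_incident(anomaly))
```

Because every field of the `Incident` record is filled in at detection time, the same object that drives the response also becomes the skeleton of the report to the authority, which is what "document incidents" has to mean if the deadlines are to be met.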
5. Resilience and operational continuity
The regulations require robust recovery and operational continuity capabilities (in jargon, "IT resilience"), which in the Cloud Native context take on particular characteristics:
- Design for failure (fault-tolerant systems)
- Decoupling strategies
- Regular testing, failover and recovery plans
- Documentation and automation of disaster recovery processes
DevSecOps and security culture: SparkFabrik's integrated approach to compliance
To effectively address the challenges posed by NIS2 and DORA in Cloud Native contexts, the DevSecOps approach emerges as the most adequate solution (we invite you to read our in-depth analysis), integrating security and compliance at every stage of the software lifecycle, from the initial steps.
In particular, there are some fundamental principles of DevSecOps that perfectly match regulatory compliance (principles that are also at the center of practices and culture at SparkFabrik).
1. "Shift-left" security
It consists of integrating security controls already in the early stages of the development cycle. This has the undoubted advantage of allowing problems to be identified and corrected while the cost of remediation is still low, in line with the proactive risk management the regulations require. Note that this does not at all exclude the "shift-right" approach, which provides for rigorous and continuous tests and controls in production as well. Combining the two approaches is always recommended for the best results.
2. Automation of security controls
Automation is now essential to maintain an adequate level of security in highly dynamic and ephemeral environments such as Cloud Native, in particular through:
- SAST (Static Application Security Testing)
- DAST (Dynamic Application Security Testing)
- SCA (Software Composition Analysis)
- IaC scanning
- Policy-as-code
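Of the five automation layers listed, policy-as-code is the one that turns the Kubernetes configuration concerns raised earlier (privilege management, RBAC) into a check the pipeline runs on every change. The following is an added example (not SparkFabrik's code, and not a substitute for an admission controller or an existing policy engine) of a stdlib-only checker over Kubernetes manifests expressed as JSON: it rejects privileged or host-network workloads, containers not forced to run as non-root, unpinned images and missing resource limits, and flags RBAC rules with wildcards or broad access to secrets. The manifests, the registry names and the all-zero digest are constructed placeholders.

```python
"""Policy-as-code checks for Kubernetes manifests (added example, stdlib only)."""
from dataclasses import dataclass

WORKLOAD_KINDS = ("Pod", "Deployment", "StatefulSet", "DaemonSet", "Job", "CronJob")


@dataclass
class Violation:
    kind: str
    name: str
    rule: str


def _pod_spec(manifest: dict) -> dict:
    """Locate the pod spec inside a Pod, a CronJob, or any template-based workload."""
    spec = manifest.get("spec", {})
    kind = manifest.get("kind")
    if kind == "Pod":
        return spec
    if kind == "CronJob":
        return spec.get("jobTemplate", {}).get("spec", {}).get("template", {}).get("spec", {})
    return spec.get("template", {}).get("spec", {})


def _is_pinned(image: str) -> bool:
    """Accept a digest, or an explicit tag other than `latest`."""
    if "@sha256:" in image:
        return True
    last = image.rsplit("/", 1)[-1]          # ignore a registry port such as host:5000/app
    if ":" not in last:
        return False
    return last.rsplit(":", 1)[1] != "latest"


def check_workload(manifest: dict) -> list:
    kind, name = manifest.get("kind"), manifest.get("metadata", {}).get("name", "?")
    if kind not in WORKLOAD_KINDS:
        return []
    pod = _pod_spec(manifest)
    pod_sc = pod.get("securityContext", {})
    v = []
    if pod.get("hostNetwork"):
        v.append(Violation(kind, name, "hostNetwork must not be enabled"))
    for c in pod.get("containers", []) + pod.get("initContainers", []):
        cname, sc = c.get("name", "?"), c.get("securityContext", {})
        if sc.get("privileged"):
            v.append(Violation(kind, name, f"container {cname}: privileged mode is forbidden"))
        if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
            v.append(Violation(kind, name, f"container {cname}: runAsNonRoot must be true"))
        if sc.get("allowPrivilegeEscalation", True):   # Kubernetes defaults this to true
            v.append(Violation(kind, name, f"container {cname}: allowPrivilegeEscalation must be false"))
        if not _is_pinned(c.get("image", "")):
            v.append(Violation(kind, name, f"container {cname}: image must be pinned by tag or digest"))
        if not c.get("resources", {}).get("limits"):
            v.append(Violation(kind, name, f"container {cname}: resource limits are required"))
    return v


def check_rbac(manifest: dict) -> list:
    kind, name = manifest.get("kind"), manifest.get("metadata", {}).get("name", "?")
    if kind not in ("Role", "ClusterRole"):
        return []
    v = []
    for rule in manifest.get("rules", []):
        verbs, resources, groups = rule.get("verbs", []), rule.get("resources", []), rule.get("apiGroups", [])
        if "*" in verbs or "*" in resources or "*" in groups:
            v.append(Violation(kind, name, "wildcard in verbs, resources or apiGroups"))
        if "secrets" in resources and any(x in verbs for x in ("list", "watch")):
            v.append(Violation(kind, name, "listing or watching secrets is not allowed"))
    return v


def evaluate(manifests: list) -> list:
    """Run every policy over every manifest; an empty list means the change may be applied."""
    return [v for m in manifests for v in check_workload(m) + check_rbac(m)]


# Constructed manifests; the digest is an all-zero placeholder, not a real image.
BAD_DEPLOYMENT = {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "legacy-batch"},
                  "spec": {"template": {"spec": {"hostNetwork": True, "containers": [
                      {"name": "worker", "image": "registry.example/legacy-batch:latest",
                       "securityContext": {"privileged": True}}]}}}}
GOOD_DEPLOYMENT = {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "payments-api"},
                   "spec": {"template": {"spec": {"containers": [
                       {"name": "api", "image": "registry.example/payments-api@sha256:" + "0" * 64,
                        "securityContext": {"runAsNonRoot": True, "allowPrivilegeEscalation": False},
                        "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}}]}}}}
WILDCARD_ROLE = {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
                 "metadata": {"name": "too-broad"},
                 "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]}

if __name__ == "__main__":
    for viol in evaluate([BAD_DEPLOYMENT, GOOD_DEPLOYMENT, WILDCARD_ROLE]):
        print(f"{viol.kind}/{viol.name}: {viol.rule}")
```

In a real pipeline the manifests would come from the rendered output of the deployment tooling rather than from inline dictionaries, and the same rules would also be enforced at admission time so that a change bypassing the pipeline is still refused by the cluster; the pipeline check is what gives early feedback, the admission check is what makes the policy binding.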
3. Immutable infrastructure and "security as code"
Managing infrastructure as code (IaC), versioned and subjected to quality controls, directly supports the testing and configuration management requirements set by the regulations. An immutable configuration, in particular, drastically reduces the risk of vulnerabilities at the infrastructure level.
4. Continuous monitoring and feedback loop
A comprehensive monitoring system, made continuous through automation, allows anomalous behaviors to be detected quickly and compliance to be demonstrated during audits. With such systems in place, each anomalous detection leads to timely interventions and cyclical improvements. These are essential elements for satisfying the incident management requirements set by the regulations.
To deepen the DevSecOps approach, we invite you to read our article on Cloud DevSecOps and on Container Security.
Choosing an expert partner makes the difference - now also for compliance
Tackling the requirements of NIS2 and DORA alone is undoubtedly complex. Compliance requires specialized skills that organizations often do not possess internally, also because many of them have not had to deal with such requirements until now.
The choice of a technology partner with specific experience in Cloud Native and cybersecurity, and already aligned with the two new European regulations, therefore becomes a critical success factor. The choice of partner should be based on these criteria:
- Demonstrable technical competence. As they say, experience is the mother of science. An adequate partner must possess documented experience in Cloud Native security projects, specific in-depth competence in Kubernetes environments, containers, CI/CD and microservices, and a demonstrated ability to implement security automation solutions.
- Internal regulatory alignment. The partner itself must be aligned with regulatory requirements, with certifications (such as ISO 27001), documented internal processes and verifiable secure development practices. This is fundamental for the security of the entire supply chain.
- Holistic approach to compliance. Compliance requires an approach that goes beyond technology, including support for organizational aspects, policy definition and methodologies for documentation management. Security must be part of the organizational culture, not a secondary consideration.
The SparkFabrik approach: security enablement more than security enforcement
At SparkFabrik, we are aware of the importance of a solid security posture, so much so that we have undertaken the path to obtain the ISO/IEC 27001 certification, the international standard for information security management. This commitment is not just a formal requirement, but reflects our belief that security is a fundamental element of the value offering for our customers.
We are proud that, from the beginning, our approach has been based on enablement, not on enforcement. We want to make teams autonomous and aware, not dependent on black box solutions or knowledge lock-in. This applies not only to cybersecurity, but across all our services, and we like to talk about it!
Our approach to security and compliance is distinguished by some fundamental characteristics:
- DevSecOps culture as a foundation, with awareness workshops, pair programming and creation of internal champions
- Enabling technology and "secure by design" that enhances productivity through automation and immediate feedback
- Continuous collaboration with periodic assessments and support during audits
- Certifications and guarantees, including the path towards ISO/IEC 27001 and implementation of rigorous controls on the supply chain
Last but not least, our CTO, Paolo Mainardi, is a Security Champion who personally leads the specialization path in supply chain security and DevSecOps (a continuous path, which never really ends).
These elements allow SparkFabrik clients to face the challenges posed by NIS2 and DORA with greater serenity, being able to count on a partner already aligned with regulatory requirements.
A small example in this regard: recently, a series of vulnerabilities were detected globally (affecting over 40% of environments) for Kubernetes clusters with ingress-nginx installed, one of which in particular was considered critical (9.8/10). Within minutes of the news breaking, the SparkFabrik team activated and successfully mitigated the new vulnerabilities on all affected clusters. In short, an expert and timely partner makes the difference.
Transforming a regulatory obligation into a competitive advantage
We are coming to the end, and to conclude we want to stimulate a reflection. As we have seen, the entry into force of NIS2 and DORA certainly marks a significant change in European cybersecurity. In general, the final effect will be a significant increase in the level of security in all sectors and all countries - even if a "catch-up" will always be necessary to resolve the vulnerabilities that continue to emerge in our systems.
It is evident how the new regulations have a significant impact on Cloud Native organizations. As Cloud Native experts, we like to see this impact not so much as an obligation to comply with, but as an opportunity to:
- Improve the overall security posture
- Increase the trust of customers and partners
- Reduce the costs of security incidents
- Accelerate "secure by design" innovation
- Create a competitive differential
We believe that the key to success lies in adopting a strategic approach to cybersecurity. Those who start today will tomorrow be able to demonstrate not only that they are compliant, but that they have built a lasting security culture.
A fundamental piece of this "security strategy" is the choice of technology partners who have already matured experience in this field. As a partner, SparkFabrik accompanies organizations on this journey, combining excellent Cloud Native technical expertise with a deep knowledge of regulatory requirements: a winning combination to transform compliance obligations into opportunities for growth and secure innovation.
Next steps
If your organization is facing the challenges posed by NIS2 and DORA, we invite you to:
- Evaluate your current position through a maturity assessment
- Define a roadmap with clear priorities
- Implement incremental solutions
- Train your teams on security awareness
- Select expert partners who can accelerate your journey
Explore our Cloud Native offering with a focus on security:
Or contact us directly for personalized advice on how to address the challenges of NIS2 and DORA in your specific context.
In the next article of the series, we will analyze practical strategies for implementing NIS2 and DORA regulations in Cloud Native environments, with a focus on real use cases and specific technical solutions.