The cybersecurity landscape in Europe is undergoing a profound change. The NIS2 and DORA regulations, recently approved by the European Union, raise the level of protection required of companies and critical infrastructures. Thousands of companies must adapt to security requirements they have never had to meet before, and do so in a short time. But what really changes for those working with Cloud Native architectures?
At SparkFabrik, we deal with security applied to distributed, containerized, and dynamic contexts on a daily basis. That's why we want to share a clear, concrete, and action-oriented vision on how to face this new regulatory phase.
The European Union has embarked on an ambitious journey to strengthen the digital resilience of the continent and raise the bar for cybersecurity for everyone. The NIS2 (Network and Information Systems 2) directive and the DORA (Digital Operational Resilience Act) regulation are at the center of this strategy and introduce new and more rigorous requirements for organizations across all sectors.
For companies that have embraced modern Cloud Native approaches - characterized by microservices, containers, and distributed orchestration - these regulations represent a significant challenge, but also an important opportunity. The intrinsic complexity of distributed cloud environments clearly clashes with the need to ensure visibility, control, and continuous compliance, as the new regulations require.
As frontline experts in these architectures, in this article we analyze the main characteristics of NIS2 and DORA and their specific implications for Cloud Native technologies. This will also make clear the importance of selecting technology partners, like SparkFabrik, that are already aligned with the new regulatory requirements.
The NIS2 directive (EU 2022/2555) is a truly substantial evolution compared to the first NIS, and has a clear objective: to strengthen security and resilience of European information networks and infrastructures (the acronym "NIS" stands for "Networks and Information Systems").
Adopted on December 14, 2022, it came fully into force in October 2024 with Member States transposing it into their respective national legislations. In Italy too, it was transposed within the deadline and the first implementation phase is now underway, with registration with the ACN (National Cybersecurity Agency) and the adoption of the first measures. In short: you can no longer procrastinate, it's time to adapt.
The main novelties?
Moreover, the European Commission aims to make the application of the new rules more uniform across member states, among which there are currently marked differences, raising the overall level for everyone.
All this means that many organizations will have to adapt to cybersecurity requirements never faced before, creating a wave of demand for specialized skills in the sector, in Italy and throughout Europe.
As mentioned, the requirements are more stringent, but what do they consist of? Concretely, NIS2 requires the implementation of various technical, operational, and organizational measures to manage security risks. These are specified in Article 21 of the directive and include:
We strongly recommend consulting the official resources from ENISA (which is the EU Agency for Cybersecurity) to delve deeper into the individual novelties and high-level requirements of the directive. We will see shortly how these general measures apply in Cloud Native environments.
DORA (Digital Operational Resilience Act - EU Regulation 2022/2554) is a regulation complementary to the NIS2 directive, focused exclusively on the financial sector. It was adopted together with NIS2 in 2022 and came into application on January 17, 2025. Important: as an EU Regulation, it does not need transposition; it is directly applicable law in all Member States.
DORA applies to over 20 categories of financial entities, including banks, insurance companies, payment systems, pension entities, crypto-asset managers.
Technology providers that support such financial entities (such as cloud providers and data analysis services) may also be subject to supervision, in application of the supply-chain security requirement.
The regulation aims to create a harmonized framework for digital operational resilience in the financial sector across all member states, recognizing its crucial importance for the European economy and society.
More specifically, DORA is articulated in five "pillars" or main areas of intervention, as described by the European Commission:
Cloud Native architectures are now the new reference standard for modern applications. But if on one hand their dynamic and distributed nature offers agility and scalability, on the other side of the coin it makes compliance with NIS2 and DORA a complex and challenging exercise.
Let's examine the characteristics of Cloud Native, from the perspective of their implications for security.
A microservices architecture means that each service is also a potential point of vulnerability. In addition, the data flows between microservices must be monitored, authenticated, and protected, with an evident increase in the complexity of the resource inventory.
The use of orchestrators such as Kubernetes for these services introduces additional levels of control, but also new critical points. Correct configuration is complex but essential for security, and requires, among other things, continuous monitoring, automated policy enforcement, control over API exposure, and RBAC or other privilege-management best practices.
The adoption of containers means that every image may contain flaws, as may each of the base components it is built from. An automated CI/CD pipeline is therefore needed that is capable of performing:
The adoption of CI/CD practices itself has a dual consequence: while continuous development makes it possible to quickly resolve detected vulnerabilities, each code change can also open new ones. Automated security tests help mitigate this risk.
Infrastructure as Code makes it possible to manage infrastructure configuration through code and solves the scalability problems of the past. However, being code, such configurations are themselves exposed to vulnerabilities. Moreover, even a simple misconfiguration risks being replicated at scale, an aspect that is even more critical with a mutable (as opposed to immutable) infrastructure, where tracking changes is complex. At the same time, modern infrastructures are often multi-cloud or hybrid, with consequently heterogeneous security frameworks and added complexity.
In this context, the need emerges for a unified and homogeneous view of security, which also analyzes infrastructure code and adopts "shift-left" security requirements, including security tests from the earliest stages of an application's life.
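As an added example (not SparkFabrik's code, nor a tool the article names), here is a small shift-left check a CI job could run over the Kubernetes manifests in an IaC repository before they are applied: it flags container settings that weaken isolation and RBAC rules that grant wildcard privileges. The manifests are constructed samples, and the names, registry and policy choices are assumptions.

```python
import json

# Constructed sample manifests, embedded as JSON so no YAML library is needed;
# names and registry are invented for the example.
MANIFESTS = json.loads("""[
 {"kind": "Deployment", "metadata": {"name": "api"},
  "spec": {"template": {"spec": {"containers": [
   {"name": "api", "image": "registry.example/api:latest",
    "securityContext": {"privileged": true}}]}}}},
 {"kind": "Deployment", "metadata": {"name": "worker"},
  "spec": {"template": {"spec": {"containers": [
   {"name": "worker", "image": "registry.example/worker:1.4.2",
    "securityContext": {"runAsNonRoot": true, "allowPrivilegeEscalation": false},
    "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}}]}}}},
 {"kind": "ClusterRole", "metadata": {"name": "ops-admin"},
  "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]}
]""")

def check_workload(obj):
    # Per-container checks of the kind an admission policy would enforce.
    findings = []
    for c in obj["spec"]["template"]["spec"].get("containers", []):
        ref = f'{obj["kind"]}/{obj["metadata"]["name"]}:{c["name"]}'
        sc = c.get("securityContext", {})
        tag = c["image"].rsplit("/", 1)[-1]
        if ":" not in tag or tag.endswith(":latest"):
            findings.append((ref, "image not pinned: use a version tag or digest"))
        if sc.get("privileged"):
            findings.append((ref, "privileged container"))
        if not sc.get("runAsNonRoot"):
            findings.append((ref, "runAsNonRoot not set"))
        if sc.get("allowPrivilegeEscalation", True):
            findings.append((ref, "allowPrivilegeEscalation not disabled"))
    return findings

def check_rbac(obj):
    # Flag rules that grant wildcard verbs or resources instead of least privilege.
    ref = f'{obj["kind"]}/{obj["metadata"]["name"]}'
    return [(ref, "wildcard verbs or resources: scope the rule") for r in obj.get("rules", [])
            if "*" in r.get("verbs", []) or "*" in r.get("resources", [])]

def audit(manifests):
    findings = []
    for obj in manifests:
        if obj["kind"] in ("Deployment", "StatefulSet", "DaemonSet"):
            findings += check_workload(obj)
        elif obj["kind"] in ("Role", "ClusterRole"):
            findings += check_rbac(obj)
    return findings
```

A non-empty result from `audit` is what the pipeline step would use to fail the build, so the misconfiguration is caught before it is replicated at scale.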
As we have seen at a high level, the new European cybersecurity regulations provide for various technical, operational, and organizational measures. Based on these requirements, we have identified in the Cloud Native approach some main security gaps. We therefore want to highlight them as a reference for all Cloud Native organizations.
NIS2 and DORA require complete knowledge of all digital resources of the organization. This is a particularly challenging requirement in Cloud Native environments where components are ephemeral and dynamic. Organizations must work to implement:
In architectures composed of numerous containerized microservices, traditional vulnerability management is simply insufficient. It is necessary to adopt:
The presence and dependence on numerous components, whether they are open-source or commercial, increases the risks related to the supply chain. And, as we have seen, the security of these "digital supply chains" is a central aspect in both NIS2 and DORA.
Indeed, the new regulations extend the concept of risk management and vulnerability assessment also to suppliers, thus imposing minimum security requirements not only on the individual organization, but on the entire supply chain. For this objective, organizations must consider:
To deepen this topic, we recommend reading our article dedicated to Software Supply Chain.
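An added example, not code from the article or from SparkFabrik, of the supply-chain gate the previous passages describe for the pipeline: a build-time step matches the SBOM of an image against an advisory feed, blocks the build above a chosen severity, and keeps the result as audit evidence. The SBOM, component names and advisory identifiers are all constructed placeholders.

```python
import json

# Constructed SBOM in a CycloneDX-like shape (subset of fields), as an SBOM generator
# in the build pipeline would emit it for an image. Component names are invented.
SBOM = json.loads("""{"components": [
  {"name": "libexample-ssl", "version": "1.2.0", "purl": "pkg:deb/debian/libexample-ssl@1.2.0"},
  {"name": "examplejson",    "version": "2.9.1", "purl": "pkg:pypi/examplejson@2.9.1"},
  {"name": "basehttp",       "version": "0.4.7", "purl": "pkg:npm/basehttp@0.4.7"}
]}""")

# Constructed advisory feed: identifiers are placeholders, not real CVE numbers.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "name": "libexample-ssl", "fixed_in": "1.2.3", "severity": "CRITICAL"},
    {"id": "ADV-PLACEHOLDER-2", "name": "examplejson",    "fixed_in": "2.8.0", "severity": "HIGH"},
    {"id": "ADV-PLACEHOLDER-3", "name": "basehttp",       "fixed_in": "0.5.0", "severity": "LOW"},
]
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

def version_tuple(v):
    # Assumes dotted numeric versions; a real pipeline uses an ecosystem-aware comparator.
    return tuple(int(p) for p in v.split("."))

def affected(component, advisory):
    return (component["name"] == advisory["name"]
            and version_tuple(component["version"]) < version_tuple(advisory["fixed_in"]))

def evaluate(sbom, advisories, block_at="HIGH"):
    """Split matches into build-blocking and informational by severity threshold."""
    blocking, informational = [], []
    for comp in sbom["components"]:
        for adv in advisories:
            if affected(comp, adv):
                match = {"purl": comp["purl"], "advisory": adv["id"],
                         "severity": adv["severity"], "fixed_in": adv["fixed_in"]}
                if SEVERITY_RANK[adv["severity"]] >= SEVERITY_RANK[block_at]:
                    blocking.append(match)
                else:
                    informational.append(match)
    return blocking, informational

def gate(sbom, advisories, block_at="HIGH"):
    """Return (passed, evidence); the evidence dict is what gets archived for audits."""
    blocking, informational = evaluate(sbom, advisories, block_at)
    evidence = {"components_scanned": len(sbom["components"]), "threshold": block_at,
                "blocking": blocking, "informational": informational}
    return not blocking, evidence
```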
Both regulations impose incident detection and notification requirements. It is therefore important to equip oneself with systems and practices not only to detect incidents, but also to document them. This also facilitates the mandatory post-incident reporting, including the extent of the damage. In particular, the best practices for meeting these requirements are:
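As an added example (not the article's own list of practices), a minimal detection over Kubernetes API audit events that turns matches into the aggregated record a post-incident report needs: first and last occurrence, identities and namespaces involved. The audit events, the identities and the allowlist policy are constructed assumptions.

```python
import json

# Constructed Kubernetes audit-log events (JSON lines, a subset of the real audit
# schema). Not captured from a real cluster; names and timestamps are invented.
AUDIT_LOG = """
{"verb":"get","user":{"username":"system:serviceaccount:prod:api"},"objectRef":{"resource":"configmaps","namespace":"prod","name":"api-config"},"requestReceivedTimestamp":"2025-03-01T10:00:01Z"}
{"verb":"list","user":{"username":"system:serviceaccount:prod:api"},"objectRef":{"resource":"secrets","namespace":"prod"},"requestReceivedTimestamp":"2025-03-01T10:00:05Z"}
{"verb":"create","user":{"username":"alice@example.test"},"objectRef":{"resource":"pods","subresource":"exec","namespace":"prod","name":"api-7d9f"},"requestReceivedTimestamp":"2025-03-01T10:01:10Z"}
{"verb":"get","user":{"username":"system:serviceaccount:kube-system:secret-sync"},"objectRef":{"resource":"secrets","namespace":"prod","name":"tls"},"requestReceivedTimestamp":"2025-03-01T10:02:00Z"}
"""

# Assumed policy: identities expected to read secrets, and namespaces where any
# interactive exec is treated as a reportable event.
SECRET_READERS = {"system:serviceaccount:kube-system:secret-sync"}
PROTECTED_NAMESPACES = {"prod"}

def classify(event):
    """Return a reason string if the event matches a detection rule, else None."""
    ref = event.get("objectRef", {})
    user = event["user"]["username"]
    if (ref.get("resource") == "pods" and ref.get("subresource") == "exec"
            and ref.get("namespace") in PROTECTED_NAMESPACES):
        return "interactive exec into protected namespace"
    if (ref.get("resource") == "secrets" and event["verb"] in ("get", "list", "watch")
            and user not in SECRET_READERS):
        return "secret access by unexpected identity"
    return None

def detect(raw_lines):
    alerts = []
    for line in raw_lines.strip().splitlines():
        event = json.loads(line)
        reason = classify(event)
        if reason:
            alerts.append({"time": event["requestReceivedTimestamp"],
                           "user": event["user"]["username"],
                           "namespace": event["objectRef"].get("namespace"),
                           "reason": reason})
    return alerts

def incident_record(alerts):
    """Aggregate alerts into the fields a post-incident report needs."""
    if not alerts:
        return None
    times = sorted(a["time"] for a in alerts)
    return {"first_seen": times[0], "last_seen": times[-1], "events": len(alerts),
            "identities": sorted({a["user"] for a in alerts}),
            "namespaces": sorted({a["namespace"] for a in alerts}),
            "reasons": sorted({a["reason"] for a in alerts})}
```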
The regulations require robust recovery and operational continuity capabilities (in jargon, "IT resilience"), which in the Cloud Native context take on particular characteristics:
To effectively address the challenges posed by NIS2 and DORA in Cloud Native contexts, the DevSecOps approach emerges as the most suitable solution (we invite you to read our in-depth analysis), integrating security and compliance at every stage of the software lifecycle, from the very first steps.
In particular, there are some fundamental principles of DevSecOps that perfectly match regulatory compliance (principles that are also at the center of practices and culture at SparkFabrik).
It consists of integrating security controls from the early stages of the development cycle. This has the undoubted advantage of making it possible to identify and correct problems while the cost of remediation is still low, in line with the proactive risk management the regulations require. Note that this in no way excludes the "shift-right" approach, which provides for rigorous and continuous tests and controls in post-production as well. Combining the two approaches is always recommended for the best results.
Automation is now essential to maintain an adequate level of security in highly dynamic and ephemeral environments such as Cloud Native, in particular through:
Managing infrastructure as code (IaC), versioned and subject to quality controls, directly supports the testing and configuration-management requirements set by the regulations. An immutable configuration, in particular, drastically reduces the risk of vulnerabilities at the infrastructure level.
A comprehensive monitoring system, made continuous by automation, makes it possible to quickly detect anomalous behavior and to demonstrate compliance during audits. With such systems, each anomalous detection leads to timely intervention and cyclical improvement. These are essential elements for satisfying the incident management requirements of the regulations.
To deepen the DevSecOps approach, we invite you to read our article on Cloud DevSecOps and on Container Security.
Tackling the requirements of NIS2 and DORA alone is undoubtedly complex. Compliance requires specialized skills that organizations often do not possess internally, also because many of them have not had to deal with such requirements until now.
The choice of a technology partner with specific experience in Cloud Native and cybersecurity, and already aligned with the two new European regulations, therefore becomes a critical success factor. The choice of partner should be based on these criteria:
At SparkFabrik, we are aware of the importance of a solid security posture, so much so that we have undertaken the path to obtain the ISO/IEC 27001 certification, the international standard for information security management. This commitment is not just a formal requirement, but reflects our belief that security is a fundamental element of the value offering for our customers.
We are proud that, from the beginning, our approach has been based on enablement, not enforcement. We want to make teams autonomous and aware, not dependent on black-box solutions or knowledge lock-in. This applies not only to cybersecurity but across all our services, and we like to talk about it!
Our approach to security and compliance is distinguished by some fundamental characteristics:
Last but not least, our CTO, Paolo Mainardi, is a Security Champion who personally leads the specialization path in supply chain security and DevSecOps (a continuous path, which never really ends).
These elements allow SparkFabrik clients to face the challenges posed by NIS2 and DORA with greater serenity, being able to count on a partner already aligned with regulatory requirements.
A small example in this regard: recently, a series of vulnerabilities were detected globally (affecting over 40% of environments) in Kubernetes clusters with ingress-nginx installed, one of which in particular was rated critical (9.8/10). Within minutes of the news, the SparkFabrik team mobilized and successfully mitigated the new vulnerabilities on all affected clusters. In short, an expert and timely partner makes the difference.
We are coming to the end, and to conclude we want to stimulate a reflection. As we have seen, the entry into force of NIS2 and DORA certainly marks a significant change in European cybersecurity. In general, the final effect will be a significant increase in the level of security in all sectors and all countries - even if a "catch-up" will always be necessary to resolve the vulnerabilities that continue to emerge in our systems.
It is evident that the new regulations have a significant impact on Cloud Native organizations. As Cloud Native experts, we like to see this impact not so much as an obligation to comply with, but as an opportunity to:
We believe that the key to success lies in adopting a strategic approach to cybersecurity. Those who start today will tomorrow be able to demonstrate not only that they are compliant, but that they have built a lasting security culture.
A fundamental piece of this "security strategy" is the choice of technology partners who have already matured experience in this field. As a partner, SparkFabrik accompanies organizations on this journey, combining excellent Cloud Native technical expertise with a deep knowledge of regulatory requirements: a winning combination to transform compliance obligations into opportunities for growth and secure innovation.
If your organization is facing the challenges posed by NIS2 and DORA, we invite you to:
Explore our Cloud Native offering with a focus on security:
Or contact us directly for personalized advice on how to address the challenges of NIS2 and DORA in your specific context.
In the next article of the series, we will analyze practical strategies for implementing NIS2 and DORA regulations in Cloud Native environments, with a focus on real use cases and specific technical solutions.