The new NIS2 and DORA regulations have marked a transformation in cybersecurity in Europe. Adapting to this new standard is a complex challenge for thousands of companies, particularly those operating in Cloud Native environments. However, it's not just about meeting an obligation; it's about seizing the opportunity to strengthen operational resilience and gain a competitive advantage.
In this second deep dive of our series on NIS2 and DORA, we explore the concrete strategies and best practices we've identified for effective implementation, starting with a DevSecOps approach and a culture of security. If you haven't yet, you can start with our first article to discover the characteristics of the regulations and the specific challenges for the world of Cloud Native architectures.
DevSecOps: The Framework for Integrating Security
The DevSecOps approach represents a solid foundation for implementing the requirements of NIS2 and DORA in Cloud Native environments, thanks to its ability to integrate security into every phase of the software development lifecycle, including the initial stages of development.
How to Implement Security Shift-Left in Practice
Considering security aspects from the earliest stages of the development cycle is a significant change for organizations and a major improvement in the security score of any application.
This approach aligns perfectly with the proactive risk management requirements of the new European regulations. Furthermore, it allows for identifying and resolving vulnerabilities not only more promptly but also when the cost of remediation is still low, thus providing benefits in terms of both security and business.
Some best practices for effectively implementing security shift-left are:
- Threat Modeling: Adopt a structured internal process to identify potential threats and define appropriate countermeasures. Through dedicated sessions at the beginning of a project, security can be integrated directly into the application's design (“security by design”). Such sessions should be conducted not only in the initial phase but also before introducing new functionalities or making significant architectural changes. Furthermore, threat modeling becomes truly effective when it involves all relevant stakeholders (developers, architects, security specialists, and potentially others). This way, not only are varied perspectives considered, but a shared understanding of security risks and the consequent mitigation strategies is fostered.
- Security requirements as user stories: Integrate security requirements into the normal development workflow, treating them as user stories in the product backlog, with clear and measurable acceptance criteria. In other words, security aspects should be considered on par with other "business" functionalities and as integral parts of the product. This also helps to reflect and solidify a "security by design" culture, where security is a "normal" piece of the development process, not a later consideration.
- Security Champions: Identify developers with an interest in security and invest in their specific training. These champions will be the promoters of security best practices within the team and the entire organization, fostering their understanding and adoption. Identifying Security Champions is a particularly effective strategy for distributed teams or organizations with limited resources to dedicate to security topics.
Automating Security Controls in the Development Cycle
As in many other areas, automation in the world of cybersecurity is one of the most effective ways to streamline operations and processes. With increasingly complex applications and infrastructures, integrating automated security controls is now an essential best practice.
A mature security approach involves implementing different types of automated controls to reduce risks and errors, avoid delays in the development cycle, identify vulnerabilities in a timely manner, and intervene quickly. The main security tools that can be integrated into development pipelines are summarized in the following table.
| Type of control | Details |
|---|---|
| Static Application Security Testing (SAST) | Objective: Common Tools: When to Apply It: |
| Software Composition Analysis (SCA) | Objective: Common Tools: When to Apply It: |
| Container Security | Objective: Common Tools: When to Apply It: |
| Infrastructure as Code (IaC) Security | Objective: Common Tools: When to Apply It: |
| Dynamic Application Security Testing (DAST) | Objective: Common Tools: When to Apply It: |
Integrating these controls into CI/CD pipelines requires a balance between security and speed. While these tools act automatically, it is also important to configure them precisely to minimize false positives and prioritize vulnerabilities based on their severity and context. A gradual approach to implementation, starting with the most critical controls and then progressively extending coverage, can facilitate team adoption and integration into development processes.
Best practices also suggest defining clear policies on which vulnerabilities block the pipeline and which can be managed as non-blocking warnings, also formalizing the process for managing exceptions. This approach allows for maintaining the right balance between development agility and security, ensuring that critical vulnerabilities are addressed promptly.
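The gate policy described above, as an added example that is not code from the article: scanner findings are normalised to one shape, a severity threshold decides what blocks the build, the deployment context (here a "reachable" flag) can lower a finding's effective severity, and every exception is a documented, time-boxed waiver with an owner. The findings format, the exception register and the threshold are assumptions; real SAST/SCA/container/IaC tools each emit their own schema, so the normalisation step that would precede this is left out.

```python
"""Pipeline gate that turns scanner findings into a block / warn decision.

Added example, not code from the original article. Findings format,
exception register and threshold are constructed assumptions.
"""
from datetime import date

# Ordering used to compare severities and to apply the blocking threshold.
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Policy: findings at or above this effective severity fail the pipeline;
# everything below is reported as a non-blocking warning.
BLOCKING_THRESHOLD = "high"

# Constructed findings, normalised to one shape regardless of the source tool.
# "reachable" is the context signal: e.g. the vulnerable code path is actually
# called, or the affected package ships in the deployed image.
FINDINGS = [
    {"id": "F-1", "tool": "sca", "severity": "critical", "reachable": True,
     "title": "known vulnerable dependency"},
    {"id": "F-2", "tool": "sast", "severity": "high", "reachable": True,
     "title": "SQL built from unvalidated input"},
    {"id": "F-3", "tool": "container", "severity": "medium", "reachable": False,
     "title": "outdated OS package not used at runtime"},
    {"id": "F-4", "tool": "iac", "severity": "high", "reachable": True,
     "title": "storage bucket readable without authentication"},
]

# Constructed exception register: every waiver has an owner, a reason and an
# expiry, so accepted risk is documented and cannot silently become permanent.
EXCEPTIONS = {
    "F-4": {"owner": "platform-team", "reason": "bucket serves public assets only",
            "expires": date(2099, 1, 1)},
    "F-2": {"owner": "app-team", "reason": "fix scheduled",
            "expires": date(2000, 1, 1)},   # already expired
}


def effective_severity(finding):
    """Downgrade one level when the finding is not reachable in this deployment."""
    rank = SEVERITY_RANK[finding["severity"]]
    if not finding.get("reachable", True):
        rank = max(rank - 1, 0)
    return rank


def active_exception(finding_id, exceptions, today):
    waiver = exceptions.get(finding_id)
    return waiver is not None and waiver["expires"] >= today


def evaluate(findings, exceptions, today):
    """Classify findings; returns the decision plus the lists behind it."""
    blocking, warnings, expired = [], [], []
    # Highest effective severity first, so the report leads with what matters.
    for f in sorted(findings, key=effective_severity, reverse=True):
        waiver = exceptions.get(f["id"])
        if waiver is not None and waiver["expires"] < today:
            expired.append(f["id"])          # surfaced so the waiver gets reviewed
        meets_threshold = effective_severity(f) >= SEVERITY_RANK[BLOCKING_THRESHOLD]
        if meets_threshold and not active_exception(f["id"], exceptions, today):
            blocking.append(f["id"])
        else:
            warnings.append(f["id"])
    return {"block": bool(blocking), "blocking": blocking,
            "warnings": warnings, "expired_exceptions": expired}


if __name__ == "__main__":
    decision = evaluate(FINDINGS, EXCEPTIONS, date.today())
    for key, value in decision.items():
        print(f"{key}: {value}")
    # Non-zero exit is what makes the CI job fail.
    raise SystemExit(1 if decision["block"] else 0)
```

With the constructed data, F-1 blocks outright, F-2 blocks because its waiver has lapsed (and is reported as an expired exception for review), F-4 is downgraded to a warning by an active waiver, and F-3 stays a warning because it is both medium and unreachable. The expiry check is the piece most often missing in practice: an exception without a review date is just a permanent blind spot.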
The importance of these controls also extends to supply chain security, a crucial aspect for Cloud Native architectures. Supply chain security refers to the security of the software and hardware components that make up an application, including all dependencies, libraries, and container images that are not developed internally but come from external sources. Protecting the supply chain means ensuring that these components do not introduce vulnerabilities or malicious code into our systems, a fundamental requirement for compliance with regulations like NIS2 and DORA.
For a deeper understanding of this topic, we invite you to watch the talk by our CTO Paolo Mainardi (in Italian) who explains its importance and how to manage it effectively. For more insights on common vulnerabilities, mitigation strategies, case studies, and best practices, the recordings of our Talks On My Machine event dedicated to Supply Chain Security are also available (in Italian).
Monitoring and Threat Detection
NIS2 and DORA regulations place particular emphasis on the ability to identify, classify, and respond to security incidents in a timely manner. Cloud Native environments, being by their very nature distributed, ephemeral, and dynamic, require advanced approaches to monitoring and threat detection.
An effective monitoring system in a Cloud Native environment must certainly include:
- Log centralization: Collect logs from all components of the ecosystem (applications, containers, orchestrators, infrastructure) and aggregate them into a single central repository. This provides complete visibility and facilitates event correlation, making it possible to identify and map vulnerabilities and security breaches and to address them. To manage the volume and complexity of logs generated in Cloud Native environments, dedicated log management tools are available, such as Elasticsearch, Splunk, or Loki. These solutions allow for storing and indexing complex, large-scale logs, and are equipped with advanced search and automatic analysis functionalities that facilitate the identification of anomalies.
- Runtime security monitoring: Identify anomalous behaviors that could indicate an ongoing attack, such as privilege escalation attempts, abnormal access to sensitive resources, or unauthorized communications. Runtime monitoring through dedicated tools is particularly important in containerized environments, given that the ephemeral nature of the components makes it difficult to identify anomalous behaviors.
- Network security: Implementing a zero-trust approach, where no communication is considered secure by default, is particularly suitable for Cloud Native environments. Other best practices include network segmentation, in-transit encryption, and providing granular controls over communications between services.
- Compliance dashboards: It is a good practice to create specific visualizations that track relevant metrics such as open vulnerabilities by severity, remediation times, and the implementation status of security controls required by regulations. A shared dashboard also helps to hold the team accountable for security and compliance issues.
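As an added example (not code from the article) of what log centralization and runtime monitoring buy you, the rules below run over constructed events from three sources that have been normalised into one repository: application authentication failures, the orchestrator's audit log, and a runtime sensor's process events. Three rules work on a single source; the fourth (an exec into a pod followed by a shell starting in that same pod) is only possible because the sources sit side by side. The event shape, field names and the allow-list of users permitted to exec into pods are assumptions.

```python
"""Detection rules over centralised, normalised log events.

Added example, not code from the article. Events are constructed and
already reduced to one common shape; field names are assumptions.
"""
from collections import defaultdict, deque

# Constructed events from three sources, all in one repository.
EVENTS = [
    # Application: a burst of authentication failures from one address.
    {"ts": 100, "source": "app", "kind": "auth_failure", "ip": "203.0.113.7", "user": "alice"},
    {"ts": 105, "source": "app", "kind": "auth_failure", "ip": "203.0.113.7", "user": "bob"},
    {"ts": 110, "source": "app", "kind": "auth_failure", "ip": "203.0.113.7", "user": "carol"},
    {"ts": 120, "source": "app", "kind": "auth_failure", "ip": "203.0.113.7", "user": "dave"},
    {"ts": 140, "source": "app", "kind": "auth_failure", "ip": "203.0.113.7", "user": "erin"},
    {"ts": 150, "source": "app", "kind": "auth_failure", "ip": "198.51.100.9", "user": "alice"},
    # Orchestrator audit log: interactive exec sessions into a running pod.
    {"ts": 160, "source": "k8s-audit", "kind": "pod_exec", "user": "dev-user",
     "namespace": "payments", "pod": "api-5c9"},
    {"ts": 165, "source": "k8s-audit", "kind": "pod_exec", "user": "sre-oncall",
     "namespace": "payments", "pod": "api-5c9"},
    # Runtime sensor: processes started inside containers.
    {"ts": 170, "source": "runtime", "kind": "process", "pod": "api-5c9",
     "comm": "sh", "uid": 0, "parent": "runc"},
    {"ts": 171, "source": "runtime", "kind": "process", "pod": "api-5c9",
     "comm": "java", "uid": 1000, "parent": "tini"},
]

SHELLS = {"sh", "bash", "dash", "zsh"}


def failed_login_bursts(events, threshold=5, window=60):
    """Source addresses with >= threshold failures inside a sliding time window."""
    recent = defaultdict(deque)
    flagged = set()
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["kind"] != "auth_failure":
            continue
        q = recent[e["ip"]]
        q.append(e["ts"])
        while e["ts"] - q[0] > window:      # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(e["ip"])
    return sorted(flagged)


def unexpected_pod_exec(events, allowed_users):
    """Exec into a pod is legitimate for on-call staff but sensitive: flag anyone else."""
    return [(e["user"], f"{e['namespace']}/{e['pod']}")
            for e in events if e["kind"] == "pod_exec" and e["user"] not in allowed_users]


def shells_in_containers(events):
    """Interactive shells inside containers, with the uid they run as."""
    return [(e["pod"], e["comm"], e["uid"])
            for e in events if e["kind"] == "process" and e["comm"] in SHELLS]


def correlate_exec_and_shell(events, window=60):
    """Cross-source rule: a pod exec followed within `window` seconds by a shell
    starting in the same pod. Each hit carries the user and the delay."""
    execs = [e for e in events if e["kind"] == "pod_exec"]
    shells = [e for e in events if e["kind"] == "process" and e["comm"] in SHELLS]
    return [(x["user"], s["pod"], s["ts"] - x["ts"])
            for x in execs for s in shells
            if x["pod"] == s["pod"] and 0 <= s["ts"] - x["ts"] <= window]


def run_detections(events, allowed_users):
    """Evaluate every rule once and return the hits per rule."""
    return {
        "brute_force_sources": failed_login_bursts(events),
        "unexpected_exec": unexpected_pod_exec(events, allowed_users),
        "container_shells": shells_in_containers(events),
        "exec_then_shell": correlate_exec_and_shell(events),
    }


if __name__ == "__main__":
    for rule, hits in run_detections(EVENTS, allowed_users={"sre-oncall"}).items():
        print(f"{rule}: {hits}")
```

The sliding window in `failed_login_bursts` is what keeps the rule honest on real volumes: five failures spread over a day are noise, five inside a minute are a signal. The correlation rule illustrates why the ephemeral nature of containers matters: the pod `api-5c9` may be gone by the time anyone looks, so the audit entry and the process event have to be joined while both are still in the central store.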
Operational Resilience and Business Continuity
Operational resilience, which is the ability to maintain operational services even in the presence of incidents or disruptions, is a fundamental pillar of both NIS2 and DORA. It is a genuine requirement of the two regulations to ensure the continuity of key services in the European economy, with a particular emphasis on the financial sector. Let's look at the main best practices for maximizing resilience.
Fault-Tolerant Architectures
Cloud Native architectures offer inherent advantages in terms of resilience: by nature, they have the ability to distribute workloads across different infrastructures and scale dynamically. However, conscious design is still necessary to fully exploit their features and functionalities. It is also essential to anticipate inevitable failure scenarios and define the corresponding mitigation strategies. Key design elements include:
- Geographical distribution of workloads across multiple availability zones or regions
- Autoscaling mechanisms to adapt dynamically to load variations
- Resilience patterns like circuit breakers and bulkheads to prevent cascading failures
- Automatic failover systems to minimize downtime
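Two of the resilience patterns listed above, the circuit breaker and the bulkhead, as an added example in Python that is not code from the article. The breaker stops hammering a dependency after repeated failures and fails fast until a timed probe shows it has recovered; the bulkhead caps how many calls one dependency may hold at once, so a slow downstream cannot drain the whole service's capacity. The dependency, the clock and the thresholds are constructed stubs so that the state transitions run deterministically.

```python
"""Circuit breaker and bulkhead resilience patterns.

Added example, not code from the article. Dependency, clock and
thresholds are constructed so the state machine is deterministic.
"""
import threading


class CircuitOpenError(Exception):
    """Raised when the breaker refuses a call without contacting the dependency."""


class BulkheadFullError(Exception):
    """Raised when the per-dependency concurrency budget is exhausted."""


class CircuitBreaker:
    """closed -> open after `failure_threshold` consecutive failures;
    open -> half-open once `reset_timeout` seconds have passed;
    half-open -> closed on a successful probe, back to open on failure."""

    def __init__(self, failure_threshold, reset_timeout, clock):
        self.failure_threshold = failure_threshold
        self.reset_timeout = reset_timeout
        self.clock = clock              # injected so callers control time
        self.state, self.failures, self.opened_at = "closed", 0, None

    def call(self, fn, *args):
        if self.state == "open":
            if self.clock() - self.opened_at >= self.reset_timeout:
                self.state = "half-open"   # let exactly one probe through
            else:
                raise CircuitOpenError("fast fail: dependency marked unhealthy")
        try:
            result = fn(*args)
        except Exception:
            self.failures += 1
            if self.state == "half-open" or self.failures >= self.failure_threshold:
                self.state, self.opened_at = "open", self.clock()
            raise
        self.failures, self.state = 0, "closed"
        return result


class Bulkhead:
    """Caps concurrent calls to one dependency; excess callers fail fast
    instead of queueing and tying up the service's own threads."""

    def __init__(self, max_concurrent):
        self._slots = threading.BoundedSemaphore(max_concurrent)

    def run(self, fn, *args):
        if not self._slots.acquire(blocking=False):
            raise BulkheadFullError("no free slot for this dependency")
        try:
            return fn(*args)
        finally:
            self._slots.release()


def breaker_demo():
    """Three failures open the circuit, two calls fail fast, then a successful
    probe after the timeout closes it again. Returns (trace, final_state)."""
    now = [0.0]                                   # constructed clock
    breaker = CircuitBreaker(failure_threshold=3, reset_timeout=10,
                             clock=lambda: now[0])
    healthy = {"ok": False}                       # constructed dependency health

    def dependency():
        if not healthy["ok"]:
            raise ConnectionError("timeout")
        return "200 OK"

    trace = []
    for _ in range(5):
        try:
            trace.append(breaker.call(dependency))
        except ConnectionError:
            trace.append("error")
        except CircuitOpenError:
            trace.append("open")
    now[0] += 10                                  # reset timeout elapses
    healthy["ok"] = True                          # dependency recovers
    trace.append(breaker.call(dependency))        # half-open probe succeeds
    return trace, breaker.state


def bulkhead_demo():
    """Two slow calls hold both slots; a third caller is rejected immediately."""
    bulkhead = Bulkhead(max_concurrent=2)
    both_inside = threading.Barrier(3)   # two workers + this function
    release = threading.Event()
    results = []

    def slow():
        both_inside.wait()
        release.wait()
        return "done"

    def attempt():
        try:
            results.append(bulkhead.run(slow))
        except BulkheadFullError:
            results.append("rejected")

    workers = [threading.Thread(target=attempt) for _ in range(2)]
    for w in workers:
        w.start()
    both_inside.wait()      # both slots are now definitely occupied
    attempt()               # third attempt cannot get a slot
    release.set()
    for w in workers:
        w.join()
    return sorted(results)


if __name__ == "__main__":
    print(breaker_demo())
    print(bulkhead_demo())
```

The half-open state is the subtle part: after the timeout the breaker admits a single probe, and only a success closes the circuit again, so a dependency that is still down costs one request rather than a flood. The bulkhead uses a non-blocking acquire on purpose: queueing behind a slow dependency would reproduce exactly the cascading failure the pattern exists to prevent.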
Chaos Engineering for Testing Resilience
Chaos Engineering, initially adopted by advanced technology organizations, is becoming an increasingly mainstream practice as a tool to verify that systems respond as expected in case of problems. This methodology allows for proactively identifying weak points that might remain hidden until a real incident occurs.
- Controlled experiments of deliberate failure to test recovery capabilities
- Incremental approach starting with simple tests in non-production environments
- Monitoring results to identify weak points in the architecture
- Continuous improvement based on experiment results
Structured Backup and Recovery
A true constant since the dawn of IT, a solid backup and recovery strategy always remains a fundamental element of any cybersecurity strategy, even in Cloud Native architectures. Backups protect against human errors and technical malfunctions. Furthermore, they are also an important line of defense against ransomware attacks, which are an increasingly widespread and sophisticated threat.
- Clear and complete backup policies (frequency, retention, coverage)
- Periodic recovery tests to verify the effectiveness of procedures
- Security measures to protect backups from unauthorized access
- Automation of backup processes to reduce the risk of human error
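An added example (not code from the article) of two of the backup practices above expressed as checks that can run on a schedule: a retention rule applied to a catalogue of snapshots, and a recovery-readiness verification that every catalogued snapshot still exists, still matches the digest recorded when it was taken, and that the newest one is recent enough. The catalogue and the backup store are constructed in memory; the keep-7-daily / 4-weekly / 12-monthly rule and the one-day freshness limit are illustrative policies, not figures from the text.

```python
"""Backup retention and integrity checks.

Added example, not code from the article. Catalogue, store and the
retention/freshness figures are constructed for illustration.
"""
import hashlib
from datetime import date, timedelta


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def retained_dates(snapshot_dates, daily=7, weekly=4, monthly=12):
    """Grandfather-father-son retention over a set of snapshot dates.

    Keeps the newest `daily` snapshots, the newest snapshot of each of the
    last `weekly` ISO weeks, and the newest of each of the last `monthly`
    months. Everything else is eligible for deletion."""
    ordered = sorted(snapshot_dates, reverse=True)
    keep = set(ordered[:daily])
    for key_fn, limit in (
        (lambda d: d.isocalendar()[:2], weekly),   # (iso_year, iso_week)
        (lambda d: (d.year, d.month), monthly),
    ):
        seen = []
        for d in ordered:                          # newest first
            k = key_fn(d)
            if k not in seen:
                seen.append(k)
                if len(seen) <= limit:
                    keep.add(d)
    return keep


def verify_backups(catalogue, store, today, max_age_days=1):
    """Recovery-readiness check: every catalogued snapshot must be present and
    match its recorded digest, and the newest one must be fresh enough."""
    problems = []
    for d, entry in sorted(catalogue.items()):
        blob = store.get(d)
        if blob is None:
            problems.append((d.isoformat(), "missing"))
        elif sha256_hex(blob) != entry["sha256"]:
            problems.append((d.isoformat(), "digest mismatch"))
    newest = max(catalogue)
    if (today - newest).days > max_age_days:
        problems.append((newest.isoformat(), "newest backup too old"))
    return problems


def build_demo(today=date(2025, 1, 30)):
    """Constructed catalogue: one snapshot per day from 2025-01-01 to
    2025-01-30, with one snapshot tampered and one missing from the store."""
    catalogue, store = {}, {}
    for i in range(30):
        d = date(2025, 1, 1) + timedelta(days=i)
        blob = f"snapshot {d.isoformat()}".encode()
        catalogue[d] = {"sha256": sha256_hex(blob)}   # digest taken at backup time
        store[d] = blob
    store[date(2025, 1, 28)] = b"tampered"            # modified after the fact
    del store[date(2025, 1, 25)]                      # lost or deleted
    return catalogue, store, today


if __name__ == "__main__":
    catalogue, store, today = build_demo()
    print("retained:", sorted(d.isoformat() for d in retained_dates(catalogue)))
    print("problems:", verify_backups(catalogue, store, today))
```

Recording the digest in a catalogue kept separately from the backup store is what makes the integrity check meaningful against the ransomware case mentioned above: an attacker who can rewrite the backups should not also be able to rewrite the record of what they should contain. Running the check on a schedule, rather than only during a restore drill, turns "protect backups from unauthorized access" into something that is actually observed.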
Documented Incident Response Procedures
Documenting incident response procedures, in addition to being an explicit requirement of the regulations, is essential for ensuring a rapid and effective response in case of an incident. Periodic drills allow for verifying the effectiveness of procedures and help build practical experience, which is necessary to respond effectively in stressful and truly emergency situations.
- Detailed playbooks for different incident scenarios
- Clearly defined roles and responsibilities
- Communication templates for internal and external interactions
- Periodic drills to test the effectiveness of procedures
5 Best Practices for Implementing Compliance
The effective implementation of NIS2 and DORA requirements requires not only appropriate tools and technologies but also a cultural and organizational approach that integrates security as a fundamental value and a constant objective.
- Adopt a security by design approach. By integrating security into the DNA of the development process, organizations can prevent many problems that would otherwise require costly and complex interventions. Security by design allows for identifying vulnerabilities and security flaws as early as possible, intervening promptly and reducing the cost and complexity of late remediations.
Best practices:
- Integrate security from the initial design phases
- Define security principles that guide architectural decisions
- Use already security-hardened patterns and reference architectures
- Conduct threat modeling sessions regularly
- Automate as much as possible. Automation plays a fundamental role in making compliance sustainable over time. Investing in automation may seem costly initially, but it offers significant returns in the medium to long term, reducing the manual workload and minimizing the risk of human error.
Best practices:
- Implement security controls in CI/CD pipelines
- Automate the generation of compliance documentation
- Use policy-as-code for automatic enforcement
- Implement automated alerts and remediations where possible
- Invest in training and culture. Training and organizational culture are often underestimated but crucial elements for success. By creating an environment where security is everyone's responsibility, not just that of the specialized team, a significantly higher level of protection is achieved. Security Champions are an effective way to promote a security culture.
Best practices:
- Train all teams on regulatory requirements
- Create security champions in every team
- Incentivize the reporting of security problems
- Promote a culture of shared responsibility for security
- Adopt a risk-based approach. This approach allows for allocating resources efficiently, concentrating efforts where they can have the greatest impact. Always relevant, it becomes fundamental in contexts with limited resources where it is necessary to maximize the return on security investments.
Best practices:
- Evaluate the criticality and sensitivity of systems and data
- Allocate resources based on risk assessment
- Define controls proportional to the value to be protected
- Implement more robust protections for mission-critical systems
- Document systematically. Documentation allows for having an always updated snapshot of assets and resources, as well as internal best practices that allow for quickly understanding how to act in an emergency.
Best practices:
- Maintain an updated inventory of assets and resources
- Document architectural decisions and risk mitigations
- Prepare audit-ready documentation
- Implement an effective document management system
The Path to Compliance: Where to Start
Implementing compliance, especially for organizations approaching the security requirements introduced or strengthened by NIS2 and DORA for the first time, requires a structured and incremental approach that balances the urgency of meeting regulatory requirements with the need to maintain business operations. An effective implementation path typically consists of the following phases:
- Awareness and initial training. The first step is to create awareness at all levels of the organization. It is important that training involves not only developers but also management and other functions. Only in this way is it possible to lay the foundations for a widespread security culture.
Best practices:
- Introductory workshops on regulatory requirements and their impact
- Awareness programs for technical teams
- Executive briefings for strategic management alignment
- Industry benchmarks to understand how other organizations are addressing compliance
- Assessment and gap analysis. In any methodology, a fundamental step is always a thorough evaluation that allows for understanding the current state and identifying priority areas for intervention.
Best practices:
- Security posture assessment to evaluate the current state
- Analysis of all relevant aspects: architecture, processes, technologies
- Identification of gaps against regulatory requirements
- Definition of a baseline to measure progress
- Roadmap definition. Planning is crucial for effective implementation. The implementation roadmap must be realistic and balanced, considering not only the regulatory urgency but also the operational impact of the interventions.
Best practices:
- Prioritize interventions based on risk and business impact
- Identify "quick wins" that can be implemented quickly, which are invaluable for creating momentum and visibility for the entire compliance program
- Plan more complex and long-term interventions, with clear and measurable objectives
- Allocate resources and define realistic timelines
- Fundamental controls. Even if the initial state and gaps vary for each organization, there are certainly some fundamental controls that every organization should implement with the highest priority.
Best practices:
- Access management: implementation of robust access controls and strict application of the Principle of Least Privilege (PoLP)
- Vulnerability management: structured process of identification and remediation
- Security monitoring: implementation of basic detection systems
- Incident response: definition of initial incident response procedures, a requirement explicitly provided by NIS2, including the obligation to notify authorities (notification within 24 hours, full report within 30 days)
- Incremental implementation. Cybersecurity is constantly evolving; after implementing the fundamental features, a process of continuous improvement is necessary. The incremental approach is particularly suitable in complex contexts like Cloud Native environments. This allows for testing the effectiveness of solutions on a small scale before extending them to the entire organization, with a significant minimization of risks. But it's not just about features; it's also about culture and experience in the face of real emergencies: a maturity that is built over time.
Best practices:
- Adopt an iterative approach with implementation-verification-adaptation cycles
- Initial focus on fundamental and high-impact elements
- Expansion of implemented controls
- Involvement of key stakeholders in every phase
- Adaptation of the roadmap based on feedback and results
- Verification and continuous improvement. Security practices cannot be limited to the initial development phase of a project or to the moment the journey towards regulatory compliance begins. Instead, security must play a central role and be considered on par with "business" features, providing for continuous monitoring and improvement. From this perspective, security itself becomes a "business feature" in every respect.
Best practices:
- Conduct regular internal audits
- Periodic vulnerability assessments
- Review and update procedures
- Adapt to new threats and the evolution of regulatory requirements
Cybersecurity is an extremely vast and delicate subject that requires skills and expertise that must be built over time. In the initial phase of a security approach, it is particularly important to balance regulatory urgency with operational sustainability. Trying to implement all functionalities and controls at the same time can be counterproductive, leading to superficial implementations and dangerous organizational resistance.
The incremental approach, instead, allows for obtaining tangible results in a reasonable time, while building the skills and culture necessary for an effective implementation of the most advanced controls. By identifying and starting with “quick wins,” it is possible to achieve early, visible results. Each success obtained then contributes to building momentum and gaining support for both the subsequent phases of the adaptation journey and the future commitment to continuous improvement.
Strategic Approach to Compliance
By adopting a modern and strategic perspective on compliance, it is possible to transform a regulatory obligation into a competitive advantage. It's a mental, cultural, and organizational shift that turns a simple mandatory fulfillment into an opportunity to improve our processes and architectures.
The security enablement approach, in contrast to traditional security enforcement, fits perfectly into this vision. Rather than imposing controls from above that could be perceived as obstacles, with security enablement, the focus shifts to empowering teams to implement security, providing them with tools, knowledge, resources, and support.
A methodology that is also effective in the security field is that of continuous improvement. Security is not only integrated into existing processes, but continuous controls and verification of adopted protection measures are also integrated, as well as the evaluation and integration of new measures. This cycle of continuous improvement allows for adapting to the constant evolution of cyber threats, also becoming more reactive to new regulatory requirements.
Within the organizational culture, there must be a shift aimed at considering security on the same level as all other functionalities. But not only that: for a true “security culture” to be established, transparency and collaboration must be fundamental values. Only in this way is it possible to create an environment of open communication about security problems, based on incident analysis and learning rather than blame, and on the creation of spaces for discussion and sharing.
Last but not least, a sustainable vision of security, while maintaining compliance requirements over time without sacrificing agility and innovation, cannot do without automation. Automation allows for reducing the manual workload, integrating security into daily workflows, implementing continuous monitoring, and intervening promptly—all of which are essential aspects of effective cybersecurity.
Conclusion and next steps
As we have seen, implementing the NIS2 and DORA requirements in Cloud Native environments represents a significant challenge, especially for organizations facing these aspects for the first time. However, with the right approach, it becomes an opportunity to improve security, operational resilience, skills, and organizational culture.
Organizations that adopt a structured approach, with an emphasis on automation, training, and continuous improvement, will be able not only to meet regulatory requirements but also to gain competitive advantages in terms of reliability, security, and innovation capability.
To start the compliance journey, we recommend:
- Evaluate the current state through an initial assessment
- Define a realistic roadmap with clear priorities
- Implement fundamental controls and proceed incrementally, starting with “quick wins”
- Measure progress and celebrate successes
- Adopt a continuous improvement approach
At SparkFabrik, we follow the evolution of security regulations and their application in Cloud Native contexts with great attention and interest. Our CTO, Paolo Mainardi, personally leads the company's commitment to security, acting as a Security Champion and promoting internal specialization in supply chain security and DevSecOps. This focus is also reflected in our active participation in international communities, as we are members of key organizations such as CNCF, Linux Foundation Europe, and OpenSSF.
Our experience in the sector allows us to offer strategic consulting and support in the implementation of solutions that balance compliance, security, and innovation. To support organizations on their compliance journey, we have also created the NIS2 & DORA Compendium, a complete and free guide to help you navigate the regulatory requirements and challenges of Cloud Native environments.
To learn more about these topics or discuss the specific needs of your organization, we invite you to explore our service offerings or contact us directly:
- Supply Chain Security
- Cloud Native Journey
- DevOps & Automation
- Kubernetes Consultancy
- Managed Services
- Cloud Migration
Or contact us directly for a personalized consultation on your specific context.