
Advanced assessment of the NIS2 compliance gap
Challenge
A national financial supervisor needed to know precisely its degree of compliance with DORA.
The agency needed to:
- Assess its DORA compliance status, together with the other main frameworks applicable to the financial environment, across the whole organisation.
- Identify non-compliances, shortcomings and overlaps in its security policies, procedures and controls.
- Prioritise remediation measures from a risk perspective, distinguishing the non-compliances with the greatest potential impact.
A purely manual approach would have entailed:
- Months of intensive work by the legal, security and compliance teams.
- Risk of inconsistencies in the evaluation criteria.
- Difficulty in obtaining a comprehensive, structured and prioritised picture of DORA compliance.
Approach
ECIX Tech delivered a Legal Operations DORA assessment service, supported by the capabilities of MIA Enterprise to automate document analysis and regulatory interpretation. The approach was structured in three steps:
- DORA reference model, together with the other main frameworks applicable to the financial environment
  - Definition of a DORA requirements map adapted to the agency's role as an essential entity in the financial sector.
  - Construction of an evaluation matrix relating each obligation to the evidence expected in policies, procedures and internal controls.
- Mass documentation analysis with MIA Enterprise
  - Use of the MINE algorithms to analyse hundreds of internal documents, identifying relevant references to security governance, incident management, continuity, supplier management and other applicable domains.
  - Automatic classification of the contents against the requirements of the standard, and detection of gaps, inconsistencies or missing evidence.
- Gap assessment and risk-based prioritisation
  - Development of a structured compliance assessment indicating, for each DORA requirement, the level of adequacy achieved.
  - Identification of non-compliances and deviations from a risk perspective, highlighting those with the highest potential impact on the continuity of essential services or on exposure to supervisors.
  - Proposal of mitigation and adaptation measures, prioritised by risk, facilitating the elaboration of a realistic roadmap for alignment with DORA.
Results
The combination of the Legal Operations service and the MIA Enterprise technology allowed the agency to:
- Obtain, in a short period of time, a complete and structured overview of its situation with respect to DORA, without the need to manually review each document.
- Clearly identify which requirements were met, which ones had weaknesses and which ones posed a relevant risk from an operational and regulatory point of view.
- Have a DORA gap report prioritised by risk, which became the basis for the design of its adequacy and security investment plan.
- Improve its responsiveness to future supervisory demands and audits, by having an analysis that is traceable, explainable and supported by objective criteria.