
Regulatory challenges and cybersecurity solutions: DORA, NIS2, and the EU AI Act – Cyberevolution insights part 2

Friday 20 December 2024 08:30 CET | Editor: Mirela Ciobanu | Voice of the industry

We continue our coverage of the Cyberevolution event, diving into key regulatory challenges such as DORA, NIS2, and the EU’s AI Act, while exploring innovative solutions like Security 3.0, Cyberfantastic, and the Identity Fabric.


If you missed part 1, where we focused on the top cyber threats in 2024 (ransomware, social engineering, and information manipulation), you can read it here.


Impactful regulations for cybersecurity

Cybersecurity has become a top priority for C-level executives, driven not only by the need to protect businesses but also by growing regulatory demands. During a panel discussion, Martina Gruber, Member of the Executive Board at Clearstream Banking, and Hinrich Völcker, CISO at Deutsche Börse, discussed the significance of three key pieces of EU legislation: the Digital Operational Resilience Act (DORA), the NIS2 Directive, and the Cyber Resilience Act (CRA).

DORA (Regulation (EU) 2022/2554) is a binding EU regulation that establishes a comprehensive ICT risk management framework for the financial sector, covering risk management, incident reporting, resilience testing, and the oversight of ICT third-party providers. It applies from 17 January 2025, by which date financial entities and their critical ICT third-party providers must meet its requirements and the accompanying technical standards.

NIS2 (Directive (EU) 2022/2555) is the revised version of the 2016 NIS Directive, the EU's first cross-sector cybersecurity law. It entered into force in January 2023 and widens the scope of the original directive to many more sectors and entities, with stricter risk management, reporting, and supply-chain obligations. As a directive it binds member states rather than companies directly; they had until 17 October 2024 to transpose it into national law, and national transposition is what actually sets the detailed obligations for a given organisation.


The Cyber Resilience Act (CRA) entered into force on 10 December 2024 and is a landmark law imposing mandatory cybersecurity requirements on products with digital elements, from secure design through to vulnerability handling and security updates over the product's support period. Its obligations phase in after a transition period (manufacturers' reporting duties for actively exploited vulnerabilities apply from 11 September 2026 and most other requirements from 11 December 2027), so product teams have time to adapt, but the direction is set. The CRA complements NIS2 and reflects the EU's broader strategy to strengthen cybersecurity across a connected digital ecosystem.

Martina Gruber noted that Clearstream Banking, as a bank and a systemically important financial infrastructure, has been operating under strict regulatory regimes for years. However, she highlighted that DORA presents new challenges due to its highly detailed requirements, which differ from typical regulations that allow more flexibility in implementation. ‘With DORA, we’re not just given high-level guidance—we’re handed detailed, field-level instructions, which feels unusual’, she remarked, adding that while this approach ensures thoroughness, it also increases complexity.

Another challenge arises from maintaining 100% compliance across all security layers, given the dynamic nature of technology. ‘Regulators often focus deeply on individual controls during audits, which can sometimes overlook the broader, front-to-back view of overall protection’, she explained. Despite these difficulties, she joked that personal liability and stricter oversight have not disrupted her sleep.

The increasing use of AI, along with significant investments and research in these tools, has caught the attention of regulators, and the EU's AI Act has become the reference regulation for managing artificial intelligence in Europe. However, Prof. Dr. Dennis-Kenji Kipker from cyberintelligence.institute argues that the EU AI Act alone is insufficient and will not become the global standard. It is up to industries, not just legislators, to decide how and with whom they engage in strategic AI collaborations.


The European AI Act entered into force on 1 August 2024, with its obligations phasing in over the following years, and regulates the development and deployment of AI within the EU. It categorises AI systems by risk level and imposes the strictest requirements on high-risk applications, aiming to protect individuals while leaving room for innovation. Banking and financial services are directly affected: credit scoring of natural persons is listed as a high-risk use, so banks deploying such systems must satisfy the governance requirements that already apply to them under EU financial services law and carry out a Fundamental Rights Impact Assessment before putting the system into use. The regulation mitigates these risks but does not eliminate them.

AI's role in cybersecurity was also discussed extensively. AI technologies can strengthen the defence against cybercrime through self-learning capabilities, anomaly detection, and defence mechanisms that adapt over time. They can also enable proactive measures, such as isolating affected IT systems during a breach, and shorten response times in cybersecurity incidents. As AI continues to evolve, it can significantly improve threat detection and response, but it must be implemented responsibly: a model that isolates systems on its own is itself a high-impact control and needs the same governance as any other. Experts like Martin Kuppinger from KuppingerCole urged CISOs to establish strong AI governance and ethical guidelines to ensure the secure use of AI in cybersecurity. He recommended that companies pilot generative AI for threat modelling, focusing on AI quality and ethical use.

In conclusion, Dr. Kipker warned that AI poses significant risks and must be countered with state-of-the-art technical and organisational countermeasures.


Elevating cybersecurity at the board level

Modern boards now see cybersecurity as a crucial strategic component rather than a necessary evil. Board-level awareness of cybersecurity has grown over the past decade, leading to more investment in security tools and response capabilities. Regular communication of incidents to the board, in this case daily, keeps directors aware and ready to respond effectively.

Martina Gruber from Clearstream Banking argued that cybersecurity is not just a technological topic; fundamentally, it is about a company's culture. It must be embraced and understood at all levels, starting with leadership. Beyond managing technology, organisations face significant operational, financial, and reputational risks. For cybersecurity to thrive, boards must take ownership by establishing clear frameworks, allocating resources and budgets, and, most importantly, fostering a culture of trust. Employees should feel empowered to say openly where the risks and threats are, without fear of negative consequences.

Communication also plays a critical role. Everyone—from leadership to frontline staff—must understand the severity of cybersecurity and its potential to harm or even destroy an organisation. Hinrich further underscored that communicating cybersecurity issues to the board is an art. Translating complex technical vulnerabilities into meaningful insights that resonate with business leaders requires balance and clarity. While gaps between technical teams and business leaders may persist, Hinrich noted a growing willingness on the business side to bridge these divides. By fostering mutual understanding and aligning priorities, organisations can successfully integrate cybersecurity into their overall strategy.


Building resilience and responding to incidents

To maintain security and safety in an evolving threat landscape, several advanced tools and approaches are being adopted. Zero Trust is gaining traction, particularly for securing distributed workforces and cloud environments, with a focus on continuous verification. Zero Trust Architecture is an IT system design and implementation strategy based on the principle of 'never trust, always verify'. It assumes that no user or device should be trusted by default, even one connected to a supposedly secure network such as the corporate LAN or one that was verified in the past: every access request is evaluated on its own merits, using identity, authentication strength and freshness, device posture, and the sensitivity of the resource, rather than network location. Key actions for Zero Trust include conducting a readiness assessment, implementing identity verification mechanisms, and using micro-segmentation so that a compromised account or host cannot move laterally across the estate.
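To make 'never trust, always verify' concrete, here is an added example of a minimal policy decision point, written for this article rather than taken from the event, from KuppingerCole or from any Zero Trust product. It evaluates each request from the subject's identity, the freshness and strength of its authentication, the device's posture, and a micro-segmentation table; the 15-minute re-verification window, the role-to-segment policy, and the three sample requests are assumptions made for the demonstration. The point to notice is what is not an input: the source network.

```python
"""Added illustration of 'never trust, always verify' as a policy decision point.
Example code written for this article, not code from the event, KuppingerCole
or any Zero Trust vendor. The policy table, the 15-minute re-verification window
and the sample requests are assumptions made for the demo."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

MAX_AUTH_AGE = timedelta(minutes=15)  # assumption: re-verify at least this often

# Assumed micro-segmentation policy: which roles may reach which segment.
SEGMENT_ACCESS = {
    "payments-db": {"payments-dba", "sre"},
    "hr-portal": {"hr", "sre"},
    "wiki": {"hr", "payments-dba", "sre", "contractor"},
}


@dataclass
class Request:
    subject: str
    roles: set
    mfa: bool
    authenticated_at: datetime
    device_managed: bool
    device_patched: bool
    source_network: str   # logged for audit only; never an input to the decision
    resource: str         # the segment the subject wants to reach


@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)


def evaluate(req: Request, now: datetime) -> Decision:
    """Evaluate one request on its own merits; prior verification does not carry over."""
    reasons = []
    # 1. Identity: strong and fresh authentication on every request.
    if not req.mfa:
        reasons.append("mfa required")
    if now - req.authenticated_at > MAX_AUTH_AGE:
        reasons.append("authentication too old; re-verify")
    # 2. Device posture: the endpoint must be managed and patched.
    if not req.device_managed:
        reasons.append("unmanaged device")
    if not req.device_patched:
        reasons.append("device not patched")
    # 3. Micro-segmentation: one of the subject's roles must be allowed into the segment.
    if not (req.roles & SEGMENT_ACCESS.get(req.resource, set())):
        reasons.append(f"no role grants access to segment {req.resource!r}")
    # Deliberately absent: req.source_network. Being on the corporate LAN grants
    # nothing, and being on a coffee-shop Wi-Fi costs nothing.
    return Decision(allow=not reasons, reasons=reasons)


NOW = datetime(2024, 12, 20, 9, 0, tzinfo=timezone.utc)  # constructed clock for the demo


def sample_decisions() -> dict:
    """Constructed requests: location is irrelevant, freshness and posture are not."""
    cases = {
        # Remote, but MFA two minutes ago on a managed, patched device, right segment.
        "remote_fresh": Request("alice", {"payments-dba"}, True, NOW - timedelta(minutes=2),
                                True, True, "cafe-wifi", "payments-db"),
        # On the corporate LAN, but no MFA, an 8-hour-old session and the wrong segment.
        "lan_stale": Request("bob", {"hr"}, False, NOW - timedelta(hours=8),
                             True, True, "corp-lan", "payments-db"),
        # Everything fresh, but the contractor role is not allowed into hr-portal.
        "wrong_segment": Request("carol", {"contractor"}, True, NOW - timedelta(minutes=1),
                                 True, True, "corp-lan", "hr-portal"),
    }
    return {name: evaluate(req, NOW) for name, req in cases.items()}


if __name__ == "__main__":
    for name, decision in sample_decisions().items():
        print(f"{name}: {'ALLOW' if decision.allow else 'DENY'} {decision.reasons}")
```

Running the block shows the remote request allowed and both LAN requests denied, each with the specific reasons. In a real deployment the device and authentication signals would come from the identity provider and endpoint management system, and the decision would be re-taken on every request rather than once per session.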


Identity Fabric also plays a critical role in strengthening identity security by integrating diverse identity services into a cohesive system, which is key for achieving Zero Trust and ensuring compliance.


Additionally, Security 3.0 is emerging as a comprehensive strategy for cybersecurity. Max Imbiel, CISO at BitPanda, drew inspiration from modern medicine, particularly the concept of longevity, to propose a preventative, evidence-based approach to cybersecurity. This means prioritising resilience, cyber hygiene, and prevention ahead of detection and response, while still investing in early threat detection: Security 3.0 uses big data, AI, and machine learning for predictive threat analysis. The strategy emphasises continuous improvement, adaptive responses to new challenges, and collaboration among tech experts, businesses, and users for stronger defences. It also addresses user privacy, data protection, and the ethical use of AI.


Finally, Cyberfantastic, a strategy proposed by Matthias Muhlert, CISO at Oetker, encourages leveraging threats for growth, turning security challenges into opportunities for innovation and resilience.

These evolving strategies emphasise proactive, data-driven, and collaborative approaches, ensuring enduring security in an increasingly digital and interconnected world.


Exploring the future

Preparing for the future of cybersecurity requires proactive strategies that align with business goals and focus on resilience, efficiency, and emerging technologies. As cyber threats evolve rapidly, CISOs must stay ahead by integrating security with broader business objectives. One key area of focus is preparation for quantum threats. A sufficiently large quantum computer would break today's public-key cryptography (RSA, Diffie-Hellman and elliptic-curve schemes), which underpins TLS key exchange, digital signatures and most key management; symmetric ciphers and hash functions are affected far less, and larger key or digest sizes keep them safe. The event framed the response as Quantum-Safe Encryption (QSE), more commonly called post-quantum cryptography (PQC).

Key actions for preparing for quantum threats include building an inventory of where and how cryptography is used and which of those uses are vulnerable, beginning a phased adoption of quantum-safe algorithms (typically in hybrid mode alongside the existing scheme at first, so that a flaw in the new algorithm does not weaken today's protection), and tracking the standards as they mature. NIST published its first three post-quantum standards, FIPS 203 (ML-KEM), 204 (ML-DSA) and 205 (SLH-DSA), in August 2024, which gives the inventory a concrete target to migrate towards.
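The first of those actions, assessing where cryptography is vulnerable, is the one most teams find hardest to start. Here is an added example of an inventory triage script, written for this article rather than taken from the event, KuppingerCole or any vendor, that takes a list of cryptographic uses and ranks them by urgency. The inventory entries, the 10-year secrecy horizon and the action wording are assumptions made for the demonstration; the algorithm facts it relies on (Shor's algorithm breaks RSA, DH and elliptic-curve schemes, Grover's algorithm roughly halves symmetric key strength, and ML-KEM, ML-DSA and SLH-DSA are the NIST FIPS 203, 204 and 205 standards) are not.

```python
"""Added illustration: triage of a cryptographic inventory for post-quantum migration.
Example code written for this article, not code from the event, KuppingerCole or any
vendor. The inventory entries, the 10-year secrecy horizon and the action wording are
assumptions; the algorithm facts (Shor breaks RSA/ECC/DH, Grover halves symmetric
strength, ML-KEM/ML-DSA/SLH-DSA are NIST FIPS 203/204/205) are not."""
from dataclasses import dataclass

SHOR_BROKEN = {"RSA", "DSA", "DH", "ECDH", "ECDSA", "EDDSA", "ED25519", "X25519"}
SYMMETRIC = {"AES", "CHACHA20"}
CLASSICALLY_BROKEN = {"MD5", "SHA1"}            # weak regardless of quantum computers
QUANTUM_SAFE = {"ML-KEM", "ML-DSA", "SLH-DSA"}  # NIST FIPS 203, 204, 205 (August 2024)


@dataclass
class Use:
    system: str
    purpose: str        # "key-exchange", "encryption", "signature" or "hash"
    algorithm: str
    bits: int           # key length, or digest length for hashes
    secrecy_years: int  # how long the protected data must stay confidential


@dataclass
class Finding:
    system: str
    status: str    # "quantum-safe", "weakened", "broken", "already-broken", "unknown"
    priority: int  # 1 = act now ... 4 = no action needed
    action: str


def classify(u: Use, horizon_years: int = 10) -> Finding:
    """Map one cryptographic use to a quantum-risk status and an action."""
    alg = u.algorithm.upper()
    if alg in QUANTUM_SAFE:
        return Finding(u.system, "quantum-safe", 4, "none; keep tracking the standards")
    if alg in CLASSICALLY_BROKEN:
        return Finding(u.system, "already-broken", 1, f"replace {u.algorithm} now, quantum or not")
    if alg in SHOR_BROKEN:
        # Confidentiality goes first: ciphertext recorded today can be decrypted once a
        # capable machine exists, so long-lived secrets are the most urgent case.
        # Signatures are only at risk once such a machine actually exists.
        if u.purpose in ("key-exchange", "encryption"):
            if u.secrecy_years >= horizon_years:
                return Finding(u.system, "broken", 1, "move to ML-KEM now (hybrid with the existing scheme)")
            return Finding(u.system, "broken", 2, "plan a hybrid ML-KEM migration")
        return Finding(u.system, "broken", 3, "plan migration to ML-DSA or SLH-DSA")
    if alg in SYMMETRIC:
        effective = u.bits // 2  # Grover's algorithm halves the effective key length
        if effective < 128:
            return Finding(u.system, "weakened", 2,
                           f"raise the key to 256 bits (about {effective}-bit security under Grover)")
        return Finding(u.system, "quantum-safe", 4, "none")
    if alg.startswith("SHA"):  # SHA-2 / SHA-3; SHA1 was caught above
        if u.bits >= 256:
            return Finding(u.system, "quantum-safe", 4, "none")
        return Finding(u.system, "weakened", 2, "use a digest of at least 256 bits")
    return Finding(u.system, "unknown", 1, "identify the algorithm; unknown crypto cannot be assessed")


def triage(uses, horizon_years: int = 10):
    """Classify every use and order the findings by urgency, then by system name."""
    return sorted((classify(u, horizon_years) for u in uses), key=lambda f: (f.priority, f.system))


# Constructed inventory for the demo; not a real organisation's.
SAMPLE_INVENTORY = [
    Use("archive-backup", "encryption", "RSA", 2048, 25),
    Use("tls-edge", "key-exchange", "X25519", 256, 1),
    Use("code-signing", "signature", "ECDSA", 256, 0),
    Use("disk-encryption", "encryption", "AES", 128, 15),
    Use("hsm-keywrap", "encryption", "AES", 256, 15),
    Use("legacy-checksum", "hash", "SHA1", 160, 0),
    Use("pilot-tls", "key-exchange", "ML-KEM", 768, 1),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"P{f.priority} {f.system:16} {f.status:14} {f.action}")
```

On the constructed inventory the RSA-protected long-term archive and the SHA-1 checksum come out first, the short-lived TLS key exchange second, and the ECDSA code-signing key third, which is the ordering a migration plan should follow: long-lived confidentiality before signatures. Anything the script cannot name is deliberately ranked as priority 1, because an unknown algorithm in the inventory is itself a finding.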

Additionally, non-human identity management and decentralised identities are gaining attention as critical trends. These innovations offer new solutions for secure, user-centric identity management, further enhancing the overall security landscape as technology continues to evolve.


In conclusion …

The cybersecurity landscape is constantly evolving, demanding ongoing engagement and readiness from organisations. CISOs play a crucial role in promoting resilience and influencing the development of regulations that shape the future of cybersecurity. While AI presents both risks and opportunities in the cybersecurity space, it requires careful management to maximise its potential. Collaboration and transparency remain key to strengthening overall defence systems. Furthermore, integrating mental health and holistic approaches can significantly enhance the effectiveness of security measures.


Thank you KuppingerCole for inviting The Paypers to attend Cyberevolution and huge congratulations on an exceptional edition! We look forward to the next one.


About Mirela Ciobanu

Mirela Ciobanu is Lead Editor at The Paypers, specialising in the Banking and Fintech domain. With a keen eye for industry trends, she is constantly on the lookout for the latest developments in digital assets, regtech, payment innovation, and fraud prevention. Mirela is particularly passionate about crypto, blockchain, DeFi, and fincrime investigations, and is a strong advocate for online data privacy and protection. As a skilled writer, Mirela strives to deliver accurate and informative insights to her readers, always in pursuit of the most compelling version of the truth. Connect with Mirela on LinkedIn or reach out via email at mirelac@thepaypers.com.




Keywords: decentralized identity, digital identity, DORA, EU AI Act, NIS2, data privacy, cybersecurity, compliance
Categories: Fraud & Financial Crime
Countries: Germany