In the past few years, the European Union has introduced new legislation to strengthen its cyber security framework, affecting organisations across many sectors. Each of these laws imposes multiple obligations on organisations, including obligations relating to monitoring preparedness and cyber security governance. Among the most important pieces of legislation are the Cyber Resilience Act (CRA), the NIS2 Directive, the Digital Operational Resilience Act (DORA), and the General Data Protection Regulation (GDPR). This article provides some insights into the governance and monitoring preparedness obligations under these laws and looks at how standards and frameworks can help organisations comply.
What is monitoring preparedness and why is it important?
Monitoring preparedness refers to an organisation's ability to track, evaluate, and adapt its cyber security posture in anticipation of potential cyber threats. It ensures that the organisation has the appropriate tools, processes, and capabilities to detect vulnerabilities and to respond to cyber incidents effectively and in a timely manner. Important elements of monitoring preparedness are:
- Continuous monitoring: using tools and systems such as SIEM, IDS, and firewalls to continuously monitor network traffic, systems, and applications for suspicious activity. This is important for complying with DORA's obligation to continuously monitor and control the functioning of ICT systems in order to detect and mitigate risks. The CRA in turn requires manufacturers to monitor the security of their products with digital elements throughout the support period so that they keep pace with evolving threats, and NIS2 emphasises continuous monitoring of networks and systems for threats. Organisations must implement real-time monitoring solutions and retain logs so that cyber incidents can be detected and later investigated.
- Incident detection: developing the capability to detect security incidents. With effective monitoring, organisations are able to detect unusual behaviour or security breaches early. Under the CRA, for example, manufacturers must have processes for identifying and handling vulnerabilities and threats affecting their products, in particular after the product has been placed on the market. This includes ensuring that vulnerability notification channels (such as a contact point for coordinated vulnerability disclosure) and patch management are in place.
- Incident response plans: having a detailed, documented response plan for dealing with different types of incidents. The response plan includes procedures for isolating threats, investigating incidents, mitigating damage, and restoring operations, and an incident response team should be in place to carry it out.
- Alerting, logging and reporting: setting up automated alerts for defined events so that the relevant teams are notified straight away. Reporting mechanisms ensure that incidents are logged and communicated in line with legal and regulatory requirements. DORA, the GDPR and NIS2, for example, all impose strict incident reporting timelines, and the reporting clock starts only once an incident has been detected and classified. Organisations must therefore have procedures in place for rapid detection, investigation, and response.
- Drills and tests: regularly testing the effectiveness of the monitoring systems and the incident response plan with cyber security drills and penetration tests that simulate potential attack scenarios and assess the response of the relevant teams. DORA requires financial entities to run a digital operational resilience testing programme, including vulnerability assessments and, for certain entities, threat-led penetration testing; NIS2 requires entities to have policies and procedures for assessing the effectiveness of their cyber security risk-management measures. In both cases the aim is to identify and close security gaps proactively.
- Business continuity and recovery: having business continuity and disaster recovery plans in place so that, if an incident occurs, critical services can be restored without undue delay.
What is cyber security governance and why is it important?
Cyber security governance refers to the framework of policies, procedures, and controls an organisation has in place to manage its cyber security efforts. Governance ensures that cyber security is integrated into the organisation's risk management and business strategy. This involves setting clear rules, roles, and responsibilities to protect the organisation's data, systems, and infrastructure. Important elements of cyber security governance are:
- Compliance: ensuring the organisation complies with relevant laws, regulations, and industry standards.
- Policies and procedures: developing formal policies and guidelines for cyber security practices covering areas such as data protection, access controls, incident response, and security protocols. This matters because under the CRA, for example, establishing clear responsibilities and policies for product security is a key part of governance, and underpins the CRA's accountability requirements for the development and maintenance of products with digital elements. DORA likewise requires organisations to have systems and procedures in place, including clear procedures for identifying, responding to, and recovering from ICT-related incidents.
- Risk management: identifying potential cyber security risks, including risks arising from ICT services provided by third parties, and implementing measures to reduce those risks to an acceptable level.
- Leadership and accountability: clear ownership of cyber security at board level, for example by assigning a CISO or similar role. NIS2, for example, requires the management bodies of essential and important entities to approve and oversee the implementation of cyber security risk-management measures and to follow training themselves, and holds them accountable for infringements; this presupposes clear reporting lines so that executives and boards are kept informed of cyber security risks and incidents. The financial services sector places particular emphasis on internal governance and control frameworks, with DORA reiterating that the management body bears ultimate responsibility for managing a firm's ICT risk.
- Audit and review: regularly auditing the organisation's cyber security posture and governance processes to ensure they remain effective and adapt to new threats and regulatory changes.
How can standards and frameworks help?
Cyber security standards are important for cyber security governance and monitoring preparedness because they provide structured, well-defined frameworks, guidelines, and best practices. They can help organisations with:
- Establishing governance structures: frameworks such as ISO 27001 and the NIST Cybersecurity Framework (CSF), whose 2.0 revision adds a dedicated Govern function, provide a structured approach to governance by defining roles, responsibilities, and processes for managing cyber security risks within an organisation.
- Continuous improvement: the NIST CSF encourages regular assessments, monitoring, and iterative improvement of cyber security practices. ISO 27005 provides guidelines for information security risk management that support an ISO 27001 management system. Regular reviews and adjustments of the risk management approach ensure that organisations remain prepared for emerging threats.
- Third-party risk management: for example, ISO 27036 focuses on supplier relationships and offers guidance on managing the information security risks involved in acquiring ICT products (goods and services) from third-party suppliers. NIST SP 800-161 focuses on cyber security supply chain risk management and helps organisations identify, assess, and mitigate supply chain risks at all levels of the organisation.
- Incident response: both the NIST CSF (through its Detect, Respond and Recover functions) and ISO 27001 (through its incident management controls) address incident response. They provide guidance on detecting, responding to, and recovering from cyber security incidents, which are requirements under NIS2, DORA, the GDPR and the CRA.
- Efficiency in audits and inspections: standards are not only useful for compliance with cyber security regulations; they can also streamline audits and inspections. When regulators or auditors examine an organisation's compliance efforts, they often refer to standards to assess whether the business is meeting industry best practice. An organisation that can demonstrate adherence to relevant standards gives auditors a clear and transparent record of how compliance has been achieved.
- Improving stakeholder trust and confidence: adopting standards demonstrates a commitment to maintaining a high level of security and data protection. This is important for organisations dealing with customers, partners and regulators who need assurance that the organisation is meeting its compliance obligations.
Key takeaway for organisations
Cyber security governance and monitoring preparedness are two important aspects of managing cyber security risk, and together they ensure that organisations are well prepared to prevent, detect, and respond to cyber threats. Cyber security governance provides the strategic oversight, policies, and resources needed to create a robust cyber security framework, while monitoring preparedness covers the tactical and operational side of detecting and responding to threats in real time. By combining the two, organisations make cyber security integrated and proactive, with people, processes, and technology working together to manage risk and protect assets, rather than relying on a series of isolated technical measures. Standards and frameworks play an important role here: they provide a structured approach to governance, (third-party) risk management, incident response, and continuous improvement, which helps organisations meet their obligations under cyber security regulations, makes audits and inspections more efficient, and improves stakeholder trust and confidence.