RISK LETTERS — BLOG
NIS2, DORA, threat intelligence, and what to actually do this week. RSS
A single compromised ICT provider is simultaneously a cyber incident, a financial concentration risk, a geopolitical exposure, and a regulatory obligation under DORA and NIS2. A cross-domain analysis of why modern financial risk refuses to stay in its lane.
Read article →Doug Hubbard's calibrated estimation plus Monte Carlo simulation is the methodological core of modern cyber risk quantification. How calibration training works, how Monte Carlo turns ranges into distributions, and how this pairs with FAIR.
FAIR (Factor Analysis of Information Risk) is the most widely adopted ontology for quantifying cyber risk. How its decomposition works, how it pairs with Monte Carlo simulation, and how to apply it without a statistician on staff.
Why the qualitative grid is losing ground to quantitative methods — and what to replace it with.
A pillar guide to cyber and operational risk quantification in 2026 — FAIR, Hubbard, Monte Carlo, Bayesian methods, loss exceedance curves, and how regulators under DORA and NIS2 increasingly expect numbers, not heat maps.
GDPR Article 28 governs your data processors; NIS2 Article 21(2)(d) governs your suppliers; DORA Articles 28-30 govern your ICT third parties. They overlap heavily. How to run one supplier programme that satisfies all three.
Moving personal data outside the EU under GDPR Chapter V — adequacy decisions, Standard Contractual Clauses, transfer impact assessments after Schrems II, and why EU-based data processing is becoming a commercial decision, not just a legal one.
Moving personal data outside the EU under GDPR Chapter V — adequacy decisions, Standard Contractual Clauses, transfer impact assessments after Schrems II, and why EU-based data processing is becoming a commercial decision, not just a legal one.
The Data Protection Impact Assessment under GDPR Article 35 — when it's mandatory, how to run one, and how it overlaps with NIS2 and DORA risk assessment so you build one process instead of three.
A personal data breach at a regulated entity can trigger GDPR, NIS2 and DORA reporting at once — three authorities, three templates, three clocks. How the obligations differ, where they overlap, and how to run them from one incident record.
European organisations face GDPR, NIS2 and DORA at once — and the regimes overlap in incident reporting, supply chain, governance and security measures. A guide to where they intersect, where they conflict, and how to build one programme that satisfies all three.
The DORA Register of Information under Article 28(3) — what it is, the structure prescribed by Implementing Regulation 2024/2956, the templates and data fields, common errors, and how to build and maintain it.
DORA Pillar 4 — Articles 28 to 30 — is the operationally heaviest part of the regulation. Pre-contractual risk assessment, mandatory contractual provisions, concentration risk, and the critical ICT third-party provider oversight regime, explained.
NIS2's supply chain obligation is one paragraph that creates a programme of work. What Article 21(2)(d) requires, how to build a supplier register and due-diligence process, the contractual clauses you need, and what suppliers themselves should expect.
The NIS2 penalty framework under Article 34, plus how it actually varies across member states — fine ceilings, personal liability, registration deadlines, and early enforcement patterns in Germany, the Netherlands, France, Belgium, and beyond.
The scope test that determines half of your NIS2 obligations. Annex I vs Annex II, the size threshold, the size-irrelevant categories, and how the two-tier supervision model actually works.
DORA's first and largest pillar — Articles 5 to 14 — sets the ICT risk management framework for every EU financial entity. Governance, lifecycle, BCM, learning. What's mandatory, what's prescriptive, and how it differs from NIS2 Article 21.
Article 20 NIS2 puts the management body on the hook for cybersecurity oversight. What that means in practice, where personal liability applies, and the country-by-country variations every European board needs to know.
How NIS2 Article 23 works in practice — the 24-hour early warning, 72-hour notification, and 1-month final report. What each contains, who you report to, and where the clock actually starts.
A pragmatic NIS2 compliance roadmap for 50–249 employee European SMEs — 5 priorities mapped to Article 21, a 90-day plan, realistic cost ranges, and the proportionality principle that makes minimum viable defensible.
Everything Danish companies need to know about NIS2 implementation: NIS-2-loven (L 141), CFCS registration, the 6,000 in-scope entities, and how Denmark deviates from the directive.
A practitioner's guide to the 10 risk management measures required under NIS2 Article 21 — what each means, the minimum SME evidence pack, and the proportionality principle most articles miss.
How a single compromised ICT provider can be a cyber incident, a financial concentration risk, a geopolitical exposure, and a regulatory obligation simultaneously under NIS2 and DORA.
A profile of APT29, the SVR-affiliated Russian threat group known as Cozy Bear and Midnight Blizzard. Long-term strategic intelligence collection, the SolarWinds and Microsoft intrusions, supply-chain tradecraft, and what European NIS2 and DORA entities should learn from a quieter adversary.
A profile of APT28, the Russian GRU-affiliated threat group also known as Fancy Bear, Forest Blizzard, and UAC-0001. History, recent 2025-2026 campaigns including Operation MacroMaze and CVE-2026-21509 exploitation, sectors targeted, and what NIS2 and DORA entities should learn from its tradecraft.
A profile of LockBit, the ransomware-as-a-service operation that survived the 2024 international law-enforcement takedown and continues to extort European NIS2 and DORA entities. Affiliate model, recent campaigns, and what defenders should learn from its persistence.
A profile of MURKY PANDA, the China-nexus threat actor named in CrowdStrike's 2026 Financial Services Threat Landscape Report. Operating across 36 countries against 340 organisations in 30 sectors, with financial services among the most frequently hit. What European DORA entities should learn from its tradecraft.
A profile of Lazarus Group, North Korea's state-sponsored cyber operation responsible for billions in cryptocurrency theft, financial-sector intrusions, and supply-chain attacks. Tradecraft, history, recent campaigns, and what European NIS2 and DORA entities should take from it.
A side-by-side comparison of NIS2 and DORA: scope, legal mechanism, risk management, incident reporting, third-party rules, and penalties. Plus: when both apply to you and which one wins.
Everything European SMEs need to know about NIS2 and DORA in 2026: who's in scope, the 10 Article 21 measures, the 24-72-30 incident timeline, DORA's 5 pillars, penalties, and a 10-step path to compliance. Updated quarterly.