RISK LETTERS — BLOG

Practical guides for European CISOs and compliance leads.

NIS2, DORA, threat intelligence, and what to actually do this week. RSS

Latest

Dice mid-roll on a dark surface — the probabilistic foundation Hubbard's calibrated estimation and Monte Carlo simulation bring to cyber risk
RISK-QUANT 14 min

Hubbard's Approach to Cyber Risk Quantification: Calibration and Monte Carlo

Doug Hubbard's calibrated estimation plus Monte Carlo simulation is the methodological core of modern cyber risk quantification. How calibration training works, how Monte Carlo turns ranges into distributions, and how this pairs with FAIR.

Mathematical and statistical notation on a notebook page — the formal decomposition FAIR brings to cyber risk analysis
RISK-QUANT 13 min

FAIR Methodology Explained: Factor Analysis of Information Risk

FAIR (Factor Analysis of Information Risk) is the most widely adopted ontology for quantifying cyber risk. How its decomposition works, how it pairs with Monte Carlo simulation, and how to apply it without a statistician on staff.

An analytics dashboard with line charts and bar graphs on a laptop screen — the quantitative reporting that replaces qualitative risk heat maps
RISK-QUANT 10 min

From Heat Maps to Numbers: Why Qualitative Risk Scoring Fails

Why the qualitative grid is losing ground to quantitative methods — and what to replace it with.

Close-up of a trading screen showing market data and price movement — the financial vocabulary that cyber risk quantification translates security risk into
RISK-QUANT 12 min

Quantifying Cyber and Operational Risk: A Practitioner's Map of 2026

A pillar guide to cyber and operational risk quantification in 2026 — FAIR, Hubbard, Monte Carlo, Bayesian methods, loss exceedance curves, and how regulators under DORA and NIS2 increasingly expect numbers, not heat maps.

Two professionals shaking hands across a table strewn with contract documents — the moment a processor relationship gets formalised
GDPR 11 min

Data Processor Due Diligence: GDPR Article 28 Meets NIS2 Supply Chain

GDPR Article 28 governs your data processors; NIS2 Article 21(2)(d) governs your suppliers; DORA Articles 28-30 govern your ICT third parties. They overlap heavily. How to run one supplier programme that satisfies all three.

Earth photographed from space at night with city-light networks visible across continents — the cross-border data flows GDPR Chapter V governs
GDPR 10 min

GDPR International Data Transfers: SCCs, Adequacy, and the EU-First Case

Moving personal data outside the EU under GDPR Chapter V — adequacy decisions, Standard Contractual Clauses, transfer impact assessments after Schrems II, and why EU-based data processing is becoming a commercial decision, not just a legal one.

Earth at night seen from orbit, lit by city grids and undersea-cable corridors — the literal map of where personal data flows
GDPR 11 min

GDPR International Data Transfers: SCCs, Adequacy, and the EU-First Case

Moving personal data outside the EU under GDPR Chapter V — adequacy decisions, Standard Contractual Clauses, transfer impact assessments after Schrems II, and why EU-based data processing is becoming a commercial decision, not just a legal one.

Engineer at a transparent glass whiteboard sketching a system diagram — the methodology of a DPIA in one image
GDPR 11 min

DPIA Explained: When You Need One and How It Meets NIS2 Risk Assessment

The Data Protection Impact Assessment under GDPR Article 35 — when it's mandatory, how to run one, and how it overlaps with NIS2 and DORA risk assessment so you build one process instead of three.

Trading floor monitors showing live data streams — multiple clocks ticking on a single incident
GDPR 11 min

GDPR Breach Notification vs NIS2 and DORA: One Incident, Multiple Clocks

A personal data breach at a regulated entity can trigger GDPR, NIS2 and DORA reporting at once — three authorities, three templates, three clocks. How the obligations differ, where they overlap, and how to run them from one incident record.

Scales of justice on a desk beside a stack of legal volumes — three regulatory regimes converging on one entity
GDPR 14 min

GDPR, NIS2 and DORA: How the Three EU Regimes Intersect

European organisations face GDPR, NIS2 and DORA at once — and the regimes overlap in incident reporting, supply chain, governance and security measures. A guide to where they intersect, where they conflict, and how to build one programme that satisfies all three.

Rows of structured data on a computer screen — the Register of Information that DORA Art. 28(3) requires every financial entity to maintain
DORA 11 min

DORA Register of Information: Template and Requirements

The DORA Register of Information under Article 28(3) — what it is, the structure prescribed by Implementing Regulation 2024/2956, the templates and data fields, common errors, and how to build and maintain it.

An empty oval boardroom table — where vendor-oversight committees now sit to govern critical ICT third-party providers under DORA
DORA 11 min

DORA Third-Party Oversight: Managing ICT Vendors Under DORA

DORA Pillar 4 — Articles 28 to 30 — is the operationally heaviest part of the regulation. Pre-contractual risk assessment, mandatory contractual provisions, concentration risk, and the critical ICT third-party provider oversight regime, explained.

A loaded container ship at sea — the ICT supply chain Article 21(2)(d) now treats as in-scope for cybersecurity risk management
NIS2 11 min

NIS2 Supply Chain Security: What Article 21(2)(d) Requires

NIS2's supply chain obligation is one paragraph that creates a programme of work. What Article 21(2)(d) requires, how to build a supplier register and due-diligence process, the contractual clauses you need, and what suppliers themselves should expect.

A historic engraved map of Europe — the per-country enforcement landscape NIS2 fines now play out across
NIS2 11 min

NIS2 Penalties by Country: A Complete 2026 Guide

The NIS2 penalty framework under Article 34, plus how it actually varies across member states — fine ceilings, personal liability, registration deadlines, and early enforcement patterns in Germany, the Netherlands, France, Belgium, and beyond.

A colour-coded map of Europe — the categorisation question every entity has to answer: essential, important, or out of scope
NIS2 11 min

NIS2 Essential vs Important Entities: Which Are You?

The scope test that determines half of your NIS2 obligations. Annex I vs Annex II, the size threshold, the size-irrelevant categories, and how the two-tier supervision model actually works.

Low-angle view of financial-district skyscrapers — the regulated estate DORA's ICT risk-management framework now governs end to end
DORA 13 min

DORA ICT Risk Management Framework Explained (Pillar 1)

DORA's first and largest pillar — Articles 5 to 14 — sets the ICT risk management framework for every EU financial entity. Governance, lifecycle, BCM, learning. What's mandatory, what's prescriptive, and how it differs from NIS2 Article 21.

A boardroom meeting in progress — the management bodies who now carry personal liability for NIS2 risk-management approval
NIS2 11 min

NIS2 Board-Level Accountability: Personal Liability Explained

Article 20 NIS2 puts the management body on the hook for cybersecurity oversight. What that means in practice, where personal liability applies, and the country-by-country variations every European board needs to know.

Close-up of a silver chronograph watch face — the 24-hour, 72-hour, and 30-day reporting clocks that start the moment an incident is detected
NIS2 12 min

NIS2 Incident Reporting: The 24-72-30 Day Timeline Explained

How NIS2 Article 23 works in practice — the 24-hour early warning, 72-hour notification, and 1-month final report. What each contains, who you report to, and where the clock actually starts.

A small team working with laptops while a colleague maps a plan on a whiteboard — the practical reality of scoping a minimum-viable NIS2 baseline in an SME
NIS2 13 min

Minimum Viable NIS2 Compliance for SMEs (Under 250 Employees)

A pragmatic NIS2 compliance roadmap for 50–249 employee European SMEs — 5 priorities mapped to Article 21, a 90-day plan, realistic cost ranges, and the proportionality principle that makes minimum viable defensible.

Aerial view of boats moored between Copenhagen's pastel waterfront buildings
NIS2 10 min

NIS2 Compliance Denmark: The 2026 Guide to NIS-2-loven

Everything Danish companies need to know about NIS2 implementation: NIS-2-loven (L 141), CFCS registration, the 6,000 in-scope entities, and how Denmark deviates from the directive.

Analyst at a multi-monitor workstation — the operational reality of running the ten risk-management measures Article 21 requires
NIS2 16 min

NIS2 Article 21: All 10 Risk Management Measures Explained

A practitioner's guide to the 10 risk management measures required under NIS2 Article 21 — what each means, the minimum SME evidence pack, and the proportionality principle most articles miss.

Empty server-room aisle with rows of blue-LED racks — the infrastructure the financial sector depends on without owning
12 min

The Trust Supply Chain: How One ICT Provider can become four risks at once

How a single compromised ICT provider can be a cyber incident, a financial concentration risk, a geopolitical exposure, and a regulatory obligation simultaneously under NIS2 and DORA.

Dark monitor with cascading green code — the quiet, long-dwell intrusion style associated with APT29's SVR tradecraft
THREAT-INTEL 12 min

APT29 (Cozy Bear): Russia's Quiet Intelligence Service — A Threat Actor Profile

A profile of APT29, the SVR-affiliated Russian threat group known as Cozy Bear and Midnight Blizzard. Long-term strategic intelligence collection, the SolarWinds and Microsoft intrusions, supply-chain tradecraft, and what European NIS2 and DORA entities should learn from a quieter adversary.

Dim, low-key image of a figure in shadow at a screen — evoking the covert military-intelligence tradecraft of GRU-aligned APT28
THREAT-INTEL 10 min

APT28 (Fancy Bear): The GRU's Cyber Arm in Europe — A Threat Actor Profile

A profile of APT28, the Russian GRU-affiliated threat group also known as Fancy Bear, Forest Blizzard, and UAC-0001. History, recent 2025-2026 campaigns including Operation MacroMaze and CVE-2026-21509 exploitation, sectors targeted, and what NIS2 and DORA entities should learn from its tradecraft.

A small padlock resting on a laptop keyboard — the encrypted-extortion model LockBit's ransomware-as-a-service operation has industrialised
THREAT-INTEL 11 min

LockBit: The Ransomware Brand That Survived Operation Cronos — A Threat Actor Profile

A profile of LockBit, the ransomware-as-a-service operation that survived the 2024 international law-enforcement takedown and continues to extort European NIS2 and DORA entities. Affiliate model, recent campaigns, and what defenders should learn from its persistence.

Illuminated skyscrapers of an East Asian financial district at night — the financial-sector target environment of the China-nexus actor MURKY PANDA
THREAT-INTEL 12 min

MURKY PANDA: The China-Nexus Actor Targeting Europe's Financial Sector — A Threat Actor Profile

A profile of MURKY PANDA, the China-nexus threat actor named in CrowdStrike's 2026 Financial Services Threat Landscape Report. Operating across 36 countries against 340 organisations in 30 sectors, with financial services among the most frequently hit. What European DORA entities should learn from its tradecraft.

Gold cryptocurrency coins on a dark surface — the target of choice for Lazarus Group's state-funded crypto-theft operations
THREAT-INTEL 11 min

Lazarus Group: How a Sanctioned State Built the World's Most Effective Crypto-Theft Operation

A profile of Lazarus Group, North Korea's state-sponsored cyber operation responsible for billions in cryptocurrency theft, financial-sector intrusions, and supply-chain attacks. Tradecraft, history, recent campaigns, and what European NIS2 and DORA entities should take from it.

Two forest roads diverging between tall trees — a visual metaphor for the two regulatory paths European companies face under NIS2 and DORA
NIS2 13 min

NIS2 vs DORA: Key Differences for European Companies in 2026

A side-by-side comparison of NIS2 and DORA: scope, legal mechanism, risk management, incident reporting, third-party rules, and penalties. Plus: when both apply to you and which one wins.

A row of European Union flags outside an EU institutional building in Brussels
NIS2 18 min

The Complete Guide to NIS2 and DORA Compliance for European SMEs

Everything European SMEs need to know about NIS2 and DORA in 2026: who's in scope, the 10 Article 21 measures, the 24-72-30 incident timeline, DORA's 5 pillars, penalties, and a 10-step path to compliance. Updated quarterly.