<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"><channel><title>Risk Letters Blog</title><description>EU cybersecurity, NIS2, DORA, and threat-intelligence guides for European CISOs and compliance leads.</description><link>https://www.riskletters.eu/</link><language>en</language><item><title>Hubbard&apos;s Approach to Cyber Risk Quantification: Calibration and Monte Carlo</title><link>https://www.riskletters.eu/blog/hubbard-cyber-risk-quantification/</link><guid isPermaLink="true">https://www.riskletters.eu/blog/hubbard-cyber-risk-quantification/</guid><description>Doug Hubbard&apos;s calibrated estimation plus Monte Carlo simulation is the methodological core of modern cyber risk quantification. How calibration training works, how Monte Carlo turns ranges into distributions, and how this pairs with FAIR.</description><pubDate>Fri, 09 Oct 2026 00:00:00 GMT</pubDate><category>risk-quantification</category><category>hubbard</category><category>calibration</category><category>monte-carlo</category><category>guide</category></item><item><title>FAIR Methodology Explained: Factor Analysis of Information Risk</title><link>https://www.riskletters.eu/blog/fair-methodology-explained/</link><guid isPermaLink="true">https://www.riskletters.eu/blog/fair-methodology-explained/</guid><description>FAIR (Factor Analysis of Information Risk) is the most widely adopted ontology for quantifying cyber risk. How its decomposition works, how it pairs with Monte Carlo simulation, and how to apply it without a statistician on staff.</description><pubDate>Fri, 02 Oct 2026 00:00:00 GMT</pubDate><category>risk-quantification</category><category>fair</category><category>open-fair</category><category>ontology</category><category>guide</category></item><item><title>From Heat Maps to Numbers: Why Qualitative Risk Scoring Fails</title><link>https://www.riskletters.eu/blog/qualitative-risk-assessment-problems/</link><guid isPermaLink="true">https://www.riskletters.eu/blog/qualitative-risk-assessment-problems/</guid><description>Why the qualitative grid is losing ground to quantitative methods — and what to replace it with.</description><pubDate>Fri, 25 Sep 2026 00:00:00 GMT</pubDate><category>risk-quantification</category><category>heat-map</category><category>qualitative-risk</category><category>guide</category></item><item><title>Quantifying Cyber and Operational Risk: A Practitioner&apos;s Map of 2026</title><link>https://www.riskletters.eu/blog/cyber-risk-quantification/</link><guid isPermaLink="true">https://www.riskletters.eu/blog/cyber-risk-quantification/</guid><description>A pillar guide to cyber and operational risk quantification in 2026 — FAIR, Hubbard, Monte Carlo, Bayesian methods, loss exceedance curves, and how regulators under DORA and NIS2 increasingly expect numbers, not heat maps.</description><pubDate>Fri, 18 Sep 2026 00:00:00 GMT</pubDate><category>risk-quantification</category><category>fair</category><category>hubbard</category><category>monte-carlo</category><category>guide</category><category>pillar-page</category></item><item><title>Data Processor Due Diligence: GDPR Article 28 Meets NIS2 Supply Chain</title><link>https://www.riskletters.eu/blog/gdpr-processor-due-diligence-nis2/</link><guid isPermaLink="true">https://www.riskletters.eu/blog/gdpr-processor-due-diligence-nis2/</guid><description>GDPR Article 28 governs your data processors; NIS2 Article 21(2)(d) governs your suppliers; DORA Articles 28-30 govern your ICT third parties. They overlap heavily. How to run one supplier programme that satisfies all three.</description><pubDate>Fri, 11 Sep 2026 00:00:00 GMT</pubDate><category>gdpr</category><category>data-processor</category><category>due-diligence</category><category>nis2</category><category>supply-chain</category><category>guide</category></item><item><title>GDPR International Data Transfers: SCCs, Adequacy, and the EU-First Case</title><link>https://www.riskletters.eu/blog/gdpr-international-data-transfers/</link><guid isPermaLink="true">https://www.riskletters.eu/blog/gdpr-international-data-transfers/</guid><description>Moving personal data outside the EU under GDPR Chapter V — adequacy decisions, Standard Contractual Clauses, transfer impact assessments after Schrems II, and why EU-based data processing is becoming a commercial decision, not just a legal one.</description><pubDate>Fri, 04 Sep 2026 00:00:00 GMT</pubDate><category>gdpr</category><category>international-transfers</category><category>scc</category><category>data-residency</category><category>guide</category></item><item><title>GDPR International Data Transfers: SCCs, Adequacy, and the EU-First Case</title><link>https://www.riskletters.eu/blog/gdpr-international-transfers/</link><guid isPermaLink="true">https://www.riskletters.eu/blog/gdpr-international-transfers/</guid><description>Moving personal data outside the EU under GDPR Chapter V — adequacy decisions, Standard Contractual Clauses, transfer impact assessments after Schrems II, and why EU-based data processing is becoming a commercial decision, not just a legal one.</description><pubDate>Fri, 04 Sep 2026 00:00:00 GMT</pubDate><category>gdpr</category><category>international-transfers</category><category>scc</category><category>data-residency</category><category>guide</category></item><item><title>DPIA Explained: When You Need One and How It Meets NIS2 Risk Assessment</title><link>https://www.riskletters.eu/blog/gdpr-dpia-explained/</link><guid isPermaLink="true">https://www.riskletters.eu/blog/gdpr-dpia-explained/</guid><description>The Data Protection Impact Assessment under GDPR Article 35 — when it&apos;s mandatory, how to run one, and how it overlaps with NIS2 and DORA risk assessment so you build one process instead of three.</description><pubDate>Fri, 28 Aug 2026 00:00:00 GMT</pubDate><category>gdpr</category><category>dpia</category><category>risk-assessment</category><category>nis2</category><category>guide</category></item><item><title>GDPR Breach Notification vs NIS2 and DORA: One Incident, Multiple Clocks</title><link>https://www.riskletters.eu/blog/gdpr-breach-notification-nis2-dora/</link><guid isPermaLink="true">https://www.riskletters.eu/blog/gdpr-breach-notification-nis2-dora/</guid><description>A personal data breach at a regulated entity can trigger GDPR, NIS2 and DORA reporting at once — three authorities, three templates, three clocks. How the obligations differ, where they overlap, and how to run them from one incident record.</description><pubDate>Fri, 21 Aug 2026 00:00:00 GMT</pubDate><category>gdpr</category><category>breach-notification</category><category>nis2</category><category>dora</category><category>incident-reporting</category><category>guide</category></item><item><title>GDPR, NIS2 and DORA: How the Three EU Regimes Intersect</title><link>https://www.riskletters.eu/blog/gdpr-nis2-dora-intersection/</link><guid isPermaLink="true">https://www.riskletters.eu/blog/gdpr-nis2-dora-intersection/</guid><description>European organisations face GDPR, NIS2 and DORA at once — and the regimes overlap in incident reporting, supply chain, governance and security measures. A guide to where they intersect, where they conflict, and how to build one programme that satisfies all three.</description><pubDate>Fri, 14 Aug 2026 00:00:00 GMT</pubDate><category>gdpr</category><category>nis2</category><category>dora</category><category>guide</category><category>pillar-page</category></item><item><title>DORA Register of Information: Template and Requirements</title><link>https://www.riskletters.eu/blog/dora-register-of-information-template/</link><guid isPermaLink="true">https://www.riskletters.eu/blog/dora-register-of-information-template/</guid><description>The DORA Register of Information under Article 28(3) — what it is, the structure prescribed by Implementing Regulation 2024/2956, the templates and data fields, common errors, and how to build and maintain it.</description><pubDate>Fri, 07 Aug 2026 00:00:00 GMT</pubDate><category>dora</category><category>register-of-information</category><category>third-party</category><category>article-28</category><category>guide</category></item><item><title>DORA Third-Party Oversight: Managing ICT Vendors Under DORA</title><link>https://www.riskletters.eu/blog/dora-third-party-oversight/</link><guid isPermaLink="true">https://www.riskletters.eu/blog/dora-third-party-oversight/</guid><description>DORA Pillar 4 — Articles 28 to 30 — is the operationally heaviest part of the regulation. Pre-contractual risk assessment, mandatory contractual provisions, concentration risk, and the critical ICT third-party provider oversight regime, explained.</description><pubDate>Fri, 31 Jul 2026 00:00:00 GMT</pubDate><category>dora</category><category>third-party</category><category>pillar-4</category><category>ict-vendors</category><category>guide</category></item><item><title>NIS2 Supply Chain Security: What Article 21(2)(d) Requires</title><link>https://www.riskletters.eu/blog/nis2-supply-chain-requirements/</link><guid isPermaLink="true">https://www.riskletters.eu/blog/nis2-supply-chain-requirements/</guid><description>NIS2&apos;s supply chain obligation is one paragraph that creates a programme of work. What Article 21(2)(d) requires, how to build a supplier register and due-diligence process, the contractual clauses you need, and what suppliers themselves should expect.</description><pubDate>Fri, 24 Jul 2026 00:00:00 GMT</pubDate><category>nis2</category><category>supply-chain</category><category>article-21</category><category>third-party</category><category>guide</category></item><item><title>NIS2 Penalties by Country: A Complete 2026 Guide</title><link>https://www.riskletters.eu/blog/nis2-penalties-by-country/</link><guid isPermaLink="true">https://www.riskletters.eu/blog/nis2-penalties-by-country/</guid><description>The NIS2 penalty framework under Article 34, plus how it actually varies across member states — fine ceilings, personal liability, registration deadlines, and early enforcement patterns in Germany, the Netherlands, France, Belgium, and beyond.</description><pubDate>Fri, 17 Jul 2026 00:00:00 GMT</pubDate><category>nis2</category><category>penalties</category><category>enforcement</category><category>article-34</category><category>guide</category></item><item><title>NIS2 Essential vs Important Entities: Which Are You?</title><link>https://www.riskletters.eu/blog/nis2-essential-vs-important-entities/</link><guid isPermaLink="true">https://www.riskletters.eu/blog/nis2-essential-vs-important-entities/</guid><description>The scope test that determines half of your NIS2 obligations. Annex I vs Annex II, the size threshold, the size-irrelevant categories, and how the two-tier supervision model actually works.</description><pubDate>Fri, 10 Jul 2026 00:00:00 GMT</pubDate><category>nis2</category><category>scope</category><category>essential-entity</category><category>important-entity</category><category>guide</category></item><item><title>DORA ICT Risk Management Framework Explained (Pillar 1)</title><link>https://www.riskletters.eu/blog/dora-ict-risk-management/</link><guid isPermaLink="true">https://www.riskletters.eu/blog/dora-ict-risk-management/</guid><description>DORA&apos;s first and largest pillar — Articles 5 to 14 — sets the ICT risk management framework for every EU financial entity. Governance, lifecycle, BCM, learning. What&apos;s mandatory, what&apos;s prescriptive, and how it differs from NIS2 Article 21.</description><pubDate>Fri, 03 Jul 2026 00:00:00 GMT</pubDate><category>dora</category><category>ict-risk</category><category>pillar-1</category><category>guide</category></item><item><title>NIS2 Board-Level Accountability: Personal Liability Explained</title><link>https://www.riskletters.eu/blog/nis2-personal-liability-explained/</link><guid isPermaLink="true">https://www.riskletters.eu/blog/nis2-personal-liability-explained/</guid><description>Article 20 NIS2 puts the management body on the hook for cybersecurity oversight. What that means in practice, where personal liability applies, and the country-by-country variations every European board needs to know.</description><pubDate>Fri, 26 Jun 2026 00:00:00 GMT</pubDate><category>nis2</category><category>governance</category><category>article-20</category><category>liability</category><category>guide</category></item><item><title>NIS2 Incident Reporting: The 24-72-30 Day Timeline Explained</title><link>https://www.riskletters.eu/blog/nis2-incident-reporting-timeline/</link><guid isPermaLink="true">https://www.riskletters.eu/blog/nis2-incident-reporting-timeline/</guid><description>How NIS2 Article 23 works in practice — the 24-hour early warning, 72-hour notification, and 1-month final report. What each contains, who you report to, and where the clock actually starts.</description><pubDate>Fri, 19 Jun 2026 00:00:00 GMT</pubDate><category>nis2</category><category>incident-reporting</category><category>article-23</category><category>guide</category></item><item><title>Minimum Viable NIS2 Compliance for SMEs (Under 250 Employees)</title><link>https://www.riskletters.eu/blog/minimum-viable-nis2-sme/</link><guid isPermaLink="true">https://www.riskletters.eu/blog/minimum-viable-nis2-sme/</guid><description>A pragmatic NIS2 compliance roadmap for 50–249 employee European SMEs — 5 priorities mapped to Article 21, a 90-day plan, realistic cost ranges, and the proportionality principle that makes minimum viable defensible.</description><pubDate>Fri, 12 Jun 2026 00:00:00 GMT</pubDate><category>nis2</category><category>guide</category><category>sme</category><category>implementation</category></item><item><title>NIS2 Compliance Denmark: The 2026 Guide to NIS-2-loven</title><link>https://www.riskletters.eu/blog/nis2-compliance-denmark/</link><guid isPermaLink="true">https://www.riskletters.eu/blog/nis2-compliance-denmark/</guid><description>Everything Danish companies need to know about NIS2 implementation: NIS-2-loven (L 141), CFCS registration, the 6,000 in-scope entities, and how Denmark deviates from the directive.</description><pubDate>Fri, 05 Jun 2026 00:00:00 GMT</pubDate><category>nis2</category><category>country-tracker</category><category>denmark</category><category>guide</category></item><item><title>NIS2 Article 21: All 10 Risk Management Measures Explained</title><link>https://www.riskletters.eu/blog/nis2-article-21-explained/</link><guid isPermaLink="true">https://www.riskletters.eu/blog/nis2-article-21-explained/</guid><description>A practitioner&apos;s guide to the 10 risk management measures required under NIS2 Article 21 — what each means, the minimum SME evidence pack, and the proportionality principle most articles miss.</description><pubDate>Fri, 29 May 2026 00:00:00 GMT</pubDate><category>nis2</category><category>guide</category><category>article-21</category><category>risk-management</category></item><item><title>The Trust Supply Chain: How One ICT Provider can become four risks at once</title><link>https://www.riskletters.eu/blog/trust-supply-chain-four-risks/</link><guid isPermaLink="true">https://www.riskletters.eu/blog/trust-supply-chain-four-risks/</guid><description>How a single compromised ICT provider can be a cyber incident, a financial concentration risk, a geopolitical exposure, and a regulatory obligation simultaneously under NIS2 and DORA.</description><pubDate>Tue, 26 May 2026 00:00:00 GMT</pubDate><category>threat-intel</category><category>cross-domain-risk</category><category>supply-chain</category><category>dora</category><category>nis2</category><category>geopolitical-risk</category></item><item><title>APT29 (Cozy Bear): Russia&apos;s Quiet Intelligence Service — A Threat Actor Profile</title><link>https://www.riskletters.eu/blog/apt29-cozy-bear-profile/</link><guid isPermaLink="true">https://www.riskletters.eu/blog/apt29-cozy-bear-profile/</guid><description>A profile of APT29, the SVR-affiliated Russian threat group known as Cozy Bear and Midnight Blizzard. Long-term strategic intelligence collection, the SolarWinds and Microsoft intrusions, supply-chain tradecraft, and what European NIS2 and DORA entities should learn from a quieter adversary.</description><pubDate>Tue, 26 May 2026 00:00:00 GMT</pubDate><category>threat-intel</category><category>threat-actor-profile</category><category>apt29</category><category>cozy-bear</category><category>russia</category><category>svr</category><category>nis2</category><category>espionage</category></item><item><title>APT28 (Fancy Bear): The GRU&apos;s Cyber Arm in Europe — A Threat Actor Profile</title><link>https://www.riskletters.eu/blog/apt28-fancy-bear-profile/</link><guid isPermaLink="true">https://www.riskletters.eu/blog/apt28-fancy-bear-profile/</guid><description>A profile of APT28, the Russian GRU-affiliated threat group also known as Fancy Bear, Forest Blizzard, and UAC-0001. History, recent 2025-2026 campaigns including Operation MacroMaze and CVE-2026-21509 exploitation, sectors targeted, and what NIS2 and DORA entities should learn from its tradecraft.</description><pubDate>Tue, 26 May 2026 00:00:00 GMT</pubDate><category>threat-intel</category><category>threat-actor-profile</category><category>apt28</category><category>fancy-bear</category><category>russia</category><category>gru</category><category>nis2</category><category>espionage</category></item><item><title>LockBit: The Ransomware Brand That Survived Operation Cronos — A Threat Actor Profile</title><link>https://www.riskletters.eu/blog/lockbit-ransomware-profile/</link><guid isPermaLink="true">https://www.riskletters.eu/blog/lockbit-ransomware-profile/</guid><description>A profile of LockBit, the ransomware-as-a-service operation that survived the 2024 international law-enforcement takedown and continues to extort European NIS2 and DORA entities. Affiliate model, recent campaigns, and what defenders should learn from its persistence.</description><pubDate>Tue, 26 May 2026 00:00:00 GMT</pubDate><category>threat-intel</category><category>threat-actor-profile</category><category>lockbit</category><category>ransomware</category><category>raas</category><category>nis2</category><category>dora</category></item><item><title>MURKY PANDA: The China-Nexus Actor Targeting Europe&apos;s Financial Sector — A Threat Actor Profile</title><link>https://www.riskletters.eu/blog/murky-panda-china-profile/</link><guid isPermaLink="true">https://www.riskletters.eu/blog/murky-panda-china-profile/</guid><description>A profile of MURKY PANDA, the China-nexus threat actor named in CrowdStrike&apos;s 2026 Financial Services Threat Landscape Report. Operating across 36 countries against 340 organisations in 30 sectors, with financial services among the most frequently hit. What European DORA entities should learn from its tradecraft.</description><pubDate>Tue, 26 May 2026 00:00:00 GMT</pubDate><category>threat-intel</category><category>threat-actor-profile</category><category>murky-panda</category><category>china</category><category>financial-sector</category><category>dora</category><category>espionage</category></item><item><title>The Trust Supply Chain: How One ICT Provider Becomes Four Risks at Once</title><link>https://www.riskletters.eu/blog/ict-supply-chain-trust-risk/</link><guid isPermaLink="true">https://www.riskletters.eu/blog/ict-supply-chain-trust-risk/</guid><description>A single compromised ICT provider is simultaneously a cyber incident, a financial concentration risk, a geopolitical exposure, and a regulatory obligation under DORA and NIS2. A cross-domain analysis of why modern financial risk refuses to stay in its lane.</description><pubDate>Tue, 26 May 2026 00:00:00 GMT</pubDate><category>threat-intel</category><category>cross-domain-risk</category><category>supply-chain</category><category>dora</category><category>nis2</category><category>geopolitical-risk</category></item><item><title>Lazarus Group: How a Sanctioned State Built the World&apos;s Most Effective Crypto-Theft Operation</title><link>https://www.riskletters.eu/blog/lazarus-group-north-korea-profile/</link><guid isPermaLink="true">https://www.riskletters.eu/blog/lazarus-group-north-korea-profile/</guid><description>A profile of Lazarus Group, North Korea&apos;s state-sponsored cyber operation responsible for billions in cryptocurrency theft, financial-sector intrusions, and supply-chain attacks. Tradecraft, history, recent campaigns, and what European NIS2 and DORA entities should take from it.</description><pubDate>Tue, 26 May 2026 00:00:00 GMT</pubDate><category>threat-intel</category><category>threat-actor-profile</category><category>lazarus</category><category>north-korea</category><category>dprk</category><category>cryptocurrency</category><category>dora</category><category>financial</category></item><item><title>NIS2 vs DORA: Key Differences for European Companies in 2026</title><link>https://www.riskletters.eu/blog/nis2-vs-dora-key-differences/</link><guid isPermaLink="true">https://www.riskletters.eu/blog/nis2-vs-dora-key-differences/</guid><description>A side-by-side comparison of NIS2 and DORA: scope, legal mechanism, risk management, incident reporting, third-party rules, and penalties. Plus: when both apply to you and which one wins.</description><pubDate>Fri, 22 May 2026 00:00:00 GMT</pubDate><category>nis2</category><category>dora</category><category>comparison</category><category>guide</category></item><item><title>The Complete Guide to NIS2 and DORA Compliance for European SMEs</title><link>https://www.riskletters.eu/blog/nis2-dora-compliance/</link><guid isPermaLink="true">https://www.riskletters.eu/blog/nis2-dora-compliance/</guid><description>Everything European SMEs need to know about NIS2 and DORA in 2026: who&apos;s in scope, the 10 Article 21 measures, the 24-72-30 incident timeline, DORA&apos;s 5 pillars, penalties, and a 10-step path to compliance. Updated quarterly.</description><pubDate>Fri, 15 May 2026 00:00:00 GMT</pubDate><category>nis2</category><category>dora</category><category>guide</category><category>pillar-page</category><category>sme</category></item></channel></rss>