A Comprehensive Comparison of CIS, NIS2, and DORA

Introduction to Cybersecurity Frameworks

Acronyms here, framework definitions there, inputs and outputs, integrations and the rest: it can be overwhelming, but it is essential to understand the underlying theory and foundations of your cyber security needs. Understanding this allows you to make better-informed decisions about your security and lets you compare solutions more quickly.

At Core to Cloud, we use the CIS (Centre for Internet Security) framework to assess our clients' cybersecurity needs, but it is not the only framework or body of theory you will encounter in cyber security discussion and guidance. It is also important to understand why these frameworks matter and why they need to be on your radar.

What is a cybersecurity framework?

Cybersecurity frameworks are like superheroes for organisations, equipped with structured methodologies and guidelines to protect them from the never-ending threats of the cyber world. Just as superheroes have unique powers, these frameworks provide a set of best practices, controls, and standards that empower organisations to identify, assess, and neutralise cybersecurity risks.

Imagine these frameworks as blueprints, guiding your IT team and employees through the labyrinthine challenges of the cyber world. They provide a roadmap with battle-tested best practices, formidable controls, and battle-hardened standards.

SOSAFE's recent report highlighted that cybercrime is the number one business risk. We must be more vigilant and aware of the ever-increasing threats within our IT landscapes. As these threats grow, a cybersecurity framework keeps you informed and gives you an overview of your cybersecurity position. It helps you remove weaknesses and vulnerabilities before they can be exploited.
What is NIS2?

The NIS2 Directive is a piece of EU legislation that imposes stricter cybersecurity obligations on entities operating in critical infrastructure and essential sectors.

The EU updated cybersecurity rules in 2023 with the NIS2 Directive to keep up with changing threats and digitisation. This expanded the scope to include more sectors and improved incident response and resilience against attacks.

What are the goals of NIS2?

  • Improve cyber resilience across an increasing number of operators of essential services (OES) sectors throughout the EU.
  • Reduce discrepancies in levels of resilience between sectors already covered by NIS.
  • Improve information sharing and introduce new rules for incident response, which enhances trust between regulators.

The NIS2 regulations now include organisations in sectors such as telecoms, social media, wastewater, and food. They apply to medium and large-sized organisations that provide “essential” or “important” services, and some public sector organisations may also be affected.

In cases of serious non-compliance, regulators can impose fines of up to 2% of annual turnover or €10m (£8.6m), whichever is higher.

Will NIS2 apply to UK businesses?

NIS2 is coming; here’s what you need to know about the new directive and how it impacts your organisation in the UK.

Digital Operational Resilience Act (DORA) EU Regulation

The Digital Operational Resilience Act (DORA) is a crucial European framework that ensures financial markets deliver their digital capabilities with the highest level of robustness and resilience.

The framework aims to ensure that companies maintain financial stability and can withstand severe operational disruptions caused by cyber security and information and communication technology (ICT) issues. DORA is introducing a uniform supervisory approach across the relevant sectors to ensure that security and resilience practices are consistent and harmonised among firms operating within the European Union (EU).

CIS Framework: Center for Internet Security

The Center for Internet Security (CIS) Controls framework is a set of best practices and guidelines designed to help organisations protect their information systems and data from cyber threats. It lists 20 security controls that organisations can implement to improve their overall cybersecurity posture.

The controls cover many aspects of cybersecurity, including inventory and control of hardware and software assets, secure configurations for devices and systems, continuous vulnerability management, controlled access to systems, data protection, incident response, and more. The CIS Controls framework is widely recognised and used by organisations as a foundation for their cybersecurity programmes.

This framework offers a comprehensive overview of every aspect of your cyber security governance, allowing you to see clearly how the pieces of your cybersecurity plan fit together to protect you and your business. It is built on best practices and gives you a prioritised approach, ensuring you tackle vulnerabilities effectively.

A core principle of this framework is continuous improvement. The CIS framework is regularly updated and maintained to reflect emerging threats, technologies, and best practices, so organisations stay current with evolving cybersecurity challenges and can enhance their defences accordingly. This is one of the main reasons we align ourselves with this framework at Core to Cloud: we believe that cyber security is a continuous focus.

What Framework should you consider?

As mentioned, Core to Cloud focuses on the CIS framework, but adopting and implementing any framework gives you a clearer overview of your cybersecurity landscape and vulnerabilities.

The framework we align with, CIS, is simple and gives an easy way to benchmark. Cybersecurity can be incredibly complicated, but CIS allows even the least technical person on your team to understand your cybersecurity landscape. It doesn't stop there: it can also be developed in much greater detail to support your in-house IT team.

In summary, CIS lists specific security controls, NIS2 offers a comprehensive framework for managing cybersecurity risks, and DORA provides metrics to measure and improve software delivery and operational performance. Each framework has its strengths and focuses on cybersecurity and organisational performance.

At Core to Cloud, we like to do things differently, and CIS supports our client-based approach. Within the HSI framework, we can work with you to go through the different areas so that we understand your needs and cyber security objectives. This ensures that we can address your unique cybersecurity requirements.

If you want to discover how we use CIS, or are interested in understanding your cybersecurity landscape, get in touch with our team.