Guest: Dejan Kosutic
Bio:
Dejan Kosutic is a leading expert on cybersecurity governance and the author of several books, articles, webinars, and courses. Dejan is the host of the Secure & Simple podcast, where he interviews industry leaders and consultants to share their exclusive insights into the cybersecurity landscape. As an ISO 27001, NIS2, and DORA expert, Dejan helps companies find the best path to compliance by eliminating overhead and adapting the implementation to their size and industry specifics.
Summary:
In this episode of the Virtual CISO Podcast, John Verry and Dejan Kosutic discuss the implications of the NIS2 and DORA regulations on cybersecurity, particularly focusing on their enforcement, impact on US companies, and the importance of operational resilience. They explore the differences between NIS1 and NIS2, the role of threat-led penetration testing, and the ripple effects of DORA on supply chains. The discussion also touches on the complexities of navigating multiple regulatory frameworks and the future of cybersecurity regulations in the EU and US.
Keywords:
NIS2, DORA, cybersecurity, compliance, operational resilience, ISO 27001, regulations, EU, US, financial institutions
Takeaways:
- DORA is a comprehensive regulation that applies to financial entities in the EU.
- NIS2 focuses on critical infrastructure and sets a baseline for cybersecurity laws.
- US companies with EU subsidiaries must comply with DORA regulations.
- Operational resilience is about minimizing the impact of cyber incidents and ensuring quick recovery.
- Threat-led penetration testing will become a requirement for many financial organizations.
- DORA’s enforcement will extend to suppliers and third-party vendors.
- Regulatory technical standards provide specific guidance for compliance with DORA.
- A unified regulatory framework would benefit multinational companies.
- The complexity of multiple regulations poses challenges for compliance.
- The geopolitical landscape is driving the need for stricter cybersecurity measures.
John Verry (00:00.505)
And if anything goes wrong, just kind of, we can always roll something back, but little mistakes are actually good. They make it sound more genuine, yeah. Cool, do you want me to put a title on for you? Name your company?
Dejan Kosutic (00:08.054)
more genuine, yeah.
Dejan Kosutic (00:14.614)
Yeah, you can put, yeah, so CEO at Advisera. So yeah, at Advisera.
John Verry (00:19.833)
CEO.
John Verry (00:25.355)
A-D-V-I-S-E-R-A, right?
Dejan Kosutic (00:28.744)
yep. Correct, yeah.
John Verry (00:30.019)
Cool. All right. Very, very good. All right. Let’s go. Let’s get this thing going. Ready? Hey there and welcome to yet another episode of the Virtual CISO Podcast with you as always, John Verry, your host, and with me today, Dejan Kosutic. And I’ve always said that wrong. I always called you caustic. So I apologize for saying that for years.
Dejan Kosutic (00:50.862)
No problem. Thanks for having me, John.
John Verry (00:54.787)
Yeah, looking forward to the conversation, I always start simple. Tell us a little bit about who you are and what is it that you do every day.
Dejan Kosutic (00:56.984)
Mm-hmm.
Dejan Kosutic (01:04.078)
Sure, so I’m the CEO at Advisera, a company where we basically help other companies comply with various frameworks and regulations. I’m also, my main expertise is in ISO 27001, NIS2, and DORA. So basically these cybersecurity laws and regulations and standards.
John Verry (01:26.209)
Excellent. Before we get that into business, always ask, what’s your drink of choice?
Dejan Kosutic (01:31.054)
I would say nothing too fancy, red wine and water, mainly water.
John Verry (01:35.929)
If you’re drinking a red wine, any particular varietal?
Dejan Kosutic (01:42.414)
Well, Shiraz, my wife and I look forward to Shiraz. It’s a little bit, one glass maybe per day, but not much more.
John Verry (01:44.236)
Raza?
John Verry (01:51.353)
Yeah, and the ongoing debate about whether or not one glass of red wine a day is healthy or not, but hell with it. I subscribe to the fact that it is and follow the same thing. All right, so you mentioned two things that I wanted to chat about today, specifically NIS2 and DORA. So let’s start high level. What is NIS2 and what is DORA, and what prompted their release?
Dejan Kosutic (01:57.87)
Yeah. Sure.
Dejan Kosutic (02:09.816)
Mm-hmm.
Dejan Kosutic (02:17.772)
Yeah, so basically these are two EU, European Union regulations, and to be more precise, NIS2 is a directive and DORA is a regulation. So directive means that the European Union publishes some kind of a baseline and then each EU country publishes their own laws and regulations based on this baseline. So NIS2 is rather short, it doesn’t give too much detail, and each EU country is now publishing their
cybersecurity laws based on NIS2. NIS2 is focused primarily on these critical infrastructure companies. And the idea here is that the EU wants to raise the level of cybersecurity in these critical infrastructure companies like telecoms, medical device companies, digital companies as well, but also postal companies and so on and so forth. There are 18 sectors that are covered by NIS2.
On the other hand, DORA is a regulation. It’s similar in the, let’s say, concept to GDPR, where GDPR directly applies to each company in the EU. So DORA directly applies to any financial entity in the European Union, including banks, insurance companies, investment banks,
all kinds of financial organizations, including also these, let’s say, intermediaries like, you know, brokerages and, let’s say, the stock exchanges and so on. And there are no local laws and regulations when it comes to DORA. DORA directly applies to all of these institutions and it’s much, much more precise, it’s much more detailed.
So from what I’ve seen, DORA is by far the most detailed regulation around cybersecurity. Nothing compares to it really.
John Verry (04:20.633)
Gotcha. Interestingly, NIS2 applies to the, what they refer to as critical infrastructure. They have 19 sectors. Have you ever looked at how that compares with the, you know, in the U.S. we have NIST and CISA guidance, right? Critical infrastructure systems agency. And they also have, I think it’s what, 16, 17, if I recall correctly. Do those critical sectors align across NIS2 and CISA largely?
Dejan Kosutic (04:36.898)
Yeah.
Dejan Kosutic (04:48.034)
Yeah, to be honest, I’m not very familiar with US laws and regulations, but considering the fact that actually most European countries and the US are in NATO, and basically it’s a defense alliance, I would say that these things are more or less aligned. So I would expect that most of these industries that are covered in NIS2 are also in any US regulations and laws.
John Verry (04:52.098)
Okay.
John Verry (05:16.951)
Gotcha. Prior to NIS2 and prior, you know, we had NIS1, and prior to DORA, we had PSD2. How did NIS1, excuse me, how did NIS2 change, compare to NIS1, and the same question with regards to DORA and PSD2?
Dejan Kosutic (05:23.01)
Mm-hmm.
Dejan Kosutic (05:26.434)
Mm-hmm.
Dejan Kosutic (05:36.302)
Yeah. So NIS1 was, I would say, not very enforceable, so to say. It was not very precise. It didn’t give too much detail. It didn’t cover as many industries and as many sectors as NIS2 does. So what NIS2 improved there was really that it covers these 18 or 19 sectors.
And basically, it also defines how to enforce it. It precisely defines the roles of these government bodies that are in charge of enforcing NIS2. When it comes to DORA, DORA doesn’t really have a predecessor in this regard. So the PSD regulation is more directed towards these…
payment institutions and payment security, but not overall security. So DORA is, I would say, DORA is number one, right? It’s the first one in the row there. And really DORA has kind of grown out of national legislation related to banking and financial security. And basically what DORA is doing is it kind of unifies this security approach on the
European level. So it’s, I would say, the difference between DORA and national legislation is that basically DORA is the same in each European country versus what we had before.
John Verry (07:06.937)
Gotcha. So enforcement of DORA would be done at the EU level, where enforcement of NIS2 would be done at the country level.
Dejan Kosutic (07:14.358)
Exactly. So NIS2 basically specifies that there are these local government bodies that need to oversee its enforcement, and basically the companies that are not compliant have to pay fines. Whereas for DORA, there are these European level organizations which oversee everything that is happening in the financial sectors.
John Verry (07:41.539)
Gotcha. So in the US, the financial systems are one of our critical infrastructures. And you mentioned that NIS2 covers critical infrastructure. Is there a financial element covered by that, or does DORA take the place of NIS2 relating to the financial sector?
Dejan Kosutic (07:46.786)
Mm-hmm.
Dejan Kosutic (08:01.816)
Yeah, so out of these sectors in NIS2, two are actually financial ones. So one is the banking sector and the other is these financial intermediaries. And both of these are actually covered by DORA. But what is written in NIS2 is that if there is any sector-specific regulation, then it takes over.
So basically when it comes to all of these financial entities, even though they are mentioned in NIS2, since there is DORA, which specifically covers these organizations, then basically DORA is the one to actually define more details. So if we want to simplify things, then NIS2 is not really relevant to financial entities, DORA is.
John Verry (08:49.569)
Okay. So how will DORA impact US companies, right? So are US companies, quote unquote, subject to DORA?
Dejan Kosutic (09:00.654)
They would be subject to DORA only if a financial entity or financial organization actually has a subsidiary or has a daughter company within a European Union country. So let’s say that, I don’t know, a bank from New York City has its own subsidiary in, let’s say, Frankfurt in Germany, then this subsidiary would have to be compliant with DORA.
If there is no local business in the European Union, basically this would simply not be applicable to…
Dejan Kosutic (09:40.462)
When you have to work from home, this is very nice.
Okay, so anyway, if, let’s say, a US financial organization does not have any subsidiary or daughter company in the European Union, DORA would simply not be applicable to such a company.
John Verry (10:06.177)
Yeah, give me two seconds. And whoever is editing this, you can leave this in because this is real world. This is my dog’s archenemy. The Amazon driver happened to be dropping a package off on my porch. Hey, enough. All right. Hopefully he’ll be quiet. So while it may apply to a US bank because we have operations overseas, it also applies to the
Dejan Kosutic (10:08.066)
Sure, sure, no problem.
Dejan Kosutic (10:12.174)
Okay.
Dejan Kosutic (10:25.272)
Good.
John Verry (10:35.929)
a European financial institution, it has a responsibility to confirm operational resilience to what they refer to as ICT, their information, what is it, information and communication technology vendors, right, supply chain. So that would also potentially have an impact on anyone that would be considered an ICT provider, correct?
Dejan Kosutic (10:55.384)
Correct. So if there is a US company providing, let’s say, IT services or communication services to any European-based financial organization, then this supplier from the US would also have to be, not directly compliant with DORA, but it actually comes under, I would say, scrutiny. It comes under very strict, let’s say, rules
that such an IT company needs to comply with. So for example, there is a requirement that IT suppliers of these financial organizations have to be, let’s say, compliant with some security standard. So it could be ISO 27001. This could be, let’s say, the NIST Cybersecurity Framework or similar. Also,
DORA requires that financial entities introduce certain security clauses in the agreements with such IT suppliers. So this is also one thing where DORA is pretty strict. And so there is also, let’s say, a qualification that is called a critical IT supplier. And if
a company is classified as a critical IT supplier, then it actually has to be directly under the supervision of a certain government entity. So for example, a critical, let’s say, IT supplier could be a company that produces, let’s say, develops core software for banking for a particular bank. If such a company is based in the US,
then such a company would also be directly under the supervision of a government body from Europe.
John Verry (12:50.275)
This government body from Europe would be an EU body, or would it be, you know, because I mean, obviously, I guess it couldn’t be individual country bodies, because if they were providing it to 10 countries, all 10 country bodies in theory would be governing it, correct?
Dejan Kosutic (13:01.507)
Mm-hmm.
I’m not sure actually how this will turn out, because DORA actually came into effect in January this year. So it’s already pretty fresh, but these government bodies will be called lead overseers. And for these lead overseers, there is a special section that actually describes, you know, what are kind of, let’s say, the rules under which they have to work. So I’m not sure if these are going to be EU-based or US-based, but you know, the big thing is that actually even non-EU
companies will have to be under supervision if they’re considered as these critical IT suppliers.
John Verry (13:40.075)
Interesting. So I know you said you’re not super familiar with US stuff, but like in FedRAMP, right? If you’re familiar with FedRAMP, we have this concept of, you know, I’m providing a cloud service to the government and effectively I take on sort of a secondary information system security officer, someone who, you know, is helping me make decisions, right? I’m no longer unilaterally making security decisions. I’ve got some third party input into that. That sounds effectively like what the EU is doing with DORA.
Dejan Kosutic (13:44.824)
Mm-hmm.
Dejan Kosutic (13:51.128)
Uh-huh.
Dejan Kosutic (14:03.084)
Yeah.
Dejan Kosutic (14:11.47)
Could be. Yeah, so with the lead overseers, they will be actually looking at the details of how a company operates and how it implements all the cybersecurity measures. And if they think that there is a heightened risk, they could actually
John Verry (14:13.049)
Still figuring it out.
Dejan Kosutic (14:35.98)
not only force you to pay fines, but they can actually force you to, let’s say, replace the management or basically to go even further. There is also one thing related to these suppliers, which is that the banks have to prepare themselves to make an exit from a certain supplier. This exit strategy became one of the mandatory parts of DORA.
John Verry (14:42.167)
Wow.
Dejan Kosutic (15:05.966)
So basically each bank or each financial entity in the European Union has to make a plan on how to cut a certain supplier off if there is, let’s say, a problem with the supplier.
John Verry (15:20.249)
So if you were chatting with a US-based company that provides ICT type services and they include European banks in their portfolio, what operational changes might they need to make to be DORA compliant? What should they be prepared to demonstrate to both their EU banking clients as well as a potential EU regulator?
Dejan Kosutic (15:26.798)
Mm-hmm.
Dejan Kosutic (15:33.902)
Mm-hmm.
Dejan Kosutic (15:46.402)
Well, I would say in the first place that they would have to demonstrate real cybersecurity governance, so that they’re really, I would say, controlling everything related to, I would say, their IT systems from a security point of view. From the planning perspective, from, I don’t know, risk management, all the way to all the security, I would say, implementation of all the controls, so policies, procedures, but also monitoring, improving all of these things.
Of course, on the technical end, this also includes, I would say, top-level technology, security technology that needs to be implemented. So from my experience in working with lots of companies, in most cases, these companies already have the technology in place. What they do not have is, very often they’re not using this technology in the most secure way.
Dejan Kosutic (17:10.114)
But the point is that they need to have, they need to control and govern their cybersecurity.
John Verry (17:16.633)
Yeah, it’s interesting. So unsurprisingly, perhaps DORA will drive additional formal cybersecurity program adoption, you know, especially considering that it’s the EU, and the EU tends to favor ISO 27001 over other frameworks like SOC 2 and FedRAMP and CMMC and those types of things. So it’s not unlikely to drive a little bit more ISO 27001 uptake.
Dejan Kosutic (17:32.078)
Mm-hmm.
Dejan Kosutic (17:38.798)
Mm-hmm.
Dejan Kosutic (17:45.422)
Yes, so I mean, in Europe, we’re certainly seeing an uptick with ISO 27001. I mean, as expected, it’s not really something, I mean, European companies typically do not go towards the NIST Cybersecurity Framework. Some do go towards SOC 2 because they’re also present in the US market. Well, in the US, I mean, we do have clients, lots of clients that go for 27001. But I would say that
from the EU perspective, from the supervision perspective, again, it doesn’t really matter whether this is 27001 or SOC 2 or NIST CSF. Much more important is that you do have some kind of, let’s say, recognized framework where you do govern, where you do control your cybersecurity program. So I would say there will be no formal preference for 27001.
In reality, from the market perspective, European companies will typically go for 27001. But I mean, any general framework is good as long as you do this, I would say, properly.
John Verry (18:54.905)
So DORA places a strong emphasis on a specific phrase, right, operational resilience. What exactly is operational resilience, and how do you think that differs from the standard disaster recovery and business continuity planning that we see?
Dejan Kosutic (19:01.176)
Mm-hmm.
Dejan Kosutic (19:11.736)
Yeah, so actually it’s digital operational resilience, right? And before this meeting, I actually tried to read the definition again. It’s very hard to understand. But I mean, ultimately it comes…
John Verry (19:15.321)
Hmm?
John Verry (19:26.637)
That’s why I asked the question. I assumed you were the expert. You came on the podcast, told me you were a guru. And now you don’t know the basic explanation. I apologize to the audience. I thought Dejan was a little bit smarter on this stuff.
Dejan Kosutic (19:33.989)
Ha
Dejan Kosutic (19:37.506)
No, no. No, no, it’s funny. But basically, it comes down to this. Digital operational resilience means that your financial entity has a much lower likelihood of getting hacked. And if it does get hacked, that you’ll recover much more quickly. So it does come down to these, I would say, two main points, right?
And when you read DORA, then you see it’s much more than, let’s say, disaster recovery. It’s primarily about risk management. So it has these four main areas: risk management, this digital operational resilience testing, so basically where you actually test everything, including this threat-led penetration testing, also handling third-party suppliers, and incident management. So these four.
These are the four key areas where DORA places its emphasis.
John Verry (20:34.873)
So I think those last two probably are a little bit different in terms of when we think of resilience historically. We think of disaster recovery, business continuity, even the fact that you talked about recovering from an incident, right? So that incident response component comes in, and there’s definitely a supply chain risk management component to this as well. So I think that’s well said. Probably also in the next question I was gonna ask, and I think you’re…
Dejan Kosutic (20:45.358)
Mm-hmm.
Dejan Kosutic (20:52.622)
Mm-hmm.
John Verry (21:02.175)
absolutely, that incident response and threat understanding comes in, because there’s this big emphasis on, you know, what they call threat-led penetration testing, which was a phrase that I had never seen before, despite the fact we’ve done pen testing for 20 plus years. So what are your thoughts on some of the specific guidance that comes out of that threat-led pen testing? You know, they talk about red teaming. They talk about testing third-party dependencies, right? Which also kind of links into that supply chain you just talked
Dejan Kosutic (21:10.968)
Mm-hmm.
Dejan Kosutic (21:16.398)
Mm-hmm.
Dejan Kosutic (21:29.88)
Yeah.
Yeah, yeah. So to be honest, I’m not really in depth with penetration testing, but first of all, this threat-led penetration testing will be mandatory for all financial entities, excluding some smaller ones. But if you are, let’s say, any midsize or larger financial organization, you will have to go through this penetration testing, threat-led penetration testing, and it will have to be done every three years.
So it’s a huge market for, I would say, penetration testing companies. And it’s going to be certainly one of the key areas for doing this. And I see this also as a very good opportunity for US companies. So this is one thing. Second thing is that the European Union, or to be precise, these European supervisory authorities, are actually publishing a special
regulation which will cover threat-led penetration testing. So it’s still in draft, but I would expect in a couple of months it will be published. There you will see much more detailed rules on how this penetration testing will need to be done. In any case, there will be a special license for penetration testers, so they will have to be licensed for doing these tests.
Yeah, it’s going to be certainly a big business there.
John Verry (23:02.393)
That’s interesting about the licensing. Do you know if they’re coordinating that with CREST, the certified registry of ethical security testers? I heard something about that. Okay, something to look into for sure. So one of the things that was interesting, I was chatting the other day with a law firm and they mentioned DORA, which of course right away, I was like, wait a second, they’re not ICT technically.
Dejan Kosutic (23:09.772)
Yeah, I’m not sure. I’m not sure.
Dejan Kosutic (23:14.766)
Mm-hmm.
Dejan Kosutic (23:20.91)
Uh-huh.
John Verry (23:28.121)
But they were told that, well, as we’re going through this, they were dealing with an overseas bank and they were starting to leak DORA-like stuff into all of their contracts and all of it. Do you expect, I’ll call it a ripple effect like that? Do we expect that as the EU banks implement DORA, address ICT, that those principles will leak into areas where it’s not a direct ICT relationship?
Dejan Kosutic (23:28.28)
Yeah.
Dejan Kosutic (24:00.062)
Well, of course, I mean, first of all, these stricter cybersecurity rules will apply to their direct suppliers, right? And since these suppliers also depend on some, let’s say, further suppliers in the supply chain, so I do expect that this…
a ripple effect will come, and it will happen because this security will be, I would say, enforced from banks or financial entities all the way down. It will not necessarily be in the form of DORA, right? Because only these financial organizations have to be compliant with DORA. All the suppliers have to be compliant with basically only the certain clauses in the contracts that they have with their buyers. But I would say, yes,
there will be a ripple effect down this supply chain, because everyone further down will have to be much more, I would say, resilient, so to say, when it comes to cyber. This is also related to, because these financial entities will have much stricter rules on how they have to control their suppliers.
And they will actually have to go and check if these suppliers really implemented all these cybersecurity rules. So I would expect all of these together will certainly bring much stricter cybersecurity rules for everyone involved.
John Verry (25:36.183)
Yeah, I’ve had a couple of clients, you know, I’m sure you’re familiar with the EU AI Act, which is a bear. And one of the complaints we see there is, you know, it’s hard to interpret, it’s hard to have a definitive, you know, hey, you give me an absolute definitive list of things that need to be done and exactly, make it as prescriptive as possible. Starting to hear the same thing about DORA from some people. Have you seen, like, you know, would you point someone, if a client said to you, hey, is there a definitive list with
Dejan Kosutic (25:53.282)
No.
John Verry (26:03.897)
prescriptive guidance so that I know what I need to do. Is there someplace you would point them?
Dejan Kosutic (26:09.121)
Yeah, basically DORA is the top-level regulation for cybersecurity. There are also these regulatory technical standards. So far something like 12 or so are published, and each of these RTSs, regulatory technical standards, focuses on a particular area. So for example, there is one RTS which focuses specifically on these measures for risk management.
There is an RTS which focuses specifically on incident management. And then there is an RTS which specifically focuses on controlling these third-party suppliers, critical suppliers, and so on. So basically, when you take a look at these RTSs, then you see much, much more detailed guidance and requirements on how specific aspects need to be implemented.
John Verry (27:04.798)
Excellent. And you know, do those same RTSs exist to support the EU AI Act?
Dejan Kosutic (27:13.23)
So far, as far as I know, not. The AI Act is really, I mean, it’s still not completely in effect. And basically, parts of it will become effective in the next, I think, year or so. But I expect, yes, that there will be many more of these implementing regulations that will, you know, define certain areas.
John Verry (27:43.353)
Can we expect any more presents from the EU? Well, I mean, EU AI Act, NIS2, DORA, you got any other crap coming our way, Dejan? I mean, as if we didn’t have enough crap to deal with here in the United States with NIST guidance, right? We need your stuff too, really?
Dejan Kosutic (27:48.502)
What do you mean?
Dejan Kosutic (27:54.284)
Yeah.
Dejan Kosutic (28:03.982)
We’ll see, yeah, we’ll see. Well, you know, it depends actually.
John Verry (28:07.735)
I mean, look, you’re an important man. Can you just tell them that enough’s enough? I mean, or can I just tell them, like, Dejan said enough’s enough, right? Will that work?
Dejan Kosutic (28:16.334)
Well, you know, consultants are really happy with all these regulations and so, you know, all the… So it’s, you know, honestly, you know, most of these, especially these companies that are now part of this NIS2 scope, these critical infrastructure companies, you know, most of these companies were really low on cyber and…
John Verry (28:17.913)
Yeah, it does keep us in business. I guess maybe I shouldn’t be complaining.
Dejan Kosutic (28:44.77)
This really needed, I would say, to be brought into order, because with this, I would say, geopolitical situation, it’s really important that some of these services, essential services, are really kept going no matter what. And yeah, this is one way to go.
John Verry (29:02.285)
Yeah, and it’s funny, it’s funny, both sides of the pond mirror each other a bit, right? You know, so you’ve got, like, and I asked you, we have, like, the critical infrastructure guidance, you know, we’ve got HHS, which is coming out with the healthcare cybersecurity performance goals and things of that nature. You know, I think, you know, like you said, the unfortunate reality of the geopolitical and
Dejan Kosutic (29:12.398)
Mm-hmm.
John Verry (29:25.753)
crime-oriented entities that are using cyber, and nation-state adversaries, and, you know, the theater of war moving into the cyber domain to some extent. I think, you know, I was joking around, but I’m positive it’s not the last of the regulations we’ll see from your side of the pond, and we’re going to be sending more your way as well, as a return gift, so.
Dejan Kosutic (29:34.638)
Yeah.
Dejan Kosutic (29:49.678)
Yeah.
John Verry (29:53.753)
Start boning up on CMMC because we’re doing some CMMC work in the EU, and start boning up on some of our other regs because they’re coming your way too, unfortunately.
Dejan Kosutic (29:53.955)
Yeah, yeah.
Dejan Kosutic (29:57.966)
Mm-hmm.
Dejan Kosutic (30:02.584)
Yeah, yeah, it’s the way it goes. I’ve seen, let’s say, the UK is also introducing now this Cyber Security and Resilience Bill, and basically it’s very similar to NIS2. So it’s something to be expected.
Dejan Kosutic (30:22.499)
Yeah.
Dejan Kosutic (30:30.712)
No, I would say this is it. It’s really, I mean, both NIS2 and DORA, especially DORA, they really introduce, you know, a new level of cybersecurity. It was not nearly as strict as it is now. And yeah, maybe with NIS2, the biggest challenge that we didn’t mention is really that each country has to publish their own laws and regulations. Now the problem there
is that each country will publish slightly different laws and regulations. And now you can imagine 27 countries publishing their own laws and regulations, which are slightly different. And this creates bigger problems for multinational companies, which basically come in and want to operate in the whole of Europe. And then they have to comply with 27 different sets of rules. This is a big challenge. And this is what I personally don’t like.
Right? Here, DORA is much better because it equally applies to everyone, whereas NIS2 and these local laws will create quite a big, I would say,
John Verry (31:39.609)
Headache. It’s a headache. Yeah. We see the same thing in the US. I mean, like, we’re screwing stuff up too, right? Because we don’t have a central US privacy framework, right? So now every state is developing a privacy framework, and, you know, it’s kind of funny because the tech companies are lobbying for a single framework. And you would think, wait, tech companies against the framework? But they’re against any framework, but they’d rather have one framework than 50 frameworks.
Dejan Kosutic (31:39.648)
I wouldn’t say mess, but effort,
Dejan Kosutic (31:50.584)
So.
Dejan Kosutic (31:59.15)
Mm-hmm.
John Verry (32:07.575)
Right. And then if you go a little bit of a step further, you know, if you’re a U.S. multinational right now, you’ve got, you know, how many other countries, hundreds of other countries, each with their own. It does become just an absolute nightmare. I mean, I wonder if we will eventually see, you know, some sort of consolidation where a forum of countries will turn around and say, hey, let’s just consolidate this and let’s make it easier, because
Dejan Kosutic (32:20.022)
Yep.
John Verry (32:34.719)
If they did, even if they gave up a little bit, the likelihood that an entity would be able to comply with it would be much better. And I think the net overall cybersecurity or privacy posture would be higher.
Dejan Kosutic (32:40.238)
Mm-hmm.
Dejan Kosutic (32:46.306)
Yeah, yeah, you’re right. I mean, this situation with privacy in the US, it’s very similar here for NIS2. And yeah, if these things could get kind of unified, this would be great, even across the Atlantic. If we had one single framework across the Atlantic, this would be even easier for companies to comply with.
John Verry (33:07.383)
Yeah, well, from your lips to God’s ears. Cool. Well, I appreciate you coming on. Thank you. I think you did a really good job of simplifying NIS2 and DORA, what those differences are, who they apply to. At least I feel a lot better about it today.
Dejan Kosutic (33:25.134)
Thanks for inviting me, it was really a pleasure to talk to you today.
John Verry (33:28.739)
Yeah, it was nice to finally meet you. Like I said, you and I have been swimming in the same fishbowl for 20 plus years, especially the ISO 27001 fishbowl. So very nice to finally get a chance to chat with you. Thank you.
Dejan Kosutic (33:33.901)
Yeah.
Dejan Kosutic (33:40.044)
Yeah. Great. Thank you again. And it was a pleasure.
John Verry (33:45.133)
Wait, wait, wait, one last question. If somebody wanted to get in touch with you, what’s the best way for them to reach out to you?
Dejan Kosutic (33:50.862)
Sure, the best is to reach out through a LinkedIn profile. I’m on LinkedIn, I’m very active on LinkedIn, also on YouTube, but probably best to actually reach out through a message on LinkedIn.
John Verry (34:04.067)
Sounds great. Thank you, Dejan.
Dejan Kosutic (34:05.858)
Yeah, thanks again, John.