The Emerging Security Objective in Modern Regulatory Frameworks
Resilience
In an era of increasing digital interdependencies, resilience has emerged as a critical objective for maintaining continuity and security, slowly replacing the old, siloed way of managing security and continuity separately.
In recent years, the term resilience has become increasingly important in the lexicon of information security, particularly within regulatory frameworks like DORA (Digital Operational Resilience Act) and NIS-2 (Network and Information Security Directive 2). While it might seem like just another buzzword, resilience is a critical security objective that is reshaping how organizations approach both risk management and continuity. This blog aims to delve into the concept of resilience—where it comes from, why it matters, and how it is echoed in new legislation.
Understanding Resilience in Information Security
At its core, resilience is about maintaining continuity in the face of disruptions. It's a proactive shift in focus from merely defending against known threats to preparing for unknown, potentially inevitable failures and ensuring that an organization can quickly recover when things go wrong. In the context of cybersecurity, resilience means being equipped not only to defend against breaches but also to absorb, adapt, and bounce back from disruptions — whether they arise from cyberattacks, technical failures, or even environmental events.
Traditionally, security objectives were anchored around the concepts of confidentiality, integrity, and availability (CIA), with authenticity sometimes added as a fourth. While these pillars are still crucial, resilience brings a broader perspective, emphasizing not just the immediate protection of assets but also the sustained ability of an organization to continue delivering services even when facing adverse circumstances.
The Historical Roots of Resilience
The concept of resilience is not new. It originated in fields like ecology and engineering, where it describes the capacity of a system to return to a stable state after disruption. In information security, resilience began gaining traction as organizations realized that no system is ever truly invulnerable. The increasing sophistication of cyber threats, coupled with the growing reliance on digital infrastructure, made it clear that absolute prevention is neither feasible nor realistic. Instead, the focus shifted to preparedness, adaptability, and rapid recovery.
Another significant milestone in the evolution of resilience as a security objective was the introduction of the General Data Protection Regulation (GDPR). GDPR, which came into effect in 2018, emphasized the importance of resilience by requiring organizations to implement measures that ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services (cf. Art. 32(1)(b) GDPR). Article 32 of GDPR specifically calls for measures that guarantee the ability to restore the availability of and access to personal data in the event of a physical or technical incident. This regulatory push further solidified resilience as a key component of data protection and operational security.
The global COVID-19 pandemic was a significant wake-up call that exposed vulnerabilities in both organizational and national systems. As a result, resilience has transitioned from a theoretical concept to a practical necessity — driving the evolution of regulatory frameworks aimed at enhancing the robustness of critical services.
How Resilience Resonates in DORA and NIS-2
DORA (Digital Operational Resilience Act)
DORA, a regulation from the European Union, aims to ensure the operational resilience of financial entities, as its title indicates. It recognizes that financial systems are deeply interconnected, and a disruption affecting one entity can ripple through the ecosystem. DORA sets out requirements for institutions to strengthen their resilience, emphasizing, among other things, incident response, business continuity, and third-party risk management.
In DORA, resilience is not just about cybersecurity; it's about holistic operational resilience. This includes ensuring that both the technological backbone and organizational processes are capable of withstanding and adapting to shocks. By mandating that financial entities develop and test contingency plans, DORA institutionalizes resilience as a proactive, ongoing process, rather than a reactive measure taken only after incidents occur.
NIS-2 (Network and Information Security Directive 2)
NIS-2 extends the scope of the original NIS Directive, expanding its application to cover more sectors and setting stricter requirements for cyber resilience across essential and important services. Where NIS-1 focused largely on cybersecurity measures, NIS-2 has evolved to include requirements that encompass the broader aspects of resilience, such as incident handling, crisis management, and capacity building.
Resilience within NIS-2 is largely about ensuring that critical infrastructure — ranging from healthcare to energy — can maintain essential services even when under attack or experiencing technical failures. NIS-2 promotes the idea that organizations must have in place not only robust prevention mechanisms but also the ability to adapt, recover, and minimize the impact of any disruptions. This involves creating a culture of resilience, where adaptability and preparedness become as important as protection.
Why Resilience Matters Now
With the increasing complexity and interdependency of digital infrastructures, resilience is now seen as a strategic objective, rather than a technical afterthought. Regulatory bodies like the European Commission have recognized that in a hyper-connected world, individual breaches or outages can have far-reaching implications, potentially cascading across sectors and borders.
Resilience is also critical from a business perspective. A resilient organization is one that can maintain trust, retain customers, and mitigate financial losses in the face of disruptions. Regulations like DORA and NIS-2 are essentially pushing companies to evolve — to not only comply with traditional cybersecurity measures but also to anticipate, prepare for, and effectively respond to crises.
The Shift from Isolated Security and Continuity to Integrated Resilience Management
A notable trend in the evolving landscape of organizational security is the gradual shift from isolated approaches — such as information security management and business continuity planning — to a more integrated resilience management model. Historically, information security and business continuity, including IT service continuity management (ITSCM), operated in silos. Information security focused primarily on protecting data and systems, while business continuity aimed to ensure the availability of critical processes during disruptions. The teams responsible for these domains tended to work in isolation, with little coordination between them.
However, this fragmented approach often led to gaps in response and inefficiencies in managing crises. Today, resilience management is emerging as a comprehensive framework that unifies these disciplines under a single umbrella. By adopting resilience management, organizations can synchronize their defenses, improve their ability to adapt to unexpected events, and ensure that both security measures and continuity plans are aligned toward the same goal—sustained service delivery.
This shift is also reflected in regulatory requirements, which increasingly demand an integrated approach to resilience, where security, continuity, and adaptability are interwoven. The focus is no longer just on preventing incidents or maintaining operations in isolation but on building an organization that can absorb shocks, learn from them, and emerge stronger. As a result, resilience management is replacing the traditional segmented strategies, providing a more holistic view of organizational robustness.
DORA also introduces the Digital Operational Resilience Strategy as a foundational element to integrate all corporate efforts around security and resilience management into one cohesive strategy (Art. 6(8) DORA). This strategic approach aims to unify cybersecurity, business continuity, and third-party risk management under a single framework, ensuring a comprehensive and aligned resilience posture across the organization.
Conclusion
The emphasis on resilience in frameworks like DORA and NIS-2 marks a pivotal evolution in how we think about security and continuity. It's about building a robust capacity to withstand disruptions and recover quickly, recognizing that perfect prevention is impossible. As digital systems become more integral to our way of life, resilience is fast becoming the key to ensuring that these systems remain reliable, trusted, and capable of enduring whatever challenges come their way.
For organizations, this means going beyond the traditional CIA triad and adopting a mindset that prioritizes not just defense, but also recovery and adaptability. Whether you are in finance, healthcare, or energy, the call to action is clear: resilience is not just a regulatory requirement; it’s a strategic imperative for sustained success in an unpredictable world.