The Global Security Benefits of Recent European Legislation
The landscape of cyber threats has dramatically evolved in today’s world, extending beyond individual enterprises to challenge the very foundations of our society. As highlighted by Freddy Dezeure, Deputy CISO for Europe at Microsoft, the stakes are incredibly high. Hospitals providing emergency care, power grids that power our cities, and communication networks linking families and emergency services are all at risk. These threats are not mere IT issues; they fundamentally pertain to human welfare and societal continuity.
Microsoft’s Commitment to Security
Microsoft’s dedication to security is more than just compliance—it’s a fundamental promise. By deeply committing to security, Microsoft aims to protect the individuals, communities, and essential services that rely on its technology. In the context of new European legislation, this commitment becomes even more significant, not just in adherence but in creating robust defenses against emerging threats.
After a long and rewarding career in community cybersecurity, Freddy Dezeure found an opportunity with Microsoft that he could not turn down: the chance to shape and secure critical infrastructure across Europe. The urgency of defending against cyber threats has never been greater, and it calls for proactive engagement from experienced professionals.
The Cyber Threat Landscape
Modern society is increasingly reliant on information and communication technologies (ICT). A disruption in these technologies quickly exposes that dependence, since many organizations are ill-equipped to maintain operations without them. The reality is stark: the current cyber threat landscape represents not just a material business risk, but a wide-ranging societal risk.
According to Microsoft’s 2025 Digital Defense Report, attackers have become increasingly sophisticated, leveraging access brokerage services to sell stolen credentials and tokens to other hackers. With the aid of artificial intelligence, even less-experienced cybercriminals can orchestrate significant attacks. The consequences are dire, as state-sponsored actors evolve beyond espionage to target operational logistics and critical public services, leading to significant disruptions in everyday life.
Transforming the Role of the CISO
In response to these mounting challenges, the European Union has enacted pivotal cybersecurity legislation—NIS2 (Network and Information Systems Directive 2) and DORA (Digital Operational Resilience Act). These pieces of legislation redefine the role of the Chief Information Security Officer (CISO), emphasizing a more strategic approach that spans across all organizational components—IT, operational technology (OT), the Internet of Things (IoT), artificial intelligence, and the supply chain.
NIS2 aims to establish a unified level of cybersecurity across the EU, enhancing requirements for risk management, incident reporting, and governance oversight, particularly in critical sectors. DORA, on the other hand, focuses specifically on strengthening the digital resilience of financial entities operating within the EU. This comprehensive framework not only mandates compliance but also empowers organizations to prioritize cyber resilience and governance.
The Importance of a Risk-Based Approach
Both NIS2 and DORA advocate for a risk-based approach to cybersecurity. This involves prioritizing protections based on the likelihood of threats and their potential impact, along with the validation of key mitigating controls. For instance, multifactor authentication can mitigate more than 99% of identity attacks, demonstrating the need for organizations to focus on high-impact defenses.
This shift necessitates a recalibration in how cybersecurity efforts are implemented. By concentrating on essential controls and measuring their effectiveness, CISOs can develop a strategic dashboard of Key Control Indicators (KCIs), which help in more informed decision-making. Among these, maintaining an inventory of ICT systems stands out as the first and foremost KCI; an organization cannot protect what it isn’t even aware exists.
Key Control Indicators (KCIs)
The following KCIs have been highlighted for their importance in cyber governance:
- ICT Asset Inventory
  - % of ICT assets in inventory as per policy
- Privileged Accounts
  - % of privileged accounts managed according to policy
- Timely Patching
  - % of high-risk security updates within specified hours
- Reliable Backups
  - Time to recover critical resources (% recoverable in specified hours)
- Endpoint Protection
  - % of endpoints configured per security policy
- Log Collection
  - % of critical systems onboarded for log collection
- Network Security
  - % of compliant key network security configurations
- Third-party Compliance
  - % of compliant key third-party connections
- Identity Management
  - % of systems and users using phishing-resistant multifactor authentication
- Major Incidents
  - % of major cyber incidents without business impact
- Risk Acceptance
  - Number of policy deviations accepted as risk
- Security of Internet-Exposed Systems
  - % of assets exposed to the Internet adequately protected
- Safeguarding Platform Keys
  - % of platform keys covered by security monitoring
- Origin of Cyber Incidents
  - % of incidents related to deficiencies of at least one key control
- Resilience Testing
  - Results of resilience tests (red teaming)
- Cryptography
  - % of crypto resources secured against quantum threats
This list, while not exhaustive, serves as a foundational starting point. Organizations should tailor KCIs to fit their specific environments and vulnerabilities.
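The KCIs above are defined as percentages against a policy target, but the useful part of a dashboard is the rule that decides whether a record counts: a patch applied outside its SLA window is a miss, a pending patch still inside the window is not yet counted, an Internet-exposed host is "adequately protected" only when it is inventoried, endpoint-protected and logging, and so on. The script below is an added illustration (not code from the original article, from Microsoft, or from the guide it cites) that computes five of the listed KCIs from a constructed asset inventory, patch log and user list, then compares each value to an assumed target. The field names, SLA hours and targets are assumptions chosen for the example; a real dashboard would pull the same inputs from a CMDB, a patch-management system and an identity provider.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# All records below are constructed sample data for the example, not real assets.
# Field names are assumptions; map them to your CMDB / patch / IdP exports.


@dataclass
class Asset:
    name: str
    in_inventory: bool             # present in the CMDB (assets come from a discovery scan)
    internet_exposed: bool
    edr_onboarded: bool            # stands in for "configured per security policy"
    log_onboarded: bool            # forwarding to the central log platform
    critical: bool
    restore_test_hours: Optional[float]  # measured time to restore; None = never tested


@dataclass
class Patch:
    asset: str
    released_at: datetime
    applied_at: Optional[datetime]  # None = still unpatched


@dataclass
class User:
    name: str
    mfa_method: str  # "fido2", "certificate", "totp", "sms", "none"


PHISHING_RESISTANT = {"fido2", "certificate"}  # TOTP/SMS codes can be relayed by a phishing proxy


def pct(num: int, den: int) -> float:
    """Percentage rounded to one decimal; an empty population counts as fully compliant."""
    return 100.0 if den == 0 else round(100.0 * num / den, 1)


def kci_inventory(assets: List[Asset]) -> float:
    """% of discovered assets that are recorded in the inventory."""
    return pct(sum(a.in_inventory for a in assets), len(assets))


def kci_patching(patches: List[Patch], sla_hours: int, now: datetime) -> float:
    """% of high-risk updates applied within sla_hours of release.
    Applied late, or unapplied with the window already elapsed, counts as a miss;
    unapplied but still inside the window is not counted yet."""
    outcomes: List[bool] = []
    for p in patches:
        deadline = p.released_at + timedelta(hours=sla_hours)
        if p.applied_at is not None:
            outcomes.append(p.applied_at <= deadline)
        elif now > deadline:
            outcomes.append(False)
    return pct(sum(outcomes), len(outcomes))


def kci_phishing_resistant_mfa(users: List[User]) -> float:
    """% of users whose MFA method is phishing-resistant."""
    return pct(sum(u.mfa_method in PHISHING_RESISTANT for u in users), len(users))


def kci_exposed_protected(assets: List[Asset]) -> float:
    """% of Internet-exposed assets that are inventoried, endpoint-protected and logging."""
    exposed = [a for a in assets if a.internet_exposed]
    ok = [a for a in exposed if a.in_inventory and a.edr_onboarded and a.log_onboarded]
    return pct(len(ok), len(exposed))


def kci_recoverable(assets: List[Asset], sla_hours: float) -> float:
    """% of critical assets with a tested restore time inside the recovery SLA."""
    crit = [a for a in assets if a.critical]
    ok = [a for a in crit if a.restore_test_hours is not None and a.restore_test_hours <= sla_hours]
    return pct(len(ok), len(crit))


# Assumed policy targets (percent); tune to your own risk appetite.
TARGETS = {"ICT asset inventory": 98.0, "Timely patching": 95.0,
           "Phishing-resistant MFA": 100.0, "Exposed assets protected": 100.0,
           "Critical assets recoverable": 100.0}


def dashboard(assets: List[Asset], patches: List[Patch], users: List[User], now: datetime,
              patch_sla_h: int = 72, restore_sla_h: float = 24.0) -> Dict[str, Tuple[float, str]]:
    """Return each KCI with its value and an OK / BELOW TARGET verdict."""
    values = {"ICT asset inventory": kci_inventory(assets),
              "Timely patching": kci_patching(patches, patch_sla_h, now),
              "Phishing-resistant MFA": kci_phishing_resistant_mfa(users),
              "Exposed assets protected": kci_exposed_protected(assets),
              "Critical assets recoverable": kci_recoverable(assets, restore_sla_h)}
    return {k: (v, "OK" if v >= TARGETS[k] else "BELOW TARGET") for k, v in values.items()}


# Constructed sample population.
NOW = datetime(2025, 1, 10, 12, 0)
SAMPLE_ASSETS = [
    Asset("web-01", True, True, True, True, True, 4.0),
    Asset("web-02", True, True, False, True, False, None),
    Asset("db-01", True, False, True, True, True, 30.0),
    Asset("shadow-vm", False, True, False, False, False, None),  # found by scan, not in CMDB
]
SAMPLE_PATCHES = [
    Patch("web-01", datetime(2025, 1, 1), datetime(2025, 1, 2)),   # 24h: within SLA
    Patch("db-01", datetime(2025, 1, 1), datetime(2025, 1, 5)),    # 96h: late
    Patch("web-02", datetime(2025, 1, 3), None),                   # window elapsed: miss
    Patch("shadow-vm", datetime(2025, 1, 9), None),                # still inside window
]
SAMPLE_USERS = [User("alice", "fido2"), User("bob", "certificate"),
                User("carol", "totp"), User("dave", "sms")]

if __name__ == "__main__":
    for name, (value, verdict) in dashboard(SAMPLE_ASSETS, SAMPLE_PATCHES, SAMPLE_USERS, NOW).items():
        print(f"{name:28s} {value:6.1f}%  {verdict}")
```

Two design points matter more than the arithmetic. First, every KCI is computed against a population that comes from outside the control itself (discovered assets, not inventoried ones; released patches, not applied ones), otherwise the metric can only ever report success. Second, the SLA rules are explicit in code, so a board-level figure such as "33% of high-risk patches applied on time" can be traced back to the individual records that produced it.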
From Regulation to Action
Practical guidance for CISOs and corporate directors is increasingly available, such as the Guide to Cybersecurity for Directors and Business Owners, co-authored by Freddy Dezeure. This resource provides actionable insights that are broadly applicable beyond just compliance with EU regulations.
Microsoft is also ramping up its digital commitments across Europe, focusing on enhanced security protocols and continued adaptation to the shifting landscape. The Digital Defense Report articulates not just the ongoing threat landscape but emphasizes that cybersecurity must be treated as a strategic priority, evolving from being merely an IT issue to being central to business continuity and trust.
To stay ahead of the curve, organizations are encouraged to explore Microsoft’s security solutions. Keeping informed through resources such as the Microsoft Security blog and following their updates on social media platforms ensures that professionals remain armed with the latest insights and practices in cybersecurity.
