
Building Digital Trust: The Role of NIS2 and DORA in the Future of Organizations

2026/03/17

Samuel Gomes | IT Security Manager at Link Consulting by Linkroad

Original article (Portuguese): IT Security


The increasing sophistication of digital threats is no longer a topic reserved for technical teams — it has become a strategic priority for organizations. We live in a digital paradox: we have never been so dependent on technology to operate and innovate, and at the same time, we have never been so exposed to the fragility of these infrastructures.

In this context, the entry into force of the NIS2 Directive and the DORA Regulation represents much more than a new legal obligation. It marks a fundamental shift in the rules of the game.

NIS2 widens the scope of the original NIS Directive to many more sectors and entities, and imposes more demanding requirements on risk management, on incident reporting (an early warning within 24 hours of becoming aware of a significant incident, a fuller notification within 72 hours and a final report within one month) and on the personal accountability of management bodies. DORA, meanwhile, applies to the financial sector and establishes a rigorous framework for digital operational resilience: ICT risk management, incident reporting, resilience testing up to and including threat-led penetration testing (TLPT), oversight of ICT third-party providers, and tested continuity plans. In both cases the message is clear: responsibility for security cannot be confined to the IT department; it must be embedded at the core of governance.

In practice, these European initiatives formalize what reality has already demonstrated. Value chains are interconnected, digital ecosystems are complex, and dependence on technology providers is growing. An incident affecting one partner can rapidly propagate and compromise critical services. This is why both NIS2 and DORA place particular emphasis on third‑party risk management and on the need for clear processes for assessment, monitoring, and response.

Throughout my experience, I have seen many organizations still treat compliance as a one-off exercise. A checklist is completed, documentation is produced, and the matter is considered closed. In my view, this is the biggest mistake. Effective compliance requires cultural transformation and demands that the board understand digital risk with the same depth with which it analyses financial indicators. It also requires clear metrics, action plans that have actually been tested, and genuine incident-response capability.

Another important aspect is reputational impact. Mandatory incident notification increases transparency but also exposes vulnerabilities. Organizations that are not prepared to communicate in a structured and responsible way may see their credibility affected. Trust is built over years and can be lost in days. Digital resilience is, therefore, inseparable from reputation.

There is also a talent challenge, because implementing these regulatory frameworks is technically demanding: it requires combining legal expertise, technical capability and business understanding. It is not just a matter of installing tools; it involves redesigning processes, reviewing supplier contracts, defining internal responsibilities and regularly testing the effectiveness of the implemented controls.

I see NIS2 and DORA as opportunities to elevate organizational maturity, strengthen collaboration across areas, and fully integrate cybersecurity into internal strategy. Companies that adopt a proactive approach, going beyond minimum requirements, will be better positioned to face an increasingly complex threat landscape.

These European initiatives send a clear signal: digital resilience is a pillar of economic sovereignty and social stability. Ignoring them, or treating them as a mere regulatory formality, is a risk no organization can afford. The real question is not whether we should invest in cybersecurity, but whether we are prepared to assume — at the highest level — the responsibility that this new framework requires.