{“lastseen”:”2025-11-05T19:15:04″,”description”:”__The Deputy CISO blog series is where Microsoft _ Deputy Chief Information Security Officers_ _ _(CISOs) share their thoughts on what is most important in their respective domains. In this series, you will get practical advice, tactics to start (and stop) deploying, forward-looking commentary on where the industry is going, and more._ In this article, Freddy Dezeure, Deputy CISO for Europe at Microsoft dives into the global security benefits of recent European legislation._\\n\\nToday’s cyberthreats are not just targeting individual enterprises\u2014they are undermining the very foundations of our society. Hospitals where emergency care is delivered. Power grids that keep our cities running. Communication networks that connect families and emergency services. Financial systems that enable commerce and livelihoods. These aren’t abstract IT problems; they’re questions of human welfare and societal continuity.\\n\\nMicrosoft’s security commitments are key to tackling these challenging cyberthreats. Security isn’t simply a product feature or compliance checkbox\u2014it’s a fundamental commitment to protecting the people, communities, and critical services that depend on Microsoft\u2019s technology and services. These commitments also include adherence to Europe’s groundbreaking new cybersecurity regulations into meaningful protection. \\n\\nAfter a decade leading community cybersecurity efforts across critical infrastructure, from energy to telecommunications to financial services, I had planned to enjoy a quieter chapter. But when Microsoft approached me about joining the company as Deputy CISO for Europe, I couldn\u2019t resist getting involved in defending one of the world\u2019s most critical infrastructures and having impact from within. Because, at this moment in history, those of us who understand critical infrastructure security have a responsibility to act.\\n\\n## **The landscape we face**\\n\\nHuman society, the global economy, and the national security of every country in the world rely heavily on information, communication, and the operational technologies that make them possible at the speed and scale required by the modern world. Whenever these technologies face disruption, it becomes immediately clear just how reliant upon them we all are. Many organizations are ill-prepared to operate without information and communication technology (ICT). However, the current cyberthreat landscape makes the risk of digital disruptions very real, reinforcing the importance of cybersecurity and technological resilience. In short, cyber risk has become not just a material business risk, but a societal risk as well.\\n\\nThe findings from Microsoft’s 2025 Digital Defense Report underscore this reality with striking clarity. Cybercriminals have become highly capable and organized, operating fast, at scale, and causing worldwide havoc. They’ve developed access brokerage services as a business model, selling stolen tokens and credentials to other hackers as an easy way into organizations. With AI commoditizing, even cybercriminals with limited technical expertise can expand their operations significantly.\\n\\nMeanwhile, state-sponsored threat actors have moved beyond their traditional realm of strategic espionage. They’re now hacking to gather operational information about their targets’ logistic operations\u00b9 and law enforcement\u00b2 organizations. These cyberattackers have also been observed deploying antagonistic cyber activities as a precursor or accompanying measure to physical war, such as the disruption of satellite communication networks.\u00b3 Recently, we’ve seen a massive increase in attacks on telecommunications companies\u2074 and the exploitation of vulnerable edge devices\u2014routers, firewalls, switches, VPNs, and mobile device management solutions. The report notes that malicious actors remain focused on attacking critical public services because when compromised, these targets have direct and immediate impact on people’s lives. Hospitals and local governments have faced real-world consequences: delayed emergency medical care, disrupted emergency services, canceled school classes, and halted transportation systems.\\n\\n## **How NIS2** **and DORA are transforming the CISO role**\\n\\nTo combat these trends, the European Union adopted two powerful new legislations: the Network and Information Systems Directive 2 (NIS2) and the Digital Operational Resilience Act (DORA). These new legislations, as well as the factors that led to their creation, have broadened the role of the CISO so that it ideally reaches across all of an organization’s infrastructural components\u2014IT, operational technology (OT), Internet of Things (IoT), AI, and the supply chain. The role has become more strategic in focus through increased reporting to the board of directors and supporting their informed oversight. In my mind, this makes the role of CISO a much more complete and fulfilling endeavor.\\n\\nNIS2 is sweeping cybersecurity legislation, establishing a common, high level of cybersecurity across the EU by strengthening requirements for risk management, incident reporting, and governance oversight for entities operating in critical sectors. DORA was similarly adopted to bolster the digital resilience of financial entities operating within the EU. The change required by these legal provisions is far-reaching, requiring organizations to take adequate measures to manage cybersecurity and resilience risks. There are stipulations making it the duty of directors to not only approve these measures but to oversee their implementation. Directors can also be held liable for adherence and must meet new requirements regarding training, knowledge, and expertise.\\n\\nBoth NIS2 and DORA are quite prescriptive, writing industry best practices regarding specific mitigating measures into law\u2014multifactor authentication, cryptography, supply chain security, red teaming, and more. They also highlight the need to implement a risk-based approach, with DORA furthermore emphasizing the need to preserve resilience. They require many organizations to review their existing risk management and control systems, including those of the supply chain, as well as clearly spelling out their cyber governance, including the defining of roles, responsibilities, authorities, and reporting structures.\\n\\nBut compliance in and of itself is not the end goal. What compliance with NIS2 and DORA really means is ensuring the success and continuity of governments and businesses, along with the security of citizen and customer data. Resilience becomes more robust. Compliance, really, is a guidepost by which we direct our security strategy.\\n\\n## **Less is more: Not all controls are created equal**\\n\\nThe EU legislation rightly emphasizes a risk-based approach to cybersecurity (prioritizing protections based on the likelihood of a threat and its capacity for damage) alongside the need to validate the real-world effectiveness of key mitigating controls. It underscores that resilience must be preserved as the final safeguard when other defenses fail, and places ultimate accountability for cyber risk governance on the board of directors. These guiding principles should be embraced not only by industry leaders, but also by auditors and regulators, and deployed with rigor and strategic intent.\\n\\nThe Microsoft Digital Defense Report reinforces why this prioritization matters. With more than 97% of identity attacks being password attacks\u2014and identity-based attacks surging by 32% in the first half of 2025 alone\u2014we know where to focus at this point in time. Phishing-resistant multifactor authentication can stop more than 99% of these attacks. This is the kind of high-impact control that a risk-based approach demands we prioritize.\\n\\nConducting risk-based cybersecurity means prioritizing efforts to reach maximum effectiveness. Experience shows that a very limited subset of key mitigating controls can manage the most important security risks. Aiming for a complete implementation of all possible controls, as if they were all equal, is not ideal. In many ways, this represents a recalibration from the traditional framework-based deployment and audit approach.\\n\\nFocusing on the implementation of key controls, assuring that they\u2019re functioning properly, and then measuring their effectiveness helps enable CISOs to create a strategic dashboard of key control indicators (KCIs) to support informed oversight. This will be an increasingly important tool moving forward, so let\u2019s look at what one might include. The following is a list of KCIs compiled by the CISO Metrics Working Group, comprised of CISOs from large multinational corporations. It should serve us well as a starting point for determining KCIs. The first KCI in this list, which involves establishing an \\”inventory of ICT systems,\\” is by far the most important. After all, an organization cannot protect something it doesn\u2019t know exists.\\n\\n| Description| Measurement \\n—|—|— \\nKCI 1| ICT asset inventory| % ICT assets in inventory according to policy \\nKCI 2| Privileged accounts| % privileged accounts managed within policy \\nKCI 3| Timely patching| % high risk security updates within N hours \\nKCI 4| Reliable backups of data and applications| Maximum time to recover critical resources (% of critical resources recoverable in N hours) \\nKCI 5| Endpoint protection| % endpoints configured in line with policy \\nKCI 6| Collecting logs | % critical systems onboarded for log collection \\nKCI 7| Network security| % compliant key network security configurations \\nKCI 8| Third-party compliance| % compliant key third-party connections \\nKCI 9| Identity management| % coverage of systems and users with phising-resistant multifactor authentication \\nKCI 10| Major incidents| % major cyber incidents without business impact \\nKCI 11| Risk acceptance| Number of risk accepted policy deviations \\nKCI 12| Security of systems exposed to the internet| % of company assets exposed to the Internet adequately protected and monitored \\nKCI 13| Safeguarding platform keys| % of platform keys covered by security monitoring \\nKCI 14| Origin of cyber incidents| % security incidents related to deficiencies of at least one key control \\nKCI 15| Resilience testing| Results of resilience testing (red teaming) \\nKCI 16| Cryptography| % crypto resources post-quantum secured \\n% resources with compliant key management \\n| | \\n \\nThis list is not exhaustive, and the above KCIs may need to be finetuned to every organization. For example, a production enterprise may need to focus specifically on OT security and resilience while being mindful that patching vulnerabilities may not be very simple. Other mitigating measures like network segmentation would naturally also become key controls to highlight.\\n\\nThe EU legislation deliberately demands a risk-based approach. The bottom line here is that we should focus our cybersecurity and resilience efforts on mitigation measures that bring the highest possible benefit to our specific cyberthreat environment. Less is more, but do it well!\\n\\n## Microsoft \\nDeputy CISOs\\n\\n**To hear more from Microsoft Deputy CISOs, check out the OCISO blog series**:\\n\\nTo stay on top of important security industry updates, explore resources specifically designed for CISOs, and learn best practices for improving your organization\u2019s security posture, join the Microsoft CISO Digest distribution list.\\n\\n\\n\\n## **From regulation to action**\\n\\nComprehensive and actionable guidance for CISOs and directors can be found in the recent publication of the Dutch Cyber Security Council Guide to Cybersecurity for Directors and Business Owners, which I co-authored. While the annexes of the document refer to EU legislation, I believe the core of the text to be broadly applicable.\\n\\nMicrosoft has already shared its new digital commitments in Europe, including a digital resilience commitment and additional security and encryption options. To learn more, check out Microsoft announces new European digital commitments.\\n\\nThe release of the Microsoft Digital Defense Report provides the latest intelligence on the cyberthreat landscape and actionable recommendations for organizations worldwide. The report makes clear that in this environment, organizational leaders must treat cybersecurity as a core strategic priority\u2014not just an IT issue\u2014and build resilience into their technology and operations from the ground up. Legacy security measures are no longer enough; we need modern defenses leveraging AI and strong collaboration across industries and governments to keep pace with the threat.\\n\\nTo learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.\\n\\n* * *\\n\\n**\u00b9**https:\/\/www.cisa.gov\/news-events\/cybersecurity-advisories\/aa25-141a\\n\\n**\u00b2**https:\/\/www.microsoft.com\/security\/blog\/2025\/05\/27\/new-russia-affiliated-actor-void-blizzard-targets-critical-sectors-for-espionage\/\\n\\n**\u00b3**https:\/\/cyberconflicts.cyberpeaceinstitute.org\/law-and-policy\/cases\/viasat\\n\\n**\u2074**https:\/\/www.wired.com\/story\/chinas-salt-typhoon-spies-are-still-hacking-telecoms-now-by-exploiting-cisco-routers\/\\n\\nThe post \u200b\u200bSecuring critical infrastructure: Why Europe\u2019s risk-based regulations matter appeared first on Microsoft Security Blog.”,”published”:”2025-11-05T17:00:00″,”modified”:”2025-11-05T17:00:00″,”type”:”mssecure”,”title”:”\u200b\u200bSecuring critical infrastructure: Why Europe\u2019s risk-based regulations matter”,”source”:””,”references”:””,”id”:”MSSECURE:589AE14687904F58454C69B744C33D24″,”bulletinFamily”:”blog”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/11\/05\/securing-critical-infrastructure-why-europes-risk-based-regulations-matter\/”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-11-05T19:15:04″,”description”:”__The Deputy CISO blog series is where Microsoft _ Deputy Chief Information Security Officers_ _ _(CISOs) share their thoughts on what is most important in…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,110,13,33,7,11,5],"class_list":["post-24906","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-mssecure","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n