Everbridge Chief Security Officer discusses EU regulations

Tracy Reinhold, Chief Security Officer, Everbridge discusses EU regulations and the power of the Everbridge platform.

What are Everbridge’s perspectives on the Cyber Resilience Act (CRA), Digital Operational Resilience Act (DORA) and NIS2 Directive (NIS2)?

The CRA, DORA and NIS2 are critical in the EU going forward.

We talk about DORA and CRA a lot, but what I want to really focus on is NIS2, because that is critical currently.

For those reading from the US who are not present in the EU, they may confuse NIS2 with NIST, the voluntary program that provides guidelines for cyber-resiliency.

For clarity, NIS2 is a regulatory requirement in the EU which ensures member nations have a codified process or law.

This regulation was initiated in January 2023, but the deadline for Member States to transpose the NIS2 Directive into national law is 17 October 2024.

Though countries have had almost two years to get ready, one of the biggest challenges is: ‘How do you manage something like this?’ This is where Everbridge can help.

Our platform provides a single hub that enables instant preparedness, risk monitoring, management and service reliability.

All of these things are important when you’re putting together codified law. You can think about it through the lens of Preparedness, Communication, Response and Recovery.

What the Everbridge platform does is provides you, a single entity, with a platform to communicate an actual incident, respond to the issue and then take corrective action.

What does this mean in practical terms? How does the Everbridge platform creates a repository for you to learn from?

You have to be able to articulate what you’ve done in the past and part of that requirement is to not only put it into law, but also to be able to articulate your response capability and how you have actually addressed an issue.

Our platform is risk and threat agnostic. Not only does it allow you to be compliant with CRA, DORA and NIS2 regulations, but it allows you to multitask and create an environment that ensures you establish and maintain resilience going forward.

Can you tell us more about the Preparedness, Communication, Response and Recovery elements?

‘Preparedness’ refers to the ability to get ahead of threats through the aggregation and deconfliction of intelligence.

The best disruption to recover from is the one you are aware of and mitigate before manifestation. The next part is ‘Communication’.

This is focused on the mass notification of employees or citizens pursuant to the requirements of the regulation.

The Everbridge platform allows you to communicate effectively. If you have a cyber-breach, it is independent of that network, so you can still maintain communication with your employees and key stakeholders.

‘Response’ focuses on being able to task individuals within that platform to actually take action pursuant to the requirements of the law.

You can then track responses and task out multiple entities to create a solution for the problem.

You can then track the progress inside of the system to determine whether or not people are responsive and assess what worked and what didn’t.

The last part is the ‘Recovery’ piece. Recovery focuses on actually using the tool to deploy resources that allow you to mitigate the potential impact of an issue.

The platform has an after-action capability, where you can review all of the actions that you took pursuant to this activity and then determine where you need to focus for improvement.

It’s a continuous cycle.

Our platform provides capabilities that allow you to report back to the regulatory authority that you have complied with the law and that you are in compliance with this regulation.