End-of-life assets: managing risks in outdated technology

Make new friends, but keep the old: one is silver, the other gold.

Despite enormous advances within information technology, security practitioners are still plagued by common problems. Advances in cybersecurity defenses and overall security awareness are helpful, but organizations still struggle with end-of-life (EOL) assets scattered across the attack surface. This can be a surprisingly difficult problem to solve and, most importantly, from the attacker’s perspective, EOL assets still provide easy footholds into an environment.

End-of-life is not the end

All of the system hardening and security patches in the world cannot protect a system that is not updated to use those features. System vendors generally provide patches and updates for a limited timespan. After that point, end users must invest in an upgrade to a newer version of the system or fend for themselves and hope for the best with an EOL, outdated asset lurking on the attack surface.

EOLed systems often stick around for years, mostly forgotten but still part of an organization’s infrastructure and, therefore, its attack surface. New vulnerabilities are still discovered and exploited in these outdated systems as the April 2024 D-Link NAS issue illustrated. Despite the known exposure, being EOL means that fixes will not be forthcoming.

While this may seem like an academic exercise, EOLed systems are surprisingly common. Our findings show many still-active EOLed operating systems in various environments.

Operating system end-of-life

Operating systems typically have multiple phases of vendor support, referred to as a support lifecycle. The duration of the lifecycle and services provided in various stages vary from vendor to vendor, usually tapering off with fewer updates and patches in later stages.

The two phases we are most concerned with are:

  • Mainstream support during which vendors release patches that may add new features, fix bugs, or mitigate security vulnerabilities.

  • Extended support during which only critical bugs and vulnerabilities are addressed.

While some vendors’ terminology and phases may slightly differ, generally speaking, most support lifecycles can be broadly mapped to these two phases.

When a vendor stops providing upgrades for non-critical issues, the product is considered to be in an “End-of-Life” (EOL) status. There may be an additional period known as “Extended-End-of-Life” (EEOL) during which the vendor continues to provide updates for critical issues. EOL and EEOL can happen concurrently or separately depending on the system and the vendor. Most importantly, after EOL, systems no longer receive critical updates or security patches, and thus become much greater risks to keep around.

But around they are! Systems have a long tail: if they still work, replacing them with a supported alternative may be more trouble than it’s worth. In some cases, the responsible staff can’t or won’t; in others, the system may host critical functions that are not supported on newer systems. Uptime guarantees and financial considerations may also play a role.

When we look at our sample data for operating systems that are past their extended EOL dates, we see that chart toppers are a pretty even split between Windows and various Linux distributions:

FIGURE 1 – Top OS past extended EOL.

The presence of Ubuntu 18.04 isn’t surprising as it only reached Extended EOL just over a year ago in June of 2023. Ubuntu is often a go-to Linux distribution for businesses and home users alike as well as very popular in cloud environments. Windows Server 2012 R2 is also unsurprising; it reached extended EOL only very recently, in October of 2023. While running an OS a year past extended EOL is unfortunate, it’s not unusual for server migrations to drag on past EOL dates due to logistical and compatibility concerns.

The next major group is composed of various Windows 10 releases that, were they combined, would dominate the chart at 21.55%. Most of these are running Windows 10 21H2, which reached extended EOL very recently, in June 2024. Windows 10 was originally released in July of 2015. Microsoft has generally released two major updates for it every year since. Typically, updates released in the first half of the year are supported for 18 months and those released in the second half are supported for 30 months. There are some variations on this theme, with Long-Term Servicing Channel (LTSC) editions, for example, having longer lifespans. Windows 10 22H2 is the final version of Windows 10 and will reach extended EOL in October 2025.

FIGURE 2 – Windows 10 past extended EOL.

Exposed systems past extended EOL

While operating systems outside of their extended lifespans are always worth looking into, those with exposure to an external attack surface are particularly worrisome. Of all systems exposed to an external attack surface and for which EOL data was available, 15.99% were past their extended EOL dates. That means that roughly 16% of all devices exposed to external attackers are probably not receiving security updates.

For server operating systems specifically, when we group them by family, we see that the largest block is Windows hosts. The percentage may be higher than expected based on Figure 1 above; this is due to the long tail of various Windows Server versions going back to Server 2008 R2.

FIGURE 3 – Server operating systems with external attack surface exposure, past extended EOL.

Case study: the Boa web server

The Boa webserver is an open source web server designed to have low resource requirements for users and to be compatible with embedded applications. The last official release of the Boa webserver, version 0.94.14rc21, was in February of 2005. For comparison, the Colts have won a Super Bowl more recently than the latest release of the Boa web server, and the Colts haven’t won a Super Bowl since 2007!

There are known vulnerabilities in Boa that have been exploited in critical infrastructure in the past. For example, in November 2022, Microsoft disclosed that Boa web servers in Internet-of-Things (IoT) devices were a common attack vector against power grids in India.

While it is relatively easy for an administrator to determine if a server is running Boa, it is much harder to detect in an embedded device. Boa is common in embedded devices like security cameras and IP phones that are widely deployed in enterprise networks. Therefore, curating an accurate inventory of an organization’s embedded devices, not just servers, that are running Boa is critical for protecting these networks.

FIGURE 4 – Boa web server version distribution in runZero data.

Embedded devices running Boa

Device type                      Share
Network-attached camera          92.3%
Media & telephony devices         5.5%
Environmental control devices     0.9%
Network devices                   0.9%
Industrial control devices        0.3%

FIGURE 5 – Device types still running Boa in sample runZero data.

New-Old Friends

We’d be remiss if we didn’t mention common operating systems that will reach extended EOL soon. If any of these operating systems are running in your environment, we strongly recommend that you start planning for replacement or mitigation sooner rather than later.

FIGURE 6 – Common OS approaching extended EOL.

Final Thought

The prevalence of EOL systems within organizational networks remains a significant security concern. Despite advancements in security technology and practices, these outdated assets continue to provide attackers with easy entry points. Addressing this issue requires a proactive approach to asset discovery, exposure mitigation, and vigilant attack surface management to ensure that all components of your network, regardless of age, are secure and up-to-date.

runZero customers can find assets that are past their extended EOL by using the Policy: Extended End-of-Life operating systems canned query. You may need to add the OS EOL Ext. column in the Asset inventory in order to view the value.

Don’t forget to download the runZero Research Report to learn more about the state of asset security.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About runZero
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network–without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.

Subnets. What is a subnet? How does it work?

Subnetting is the process of dividing a network into several smaller, independent subnets. Each subnet is a portion of the core network that follows a specific logic. Subnetting is commonly used in local networks such as a company’s, since it brings several benefits:

  • Increase of network performance: The amount of data traffic on a network with subnets is reduced, as traffic can be directed only to the necessary subnet. This also decreases broadcast traffic (packets that are sent to all devices on the network), being able to send them only to specific subnets.
  • Improved network security: Subnets may be isolated from each other, making it easier to establish boundaries between different network segments by means of a firewall.
  • Ease of network management: Having multiple subnets increases flexibility in network management compared to working with a single network.

Process for creating subnets

Before you start creating subnets, it is important to know three key concepts:

  • Original IP Address: This is the base IP address from which you will start to create the necessary subnets. IPv4 addresses are divided into classes (A, B, C, D and E). In LAN networks, Class A (10.0.0.0 – 10.255.255.255), Class B (172.16.0.0 – 172.31.255.255), or Class C (192.168.0.0 – 192.168.255.255) addresses are generally used.
  • Subnet Mask: It indicates which part of the IP address corresponds to the network and subnet number and which part corresponds to hosts. In addition, it also tells devices to identify whether a host is within a local subnet or comes from a remote network.
  • Broadcast address: It is the highest address of a subnet and allows simultaneous traffic between all nodes of a subnet. A packet sent to the broadcast address will be sent to all subnet devices.

Once these concepts are clear, you may begin to calculate the subnets.

  • Choosing the source IP address: The choice of this source IP for a local network will usually be class A, B or C and will depend on the number of hosts you need on your network. For the example, we will use the class C address 192.168.1.0/24.
  • Determining the number of subnets: You need to decide how many subnets you wish or need to create. The more subnets, the fewer IP addresses will be available to hosts. In our example we will create 4 subnets.
  • Subnet Mask Calculation: Starting from the IP 192.168.1.0/24, where /24 indicates that we use 24 bits for the subnet, which leaves 8 bits for the hosts. This translates to binary as:
    11111111.11111111.11111111.00000000
    subnet bits (24) host bits (8)
  • Borrowing bits for subnets: To create subnets, take bits from those available for hosts. The formula to calculate how many bits you need is:
    2^n >= N
    Where N is the number of subnets (4 in our example) and n is the number of bits needed. Here, n equals 2, since: 2^2 >= 4
  • New Subnet Mask: By taking 2 bits from hosts, the new subnet mask will be:
    11111111.11111111.11111111.11000000
    subnet bits (26) / host bits (6)
    This translates to /26 or 255.255.255.192.
  • Assigning source IP addresses for each subnet: Using the two borrowed bits, you get the following combinations:
    192.168.1.0/26
    192.168.1.64/26
    192.168.1.128/26
    192.168.1.192/26
  • Calculating IPs for each subnet: For each subnet, calculate the first and last usable IP address and broadcast address:
    • Subnet 192.168.1.0/26:
      • First IP: 192.168.1.1
      • Last IP: 192.168.1.62
      • Broadcast address: 192.168.1.63
    • Subnet 192.168.1.64/26:
      • First IP: 192.168.1.65
      • Last IP: 192.168.1.126
      • Broadcast address: 192.168.1.127
    • Subnet 192.168.1.128/26:
      • First IP: 192.168.1.129
      • Last IP: 192.168.1.190
      • Broadcast address: 192.168.1.191
    • Subnet 192.168.1.192/26:
      • First IP: 192.168.1.193
      • Last IP: 192.168.1.254
      • Broadcast address: 192.168.1.255

Summarizing in a table:

Subnet             First IP         Last IP          Main IP (network)   Broadcast IP
192.168.1.0/26     192.168.1.1      192.168.1.62     192.168.1.0         192.168.1.63
192.168.1.64/26    192.168.1.65     192.168.1.126    192.168.1.64        192.168.1.127
192.168.1.128/26   192.168.1.129    192.168.1.190    192.168.1.128       192.168.1.191
192.168.1.192/26   192.168.1.193    192.168.1.254    192.168.1.192       192.168.1.255
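The bit-borrowing procedure above, written out as a small calculator. This is an added example, not code from the original article: it works on raw 32-bit integers so the mask arithmetic is visible, cross-checks its boundaries against Python's standard ipaddress module, and goes slightly beyond the text by also handling the /31 point-to-point case described later, where no network or broadcast address is reserved.

```python
"""IPv4 subnet calculator following the bit-borrowing procedure above.

Added example (not code from the original article). Addresses are handled as
32-bit integers so the mask arithmetic is visible; the standard ipaddress
module is used only to cross-check the result.
"""
import ipaddress


def to_int(dotted: str) -> int:
    """Dotted-quad text -> 32-bit integer, e.g. '192.168.1.64' -> 0xC0A80140."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"invalid IPv4 address: {dotted}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def to_dotted(value: int) -> str:
    """32-bit integer -> dotted-quad text."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def mask_for(prefix: int) -> int:
    """Mask with `prefix` leading one bits, e.g. 26 -> 255.255.255.192."""
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def bits_to_borrow(wanted_subnets: int) -> int:
    """Smallest n with 2**n >= N, the formula used in the text."""
    n = 0
    while (1 << n) < wanted_subnets:
        n += 1
    return n


def describe(network: int, prefix: int) -> dict:
    """First/last usable host and broadcast address of one subnet."""
    size = 1 << (32 - prefix)
    top = network + size - 1
    if prefix >= 31:
        # /31 point-to-point links (RFC 3021) and /32 host routes reserve
        # nothing: both addresses are usable and there is no broadcast.
        first, last, broadcast = network, top, None
    else:
        first, last, broadcast = network + 1, top - 1, top
    return {
        "subnet": f"{to_dotted(network)}/{prefix}",
        "mask": to_dotted(mask_for(prefix)),
        "network": to_dotted(network),
        "first": to_dotted(first),
        "last": to_dotted(last),
        "broadcast": None if broadcast is None else to_dotted(broadcast),
        "usable_hosts": last - first + 1,
    }


def split_network(base_cidr: str, wanted_subnets: int) -> list:
    """Split base_cidr into at least `wanted_subnets` equal-sized subnets."""
    addr_text, prefix_text = base_cidr.split("/")
    base_prefix = int(prefix_text)
    base = to_int(addr_text)
    host_bits = ~mask_for(base_prefix) & 0xFFFFFFFF
    if base & host_bits:
        raise ValueError(f"{base_cidr} has host bits set; use the network address")
    borrowed = bits_to_borrow(wanted_subnets)
    new_prefix = base_prefix + borrowed
    if new_prefix > 32:
        raise ValueError(f"cannot carve {wanted_subnets} subnets out of /{base_prefix}")
    step = 1 << (32 - new_prefix)          # addresses per new subnet
    subnets = [describe(base + i * step, new_prefix) for i in range(1 << borrowed)]
    # Cross-check the subnet boundaries against the standard library.
    expected = [str(n) for n in
                ipaddress.ip_network(base_cidr).subnets(prefixlen_diff=borrowed)]
    assert [s["subnet"] for s in subnets] == expected
    return subnets


if __name__ == "__main__":
    # Reproduces the table in the article: 192.168.1.0/24 split into 4 subnets.
    print(f"{'Subnet':<18}{'First IP':<16}{'Last IP':<16}{'Broadcast':<16}Hosts")
    for s in split_network("192.168.1.0/24", 4):
        print(f"{s['subnet']:<18}{s['first']:<16}{s['last']:<16}"
              f"{s['broadcast'] or '-':<16}{s['usable_hosts']}")
```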

To make the task of performing these calculations easier, there are online calculators such as this one.

Subnet-to-subnet communication

Although subnets may be part of the same local network, let us not forget that now each subnet is a different network. A router is required for devices on different subnets to communicate. The router will determine whether the traffic is local or remote using the subnet mask.
Each subnet connects to a router interface, which is assigned an IP from those available for hosts. This address will be the default gateway that we will set on the computers in that subnet. All computers must have the same subnet mask (255.255.255.192 in our example).

IPv6 Subnets

Creating IPv6 subnets is different and often less complex than creating IPv4 ones. Whereas IPv4 sets aside the network address and the broadcast address in each subnet, these two concepts do not exist in IPv6, so no addresses need to be reserved for them.

Creating an IPv6 Subnet

An IPv6 Unicast address has 128 bits in hexadecimal format. These 128 bits are divided into the following elements:

  • Global Routing Prefix: The first 48 bits indicate the portion of the network assigned by the service provider to a client.
  • Subnet ID: The next 16 bits after the global routing prefix are used to identify the different subnets.
  • Interface ID: The last 64 bits are the equivalent of the host bits of an IPv4 address, allowing each subnet to hold up to 18 quintillion host addresses.

To create IPv6 subnets, just incrementally increase the subnet ID:
Example:

  • Global routing prefix: 2001:0db8:000b::/48
  • Subnets:
    • 2001:0db8:000b:0001::/64
    • 2001:0db8:000b:0002::/64
    • 2001:0db8:000b:0003::/64
    • 2001:0db8:000b:0004::/64
    • 2001:0db8:000b:0005::/64
    • 2001:0db8:000b:0006::/64
    • 2001:0db8:000b:0007::/64

Point-to-point networks

A point-to-point network is a particular type of network that directly communicates between two nodes, making communication between them easier, since each data channel is used to communicate only between those two devices.

Point-to-point subnets

A point-to-point subnet is a type of subnet with a /31 mask, which leaves only two addresses available to hosts. A broadcast IP is not needed in this type of configuration, as there is only communication between two computers.
These networks are used more in WAN than in LAN environments. They are very easy to configure and low in cost, but they are not scalable and their performance is not the best, since both devices act as client and server over a single link.

Subnet disadvantages and limitations

Although subnets provide several advantages, they also have limitations:

  • Network design complexity: The initial design and configuration may be challenging, and it is necessary to maintain a clear outline of the whole network for proper maintenance.
  • Waste of IP addresses: Each subnet needs to set aside two IPs (primary address and broadcast address) that cannot be assigned to devices. In addition, if subnets are isolated and all have the same size, unused addresses in one subnet cannot be used in another.
  • Appropriate router required: A router capable of handling the infrastructure is required, increasing complexity in routing tables.

Despite these limitations, the benefits of subnetting often outweigh the disadvantages, making it a common practice for many companies to improve the performance and security of their networks.

What do the different parts of an IP address mean?

This section focuses on IPv4 addresses, which are presented as four decimal numbers separated by periods, such as 203.0.113.112. (IPv6 addresses are longer and use letters and numbers.)
Each IP address has two parts. The first part indicates to which network the address belongs. The second part specifies the device on that network. However, the length of the “first part” changes depending on the network class.
Networks are classified into different classes, labeled A through E. Class A networks can connect millions of devices. Class B and class C networks are progressively smaller. (Class D and Class E networks are not commonly used).

Network Class Breakdown

  • Class A Network: Everything that goes before the first point indicates the network, and everything that goes after specifies the device on that network. If you use 203.0.113.112 as an example, the network is indicated with “203” and the device with “0.113.112.”
  • Class B Network: Everything that goes before the second point indicates the network. If you use 203.0.113.112 again as an example, the network is indicated with “203.0” and the device within that network with “113.112.”
  • Class C Network: In class C networks, everything that goes before the third point indicates the network. If you use the same example, “203.0.113” indicates the class C network, and “112” indicates the device.

Importance of subnets

The structure of IP addresses makes it relatively easy for Internet routers to find the right network to send data to. However, a Class A network, for example, may have millions of connected devices, and it can take time for data to reach the right one. That is why subnets are useful: they narrow the search to a smaller range of devices.
Since an IP address is limited to indicating the network and address of the device, IP addresses cannot be used to indicate which subnet an IP packet should go to. Routers on a network use something known as a subnet mask to classify data into subnets.

What is a subnet mask?

A subnet mask is like an IP address, but only for internal use within a network. Routers use subnet masks to direct data packets to the right place. Subnet masks are not indicated within data packets traversing the Internet: those packets only indicate the destination IP address, which a router will match to a subnet.

Subnet Mask Example

Suppose an IP packet is addressed to the IP address 192.0.2.15. This IP address is a class C network, so the network is identified with “192.0.2” (or technically, 192.0.2.0/24). Network routers forward the packet to a server on the network indicated by “192.0.2.”
Once the packet reaches that network, a router on the network queries its routing table. It performs binary mathematical operations with its subnet mask of 255.255.255.0, sees the address of the device “15” (the rest of the IP address indicates the network) and calculates which subnet the packet should go to. It forwards the packet to the router or switch responsible for delivering the packets on that subnet, and the packet arrives at IP address 192.0.2.15.
In short, a subnet mask helps routers classify and route traffic efficiently within a large network, thereby improving network performance and organization.
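The mask operations described in this section, as an added example that is not part of the original article: the bitwise AND a host or router applies to split an address into network and host parts, the resulting local-or-gateway decision (including what goes wrong when a host is configured with the wrong mask), and a longest-prefix route lookup over the four /26 subnets calculated earlier. The route table and interface names are constructed for the example.

```python
"""Applying a subnet mask: local-or-remote decision and route lookup.

Added example (not from the original article). Uses Python's standard
ipaddress module; the route table and interface names are constructed.
"""
import ipaddress


def network_of(ip: str, mask: str) -> str:
    """The binary operation the text describes: address AND mask."""
    ip_int = int(ipaddress.IPv4Address(ip))
    mask_int = int(ipaddress.IPv4Address(mask))
    return str(ipaddress.IPv4Address(ip_int & mask_int))


def host_in_subnet(ip: str, mask: str) -> int:
    """Host part: address AND NOT mask (the '15' in the 192.0.2.15 example)."""
    ip_int = int(ipaddress.IPv4Address(ip))
    mask_int = int(ipaddress.IPv4Address(mask))
    return ip_int & ~mask_int & 0xFFFFFFFF


def where_to_send(src_ip: str, mask: str, gateway: str, dst_ip: str) -> str:
    """What a host does with a packet: 'direct' if the destination is in its
    own subnet, otherwise the default gateway it hands the packet to."""
    if network_of(src_ip, mask) == network_of(dst_ip, mask):
        return "direct"
    return gateway


# Constructed routing table for the four /26 subnets calculated earlier,
# plus a default route. Interface names are hypothetical.
ROUTES = [
    ("192.168.1.0/26", "eth0"),
    ("192.168.1.64/26", "eth1"),
    ("192.168.1.128/26", "eth2"),
    ("192.168.1.192/26", "eth3"),
    ("0.0.0.0/0", "wan0"),
]


def next_hop(dst_ip: str, routes=ROUTES):
    """Longest-prefix match: the most specific route containing dst wins."""
    dst = ipaddress.IPv4Address(dst_ip)
    best_net, best_iface = None, None
    for cidr, iface in routes:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


if __name__ == "__main__":
    print(network_of("192.0.2.15", "255.255.255.0"))       # 192.0.2.0
    print(host_in_subnet("192.0.2.15", "255.255.255.0"))   # 15
    # A host with the correct /26 mask hands cross-subnet traffic to the gateway...
    print(where_to_send("192.168.1.10", "255.255.255.192", "192.168.1.1", "192.168.1.70"))
    # ...while one wrongly left at /24 believes the destination is local and
    # tries to deliver directly, which is why every host needs the same mask.
    print(where_to_send("192.168.1.10", "255.255.255.0", "192.168.1.1", "192.168.1.70"))
    print(next_hop("192.168.1.130"))                       # eth2
```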

Conclusion

Subnetting is a key technique for dividing large networks into more manageable subnets, thereby improving network performance, security, and management. Although the process can be complex, online tools and calculators can make it significantly easier. Understanding and effectively applying subnetting is essential for any network administrator.

Market analyst and writer with +30 years in the IT market for demand generation, ranking and relationships with end customers, as well as corporate communication and industry analysis.

About PandoraFMS
Pandora FMS is a flexible monitoring system, capable of monitoring devices, infrastructures, applications, services and business processes.
Of course, one of the things that Pandora FMS can control is the hard disks of your computers.

What NordPass can do that OS-specific password managers can’t

It’s not about the name – it’s about functionality

Apple recently made headlines with the launch of Apple Passwords, a new password management app currently in beta for iOS 18 users. Although this is significant news, this isn’t the first time a major tech player has ventured into password management. Microsoft introduced its Windows Credential Manager with Windows XP back in 2001, and it has been a part of every version of Windows since then, continuously updated.

When a big name like Apple releases a new product, there’s always a buzz about it aiming to be the best in its category. However, a big brand name doesn’t always guarantee the best option available—though it doesn’t mean the product is bad either.

So, when it comes to choosing the right password manager, it’s important to look beyond the brand and focus on functionality. To help with that, let’s compare the features of these OS-specific password managers with NordPass and highlight the elements that stand out.

OS-specific password managers vs. NordPass

When comparing NordPass to platform-specific password managers, two key factors to consider are security and ease of use. Let’s dive into these aspects in detail:

Security

Although the core function of all password managers is to keep all passwords safe in one place, not all password managers provide the same level of protection.

Password storage

Microsoft Credential Manager stores passwords locally on your device and encrypts them using the Windows Data Protection API (DPAPI). This setup is convenient for Windows users, but it relies on the security of the Windows operating system itself. Apple Passwords, in contrast, stores passwords in the iCloud Keychain, allowing secure access across all Apple devices.

NordPass takes a slightly different approach by keeping all passwords and other sensitive data in an encrypted cloud vault that can be accessed from any device. Moreover, NordPass uses XChaCha20, an encryption standard known for its exceptional security and performance, to encrypt the data before it is uploaded to the cloud. This ensures that all the information stored in the vault remains fully secure.

The zero-knowledge architecture

The term “zero-knowledge architecture” describes a design where a product is built so that the provider cannot access the user’s data stored in the system or service. Microsoft Credential Manager doesn’t fully follow this approach. Although it encrypts passwords, the encryption keys and processes are managed by Windows, which means Windows itself could potentially decrypt the data.

Apple Passwords uses a version of zero-knowledge with end-to-end encryption. This setup ensures that Apple can’t access your passwords because only your device holds the decryption keys.

NordPass goes all in with zero-knowledge architecture, with encryption and decryption occurring only on the user’s device to ensure that no one—including the NordPass team—can access their passwords.

Safe credential sharing

Microsoft Credential Manager doesn’t offer a built-in way to share passwords, so you have to do it manually, which can be quite risky. Apple Passwords makes sharing easier and more secure by using AirDrop and iCloud, with encryption to protect your credentials during transfer. NordPass, however, offers secure password-sharing features directly in the app, allowing you to share passwords with trusted contacts through encrypted channels.

Ease of use

The ease of use for password managers largely depends on their compatibility with your devices and how simple it is to use and manage your stored passwords. Let’s look at how these aspects compare among the OS-specific solutions and NordPass.

Compatibility

Windows Credential Manager is well-integrated with the Windows system but is limited to Microsoft environments. It only supports browser extensions for Internet Explorer and Microsoft Edge, which might be inconvenient for users who prefer other browsers.

The Apple Passwords app works seamlessly across Apple devices like iPhones, iPads, and Macs, and integrates well with various Apple services. It also offers browser extensions for Safari, providing a smooth experience for users within the Apple ecosystem. However, its support for non-Apple platforms and browsers is highly limited.

NordPass offers broad compatibility across multiple operating systems, including Windows, macOS, Linux, iOS, and Android. It also provides extensions for popular browsers like Chrome, Firefox, and Edge, ensuring a consistent experience regardless of the platform or browser you’re using.

Login experience

Microsoft Credential Manager does a decent job with autofill and autosave for Windows apps, but it’s quite basic compared to other options. Apple Passwords excels at autofill and autosave features within the Apple ecosystem. It automatically fills in login details and saves new passwords across Safari and other supported apps, making it easy for users to manage their credentials on Apple devices.

NordPass offers robust autofill and autosave features across various browsers and applications. It ensures that your credentials are automatically filled in and saved as you browse, making password management effortless. NordPass also provides seamless integration with its mobile and desktop apps, enhancing the overall user experience.

Additional features

Some modern password managers do more than just help you manage your passwords – they offer extra features that can boost your cybersecurity and make navigating the online world somewhat easier. However, this isn’t true for all of them.

OS-specific solutions

Microsoft Credential Manager mainly focuses on handling credentials without offering much beyond that. Its key extra feature is support for Windows Hello, which allows you to log in using biometric authentication.

Apple Passwords, on the other hand, provides a wider range of features. It can detect weak, reused, and compromised passwords, generate strong new ones, and sync credentials across Apple devices. It also integrates with two-factor authentication, generating and autofilling verification codes for supported accounts. These features make Apple Passwords a more compelling choice for Apple customers.

NordPass

NordPass includes the features of Apple Passwords, such as password health checks, secure credential sharing, two-factor authentication (2FA), password generation, and data breach alerts. But it also offers some additional benefits:

  • Email Masking: This feature lets users create temporary email addresses for signing up for services or newsletters so that they don’t have to share their real email addresses.

  • Activity Log: With NordPass, businesses can keep an eye on all account access activity across their organizations, making sure that only the right people are getting into the right resources.

  • Data Breach Scanner: Apple Passwords can alert you if your passwords are compromised, and so can NordPass. But NordPass goes a step further with its advanced data breach monitoring tool for businesses. It scans the dark web for any mentions of a company’s credentials and sends instant alerts if its business information is at risk.

  • Company-Wide Settings: NordPass also lets organizations set and enforce a strong password policy for all employees. This ensures everyone uses secure passwords, enhancing overall security.

Additionally, by making it easy to onboard and offboard members, and featuring a user-friendly design that’s easy to navigate, NordPass provides a comprehensive solution that covers a lot of cybersecurity ground. This allows both individual users and organizations to protect themselves more effectively and enjoy greater freedom online.

What are the risks associated with using an OS-specific password manager?

First off, using a password manager tied to a specific OS, like Apple Passwords, can cause issues if you want to sync or access your passwords across different devices, unless they’re all from Apple. This could lock you into one vendor’s ecosystem and make it difficult to switch platforms later without losing access to your passwords. There are also potential security risks if the OS updates, which could affect how the password manager works and lead to compatibility issues or vulnerabilities.

For companies, the problems can be even bigger. Employees on different operating systems might face inefficiencies because there’s no unified solution, leading to downtime and decreased productivity. IT departments would need to manage multiple systems, which can be more complex and require more time to support and maintain. This might also mean extra training, which adds to the costs.

Additionally, since it’s uncommon for all employees to use the same brand of device, enforcing consistent security policies for multiple password managers becomes challenging. This can create security gaps and make it harder to meet some industry standards and data privacy regulations.

Give NordPass a try and form your own opinion

We could go on to explain the differences between NordPass and OS-specific password managers, and point out how we think NordPass excels in terms of security and usability. However, it’s always better to feel the difference rather than just hear about it.

Therefore, we encourage you to try our 14-day free trial for the Business plan (30 days for Premium) and see for yourself how NordPass offers an enhanced password management experience beyond what you might expect from similar tools. We’d be interested to hear your thoughts!

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, endpoints, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, points of sale, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which includes Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About NordPass
NordPass is developed by Nord Security, a company leading the global market of cybersecurity products.

The web has become a chaotic space where safety and trust have been compromised by cybercrime and data protection issues. Therefore, our team has a global mission to shape a more trusted and peaceful online future for people everywhere.

Understanding the differences between DORA and NIS2

Are you prepared for the new cyber storm on the horizon? Major regulatory changes are coming that will impact many European organizations. With the rise of cyber threats in recent years, European governments have introduced new regulations to strengthen the cybersecurity requirements for organizations across industries.

Two major upcoming directives—DORA and NIS2 from the European Union—aim to bolster cyber resilience for essential services. Strengthening defenses is crucial, yet sorting through shifting security rules and standards can feel overwhelming.

While both address improving cyber defenses, these regulations differ in scope and requirements. This guide is here to help you navigate the changes with clarity. We’ll explore the key details of each directive, compare their differences, and discuss how to prepare your organization for compliance.

What is DORA?

The Digital Operational Resilience Act (DORA) is an EU regulation aimed at ensuring the financial sector within the EU can withstand, respond to, and recover from all types of ICT-related disruptions and threats. It focuses specifically on financial entities like banks, investment firms, and others that provide critical financial services.

The primary goal of DORA regulation is to enhance operational resilience and manage risks associated with third-party service providers. Set to take effect in January 2025, DORA will significantly impact financial sector organizations operating within the European Union.

What is NIS2?

The Revised Network and Information Systems (NIS2) Directive is an updated EU cybersecurity law that expands the scope of its 2013 predecessor. NIS2 broadens the categories of “important” and “essential” entities subject to the regulation beyond just operators of critical infrastructure like energy, transport, banking, financial market infrastructures, and health.

Essential versus important entities

The directive also imposes new requirements for supply chain security, risk assessments, incident reporting, and third-party risk management. The NIS2 Directive will be enforced starting in October 2024 and apply to any essential service provider operating within the EU.

Why are NIS2 and DORA important?

Attacks can disrupt essential functions and compromise privacy as more services and personal data move online. To mitigate cyber risks, both NIS2 and DORA aim to increase operational resilience and security practices across crucial sectors.

Therefore, the two directives are crucial for businesses due to several compelling reasons:

  • Enhanced cybersecurity. DORA focuses on the financial sector, emphasizing operational resilience and risk management, ensuring financial entities can withstand and quickly recover from cyber incidents. NIS2 applies to a broader range of essential service providers, significantly bolstering their cybersecurity measures.

  • Regulatory compliance. Both directives set strict regulatory requirements. Non-compliance can lead to hefty fines, sanctions, and damage to a company’s reputation. Ensuring compliance helps businesses avoid these financial and legal risks, maintaining a positive standing with regulators and customers.

  • Customer trust & confidence. Compliance with NIS2 and DORA demonstrates a business’s commitment to protecting personal and financial data, fostering trust and confidence among customers. This trust can translate into customer loyalty and a competitive edge in the market.

  • Operational resilience. Both directives aim to enhance the resilience of critical infrastructure. DORA ensures that the financial sector can continue operating smoothly during cyberattacks, whereas NIS2 focuses on ensuring the continuity of services provided by essential entities across various sectors.

  • Supply chain security. NIS2 requires businesses to assess and manage risks associated with their third-party vendors, mitigating potential vulnerabilities. DORA also includes provisions for third-party risk mitigation, ensuring robust measures are in place to manage risks from external service providers.

  • Incident reporting & response. Both NIS2 and DORA mandate comprehensive incident reporting and response mechanisms, ensuring businesses can promptly detect, respond to, and recover from cyber incidents. Regular breach reporting and analysis help improve overall cybersecurity strategies.

  • Harmonized standards. These directives aim to harmonize cybersecurity standards across the EU, creating a more consistent and secure digital environment. This simplifies compliance efforts and ensures businesses operate at the highest security standards across all regions.

  • Future-proofing. As cyber threats evolve, regulatory requirements are likely to become more stringent. By complying with DORA and NIS2, businesses position themselves ahead of the curve, proactively adopting best practices to adapt to future regulatory changes.

Key differences between NIS2 and DORA

Even though NIS2 and DORA directives may seem similar, there are some key differences organizations should be aware of. While both frameworks aim to bolster security, their scopes, sectors, compliance dates, and requirements vary.

  • Scope: DORA applies to financial sector entities within the EU, while NIS2 Directive covers all essential service providers across the EU

  • Sectors: DORA targets the financial sector, whereas NIS2 expands to industries like health, energy, and more

  • Compliance date: DORA is set to take effect in January 2025, while NIS2 Directive goes into effect in October 2024

  • Requirements: DORA regulation emphasizes operational resilience, whereas NIS2 includes comprehensive supply chain reviews and stringent reporting obligations

  • Non-compliance penalties: Entities found non-compliant with DORA may face fines up to 2% of annual global turnover or €1 million for individuals, whereas NIS2 establishes larger fines of up to €10 million or 2% of turnover—whichever is higher—for non-compliance

By recognizing these distinctions, businesses can better navigate their compliance strategies, ensuring they meet the necessary standards and improve their cybersecurity defenses.

Preparing for increased compliance

To effectively prepare for NIS2 and DORA compliance, businesses should take the following steps:

Conduct risk assessments

Perform thorough vulnerability assessments to identify potential vulnerabilities and threats. Evaluate the impact of identified risks on your organization and prioritize mitigation strategies.

Review third-party relationships

Assess the security posture of all third-party vendors and partners and ensure that third-party risk mitigation practices, including regular audits and reviews, are in place.

Develop and document incident response plans

Create detailed incident response plans outlining steps to take during a cybersecurity event; ensure these plans are well-documented and accessible to all relevant personnel.

Implement reporting procedures

Establish clear procedures for reporting security incidents to regulators and stakeholders. Ensure these procedures comply with the requirements of NIS2 and DORA.

Train staff regularly

Conduct regular training sessions on cyber hygiene, focusing on password management and recognizing phishing attempts. Provide specialized training on spear phishing and other targeted attack methods.

Document compliance efforts

Maintain thorough documentation of all compliance-related activities and efforts. This documentation demonstrates diligence and can be beneficial during regulatory reviews.

Outsource to experts

Consider outsourcing functions like cloud infrastructure management, security monitoring, or compliance auditing to specialized service providers. Leveraging expert services can reduce the burden on in-house teams and ensure higher compliance standards.

Audit & update regularly

Schedule regular internal audits to review compliance status and identify areas for improvement. Stay updated on changes in regulatory requirements and adjust your strategies accordingly.

Engage with regulatory bodies

Maintain open communication with relevant regulatory bodies to stay informed about compliance expectations. Seek guidance and clarification on any aspects of DORA and NIS2 that may be unclear.

How NordLayer can help achieve compliance

As a network security provider, NordLayer offers tools and services tailored to help organizations achieve compliance with both directives:

  1. Secure access management: Utilize our business VPN for encrypted connections with masked identities, and implement Always-On VPN and Multi-Factor Authentication (MFA) to ensure safe and controlled access to your network. Secure access technologies ensure compliance with DORA’s emphasis on thorough access control practices, in addition to fulfilling many of the access governance standards outlined in NIS2.

  2. Network segmentation: Enforce stringent security policies using a robust Cloud Firewall and advanced access control features like Network Access Control (NAC).

  3. Continuous visibility & monitoring: A network visibility solution ensures comprehensive monitoring of network activity and devices. It fuses activity information, Server Usage Analytics, and Device Posture Monitoring to track traffic and performance in real-time. Ensure secure network access through features such as DNS filtering and Device Posture Security checks that verify endpoint security posture before network entry. Such visibility is crucial for meeting regulatory requirements, facilitating audits, and demonstrating practical usage of security controls.

  4. Protection of sensitive information: Comply with data sovereignty requirements through comprehensive NAC solutions like VPN gateways, dedicated servers, Cloud Firewall, and Device Posture Security, as well as advanced user authentication methods, such as MFA, biometrics, SSO, and user provisioning—addressing DORA’s and NIS2’s mandates for data protection.

  5. Manage vendor risks: Our solutions isolate third-party access to only needed resources. Additionally, NordLayer can be trusted to comply with customers’ vendor security requirements and international standards.

With NordLayer, businesses can simplify infrastructure security management and meet the stringent requirements of both the NIS2 and DORA directives. Contact us to discuss how we can assist with your compliance journey.

About NordLayer
NordLayer is an adaptive network access security solution for modern businesses – from the world’s most trusted cybersecurity brand, Nord Security.

The web has become a chaotic space where safety and trust have been compromised by cybercrime and data protection issues. Therefore, our team has a global mission to shape a more trusted and peaceful online future for people everywhere.
