Let’s be honest. For most of us, using Microsoft 365 is about getting things done. We send emails in Outlook, create presentations in PowerPoint, collaborate in Teams, and save our files in SharePoint. It’s the engine of our digital working life.
The world of cyber regulation is changing, and the rules are getting a lot more serious. From Europe, we have the new NIS2 Directive and the Digital Operational Resilience Act (DORA). And right here in the UK, the government is moving forward with the Cyber Security & Resilience Bill. These aren’t just new laws for lawyers and auditors; they are seismic shifts that demand a new way of thinking about how we use our everyday tools.
The New Rules of the Game: A Simple Breakdown
Before we dive into the “how-to,” let’s demystify these new regulations. They are all slightly different, but their core principles are remarkably similar.
- The EU’s NIS2 Directive: Proactive Cyber Health
NIS2 extends the list of “essential” and “important” entities across Europe, potentially affecting over 160,000 organisations.
- Core Requirement: If you provide a service important to society, you have a fundamental duty to be cyber-resilient.
- Proactive Mandate: You can’t just react to a breach; you must actively work to prevent one through incident response plans, MFA, and supply chain security.
- The UK’s Cyber Security & Resilience Bill: A Tougher Stance
A “fusion approach” that takes inspiration from both NIS2 and DORA to update existing UK regulations.
- Managed Service Providers (MSPs): This Bill is set to bring more businesses into scope, most notably MSPs.
- Reporting Deadlines: It proposes much stricter incident reporting, potentially within 24 hours of becoming aware of a significant incident.
- The EU’s DORA: Financial Fitness for the Digital Age
Specifically aimed at the financial services sector and its critical technology suppliers.
- Digital Resilience: Requires banks and insurers to have a comprehensive plan to handle a full-blown digital meltdown.
- Third-Party Responsibility: Makes institutions directly responsible for the security posture of their third-party tech providers, like cloud providers.
The Elephant in the Room: The Shared Responsibility Model
This is the single most important concept to grasp. You might think, “Well, Microsoft must be compliant, so we are too.” This is a dangerous oversimplification.
| Feature | Responsible Party | Responsibility Scope |
|---|---|---|
| Security OF the Cloud | Microsoft | Physical data centres, networking hardware, and underlying infrastructure. |
| Security IN the Cloud | The User/Organisation | Your data, identities, devices, and access controls. |
The new regulations place the burden of proof firmly on your shoulders. You must prove you are using the tools provided to secure your environment.
Turning the Dial: From Reactive to Proactive with Microsoft 365
How do you do this without hiring a team of in-house experts? The answer lies in leveraging tools already part of your Microsoft 365 subscription.
- Identity and Access Management: Your Front Door
Every cyberattack starts with an identity.
- Microsoft Entra ID: The central hub for enabling Multi-Factor Authentication (MFA), the simplest way to block a vast majority of attacks.
- Conditional Access Policies: Smart rules that manage risk based on user location or device status.
- Privileged Identity Management (PIM): Provides “just-in-time” access to admin roles, reducing the risk of compromised admin accounts.
- Data Protection and Governance: The Vault
- Microsoft Purview: A suite of tools to see and manage data across your entire environment.
- Data Loss Prevention (DLP): Automatically prevents sensitive data from being emailed outside the company or saved to unapproved locations.
- Sensitivity Labels: Used to classify and automatically encrypt documents based on risk.
- Incident Response and Management: The Fire Alarm
- Microsoft Defender Suite: Scans emails for phishing and protects employee devices.
- Microsoft Sentinel: A central security dashboard using AI to spot threats and automate responses, critical for meeting tight reporting deadlines.
- Continuous Compliance: Your Report Card
- Microsoft Purview Compliance Manager: Provides a real-time “compliance score”.
- Actionable Templates: Built-in templates for DORA and NIS2 break down requirements into clear tasks and allow you to upload evidence for auditors.
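As an added illustration (not code from the original article or from Microsoft), the Microsoft Graph PowerShell snippet below creates a Conditional Access policy of the kind described under Identity and Access Management above: it requires MFA and a compliant device for all users, is created in report-only mode so the sign-in impact can be reviewed before enforcement, and excludes a break-glass account whose object ID is a placeholder.

```powershell
# Requires the Microsoft.Graph PowerShell SDK (Install-Module Microsoft.Graph).
# Added example, not code from the article: builds a Conditional Access policy
# that requires both MFA and a compliant (Intune-managed) device for every user.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Placeholder: object ID of the emergency-access ("break-glass") account.
# Excluding it stops a misconfigured policy from locking every admin out.
$breakGlassAccountId = "<BREAK-GLASS-ACCOUNT-OBJECT-ID>"

$policy = @{
    displayName = "Baseline - Require MFA and compliant device"
    # Report-only mode records what the policy would have done without
    # blocking anyone; switch to "enabled" only after reviewing sign-in logs.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassAccountId)
        }
        applications = @{
            includeApplications = @("All")
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        # "AND" means both controls must be satisfied at sign-in.
        operator        = "AND"
        builtInControls = @("mfa", "compliantDevice")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Output "Created policy $($created.Id) in state $($created.State)"

# The policy definition itself is auditor evidence: export it as JSON.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    ConvertTo-Json -Depth 10 | Out-File "ca-policy-$($created.Id).json"
```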
It’s a Mindset, Not a Product
Microsoft 365 gives you the toolbox, but you are the builder. Achieving continuous compliance is both a technical and a cultural challenge.
Key Takeaways for Organisations:
- Make it a shared responsibility: Educate employees with regular cyber awareness training.
- Don’t wait for a breach: Start with a gap analysis to understand your current position.
- Embrace the tools: You are already paying for these features; use them to build a resilient, secure, and trustworthy organisation.
By using the tools you already have and seeking expert guidance from a partner like Elasticito, you can turn a regulatory burden into an opportunity to build a safer business.
Created: September 29th, 2025
Reviewed: March 16th, 2026