
In an age where digital operations underpin every critical service, regulatory frameworks are rapidly advancing to enforce resilience, oversight, and trust. SpearIT supports organizations in navigating this evolving landscape, translating complex legal obligations into pragmatic compliance strategies.
Our advisory spans key frameworks, including DORA, NIS2, and the EU Cybersecurity Regulation for EU institutions, and offers a unified, future-proof approach to regulatory readiness.
Our methodology addresses both the breadth and depth of regulatory requirements. Whether you are a financial entity facing DORA’s operational resilience obligations, a critical infrastructure operator under NIS2’s broad scope, or an EU body subject to the Regulation (EU, Euratom) 2023/2841, our experts deliver tailored compliance road-maps, governance models, and assurance frameworks.
We help financial-sector organizations and their ICT service providers meet DORA’s requirements for ICT-risk management, digital-resilience testing, third-party oversight, and governance accountability.
The Regulation (EU) 2022/2554 on Digital Operational Resilience for the Financial Sector (aka Digital Operational Resilience Act - DORA) was adopted by the EU in November 2022. Targeting any financial entity within the EU, as well as critical providers of ICT services to financial entities, it aims to create a harmonized regulatory framework for digital operational resilience. To achieve this, the practice of ICT risk management is brought to the foreground, along with requirements for operational resilience testing and for the identification, handling, and notification of operational resilience incidents.
The National Competent Authorities of the Member States will need to enforce the regulation and supervise compliance, with the power to impose administrative penalties on members of the management body of a non-compliant financial entity.
| Financial Entities | ICT Service Providers |
|---|---|
| BFSI sector entities | Cloud Service Providers (CSPs) |
| Brokers | Software Providers |
| Investment firms | Critical ISVs |
| Credit Institutions | Fraud Management Providers |
| Payment Solutions Providers | Managed Security Service Providers (MSSPs) |
We support essential and important entities across sectors—from energy and transport to IT services—in achieving full alignment with NIS2’s requirements for cyber-risk strategies, incident handling, supply-chain resilience, and supervisory readiness.
The Directive on Measures for a High Common Level of Cybersecurity across the Union (aka NIS 2 Directive) was published on 27 December 2022. The NIS2 Directive is a significant extension of the initial NIS Directive of 2016. A core difference between the two directives is the much wider range of sectors required to comply with the Directive.
Like all European directives, it is transposed into national legislation by every Member State, with the deadline set for October 2024. Thereafter, the National Competent Authorities of the Member States will need to ensure compliance at the national level and enforce the national law, with the power to impose penalties and conformance measures.
NIS 2 defines two categories of entities within the EU, based on their criticality to the EU economy and society: essential and important entities:
| Essential Entities (EEs) | Important Entities (IEs) |
|---|---|
| >250 employees, >50 M€ turnover, >43 M€ balance | 50-250 employees, turnover between 10 and 50 M€, balance < 43 M€ |
| Energy: supply, distribution, transmission and sale of electricity, gas, oil, heating/cooling, hydrogen, EV charging point operators | Postal and courier services providers |
| Air, rail, road and water transport | Waste management |
| Banking & finance: credit, trade, market and infrastructure | Chemical products: production and distribution |
| Health: healthcare providers, research laboratories, pharmaceuticals, medical device manufacturing | Food: distribution and production |
| Water: drinking water suppliers and wastewater operators | Manufacturers: medical/diagnostic devices, computers, electronics, optics, machinery, motor vehicles, trailers, semi-trailers, other transport equipment |
| Digital infrastructure and IT services: DNS, name registries, trust services, data centres, cloud computing, electronic communication services, managed services and managed security services | Digital providers: online marketplaces, search engines, social platforms |
| Public administration | Research organisations |
| Space: ground-based infrastructure operators | |
Regulation (EU) 2023/2841 establishes a unified cybersecurity governance and resilience framework for all EU Institutions, Bodies, Offices, and Agencies (EUIBAs). It mandates structured risk management, stronger oversight, and systematic cooperation among EU entities and CERT-EU.
We deliver specialized advisory on governance, cyber-risk maturity, incident coordination, supply-chain assurance, and compliance monitoring tailored to the regulation’s unique institutional obligations, such as:
| Obligation | What the regulation requires |
|---|---|
| Harmonized Cybersecurity Framework | The regulation establishes a standardized cybersecurity framework across all EU institutions, ensuring that they follow consistent security protocols and policies. |
| ICT Risk Management | EUIBAs are required to implement risk management strategies, identify vulnerabilities, and adopt cybersecurity measures proportionate to the identified risk levels. |
| Cybersecurity Policies & Measures | EUIBAs shall have comprehensive cybersecurity policies in place, implemented by specific measures, including but not limited to the following domains: zero-trust architecture, teleworking, multifactor authentication, end-to-end communications encryption, proactive malware protection, ICT asset management, vulnerability management, penetration testing, BC/DR management. |
| Incident Reporting & Response | EUIBAs must adopt incident detection and response mechanisms, including procedures for reporting cybersecurity incidents. They are required to notify the Computer Emergency Response Team for the EU institutions (CERT-EU) promptly when significant incidents occur. |
| Continuous Auditing & Monitoring | Regular audits and continuous monitoring of ICT systems are mandatory to ensure compliance with the regulation, including the evaluation of cybersecurity defenses and regular reviews of implemented security measures. |
| Coordination & Information Sharing | EU institutions must cooperate with CERT-EU and other relevant bodies to share cybersecurity information, best practices, and lessons learned from incidents. |
| Supply-chain Security | Institutions must ensure that third-party vendors and suppliers meet the required cybersecurity standards, as supply-chain vulnerabilities can pose significant security risks. Supply-chain security is a key element of the overall cybersecurity strategy. |
We bring together regulatory insight, cybersecurity assurance, and organizational design expertise to guide organizations through common challenges, such as:
Our success stories highlight our work with governments, regulators, and trust service providers to design, assure, and secure national eID schemes and trust service ecosystems recognized across Europe and beyond, through: