Microsoft Corporation

11/05/2025 | Press release | Distributed by Public on 11/05/2025 12:22

Securing critical infrastructure: Why Europe’s risk-based regulations matter

The Deputy CISO blog series is where Microsoft Deputy Chief Information Security Officers (CISOs) share their thoughts on what is most important in their respective domains. In this series, you will get practical advice, tactics to start (and stop) deploying, forward-looking commentary on where the industry is going, and more. In this article, Freddy Dezeure, Deputy CISO for Europe at Microsoft, dives into the global security benefits of recent European legislation.

Today's cyberthreats are not just targeting individual enterprises; they are undermining the very foundations of our society. Hospitals where emergency care is delivered. Power grids that keep our cities running. Communication networks that connect families and emergency services. Financial systems that enable commerce and livelihoods. These aren't abstract IT problems; they're questions of human welfare and societal continuity.

Microsoft's security commitments are key to tackling these challenging cyberthreats. Security isn't simply a product feature or compliance checkbox; it's a fundamental commitment to protecting the people, communities, and critical services that depend on Microsoft's technology and services. These commitments also include translating adherence to Europe's groundbreaking new cybersecurity regulations into meaningful protection.

After a decade leading community cybersecurity efforts across critical infrastructure, from energy to telecommunications to financial services, I had planned to enjoy a quieter chapter. But when Microsoft approached me about joining the company as Deputy CISO for Europe, I couldn't resist getting involved in defending one of the world's most critical infrastructures and having impact from within. Because, at this moment in history, those of us who understand critical infrastructure security have a responsibility to act.

The landscape we face

Human society, the global economy, and the national security of every country in the world rely heavily on information, communication, and the operational technologies that make them possible at the speed and scale required by the modern world. Whenever these technologies face disruption, it becomes immediately clear just how reliant upon them we all are. Many organizations are ill-prepared to operate without information and communication technology (ICT). However, the current cyberthreat landscape makes the risk of digital disruptions very real, reinforcing the importance of cybersecurity and technological resilience. In short, cyber risk has become not just a material business risk, but a societal risk as well.

The findings from Microsoft's 2025 Digital Defense Report underscore this reality with striking clarity. Cybercriminals have become highly capable and organized, operating fast, at scale, and causing worldwide havoc. They've developed access brokerage services as a business model, selling stolen tokens and credentials to other hackers as an easy way into organizations. As AI becomes commoditized, even cybercriminals with limited technical expertise can expand their operations significantly.

Meanwhile, state-sponsored threat actors have moved beyond their traditional realm of strategic espionage. They're now hacking to gather operational information about their targets' logistic operations¹ and law enforcement² organizations. These cyberattackers have also been observed deploying antagonistic cyber activities as a precursor or accompanying measure to physical war, such as the disruption of satellite communication networks.³ Recently, we've seen a massive increase in attacks on telecommunications companies⁴ and the exploitation of vulnerable edge devices: routers, firewalls, switches, VPNs, and mobile device management solutions. The report notes that malicious actors remain focused on attacking critical public services because, when compromised, these targets have a direct and immediate impact on people's lives. Hospitals and local governments have faced real-world consequences: delayed emergency medical care, disrupted emergency services, canceled school classes, and halted transportation systems.

How NIS2 and DORA are transforming the CISO role

To combat these trends, the European Union adopted two powerful new pieces of legislation: the Network and Information Systems Directive 2 (NIS2) and the Digital Operational Resilience Act (DORA). These laws, as well as the factors that led to their creation, have broadened the role of the CISO so that it ideally reaches across all of an organization's infrastructural components: IT, operational technology (OT), Internet of Things (IoT), AI, and the supply chain. The role has become more strategic in focus through increased reporting to the board of directors and supporting their informed oversight. In my mind, this makes the role of CISO a much more complete and fulfilling endeavor.

NIS2 is sweeping cybersecurity legislation, establishing a common, high level of cybersecurity across the EU by strengthening requirements for risk management, incident reporting, and governance oversight for entities operating in critical sectors. DORA was similarly adopted to bolster the digital resilience of financial entities operating within the EU. The change required by these legal provisions is far-reaching, requiring organizations to take adequate measures to manage cybersecurity and resilience risks. There are stipulations making it the duty of directors to not only approve these measures but to oversee their implementation. Directors can also be held liable for adherence and must meet new requirements regarding training, knowledge, and expertise.

Both NIS2 and DORA are quite prescriptive, writing industry best practices regarding specific mitigating measures into law: multifactor authentication, cryptography, supply chain security, red teaming, and more. They also highlight the need to implement a risk-based approach, with DORA furthermore emphasizing the need to preserve resilience. They require many organizations to review their existing risk management and control systems, including those of the supply chain, as well as clearly spelling out their cyber governance, including the defining of roles, responsibilities, authorities, and reporting structures.

But compliance in and of itself is not the end goal. What compliance with NIS2 and DORA really means is ensuring the success and continuity of governments and businesses, along with the security of citizen and customer data. Resilience becomes more robust. Compliance, really, is a guidepost by which we direct our security strategy.

Less is more: Not all controls are created equal

The EU legislation rightly emphasizes a risk-based approach to cybersecurity (prioritizing protections based on the likelihood of a threat and its capacity for damage) alongside the need to validate the real-world effectiveness of key mitigating controls. It underscores that resilience must be preserved as the final safeguard when other defenses fail, and places ultimate accountability for cyber risk governance on the board of directors. These guiding principles should be embraced not only by industry leaders, but also by auditors and regulators, and deployed with rigor and strategic intent.

The Microsoft Digital Defense Report reinforces why this prioritization matters. With more than 97% of identity attacks being password attacks, and identity-based attacks surging by 32% in the first half of 2025 alone, we know where to focus at this point in time. Phishing-resistant multifactor authentication can stop more than 99% of these attacks. This is the kind of high-impact control that a risk-based approach demands we prioritize.

Conducting risk-based cybersecurity means prioritizing efforts to reach maximum effectiveness. Experience shows that a very limited subset of key mitigating controls can manage the most important security risks. Aiming for a complete implementation of all possible controls, as if they were all equal, is not ideal. In many ways, this represents a recalibration from the traditional framework-based deployment and audit approach.

Focusing on the implementation of key controls, assuring that they're functioning properly, and then measuring their effectiveness helps enable CISOs to create a strategic dashboard of key control indicators (KCIs) to support informed oversight. This will be an increasingly important tool moving forward, so let's look at what one might include. The following is a list of KCIs compiled by the CISO Metrics Working Group, composed of CISOs from large multinational corporations. It should serve us well as a starting point for determining KCIs. The first KCI in this list, which involves establishing an "inventory of ICT systems," is by far the most important. After all, an organization cannot protect something it doesn't know exists.

This list is not exhaustive, and the above KCIs may need to be fine-tuned for every organization. For example, a production enterprise may need to focus specifically on OT security and resilience while being mindful that patching vulnerabilities may not be very simple. Other mitigating measures, like network segmentation, would naturally also become key controls to highlight.

The EU legislation deliberately demands a risk-based approach. The bottom line here is that we should focus our cybersecurity and resilience efforts on mitigation measures that bring the highest possible benefit to our specific cyberthreat environment. Less is more, but do it well!

From regulation to action

Comprehensive and actionable guidance for CISOs and directors can be found in the recent publication of the Dutch Cyber Security Council Guide to Cybersecurity for Directors and Business Owners, which I co-authored. While the annexes of the document refer to EU legislation, I believe the core of the text to be broadly applicable.

Microsoft has already shared its new digital commitments in Europe, including a digital resilience commitment and additional security and encryption options. To learn more, check out Microsoft announces new European digital commitments.

The release of the Microsoft Digital Defense Report provides the latest intelligence on the cyberthreat landscape and actionable recommendations for organizations worldwide. The report makes clear that in this environment, organizational leaders must treat cybersecurity as a core strategic priority, not just an IT issue, and build resilience into their technology and operations from the ground up. Legacy security measures are no longer enough; we need modern defenses leveraging AI and strong collaboration across industries and governments to keep pace with the threat.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

¹ https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-141a

² https://www.microsoft.com/security/blog/2025/05/27/new-russia-affiliated-actor-void-blizzard-targets-critical-sectors-for-espionage/

³ https://cyberconflicts.cyberpeaceinstitute.org/law-and-policy/cases/viasat

⁴ https://www.wired.com/story/chinas-salt-typhoon-spies-are-still-hacking-telecoms-now-by-exploiting-cisco-routers/

Microsoft Corporation published this content on November 05, 2025, and is solely responsible for the information contained herein. Distributed via Public Technologies (PUBT), unedited and unaltered, on November 05, 2025 at 18:23 UTC.