
Comply or die: dealing with DORA

Ralf Bardoel and Daan Wagenaar, founders of CREDS, explain how to respond to the Digital Operational Resilience Act (DORA), the new European regulation designed to ensure that organisations become more resilient to cyber threats.

Comply or die; the solutions from CREDS

Since January 2023, the Digital Operational Resilience Act (DORA) has been in force: a European regulation with the ultimate goal of making financial organisations improve their IT risk management and become more resilient to cyber threats. Clearly, there has been a mismatch between increasing IT risk (and not just from China, Russia, North and South Korea and Iran) and the development of security procedures.

DORA aims to address technological risks for crowdfunding service providers, insurance intermediaries, investment institutions and trading platforms, in order to ensure digital robustness. The regulation focuses on strengthening risk management, IT incident management, supervision of critical IT service providers, governance & organisation, as well as testing.

Testing is where CREDS, an expert in offensive security, really excels.

Companies have until 17 January to comply with the new European regulations

Ralf Bardoel, who founded CREDS together with Daan Wagenaar, explains: ‘From 17 January 2025, the rules must be implemented in every so-called ‘vital’ organisation for society. However, those vital sectors are increasingly expanding, including towards small and medium-sized businesses with 25 or more people on board. AFM and DNB are jointly monitoring compliance.’

Comprehensive penetration testing

CREDS therefore focuses on comprehensive penetration tests. What does a client consider important, what is the security status of the organisation’s crown jewels, what should be done next, and when? In daily practice, the DGA (owner-director) often turns out to be miles away from realising the risks his company faces: risks from present threats that CREDS’ ART platform can detect in fine detail.

“Automated Red Teaming from CREDS performs truth-telling, creates a plan of attack towards those crown jewels, after which a security strategy, a sustainable and lasting solution, is developed and offered,” says CEO Ralf Bardoel.

So no putting on band-aids, but looking for the reason why things went wrong, and preventing it from happening again.

Recently, CREDS has noticed many hacks in the transport sector in the Netherlands. “That kind of incident, a rapidly growing oil slick, helps to raise awareness,” said Bardoel. “DORA addresses the risks in much more detail than we have experienced so far. Rule-based rather than principle-based. The non-committal has gone, so to speak. Stop-gaps are no longer sufficient. And all this also applies, for instance, to US companies with Dutch clients.”

Founders often do not fear cyber attacks, but their IT suppliers generally do. They have several customers and find it extremely painful when cyber security turns out not to be in order internally. After all, IT is their business, their specialism.

It’s an illusion that you won’t find anything during an attack

“Well, it’s difficult to have all that knowledge in-house when you are smaller than the Capgeminis of this world,” says Ralf Bardoel. “We put ourselves to the test and do so with a positive approach.”

Increasingly important in mergers and acquisitions: what is the status of cyber risks at a company to be acquired? Are there cyber-security skeletons in the cupboard? And how do you qualify them, what is the cost-benefit ratio, what is the impact on the crown jewels of the entire organisation? If an acquired company does not have its security in order, the parent company is at risk. Pension funds, for example, which invest in third parties. DORA requires, and very quickly, the status of chain security and that of critical chain partners.

CREDS’ offensive security experts work with financial sector consulting firms, in particular accounting and SME practices, among others. The aim is to enable companies to get in control, or to take current governance to the next level. Consulting firms bring clients into contact with CREDS, after which Bardoel and Wagenaar investigate what the crown jewels of an organisation actually are and how to safeguard them.

Ralf Bardoel: “It is important not to spend money on things that in reality are just a waste of time. With our Automated Red Teaming (ART) platform, we test the cyber resilience of organisations by carrying out real attacks. In terms of method and vision, CREDS and our clients complement each other flawlessly.”

Positive impact on society

Both founders strongly emphasise that making a positive impact on society counts heavily in their operations. For instance, CREDS works with clients on various social projects.

Getting people excited, imparting knowledge of hacking and keeping or bringing them on the straight and narrow in the process, that’s what we think is important.

One of the entities supported, for example, is Amersfoort-based ITvitae, founded in 2013 by social entrepreneurs Frans de Bie and Peter van Hofweegen. They both have strong social commitment and, with ITvitae, perceive opportunities to give talents with high-functioning autism or giftedness - often dropped out of mainstream education because autism profiles are not sufficiently taken into account there - perspective and come into their own in the overheated IT labour market.

“We have already had a number of ITvitae interns on board,” Ralf Bardoel explains. “What matters, we think, is that, as an organisation, you are open to helping others, helping them further. How beautiful is that?”

Another wonderful initiative CREDS is involved in is Quiet, a foundation founded in 2013 with the aim of alleviating poverty and empowering people. Quiet structurally draws attention to poverty in the Netherlands and, among other things, publishes the glossy Quiet 500, with a nod to, and as a counterpart to, the Quote 500. The foundation now boasts about 13 Quiet Communities, spread throughout the Netherlands, in which more than 4,000 members exchange inspiring experiences of what poverty does to them in daily life.

Ralf Bardoel and Daan Wagenaar emphasise that all these social initiatives can be done ‘thanks to the invoices we do send, to clients with whom things are going very well’. “Because of course you have to keep things going financially,” smiles Ralf Bardoel. “Together we work with about 20 funds to make that happen.”

Ralf Bardoel: “You see, insurance against cybercrime certainly doesn’t automatically ensure that an attack won’t be deployed again a week later…” And so testing, both CREDS founders believe, is the best way to counter and ultimately neutralise cybercrime. “Of course, again, you don’t have to become Fort Knox, but improvement, as we see in daily practice, is indeed a pure necessity,” says Bardoel. “Only when cybersecurity becomes basic hygiene will it be widely accepted.”

The financial press reported earlier this year that DGAs could potentially be held personally liable in the future if their companies do not manage cyber security. “At CREDS, we then immediately received calls about what to do,” responds Ralf Bardoel. “The financial sector is becoming increasingly dependent on tech companies for service delivery. That makes that same sector vulnerable to underlying problems with technology, and hence to such a cyber attack.”
