### The Impact of DORA and NIS 2 Regulations on Software Development Practices
European regulations such as DORA (Digital Operational Resilience Act) and NIS 2 (Network and Information Systems Directive) are transforming the security landscape in software development. These regulations impose new and significant requirements not only on security but also on the operational resilience of systems, pushing organizations to rethink their development practices, especially in cloud-native and DevSecOps contexts.
One of the most interesting and complex challenges arising from these regulations is the need to reconcile their prescriptive and documentation-focused nature with the agile principles typical of the cloud-native world. In this context, companies are faced with a crucial question: how can compliance be integrated into a fast and automated development process?
The answer to this challenge lies in the evolution of DevSecOps towards a “compliance as code” model. This approach implies that compliance is no longer viewed as a mere retrospective check but rather as an integrated process that occurs in real-time throughout the software lifecycle. Consequently, it is essential to implement security controls directly within Continuous Integration and Continuous Deployment (CI/CD) pipelines.
Transforming compliance into code automates the collection of the evidence that audits require and uses observability tools to monitor the security posture of applications in real time. These practices reduce the likelihood of human error and make risk management more effective.
In particular, the DORA regulation encourages organizations to go beyond security alone and pursue a broader approach to resilience. This includes adopting practices such as “chaos engineering,” a methodology that deliberately injects failures into the infrastructure to test its robustness. Through these experiments, companies can uncover weaknesses and improve their systems’ ability to withstand adverse events.
In a cloud-native context, where applications typically consist of a large number of microservices and open-source libraries, managing risks related to third-party vendors becomes exponentially more complex. European regulations require companies to adopt tools like the Software Bill of Materials (SBOM), which provides a detailed list of the software components in use. This tool is essential for monitoring and managing vulnerabilities throughout the entire software supply chain.
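To make the two ideas above concrete, here is an added example (not code from the article) of a CI/CD compliance gate that checks an SBOM against a vulnerability feed and, at the same time, writes the evidence record an auditor would later ask for. The SBOM is a constructed CycloneDX-style dictionary, the advisory list is constructed with placeholder identifiers rather than real CVEs, and version matching is exact; a real pipeline would load both from files or an API and use range matching.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed SBOM in CycloneDX-like shape (sample data, not a real project).
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "components": [
        {"name": "libfoo", "version": "1.2.0"},
        {"name": "libbar", "version": "3.4.1"},
        {"name": "libbaz", "version": "0.9.0"},
    ],
}

# Constructed advisory feed with placeholder IDs (not real CVEs).
SAMPLE_ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "name": "libbar", "versions": ["3.4.0", "3.4.1"], "severity": "high"},
    {"id": "ADV-PLACEHOLDER-2", "name": "libqux", "versions": ["2.0.0"], "severity": "critical"},
]

def find_vulnerable_components(sbom, advisories):
    """Match SBOM components against advisories by exact (name, version)."""
    index = {}
    for adv in advisories:
        for version in adv["versions"]:
            index.setdefault((adv["name"], version), []).append(adv)
    hits = []
    for comp in sbom.get("components", []):
        for adv in index.get((comp["name"], comp["version"]), []):
            hits.append((comp, adv))
    return hits

def evaluate_gate(sbom, advisories, block_on=("critical", "high")):
    """Return an evidence record; 'result' is the pipeline gate decision."""
    hits = find_vulnerable_components(sbom, advisories)
    blocking = [h for h in hits if h[1]["severity"] in block_on]
    # Hash the canonicalised SBOM so the evidence is tied to exactly what was checked.
    sbom_digest = hashlib.sha256(json.dumps(sbom, sort_keys=True).encode()).hexdigest()
    return {
        "control": "supply-chain-vulnerability-gate",
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "sbom_sha256": sbom_digest,
        "findings": [{"component": f"{c['name']}@{c['version']}",
                      "advisory": a["id"], "severity": a["severity"]} for c, a in hits],
        "result": "fail" if blocking else "pass",
    }

if __name__ == "__main__":
    print(json.dumps(evaluate_gate(SAMPLE_SBOM, SAMPLE_ADVISORIES), indent=2))
```

In a pipeline, a `fail` result would stop the deployment stage while the JSON record is archived as the audit artifact for that build.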
Implementing an automated compliance model requires a shift in mindset within organizations. Development teams must no longer view security as a barrier to their processes, but as an essential and integrated element in the product creation phase. This implies investing in training and tools that empower teams to work collaboratively and responsibly while maintaining control and alignment with regulations.
In conclusion, the DORA and NIS 2 regulations are not just a set of rules intended to create a bureaucratic burden for companies; they also represent an opportunity to make software development processes more robust and secure. These regulations are set to act as a catalyst for the maturation of DevSecOps practices, encouraging organizations to integrate security and compliance more deeply and meaningfully.