Part of Dordio & Associates

© 2026 Dasenda

Your defences were designed for an attacker that no longer exists

Organisations build their security around an assumption that is no longer true: that attackers must choose between scale and precision. AI removed that tradeoff. The phishing message that arrives today was written specifically for you.

Insights, 29 May 2026
When an organisation designs its security programme — training, filters, protocols — it does so against a mental model of the attacker: someone with limited resources who must choose between volume and precision. Send thousands of generic emails and some will land, but most will be caught. Research a specific target in depth and the attack will be more convincing, but you can only do it for a handful of people at a time.

That mental model is no longer accurate. AI removed the tradeoff between scale and precision. And the defences you built assuming that tradeoff need revisiting.

The phishing that doesn't look like phishing

Traditional security awareness training teaches people to spot warning signs: typos, sender domains that don't quite match, artificial urgency, unexpected attachments. Those signs corresponded to high-volume attacks designed for the lowest common denominator — convincing someone, anyone.

That phishing still exists. But it is no longer the only kind.

A language model can, in seconds per target, draft an email that references your actual job title, the project you are working on, the name of your manager, and the context of a recent conversation. It does this with the right tone, no errors, and details that only an insider would know. It can be sent from an address that is easily confused with a real supplier or colleague.

The problem is not that the message looks legitimate. It is that it was written so that you, specifically, would find it legitimate. Training that teaches people to spot generic signals has no answer for that.

The gap nobody measures

Organisations update their security posture in long cycles: annual training, quarterly policy reviews, tool renewals every few years. That is the pace the organisation can sustain.

Attackers operate at a completely different pace. They can test variants of a lure in hours, change infrastructure in minutes, and tailor the message to each target's specific profile before sending. There is no approval meeting. There is no change process.

The result is a cadence gap that widens silently. Organisations train their employees to spot the phishing of two years ago. Attackers have spent months using techniques for which that training has no response.

This gap does not appear on any dashboard. There is no indicator that measures how long you have been defending against attacks that are no longer being used. But it exists, and it grows.

What changes for organisations

The direct consequence is that the prevention model based on user detection is broken for sophisticated attacks — not because employees are careless, but because they were trained to spot signals that are no longer there.

This does not mean training is useless. It means it cannot be the first line of defence for high-risk actions.

Organisations adapting their model are doing three things:

Verification protocols for critical actions. Wire transfers, credential changes, access to sensitive systems: regardless of who requests the action, there is a verification step outside the digital channel. The digital channel is the one that may be compromised.

Behaviour-based detection, not signature-based. A well-written email does not trigger content filters. But an unusual sequence of actions — accessing a system that is rarely used, exporting data outside business hours, running an unfamiliar process — can be detected. The focus shifts from the message to the behaviour that follows the click.

Resilience when prevention fails. Assuming that some attacks will succeed changes how the system is designed. Network segmentation, least privilege, rapid response capability: these are not last-resort measures, they are part of the design from the start.
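As an added illustration of the behaviour-based approach (example code written for this page, not code from the original article or from Dasenda), the following Python sketch builds a per-user baseline of systems and processes from constructed historical events and then flags the three deviations the text names: a system the user has not touched before, a data export outside business hours, and an unfamiliar process. The event format, the business-hours window and all sample events are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real telemetry): (user, timestamp, action, target)
BASELINE = [
    ("alice", "2026-05-04T09:12:00", "access", "crm"),
    ("alice", "2026-05-05T10:30:00", "process", "outlook.exe"),
    ("alice", "2026-05-06T14:05:00", "access", "crm"),
    ("alice", "2026-05-07T11:40:00", "export", "crm"),
]
NEW_EVENTS = [
    ("alice", "2026-05-29T10:02:00", "access", "crm"),          # normal
    ("alice", "2026-05-29T10:15:00", "access", "hr-payroll"),   # system never used before
    ("alice", "2026-05-29T23:40:00", "export", "crm"),          # export outside business hours
    ("alice", "2026-05-29T23:41:00", "process", "rclone.exe"),  # unfamiliar process
]

BUSINESS_HOURS = range(8, 19)  # 08:00-18:59; an assumption for the example


def build_profile(events):
    """Per-user sets of systems and processes seen during the baseline window."""
    profile = defaultdict(lambda: {"access": set(), "process": set()})
    for user, _ts, action, target in events:
        if action in ("access", "export"):
            profile[user]["access"].add(target)
        elif action == "process":
            profile[user]["process"].add(target)
    return profile


def score_events(profile, events):
    """Return (user, timestamp, reason) for events that deviate from the user's profile.

    Note that nothing here inspects the lure itself: only what happens after the click.
    """
    alerts = []
    empty = {"access": set(), "process": set()}
    for user, ts, action, target in events:
        hour = datetime.fromisoformat(ts).hour
        known = profile.get(user, empty)
        if action == "access" and target not in known["access"]:
            alerts.append((user, ts, f"first access to {target}"))
        elif action == "export" and hour not in BUSINESS_HOURS:
            alerts.append((user, ts, f"export from {target} outside business hours"))
        elif action == "process" and target not in known["process"]:
            alerts.append((user, ts, f"unfamiliar process {target}"))
    return alerts


if __name__ == "__main__":
    for alert in score_events(build_profile(BASELINE), NEW_EVENTS):
        print(alert)
```

In a real deployment the baseline would come from weeks of identity, EDR and data-access logs rather than four hand-written events, and the thresholds would be tuned per role.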

Perspective

The gap is not technological. It is a matter of the attacker model the defences assume.

Current defences were built for an attacker who had to choose: reach many or reach well. That attacker still exists, but is no longer the only one. The attacker who does not have to choose is the one most likely to get through.

The answer is not to spend more on the same things. It is to revisit the assumption on which they were built.

Next step

Train your team for the attacker that exists today

Awareness programmes built around yesterday's signals leave your team exposed. We design training matched to the real threat model.

Talk to Dasenda