Frequently Asked Questions

Cybersecurity Compliance Regulations & Updates

What is the Digital Operational Resilience Act (DORA) and who does it apply to?

DORA is an EU regulation establishing uniform cybersecurity requirements for the financial sector and critical third-party ICT service providers across all EU member states. It mandates periodic testing of ICT risk management frameworks, identification and mitigation of vulnerabilities, proportional resilience testing based on business size and risk profile, and threat-led penetration testing (TLPT) for high-risk entities. The UK has also signaled plans for similar laws post-Brexit, aiming for implementation by the end of 2023. Learn more.

What are the key requirements of DORA for financial institutions?

DORA requires financial institutions to conduct periodic ICT risk management testing, identify and mitigate vulnerabilities, implement resilient ICT systems, detect and respond to anomalies, maintain business continuity and disaster recovery plans, and establish incident learning mechanisms for continuous improvement.

What changes were introduced in PCI DSS v4.0?

PCI DSS v4.0, published in May 2022, introduces modifications to adapt security methods to evolving threats, promote security as a continuous process, support payment technology innovation, and improve verification methods. Version 3.2.1 will be retired in March 2025, giving organizations time to implement the required changes. Read Cymulate’s overview.

What are the main updates in SWIFT CSCF v2022?

SWIFT CSCF v2022, required since December 2022, added one mandatory control (2.9A: Transaction Business Controls), introduced a new advisory control (1.5A: Customer Environment Protection), and expanded the scope of several controls to include customer connectors and operator PCs. Numerous clarifications and minor modifications were also made to existing controls.

What is NIS2 and how does it differ from the original NIS Directive?

NIS2, adopted in Europe in November 2022, expands the scope of the original NIS Directive to include more sectors (such as postal, medical devices, food distribution, and digital providers) and all medium and large entities in those sectors. It introduces stricter risk management, incident reporting within 24 hours, and new requirements for business continuity, supply chain security, cryptography, and periodic assessment of cybersecurity measures.

What are the main changes in ISO/IEC 27001:2022?

ISO/IEC 27001:2022 reorganized Annex A controls, merging 57 controls into 24, renaming 23, and adding 11 new controls. The total number of controls is now 93, grouped into organizational, people, physical, and technological categories, with a strong emphasis on technological controls such as threat intelligence, cloud security, and secure coding.

Which new US state data privacy laws are coming into effect in 2023?

In 2023, new data privacy laws with cybersecurity elements will be enacted in Virginia (Consumer Data Protection Act, Jan 1), Colorado (Privacy Act, July 1), Utah (Consumer Protection Act, Dec 31), and Connecticut (Data Protection Act, July 1). These laws expand on the GDPR and California CCPA frameworks.

What is the Cyber Resilience Act (CRA) and who does it affect?

The Cyber Resilience Act (CRA) is an upcoming EU regulation that will apply to all products with digital elements intended for connection to a device or network. It requires manufacturers to design products with secure-by-default configurations, maintain confidentiality and data integrity, and conduct cybersecurity risk assessments throughout the product lifecycle. Mandatory recalls will be required for certain vulnerabilities.

How are continuous assessment and resilience validation becoming part of compliance requirements?

Virtually all compliance and standard bodies are increasing assessment requirements and adding continuous assessment or resilience validation. This trend is driven by the need to address rising cyberattack frequency and complexity, ensuring organizations can maintain operational resilience and regulatory compliance.

How does Cymulate help organizations meet DORA compliance requirements?

Cymulate supports DORA compliance by enabling continuous digital operational resilience testing, automating security assessments, and providing actionable insights to identify and mitigate vulnerabilities. The platform's automated testing aligns with DORA's requirements for periodic ICT risk management and resilience validation. Read the solution brief.

How does Cymulate assist with PCI DSS v4.0 compliance?

Cymulate enables organizations to validate their security controls and processes against PCI DSS v4.0 requirements through automated attack simulations and continuous assessment. This helps organizations adapt to evolving threats, maintain compliance, and improve verification methods. Read more.

Features & Capabilities

What are the core features of Cymulate's platform?

Cymulate offers a unified platform that combines Breach and Attack Simulation (BAS), Continuous Automated Red Teaming (CART), and Exposure Analytics. Key features include continuous threat validation, attack path discovery, automated mitigation, AI-powered optimization, complete kill chain coverage, and an extensive threat library with over 100,000 attack actions updated daily.

Does Cymulate integrate with other security technologies?

Yes, Cymulate integrates with a wide range of security technologies, including Akamai Guardicore, AWS GuardDuty, BlackBerry Cylance OPTICS, Carbon Black EDR, Check Point CloudGuard, Cisco Secure Endpoint, CrowdStrike Falcon, Wiz, SentinelOne, and more. For a complete list, visit our Partnerships and Integrations page.

How does Cymulate's platform use AI and automation?

Cymulate leverages machine learning to deliver actionable insights for prioritizing remediation, optimize security controls, and automate attack simulations. The platform updates every two weeks with new features, including AI-powered SIEM rule mapping and advanced exposure prioritization.

What are the benefits of using Cymulate for continuous threat validation?

Organizations using Cymulate have reported up to a 52% reduction in critical exposures, a 60% increase in team efficiency, and an 81% reduction in cyber risk within four months. The platform validates threats 40 times faster than manual methods and consolidates multiple tools, reducing costs and improving operational efficiency.

How easy is it to implement Cymulate?

Cymulate is designed for rapid, agentless deployment with no need for additional hardware or complex configurations. Customers can start running simulations almost immediately, and the platform integrates seamlessly into existing workflows. Comprehensive support and educational resources are available to help users get started quickly.

What feedback have customers given about Cymulate's ease of use?

Customers consistently praise Cymulate for its intuitive, user-friendly interface and actionable insights. Testimonials highlight the platform's ease of implementation, practical dashboards, and accessible support. For example, Raphael Ferreira, Cybersecurity Manager, noted, "Cymulate is easy to implement and use—all you need to do is click a few buttons, and you receive a lot of practical insights into how you can improve your security posture." Read more customer stories.

What security and compliance certifications does Cymulate hold?

Cymulate holds several key certifications, including SOC2 Type II (covering security, availability, confidentiality, and privacy), ISO 27001:2013 (Information Security Management), ISO 27701 (Privacy Information Management), ISO 27017 (Cloud Services Security Controls), and CSA STAR Level 1. These certifications demonstrate Cymulate's commitment to robust security and compliance standards. Learn more.

How does Cymulate ensure data security and privacy?

Cymulate ensures data security through encryption in transit (TLS 1.2+) and at rest (AES-256), secure AWS-hosted data centers, a tested disaster recovery plan, and a strict Secure Development Lifecycle (SDLC). The platform also incorporates GDPR compliance, mandatory 2FA, RBAC, IP address restrictions, and ongoing employee security training. Read more.

Use Cases & Benefits

Who can benefit from using Cymulate?

Cymulate is designed for CISOs, security leaders, SecOps teams, red teams, and vulnerability management teams in organizations of all sizes and industries, including finance, healthcare, retail, media, transportation, and manufacturing. The platform delivers measurable improvements in threat resilience, operational efficiency, and security strategy alignment. Learn more.

What problems does Cymulate solve for security teams?

Cymulate addresses challenges such as fragmented security tools, resource constraints, unclear risk prioritization, cloud complexity, communication barriers, inadequate threat simulation, operational inefficiencies in vulnerability management, and post-breach recovery. The platform integrates exposure data, automates validation, and provides actionable insights for efficient remediation.

How does Cymulate help organizations prioritize vulnerabilities?

Cymulate validates exploitability and ranks exposures based on prevention and detection capabilities, business context, and threat intelligence. This enables organizations to focus on the most critical vulnerabilities and optimize their remediation efforts.

Are there case studies showing Cymulate's impact on compliance and resilience?

Yes, for example, Hertz Israel reduced cyber risk by 81% in four months using Cymulate. Saffron Building Society improved compliance and internal governance, and Nemours Children's Health increased visibility and detection in hybrid and cloud environments. Read more case studies.

How does Cymulate address the needs of different security personas?

Cymulate tailors its solutions for CISOs (providing metrics and risk prioritization), SecOps teams (automating processes and improving efficiency), red teams (offensive testing with a large attack library), and vulnerability management teams (automated validation and prioritization). Learn more.

What is Cymulate's approach to continuous threat exposure management (CTEM)?

Cymulate enables organizations to continuously validate security controls, prioritize and address vulnerabilities, enhance operational efficiency, and foster collaboration across teams. This supports a proactive and resilient approach to cybersecurity, aligning with the principles of CTEM.

How does Cymulate support organizations after a security breach?

Cymulate enhances post-breach recovery by improving visibility and detection capabilities, enabling faster response and remediation. The platform replaces manual processes with automated validation, ensuring organizations can recover quickly and strengthen their defenses.

Pricing & Plans

What is Cymulate's pricing model?

Cymulate operates on a subscription-based pricing model tailored to each organization's requirements. Pricing depends on the chosen package, number of assets, and scenarios selected for testing and validation. For a detailed quote, schedule a demo with the Cymulate team.

Support & Resources

What support options does Cymulate offer?

Cymulate provides comprehensive support, including email support at [email protected], real-time chat support, a knowledge base with technical articles and videos, webinars, e-books, and an AI chatbot for instant answers and guidance.

Where can I find Cymulate's educational resources?

Cymulate offers a Resource Hub with insights, thought leadership, and product information at cymulate.com/resources/. Additional resources include a blog, glossary, newsroom, and events/webinars page.

How can I stay updated with Cymulate's latest news and research?

You can stay informed by visiting Cymulate's company blog for the latest threats and research, and the Newsroom for media mentions and press releases.

Does Cymulate provide resources for understanding cybersecurity terms?

Yes, Cymulate maintains a comprehensive cybersecurity glossary explaining terms, acronyms, and jargon, which is regularly updated.

How are revisions to Cymulate's Privacy Policy handled?

Cymulate reserves the right to revise, amend, or modify its Privacy Policy at any time. Updates are posted on the website, and users are encouraged to review the policy regularly to stay informed about current practices. Read the Privacy Policy.

Company Information & Recognition

What is Cymulate's mission and vision?

Cymulate's mission is to transform cybersecurity practices by enabling organizations to proactively validate their defenses, identify vulnerabilities, and optimize their security posture. The vision is to create a collaborative environment for lasting improvements in cybersecurity strategies. Learn more.

What industry recognition has Cymulate received?

Cymulate has been recognized as a market leader in automated security validation by Frost & Sullivan and named a Customers' Choice in the 2025 Gartner Peer Insights. The company is also rated #1 by customers on G2 and other review platforms. See reviews.

What is Cymulate's company size and customer base?

Cymulate serves organizations of all sizes, from small enterprises to large corporations with over 10,000 employees, across industries such as finance, healthcare, retail, media, transportation, and manufacturing. Learn more.

Where can I find Cymulate's case studies and customer success stories?

You can explore Cymulate's case studies and customer success stories, including measurable outcomes and industry-specific examples, at cymulate.com/customers/.


Overview of 2022 Cybersecurity Compliance Regulations and Planned 2023 Revisions 

By: Cymulate

Last Updated: June 18, 2025

The recent adoption of DORA (Digital Operational Resilience Act) by the EU Council is only one of the cybersecurity compliance regulations to emerge or undergo a thorough update in 2022. Regulators' accelerated activity on cybersecurity matters is a direct response to the combination of cyberattacks' rising frequency and escalating complexity. The resulting threat to the continued operation of critical services and the potential for major disruption of civilian lives are further contributing factors to this flurry of activity.

As 2022 draws to a close, it is appropriate to review how the compliance landscape evolved during the year and to prepare for the regulation updates planned for 2023.

Key Cybersecurity Compliance Regulations and Updates

The sector most heavily impacted by cybersecurity compliance regulation updates this year was the financial sector, with the creation of the new EU-wide regulatory framework DORA and the revision of the PCI DSS and SWIFT requirements.

Digital Operational Resilience Act (DORA) – EU

Adopted by the EU Council, DORA establishes uniform cybersecurity requirements for the financial sector and critical third-party ICT service providers across all EU member states. Key requirements include:

Digital Operational Resilience Testing:

  • Periodic testing of ICT risk management frameworks.
  • Identification and mitigation of vulnerabilities.
  • Proportional resilience testing based on business size and risk profile.
  • Threat-led penetration testing (TLPT) for entities with high-risk exposure.

ICT Risk Management:

  • Implementation of resilient ICT systems.
  • Continuous identification of ICT risks and protection measures.
  • Anomaly detection and response mechanisms.
  • Business continuity and disaster recovery planning.
  • Incident learning mechanisms for continuous improvement.

The UK has signaled plans to introduce similar laws following Brexit, aiming for implementation by the end of 2023.

PCI DSS v4.0 (Global) 

May 2022 saw the publication of PCI DSS v4.0. The current version, 3.2.1, will be retired in March 2025, leaving some time to implement the modifications required for compliance. Those numerous modifications aim at:

  • Adapting security methods to the evolving threats  
  • Promoting security as a continuous process 
  • Enabling additional support to payment technology innovation  
  • Improving verification methods and procedures 

Cymulate’s in-depth overview of PCI DSS v4.0 requirements is available for more information. 

SWIFT CSCF v2022 (Worldwide) 

Required for compliance since December 2022, CSCF v2022 documents changes to controls, additional guidance, and many clarifications to existing controls and their associated implementation guidelines. This year's version adds one mandatory control to the existing 32.

The main changes from v2021 to v2022 are: 

  1. Promotion of Control 2.9A (Transaction Business Controls) to 'mandatory' after significant clarifications of its scope and implementation guidelines.
  2. New Advisory Control 1.5A (Customer Environment Protection), aligning the requirements of Architecture A4 with those of the other type 'A' architectures.
  3. Scope modifications of many controls:
     • Extension of all Architecture A4 controls' scope to include the 'Customer Connector' as an 'in scope' component.
     • Extension of existing Control 1.2 (Operating System Privileged Account Control) scope to include 'General Purpose Operator PCs' as 'advisory', to ensure basic security hygiene on employee computers.
     • Extension of existing Control 6.2 (Software Integrity) scope for Architecture A4 to include 'customer connector' components as 'advisory'.

In addition, there are numerous minor guidance clarifications or modifications. 

In Europe, November 2022 also saw the adoption of NIS2, which defines a more robust common level of cybersecurity across the EU and replaces the current Network and Information Systems Directive (NIS Directive). EU member states have 21 months from the directive's entry into force to incorporate its provisions into national law.

NIS2 

The main changes between the NIS Directive and NIS2 include: 

  • Scope expansion
    • Sectors: in addition to the sectors initially covered by the NIS Directive (energy, transport, health, banking, and digital infrastructure), NIS2 includes postal and courier services, medical devices, food distribution, public electronic communications networks and publicly available electronic communications services, and digital providers.
    • Size: a new size-cap rule brings in all medium-size and large entities operating within the sectors, or providing the services, covered by the directive. The EU Council has stated that NIS2's wide-ranging scope will be defined more granularly: "Its text includes additional provisions to ensure proportionality, a higher level of risk management, and clear-cut criticality criteria for allowing national authorities to determine further entities covered."
  • Minimum obligations: all entities within scope are required to:
    • Adopt policies covering:
      • Risk analysis and information system security
      • Incident handling
      • Business continuity and crisis management
      • Supply chain security
    • Adopt policies and procedures covering:
      • Cryptography
      • Encryption
    • Periodically assess the effectiveness of their cybersecurity management measures.
    • Communicate security incidents: a newly defined obligation to submit an early warning to the appropriate authority within 24 hours of becoming aware of a significant incident. That authority might be the newly created cyber crisis liaison organisation network (EU-CyCLONe), which supports the coordinated management of large-scale cybersecurity incidents.

The other main regulatory change in 2022 is the updated version of ISO/IEC 27001, the international standard for managing information security, published in October 2022.

ISO/IEC 27001:2022

The controls included in ISO 27001:2022 Annex A underwent a major overhaul, merging 57 controls into 24, renaming 23 controls, and adding 11 new ones. The resulting 93 controls (down from the previous 114) have been reorganized into four control groups:

  • Organizational (37 controls) including three new controls: 
    • Threat intelligence 
    • Information security for use of cloud services 
    • ICT readiness for business continuity 
  • People (8 controls) 
  • Physical (14 controls) including one new control: 
    • Physical security monitoring 
  • Technological (34 controls) including seven new controls: 
    • User endpoint devices 
    • Configuration management 
    • Information deletion 
    • Data masking  
    • Monitoring activities 
    • Web filtering 
    • Secure coding 

Of those eleven new controls, ten are technological in nature even where they are filed under 'Organizational', clearly pointing to the increased importance of technological factors in security.

Up and Coming Cybersecurity Compliance Regulations in 2023

United States: Expanding Data Privacy and Security Laws

Initiated in 2018 with GDPR, data privacy laws with cybersecurity elements keep burgeoning. Following the 2020 California CCPA, four other states have passed similar data privacy legislation that will be enacted in 2023:

  • Virginia: Consumer Data Protection Act (Jan 1)
  • Colorado: Privacy Act (July 1)
  • Utah: Consumer Protection Act (Dec 31)
  • Connecticut: Data Protection Act (July 1)

The financial sector will also have to keep an eye on the upcoming update of 23 NYCRR 500, which includes:

  • An extension of the penetration testing scope to include testing the security of information systems.
  • An extension of the definition of "risk assessment" to the "process of identifying cybersecurity risks to organizational operations, organizational assets, individuals, customers, consumers, other organizations, and critical infrastructure resulting from the operation of an information system."
  • New requirements to:
    • Develop and implement written policies and procedures for vulnerability management designed to assess the effectiveness of the covered entity's cybersecurity program. Those include continuous monitoring or periodic penetration testing, and vulnerability assessments.
    • Establish plans that contain proactive measures to investigate and mitigate disruptive events and ensure operational resilience, including incident response, business continuity, and disaster recovery plans.
    • Establish and implement policies and procedures designed to ensure the security of information accessible to, or held by, third-party service providers.

On the standards side, the MITRE Supply Chain Security Framework is likely to be updated, and the significant updates planned for NIST Cybersecurity Framework (CSF) v2.0 will be finalized in 2023.

Europe: The Cyber Resilience Act (CRA)

In Europe, the most impactful upcoming regulatory newcomer is the announced Cyber Resilience Act (CRA). The CRA will apply to all products with digital elements whose intended or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network, unless covered by an exception.

Such products will require either a standard-form assessment or a third-party assessment.

Manufacturers aiming to sell their products in an EU country will have to design them in line with the CRA-defined "essential cybersecurity requirements." To date, those include secure-by-default configurations, mechanisms to maintain confidentiality and data integrity, and cybersecurity risk assessments throughout the product's lifecycle.

In addition, recalls will be mandatory upon detection of certain vulnerabilities.

Virtually all compliance and standards bodies are increasing assessment requirements and adding some level of continuous assessment or resilience validation. As the 2022 Frost Radar innovation leader for Breach and Attack Simulation, Cymulate keeps ahead of compliance regulators' evolving requirements with automated security assessment and validation that caters to every company's needs, regardless of size or cybersecurity maturity level.
