The 2026 Cybersecurity Guide: Combating Phishing Attacks with NIS2, DORA, and PSD2 Compliance
This guide provides a comprehensive framework for organizations to combat sophisticated phishing attacks while ensuring compliance with key regulations like NIS2, DORA, and PSD2. Learn actionable mitigation strategies, incident response requirements, and how to leverage tools for continuous monitoring.
Introduction: The Evolving Threat of Phishing in a Regulated Landscape
Phishing attacks have evolved from generic spam to highly sophisticated, targeted campaigns that exploit human psychology and technical vulnerabilities. As the FBI warns of criminals impersonating U.S. city officials to defraud businesses, and the EU Advocate General clarifies stringent refund obligations under PSD2, organizations face a dual challenge: defending against these threats while navigating a complex web of cybersecurity regulations. This guide provides an actionable framework to combat phishing, ensuring compliance with the EU's NIS2 Directive (Directive (EU) 2022/2555), DORA (Regulation (EU) 2022/2554), and PSD2. You'll learn to implement effective mitigation strategies, avoid regulatory penalties, and enhance your overall security posture.
Prerequisites for Effective Phishing Defense and Compliance
Before diving into specific steps, ensure your organization has these foundational elements in place:
- Executive Buy-In: Cybersecurity is a business risk, not just an IT issue. Management must understand the financial and reputational stakes, especially with regulations like NIS2 holding leadership accountable.
- Basic Security Hygiene: Implement core controls like multi-factor authentication (MFA), regular software patching, and secure email gateways. The Cisco Catalyst SD-WAN exploitation (CVE-2026-20127) highlights the critical need for prompt vulnerability management.
- Regulatory Awareness: Identify which regulations apply to your organization. NIS2 applies to 'essential' and 'important' entities across sectors like energy, transport, and digital infrastructure. DORA applies specifically to financial entities. PSD2 applies to all payment service providers in the EU.
- Incident Response Foundation: Have a basic plan for identifying, containing, and reporting security incidents. This is a core requirement under both NIS2 and DORA.
Step 1: Understanding Modern Phishing Trends and Tactics
Attackers are leveraging detailed reconnaissance and social engineering to create highly convincing lures. The FBI's warning about impersonation of planning officials is a prime example. Scammers use publicly available permit details—application numbers, property addresses—to craft emails that appear legitimate, requesting fee payments via wire transfer or cryptocurrency. Key indicators include emails from non-governmental domains (e.g., @usa.com), attachments prompting further email contact, and pressure tactics to expedite payments.
Beyond impersonation, threat actors are rapidly exploiting technical vulnerabilities. The widespread exploitation of CVE-2026-20127 in Cisco Catalyst SD-WAN, often chained with older vulnerabilities like CVE-2022-20775, demonstrates how phishing can serve as an initial access vector for more destructive attacks. Once inside, attackers bypass authentication, escalate privileges, and establish persistence. Organizations must assume that exposed, unpatched systems are compromised.
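The indicators listed above (a non-governmental sender domain, permit details quoted by a non-official sender, payment requested by wire or cryptocurrency, pressure to pay fast, and an attachment that pushes the reader to continue only by e-mail) can be turned into a simple triage rule for a mail gateway or SOC playbook. The following is an added example, not code from the original guide; the official-domain list and the sample messages are constructed assumptions.

```python
"""Heuristic triage for the permit-fee impersonation pattern described above (constructed samples)."""
import re
from email.utils import parseaddr

OFFICIAL_DOMAINS = {"cityofexample.gov"}  # assumption: agency domains verified out of band
PAYMENT = re.compile(r"\b(wire transfer|cryptocurrency|bitcoin|gift cards?)\b", re.I)
URGENCY = re.compile(r"\b(immediately|within 24 hours|final notice|expedite|urgent)\b", re.I)
PERMIT = re.compile(r"\b(permit|application (?:number|no\.?)|inspection fee)\b", re.I)
EMAIL_ONLY = re.compile(r"reply (?:by|via) e-?mail", re.I)

def sender_domain(from_header: str) -> str:
    """Lower-cased domain of the address in a From: header ('' if none)."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def score_message(msg: dict) -> tuple[int, list[str]]:
    """Return (score, reasons); one point per indicator present."""
    reasons = []
    text = f"{msg.get('subject', '')}\n{msg.get('body', '')}"
    domain = sender_domain(msg.get("from", ""))
    official = domain in OFFICIAL_DOMAINS
    if not official:
        reasons.append(f"sender domain {domain!r} is not a verified agency domain")
    if PERMIT.search(text) and not official:
        reasons.append("quotes permit details but does not come from the agency")
    if PAYMENT.search(text):
        reasons.append("requests payment by wire transfer, crypto or gift card")
    if URGENCY.search(text):
        reasons.append("pressures the reader to pay quickly")
    if msg.get("attachments") and EMAIL_ONLY.search(text):
        reasons.append("attachment plus instruction to continue only by e-mail")
    return len(reasons), reasons

def triage(msg: dict) -> str:
    """Route to a human reviewer when two or more indicators line up."""
    return "hold-for-review" if score_message(msg)[0] >= 2 else "deliver"

# Constructed samples modelled on the warning above; not real messages.
SUSPECT = {
    "from": "Planning Dept <permits.cityofexample@usa.com>",
    "subject": "Final notice: permit application no. 2024-1187 fee due",
    "body": "Inspection fee for 12 Main St is outstanding. Pay immediately by wire transfer; see attached and reply by email only.",
    "attachments": ["invoice.pdf"],
}
LEGIT = {
    "from": "Planning Dept <permits@cityofexample.gov>",
    "subject": "Permit application 2024-1187 approved",
    "body": "Your permit is approved. Any fees are paid through the city portal.",
    "attachments": [],
}
```

The score is only a routing aid: a held message still needs the verification step the guide recommends, confirming the payment request with the agency through a known official number.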
Step 2: Mapping Compliance Requirements to Phishing Defense
Your phishing mitigation strategy must align with specific regulatory obligations. Non-compliance can result in significant penalties and operational disruption.
NIS2 Directive: Incident Reporting and Risk Management
NIS2 mandates robust risk management measures and strict incident reporting timelines for covered entities. Member states had until 17 October 2024 to transpose the directive into national law.
- Incident Reporting: You must report significant incidents. The directive requires an early warning within 24 hours of becoming aware, followed by a more detailed notification within 72 hours, and a final report within one month.
- Risk Management: Implement appropriate technical and organizational measures to manage risks to network and information systems. This includes policies for human risk (e.g., phishing training), supply chain security, and business continuity.
- Management Accountability: Senior management is responsible for overseeing cybersecurity risk and can be held liable for non-compliance, with penalties up to EUR 10 million or 2% of global annual turnover.
DORA: Operational Resilience for Financial Entities
DORA applies from 17 January 2025 and focuses on the digital operational resilience of financial entities (banks, insurers, crypto-asset service providers).
- ICT Risk Management Framework: Establish a comprehensive framework that includes protection from cyber threats, with phishing being a primary vector.
- Incident Reporting: Similar to NIS2, DORA requires classification and reporting of major ICT-related incidents to competent authorities.
- Resilience Testing: Conduct regular testing, including Threat-Led Penetration Testing (TLPT), to ensure your defenses can withstand sophisticated attacks, which often start with phishing.
- Third-Party Risk: Manage risks from ICT third-party service providers, ensuring their security practices (like SOC 2 attestations) are robust.
PSD2: Customer Refund Obligations and Strong Authentication
PSD2 has been in effect since January 2018 and includes critical rules for unauthorized transactions, which often result from phishing.
- Immediate Refund Obligation: As highlighted in the recent EU Advocate General opinion, payment service providers (like banks) must immediately refund customers for unauthorized transactions, even in cases of customer negligence, unless there are reasonable grounds to suspect customer fraud. The bank's recourse is to later seek recovery from the customer through legal action if gross negligence or intentional breach is proven.
- Strong Customer Authentication (SCA): PSD2 requires SCA for electronic payments, which helps mitigate account takeover resulting from credential phishing. Ensure your payment processes enforce SCA correctly.
- Liability Shift: Understanding these refund rules is crucial for managing financial liability and customer disputes arising from phishing scams.
Step 3: Implementing a Phishing Mitigation and Response Framework
Build a multi-layered defense that addresses human, technical, and procedural vulnerabilities.
Employee Training and Awareness
- Regular, Simulated Training: Conduct phishing simulation exercises tailored to current threats (e.g., impersonation scams). Train employees to verify sender domains, avoid clicking unsolicited links/attachments, and confirm payment requests through official channels.
- Clear Reporting Procedures: Establish an easy, non-punitive way for employees to report suspected phishing emails (e.g., a dedicated 'Report Phish' button).
Technical Controls
- Email Security Gateways: Deploy advanced solutions that use AI and threat intelligence to filter spear-phishing and impersonation attempts.
- Endpoint Detection and Response (EDR): Use EDR tools to detect and respond to malicious activity that evades perimeter defenses, such as payloads delivered via phishing.
- Vulnerability Management: Prioritize patching critical vulnerabilities. The Cisco SD-WAN case shows how unpatched systems are weaponized. Implement a rigorous patch management cycle.
- Domain-based Message Authentication, Reporting and Conformance (DMARC): Implement DMARC policies, built on SPF and DKIM, to prevent spoofing of your email domain, a common tactic in impersonation attacks.
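A DMARC policy only blocks spoofing when the published TXT record at _dmarc.<domain> is actually enforcing. The following added example (not code from the guide) parses a DMARC record and flags the settings that still let spoofed mail through; the sample records are constructed, and the DNS lookup itself is left to your resolver or a tool such as dig.

```python
"""Check a DMARC TXT record for settings that still allow domain spoofing (constructed samples)."""

def dmarc_lookup_name(domain: str) -> str:
    """DNS name where a domain's DMARC record is published."""
    return "_dmarc." + domain.strip().lower().rstrip(".")

def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; ...' into a tag dict; tag names are lower-cased."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(record: str) -> list[str]:
    """Return findings; an empty list means an enforcing policy with reporting in place."""
    t = parse_dmarc(record)
    if t.get("v") != "DMARC1":  # RFC 7489: v=DMARC1 is required, else the record is ignored
        return ["not a DMARC1 record"]
    policy = t.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return ["missing or invalid p= tag; receivers ignore the record"]
    findings = []
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    pct = t.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct} applies the policy to a sample of messages only")
    sub_policy = t.get("sp", policy).lower()
    if sub_policy == "none" and policy != "none":
        findings.append("sp=none leaves subdomains unprotected")
    if "rua" not in t:
        findings.append("no rua= address: no aggregate reports to detect spoofing attempts")
    return findings

# Constructed sample records (not taken from any real domain).
WEAK = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
PARTIAL = "v=DMARC1; p=reject; pct=25; sp=none"
STRONG = ("v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
          "rua=mailto:dmarc-agg@example.com; ruf=mailto:dmarc-fail@example.com")

if __name__ == "__main__":
    for name, rec in (("WEAK", WEAK), ("PARTIAL", PARTIAL), ("STRONG", STRONG)):
        print(name, assess_dmarc(rec) or ["enforcing policy with reporting"])
```

Run the same check against every domain you send from, including parked ones, since an unused domain with no record is the easiest one to spoof.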
Incident Response Plan Aligned with Regulations
- Preparation: Develop a plan that integrates NIS2 and DORA reporting timelines. Designate a response team and ensure communication channels are established.
- Identification & Analysis: Use monitoring tools to detect incidents. For a phishing incident leading to data breach or system compromise, immediately assess impact and whether it triggers reporting thresholds under NIS2/DORA.
- Containment, Eradication & Recovery: Isolate affected systems, remove threat actor access, and restore services from clean backups. For financial entities under DORA, this directly ties to operational resilience.
- Reporting: Notify your national competent authority (for NIS2) or financial regulator (for DORA) within the mandated timelines. For PSD2-related payment fraud, ensure internal processes align with refund obligations.
- Lessons Learned: Conduct a post-incident review to update policies, training, and technical controls. This fulfills the continuous improvement aspect of frameworks like NIST CSF 2.0.
Step 4: Learning from Real-World Cases and Common Pitfalls
Analyzing past incidents provides invaluable lessons for strengthening your program.
Case Study: Banking Phishing and PSD2 Refunds
The Polish case underpinning the EU Advocate General's opinion involved a customer who entered credentials on a phishing site. The bank initially denied a refund, citing customer negligence. The opinion clarifies that the bank must refund first and can only pursue the customer later in court if it proves gross negligence. Pitfall to Avoid: Assuming customer negligence absolves you of immediate PSD2 refund obligations. Update your dispute resolution processes accordingly.
Case Study: Vulnerability Exploitation (Cisco SD-WAN)
The mass exploitation of CVE-2026-20127 shows how phishing can lead to initial access, followed by exploitation of unpatched vulnerabilities for privilege escalation and persistence. Pitfall to Avoid: Delaying critical patches. Treat vulnerability management as a core component of phishing defense, as compromised systems can be used to launch further internal phishing campaigns.
Case Study: Impersonation Phishing (FBI Warning)
The impersonation of U.S. officials targets specific individuals with credible context. Pitfall to Avoid: Relying solely on technical filters. These attacks bypass standard security by using legitimate-looking information. Defense requires a combination of employee vigilance, verification procedures (e.g., calling known contacts via official numbers), and advanced email security that analyzes context and intent.
Step 5: Tools and Best Practices for Continuous Monitoring and Improvement
Compliance and security are not one-time projects but ongoing processes.
- Security Awareness Training Platforms: Use platforms that offer updated phishing simulation templates based on real-world campaigns.
- Security Information and Event Management (SIEM): Aggregate logs from email gateways, endpoints, and network devices to detect phishing-related activity and investigate incidents faster.
- Compliance Automation Tools: Platforms like AIGovHub's cybersecurity compliance dashboard can help track control implementation, manage evidence for frameworks like SOC 2, and monitor regulatory changes for NIS2 and DORA.
- Threat Intelligence Feeds: Subscribe to feeds that provide indicators of compromise (IOCs) related to active phishing campaigns and exploited vulnerabilities.
- Regular Testing and Audits: Conduct internal and external phishing tests. For DORA compliance, schedule regular resilience testing, including TLPT. Pursue SOC 2 attestation to demonstrate security controls to partners and regulators; remember, SOC 2 is an attestation report, not a certification, based on the AICPA Trust Services Criteria.
Frequently Asked Questions (FAQ)
What are the key differences between NIS2 and DORA incident reporting?
NIS2 applies broadly to essential and important entities across many sectors, with reporting to national competent authorities. DORA applies specifically to financial entities, with reporting to financial regulators. While timelines are similar (24h/72h), the specific forms and authorities differ. Financial entities may need to report under both regimes for a single incident.
Under PSD2, can we deny a refund if a customer falls for a phishing scam?
Based on the recent EU Advocate General opinion, no—you cannot deny the immediate refund. PSD2 requires the refund to be provided promptly. The payment service provider can only refuse if it has reasonable grounds to suspect fraud by the customer and informs the relevant authority. The provider must then seek to recover the funds from the customer through legal proceedings, where it must prove the customer acted with gross negligence or intent.
How often should we conduct phishing simulation training?
Best practice is to run simulated campaigns at least quarterly, with varying levels of sophistication. Training should be continuous, with micro-lessons delivered regularly. After any major real-world phishing incident targeting your industry, consider an ad-hoc simulation to reinforce awareness.
Does the EU AI Act impact phishing defense tools?
Potentially, yes. If you use AI-based systems for email security, user behavior analytics, or automated incident response, they may fall under the EU AI Act. AI systems used for biometric identification or critical infrastructure are classified as high-risk. While most security tools may be lower risk, it's prudent to assess their classification. For more on AI governance, see our EU AI Act compliance guide.
What is the first step if we suspect a system is compromised via phishing?
Immediately isolate the affected system from the network to prevent lateral movement. Activate your incident response plan. Begin forensic data collection if possible. Simultaneously, assess whether the incident meets the criteria for reporting under NIS2 or DORA, and initiate the reporting clock. Notify internal legal and communications teams.
Next Steps: Building a Resilient, Compliant Future
The convergence of sophisticated phishing threats and stringent regulations like NIS2, DORA, and PSD2 requires a proactive, integrated approach. Start by conducting a gap analysis against these regulatory requirements. Prioritize employee training and patch management as immediate, high-impact actions. Consider leveraging specialized tools to streamline compliance monitoring and incident response workflows.
For organizations seeking to consolidate their compliance efforts, AIGovHub offers vendor solutions and dashboards that can help track NIS2 controls, manage DORA resilience testing schedules, and prepare for SOC 2 attestations. Remember, in the face of evolving threats and regulations, continuous improvement is not just best practice—it's a compliance imperative.
This content is for informational purposes only and does not constitute legal advice.