Three regulatory frameworks are raising the bar for security reporting. Here's what each requires, where they converge, and what it means for how you build your metrics infrastructure.
For most of the last decade, cybersecurity reporting to boards and regulators was discretionary in form. Organizations knew they should report on security posture, but how, how often, and with what level of rigor was largely up to them. That era is ending.
Three regulatory frameworks — the SEC’s cybersecurity disclosure rules, the EU’s NIS2 Directive, and the Digital Operational Resilience Act (DORA) — are imposing structured, auditable, and in some cases mandatory cybersecurity reporting obligations on organizations across sectors. Understanding what each requires, and where they converge, is now a core CISO responsibility.
The U.S. Securities and Exchange Commission finalized its cybersecurity disclosure rules in 2023. The rules apply to all public companies and create two distinct obligations.
The first is incident disclosure: material cybersecurity incidents must be disclosed on Form 8-K within four business days of a materiality determination. This is an operational trigger, not a metrics requirement — but it has prompted organizations to sharpen their definitions of materiality and their internal escalation processes.
The second is the more structurally significant obligation: annual disclosure of cybersecurity risk management, strategy, and governance in the Form 10-K. This includes describing how the organization identifies, assesses, and manages cybersecurity risk, and the board’s role in overseeing that process.
The practical implication is that boards must now have a documented, explainable cybersecurity oversight process — which means CISOs must provide the board with the information necessary to exercise that oversight. Informal briefings and one-off presentations are insufficient. Regular, structured, consistent security reporting is now a governance expectation, not a courtesy.
The Network and Information Security Directive 2 (NIS2) significantly expanded the scope of the original NIS Directive, extending mandatory cybersecurity obligations to a much broader range of organizations operating in the EU, including those in energy, transport, health, finance, water, digital infrastructure, and managed services.
NIS2 requires organizations in scope to implement risk management measures and report significant incidents to national authorities. But beyond the incident reporting obligation, the directive places explicit responsibility on management bodies — boards and senior leadership — for approving cybersecurity measures, overseeing their implementation, and bearing direct accountability for compliance.
This is a shift in organizational governance, not just a reporting requirement. When boards are personally accountable for cybersecurity compliance, the quality of the information they receive from security teams becomes a governance matter. CISOs operating in NIS2-scope organizations face a direct obligation to produce metrics that allow their boards to exercise informed oversight — and to demonstrate that this is happening.
The Digital Operational Resilience Act applies to financial entities operating in the EU and their critical ICT third-party providers. It came into full effect in January 2025 and introduces one of the most prescriptive cybersecurity reporting frameworks applied to any sector.
DORA requires financial entities to maintain ICT risk management frameworks, conduct regular resilience testing, manage third-party ICT risk, and report major ICT-related incidents through a structured process. Critically, it requires that senior management maintain active awareness of ICT risks and that boards receive regular reporting on the entity’s ICT risk exposure and resilience posture.
For CISOs in financial services, DORA means that security metrics are no longer an internal program management tool — they are regulatory evidence. The metrics must be defined, collected, and reported in a way that could be presented to a regulator as proof of a functioning risk management process.
Despite their different jurisdictions and scopes, SEC disclosures, NIS2, and DORA share three common expectations.
Board oversight is explicit. All three frameworks require that boards and senior leadership be actively engaged in cybersecurity governance, not just informed after the fact. This requires regular, structured security reporting as a matter of governance hygiene.
Auditability is required. The days of informal security updates are ending. Regulatory frameworks expect that security posture assessments, risk management processes, and incident responses are documented and reproducible. Metrics that cannot be traced to their source data are a liability in this environment.
Materiality and risk must be communicated in business terms. All three frameworks are oriented around risk to the organization and its stakeholders, not technical performance. CISOs who continue to report in purely technical terms will struggle to satisfy governance expectations that are framed in business and risk language.
The combined effect of these frameworks is to raise the bar for what counts as credible security reporting. Organizations that have been managing security metrics informally — through spreadsheets, manual exports, and periodic one-pagers — will find that approach increasingly untenable.
The metrics infrastructure required to satisfy these regulatory expectations is the same infrastructure that makes security reporting genuinely useful: normalized data, documented metric definitions, reproducible computation, time-series storage, and role-appropriate reporting cadences.
Regulatory compliance and operational excellence in security metrics are, in this sense, pointing in the same direction. Building the infrastructure now, ahead of enforcement pressure, is both a risk management decision and a competitive advantage.
Platforms like Metric Maestro are designed precisely for this environment — normalizing data from existing security tools, computing KPIs with full auditability, and producing board-ready reporting on a consistent cadence. For organizations navigating SEC, NIS2, or DORA obligations, it is a practical starting point worth evaluating.