EDR/XDR: Continuous detection aligned with NIS 2 (Art. 21) and DORA (Art. 10)
Executives must demonstrate continuous and effective incident detection. A well‑deployed EDR/XDR stack meets NIS 2 Art. 21 and DORA Art. 10 requirements with auditable technical evidence.
What the law requires
Two texts now mandate solid and measurable detection and incident management capabilities:
- NIS 2 – Article 21: “essential” and “important” entities must implement cybersecurity risk‑management measures covering, among others, incident handling, effectiveness assessment, cyber hygiene and access control. In practice: be able to detect, analyze, contain and document incidents, and provide evidence. See the consolidated text on EUR‑Lex — Directive (EU) 2022/2555 (NIS 2).
- DORA – Article 10 (Detection): financial entities must operate multi‑layered detection mechanisms with alert thresholds, triggering criteria, and automated notifications to response teams. These capabilities integrate with Chapter III incident management (classification and notification). See the regulation on EUR‑Lex — Regulation (EU) 2022/2554 (DORA). A structured presentation of Art. 10 is available here: Judict — DORA Article 10. The CSSF also recalls the entry into application on 17 January 2025 and the primacy of DORA over overlapping circulars: CSSF — Entry into application of DORA.
To guide concrete implementation of Article 21, ENISA publishes technical guidance with example evidence and mappings to standards: ENISA — NIS2 Technical Implementation Guidance. These guidelines detail, among other things, detection and incident response (operations and expected evidence). For a concise compliance overview, see our page on the DORA regulation.
The technical solution (state of the art)
EDR/XDR (Endpoint/Extended Detection & Response) is the core component for continuous detection required by NIS 2 and DORA:
- Coverage: agents on workstations, servers and cloud workloads (EDR), enriched by correlating network/identity/SaaS logs via an XDR platform.
- Real‑time detection: rich telemetry (processes, commands, loaded modules, connections) and detection models (rules, ML, behaviors) to identify ATT&CK TTPs (discovery, privilege escalation, lateral movement).
- Guided response: endpoint network isolation, process kill, persistence removal, automated forensic artifact collection (timelines, hashes, sockets).
- Evidence chain: timestamps, log integrity, preservation and export of artifacts to investigate and justify notifications (NIS 2 / DORA).
- SOC/SIEM/SOAR integration: cross‑source correlation, escalation playbooks, and compliance‑oriented reports (classified alerts, MTTA/MTTR, action logs).
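The cross-source correlation described above, shown as an added example (not Luxgap's or any vendor's detection content): a minimal rule over constructed identity and endpoint telemetry that flags remote-service lateral movement (ATT&CK T1021 family) when a network logon to a host is followed, within a short window, by services.exe spawning a shell-like child on that host, the typical footprint of PsExec-style execution. Field names, host and user names, the time window and the allowlist are assumptions made for the demo, and the alert keeps both raw events so they can be exported with the incident report.

```python
"""Added example, not the page's or any vendor's code. Correlates constructed
EDR/identity events to flag remote-service execution (assumed ATT&CK T1021
mapping). All field names and sample values are assumptions for the demo."""
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)                       # assumption: tune per environment
SHELL_LIKE = {"cmd.exe", "powershell.exe", "wmic.exe"}
ALLOWLIST = {"backup-svc"}                          # documented service-account exception

# Constructed telemetry (not real data): logon events (identity) and process events (EDR).
EVENTS = [
    {"ts": "2025-03-03T09:00:05", "host": "srv-01", "type": "logon", "logon_type": 3,
     "user": "alice", "src_ip": "10.0.5.20"},
    {"ts": "2025-03-03T09:00:40", "host": "srv-01", "type": "process", "user": "alice",
     "parent": "services.exe", "image": "cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"ts": "2025-03-03T09:01:00", "host": "ws-17", "type": "process", "user": "bob",
     "parent": "explorer.exe", "image": "cmd.exe", "cmdline": "cmd.exe"},
    {"ts": "2025-03-03T09:10:00", "host": "srv-02", "type": "logon", "logon_type": 3,
     "user": "backup-svc", "src_ip": "10.0.9.2"},
    {"ts": "2025-03-03T09:11:00", "host": "srv-02", "type": "process", "user": "backup-svc",
     "parent": "services.exe", "image": "cmd.exe", "cmdline": "cmd.exe /c backup.bat"},
]


def _t(s):
    return datetime.fromisoformat(s)


def detect_remote_service_execution(events, window=WINDOW, allowlist=ALLOWLIST):
    """One alert per (host, user) whose type-3 (network) logon is followed within
    `window` by services.exe spawning a shell-like process on the same host."""
    alerts = []
    recent_logons = {}                              # (host, user) -> logon event
    for e in sorted(events, key=lambda ev: _t(ev["ts"])):
        key = (e["host"], e["user"])
        if e["type"] == "logon" and e.get("logon_type") == 3:
            recent_logons[key] = e
        elif (e["type"] == "process" and e.get("parent") == "services.exe"
              and e.get("image") in SHELL_LIKE):
            logon = recent_logons.get(key)
            if logon is None or _t(e["ts"]) - _t(logon["ts"]) > window:
                continue                            # no recent remote logon: not this pattern
            if e["user"] in allowlist:
                continue                            # approved exception, still logged upstream
            alerts.append({
                "technique": "T1021 remote services (assumed mapping)",
                "severity": "high",
                "host": e["host"], "user": e["user"], "src_ip": logon["src_ip"],
                "detected_at": e["ts"],
                "evidence": [logon, e],             # raw events for the evidence chain
            })
    return alerts


if __name__ == "__main__":
    for a in detect_remote_service_execution(EVENTS):
        print(a["severity"], a["host"], a["user"], "from", a["src_ip"], "at", a["detected_at"])
```

On the constructed data only srv-01/alice fires; the backup-svc case is suppressed by the allowlist, which is the kind of exception that should be recorded in the detection policy rather than silently hard-coded. Pass `allowlist=set()` to see both hits.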
Aligned control frameworks:
- ISO/IEC 27001:2022: Annex A.8.16 (monitoring activities), A.8.7 (protection against malware), A.8.15 (logging), A.5.15 (access control) — EDR/XDR delivers monitoring, logging and containment controls.
- NIST CSF 2.0: Detect (DE.CM — continuous monitoring, DE.AE — adverse event analysis) and Respond (RS.AN/RS.MI — incident analysis and mitigation).
- CIS Controls v8: C13 (Network Monitoring & Defense), C8 (Audit Log Management), C6 (Access Control Management) — EDR/XDR telemetry feeds these controls.
Additional public best practices: BSI frames IDS/EDR as network/system “alarms” and highlights escalation and retention of attack data for attribution and compliance: BSI — IDS guide (overview), BSI — Concepts, BSI — Organisational/legal aspects.
How Luxgap deploys this
Our approach is “provable compliance” from day one:
- Our managed SOC (24/7): multi‑vendor EDR/XDR integration, SIEM correlation, detection scenarios mapped to MITRE ATT&CK and to NIS 2 Art. 21/DORA Art. 10. SOAR playbooks include: host isolation, binary blocking, artifact extraction and a formatted incident report (timeline, indicators, actions) reusable for regulatory notifications.
- Our ISO 27001 governance: our Lead Implementers define your detection policy, alert thresholds, indicators (MTTA/MTTR, agent coverage), and log retention/integrity. We establish the matrix of expected evidence (e.g., effectiveness per NIS 2 Art. 21(2)(f)). To frame certification work, see ISO 27001 in Luxembourg.
- Our outsourced DPO and CISO: scope personal data impacts (EDR logs), minimization/retention, and alignment with notification circuits (NIS 2/DORA) and customer communications required by DORA Chapter III.
Practically, we deliver a compliance runbook: mapping between alerts/incident types and obligations (DORA severity criteria, NIS 2 handling/notification), with report templates and artifact export models.
Concrete case in Luxembourg or the EU
A Luxembourg PSF de support subject to DORA and potentially NIS 2 (via MSP services) had legacy antivirus and scattered logs. In six weeks: EDR on 1,200 endpoints (>95% coverage), XDR + SIEM integration, isolation playbooks and automated artifact collection. Outcome: first lateral movement (T1021) detected and contained in <15 minutes; one‑click exportable incident report with timeline, IOCs and actions—used as‑is for internal prudential notification and to prepare DORA Chapter III obligations. Effectiveness evidence (blocking rate, escalation delays) was filed under NIS 2 Art. 21(2)(f), per ENISA guidance.
First concrete steps
- Map covered surface: inventory endpoints/servers and measure the EDR agent installation rate against that inventory. Target ≥95% coverage, with a time‑stamped gap list (evidence of effectiveness per NIS 2 Art. 21(2)(f)).
- Define thresholds and playbooks: tie each EDR/XDR alert type to a severity threshold and an escalation playbook. Align thresholds with DORA Art. 10 (detection) and Chapter III classification.
- Ensure log integrity and retention: sign/hash, centralize in a SIEM, document retention periods (ISO 27001 A.8.15). Monthly export test of the “evidence pack” (alerts, actions, timestamps).
- Test technical response: monthly containment exercise (endpoint isolation, persistence removal) and verify MTTA/MTTR, with report mapped to NIST CSF Detect/Respond.
- Align governance and notification: validate escalation chain to DPO/CISO, prepare compliant report templates (NIS 2 Art. 21 — incident handling; DORA Chapter III) and regulatory points of contact (e.g., CSSF for DORA). For local operational context, also see DORA Luxembourg.
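The first four steps above produce numbers and artifacts an auditor will ask to see. As an added example (not Luxgap's runbook or any vendor tool), the following script computes the three on constructed data: agent coverage with a time‑stamped gap list, MTTA/MTTR from alert records, and an HMAC‑signed SHA‑256 manifest for the exported evidence pack with a verifier that detects a tampered or missing file. Host names, alert fields, file names and the signing key are assumptions for the demo.

```python
"""Added example, not the page's or any vendor's code. Coverage, MTTA/MTTR and
evidence-pack integrity on constructed inputs; names and the key are assumptions."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# 1. Coverage: CMDB inventory vs. hosts reporting an EDR agent (constructed sets).
INVENTORY = {"srv-01", "srv-02", "srv-03", "ws-10", "ws-11", "ws-12", "ws-13", "ws-14", "ws-15", "ws-16"}
EDR_HOSTS = {"srv-01", "srv-02", "ws-10", "ws-11", "ws-12", "ws-13", "ws-14", "ws-15", "ws-16"}


def coverage(inventory, edr_hosts, target=0.95, now=None):
    """Coverage rate plus a time-stamped list of inventoried hosts without an agent."""
    now = now or datetime.now(timezone.utc)
    gaps = sorted(inventory - edr_hosts)            # in inventory, no agent check-in
    rate = (len(inventory) - len(gaps)) / len(inventory)
    return {"rate": rate, "meets_target": rate >= target,
            "gap_list": [{"host": h, "observed_at": now.isoformat()} for h in gaps]}


# 2. MTTA / MTTR from alert records carrying creation, acknowledgement and closure times.
ALERTS = [  # constructed records
    {"id": "A1", "created": "2025-03-03T09:00:40Z", "acked": "2025-03-03T09:04:40Z", "closed": "2025-03-03T09:14:40Z"},
    {"id": "A2", "created": "2025-03-04T14:00:00Z", "acked": "2025-03-04T14:06:00Z", "closed": "2025-03-04T14:26:00Z"},
]


def _t(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def response_metrics(alerts):
    """Mean time to acknowledge and mean time to resolve, in minutes."""
    tta = [(_t(a["acked"]) - _t(a["created"])).total_seconds() / 60 for a in alerts]
    ttr = [(_t(a["closed"]) - _t(a["created"])).total_seconds() / 60 for a in alerts]
    return {"mtta_min": sum(tta) / len(tta), "mttr_min": sum(ttr) / len(ttr)}


# 3. Evidence pack integrity: per-file SHA-256 manifest, HMAC-SHA256 over the manifest.
KEY = b"demo-evidence-signing-key"                  # assumption: real key lives in a KMS/HSM
PACK = {                                            # constructed export, name -> bytes
    "alerts.json": json.dumps(ALERTS).encode(),
    "timeline.json": b'[{"ts":"2025-03-03T09:00:40Z","action":"alert raised"}]',
    "actions.log": b"2025-03-03T09:04:40Z isolate srv-01\n2025-03-03T09:14:40Z close A1\n",
}


def _sha256(data):
    return hashlib.sha256(data).hexdigest()


def _canonical(manifest):
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(files, key, generated_at):
    """Return (manifest, signature); the manifest binds every file hash and the export time."""
    manifest = {"generated_at": generated_at,
                "files": {name: _sha256(data) for name, data in sorted(files.items())}}
    return manifest, hmac.new(key, _canonical(manifest), hashlib.sha256).hexdigest()


def verify_pack(files, manifest, signature, key):
    """Check the manifest signature first, then that the file set and every hash match."""
    expected = hmac.new(key, _canonical(manifest), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature):
        return False, "manifest signature mismatch"
    if set(files) != set(manifest["files"]):
        return False, "file set differs from manifest"
    bad = [n for n, d in files.items() if _sha256(d) != manifest["files"][n]]
    return (False, f"hash mismatch: {bad}") if bad else (True, "ok")


if __name__ == "__main__":
    print(coverage(INVENTORY, EDR_HOSTS))
    print(response_metrics(ALERTS))
    manifest, sig = build_manifest(PACK, KEY, "2025-03-31T00:00:00Z")
    print(verify_pack(PACK, manifest, sig, KEY))
    tampered = dict(PACK, **{"timeline.json": b"[]"})
    print(verify_pack(tampered, manifest, sig, KEY))
```

The HMAC key should not be readable by the people who administer the SIEM, otherwise the signature proves nothing to an auditor; an asymmetric signature from a KMS or HSM is the stronger option when the pack is shared with a regulator. The monthly export test from the steps above is simply running the build and verify pair and filing the result.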
Official sources
- EUR‑Lex — Directive (EU) 2022/2555 (NIS 2), Art. 21
- EUR‑Lex — Regulation (EU) 2022/2554 (DORA), notably Art. 10 and Chapter III
- ENISA — NIS2 Technical Implementation Guidance (26 June 2025)
- CSSF — Entry into application of DORA (reminder and interaction with circulars)
- BSI — Guidance on IDS/EDR implementation — overview
Need a quick assessment? Luxgap can deliver a two‑week detection compliance check: EDR/XDR coverage, alert thresholds, exportable evidence and preparation for regulatory notifications.