NIS2 blackjack – who will win with Article 21?

Global news | White Hat | April 26, 2023


The next few months are likely to be dominated by the NIS2 Directive in the cybersecurity industry. Let’s find out which article will trigger the most reactions!

There are emblematic passages in European cybersecurity regulations that turn up everywhere, from the press, through sales presentations by major technology companies, to university final exams. Article 32 of the GDPR is one such passage, and Article 21 of the NIS2 Directive (https://eur-lex.europa.eu/eli/dir/2022/2555#d1e3337-80-1) will certainly be another: a few lines that will fundamentally change information security requirements and could represent a multi-million-euro investment for organizations. To borrow the analogy of the card game blackjack, this 21 will be a serious gamble for those who take the risk of regulatory controls by not complying with the Directive, if only because, according to paragraph 4 of the article, national authorities will do their utmost to ensure that “an entity that finds that it does not comply with the measures provided for in paragraph 2 takes, without undue delay, all necessary, appropriate and proportionate corrective measures.”

Even paragraph 1 contains some interesting points that deserve closer explanation. Here we find requirements very similar to those of the GDPR, such as the mention of risk-based protection, but the text of the legislation already highlights the spill-over effects of cybersecurity incidents: the inter-dependencies through which an incident may affect other sectors as well. It is not enough to protect ourselves; we must also take into account the cyber-physical impact on our direct partners and even on indirect users! Another interesting point is that, again as in the GDPR, the use of state-of-the-art technologies should be considered, taking into account both European and international standards. A small contradiction is immediately apparent here: new product announcements in the field of cybersecurity techniques appear almost every week, yet implementing them takes considerable time. We can assume that solutions with European cybersecurity certification will be appreciated. Products certified to some standard may not always be the latest, but they will give the otherwise rather conservative European information security market a sense of which technologies are best to use.

But the real challenge will be to meet the set of requirements set out in paragraph 2! Risk analysis, incident management, business continuity, the existence of policies and proper authentication may no longer be unachievable requirements for a company. But how many organizations are prepared for supply chain security issues? Or for the secure development of IT products and systems? Or for widespread awareness of cyber hygiene within the company? Or for ensuring the security of human resources? All of these are areas to which classical (conservative, European) information security thinking has devoted very few resources, and where good practices are not necessarily in place and cannot simply be bought from a vendor as a ‘black box of everything’. These tasks require expertise that information security experts from the technology side do not necessarily have. This in turn increases the need for external experts and managed security service providers.

These managed security service providers may themselves be covered by NIS2, and may therefore be subject to the same requirements as critical infrastructure operators. Among other things, a deep analysis of the risks associated with such external service providers is called for in paragraph 3, which states that “entities take into account the vulnerabilities specific to each direct supplier and service provider and the overall quality of products and cybersecurity practices of their suppliers and service providers, including their secure development procedures.” According to paragraph 5, the Commission shall, by 17 October 2024, adopt detailed rules that will include, inter alia, the requirements for these managed security service providers. So how can a win-win situation be achieved in cybersecurity blackjack? It is likely to be difficult for an organization covered by NIS2 to meet all the requirements of Article 21 from its own resources. It is therefore advisable to engage an external service provider with the right skills in the relevant area to build and operate cybersecurity. The risks arising from outsourcing will be managed through the uniform European requirements expected for these managed security service providers. NIS2 therefore provides a good opportunity to achieve a uniformly high level of cybersecurity. Will Europe seize this opportunity?

Written by: White Hat
