Instead of the standardization sought by NIS, in practice there was fragmentation at different levels of the EU internal market
[datensicherheit.de, 30.09.2024] The first law on cyber security within the European Union (EU), the so-called NIS Directive, came into force in 2016 and was intended to ensure a higher and broader level of cyber security in networks and information systems. “The NIS Directive should initially apply to the areas of healthcare, transport, banking and financial markets, digital infrastructure, water supply, energy and providers of digital services,” explains Holger Fischer, Director EMEA Central at OPSWAT, in his current statement, in which he describes the “bumpy implementation of the NIS-2 requirements” and the goals behind them. The NIS Directive was aimed in particular at achieving a high common level of cybersecurity in all EU member states. While it was initially able to improve the member states’ capabilities on cyber security issues, its implementation proved “difficult overall”. Instead of the desired standardization, in practice there was fragmentation at different levels of the EU internal market.
Holger Fischer: NIS-2 aims to improve the way the EU prevents, manages and responds to large-scale security incidents and crises
Replacement of the old NIS directive to strengthen cyber security requirements
Fischer continues: “In December 2020, the EU Commission responded to this situation with a new proposal, which then led to the NIS-2 Directive. In order to be able to react more decisively to the growing threats from digitalization and the increase in cyber attacks, a draft was then presented to replace the old NIS Directive and thereby strengthen the security requirements.”
NIS-2 aims in particular to improve the security of supply chains, simplify reporting requirements and introduce stricter supervisory measures and enforcement requirements in the EU, including harmonized sanctions across the EU. The expanded scope of NIS-2, which now effectively requires more companies and sectors to take appropriate measures, should help to raise the level of cybersecurity across the European area.
With NIS-2, the following areas of application have been added: providers of networks and data centers, waste control and destruction, space travel, production of medicines and chemical substances, postal and courier services, food systems as well as public administration.
NIS-2 Directive: aspects of practical implementation
With its expanded and stricter requirements, the NIS-2 Directive pursues a specific approach to risk management. Companies now have to identify the critical systems where cyber attacks could cause particular damage. “They should particularly focus on taking additional security measures in such areas to reduce risks and increase the opportunity for appropriate responses,” said Fischer.
The NIS-2 Directive further emphasizes the importance of measures that protect security throughout a company’s supply chain: “For example, you should consider security controls that limit or prevent external access to sensitive systems and information by third parties. It is also intended to ensure that all necessary security standards are met before establishing digital connections with other companies and people.”
Measures on which greater emphasis should be placed include, for example, stricter access controls, multi-factor authentication (MFA) and enhanced password policies. Organizations also need to have strict patching processes in place to ensure “that regular scans for vulnerabilities are carried out and new patches are applied immediately”.
OT operators particularly challenged by NIS-2
Operators of infrastructures for so-called operational technology (OT), such as manufacturers, energy producers and distributors, should ensure “that intelligent manufacturing and control devices are appropriately segmented and protected from unauthorized access”. In addition, they have to protect themselves against the risk that the embedded code in these devices is compromised by targeted malware, which could, for example, enter their OT networks via compromised firmware updates.
Fischer emphasizes: “Once access, systems and infrastructure are secured, attention should be focused on the backup of data that flows in and out of the organization. Many organizations overlook this security step or do not implement it effectively.”
Scanning the files transferred between members of the digital supply chain and customers can then uncover hidden malicious payloads. Techniques such as Content Disarm and Reconstruction (CDR) are able to identify specific threats and remove them. Files need to be examined and cleaned up “before they are processed and stored”.
NIS-2 has three principal goals:
- 1. NIS-2 objective: To increase the cyber resilience of a comprehensive group of companies operating in the EU in all relevant sectors
“This will involve introducing new rules to ensure that all public and private entities across the internal market, which perform important functions for the economy and society as a whole, take appropriate cybersecurity measures.”
This is also done by expanding the scope of the directive to include further sectors such as telecommunications, social media platforms and public administration. It stipulates that all medium-sized and large companies operating in the sectors covered by NIS-2 must comply with the security regulations. The possibility for EU member states to adapt the requirements to national specifics in certain cases will be abolished. “This had led to strong fragmentation between the different member states in the implementation of NIS-1.”
- 2. NIS-2 objective: There will be greater emphasis on reducing inconsistencies between states across the EU internal market
“To this end, the de facto scope, the requirements for safety and damage reporting and the provisions on national supervision and enforcement of the rules will be aligned.” In addition, the basic capabilities of the responsible authorities in the member states have been further standardized. NIS-2 contains a list of seven key elements that all companies must consider and implement as part of the measures they take:
These include, for example, incident response, supply chain security and vulnerability disclosure. In addition, a minimum list of administrative sanctions has been established, which should always be imposed “if companies violate cyber security risk management regulations or their reporting obligations set out in the NIS 2 Directive”.
- 3. NIS-2 objective: The preparation and response capabilities of the responsible authorities should be increased through measures to strengthen trust between the different authorities
In addition, the exchange of information and the establishment of rules and procedures for special events should be improved. The new rules are intended to improve the way “the EU prevents, manages and responds to large-scale security incidents and crises”.
To this end, clear responsibilities, appropriate planning and increased cooperation should be introduced in the EU.
Further information on the topic:
datensicherheit.de, 26.09.2024: NIS-2 directive puts pressure on: Outdated software on devices increases cyber risk / Complete, up-to-date inventory of software in all devices, machines and systems is a prerequisite for cyber security and compliance with legal regulations – from NIS-2 to CRA
datensicherheit.de, 18.09.2024: NIS-2: Deadline October 17, 2024 leaves no doubt about the need for action / The importance of NIS-2 goes beyond that of a compliance exercise – cybersecurity means future security
datensicherheit.de, 12.09.2024: NIS-2 directive: Communication is more than fulfilling the obligation to report to authorities / NIS-2 affects around 30,000 companies in socially important business areas such as energy supply, healthcare, transport and digital infrastructure