On May 13, European policymakers reached a deal on a new law regulating cybersecurity for critical infrastructure entities (NIS 2 Directive). Cisco welcomes this agreement and the continued attention that the European Union (EU) is dedicating to secure critical infrastructure.
The pandemic brought awareness that disruption of operations can cause a cascade of consequences along the supply chain and disrupt critical industries like food supply, transport and manufacturing. But Colonial Pipeline provided a real-world example of how a cyberattack can disrupt critical infrastructure, taking out supply in the largest fuel pipeline on the US East Coast for almost a week last year.
And while Ukraine has been a testing ground for cyberattacks on the EU’s doorstep for several years, the full-scale invasion in February has crystallised awareness that we are operating in a new geopolitical environment, with cyberspace one of the battlegrounds.
A broader scope for a safer Europe
The new European Directive significantly broadens the scope of the existing legal framework by covering sectors like telecoms, post, food production, waste management, chemical and critical manufacturing.
The most significant change in scope is probably its application to the public administration, which is even more relevant given the tie-in to the European certifications that will apply to the public sector. While the carve-out for parts of the public administration may be a missed opportunity, Cisco welcomes the broader scope of the new Directive, under which critical sectors must be better protected from new threats as they digitalise.
Harmonisation will help uplevel cybersecurity for all
A broader scope only makes sense if there are mechanisms to ensure greater harmonisation of security measures and supervision across different sectors and countries in Europe. Not only do critical entities often operate across borders but they do not exist in isolation – they are part of a wider ecosystem of interdependencies up and down the value chain. Many of their vendors will be providing services that are offered across multiple sectors and consistency is important for effective security.
If it is not easy for a company like Cisco, with over 90 cloud services across 27 Member States and multiple different sectors, to distill rules into a meaningful set of security controls, imagine how complex it may be for smaller players with a variety of products in different markets.
Although it will be up to European Member States to transpose the Directive, we see that the tools are there for effective national implementation, provided they focus their energies on the secondary processes to determine a consistent set of security measures at European level and to coordinate supervision.
Operationalising security measures
We eagerly await the ENISA guidelines (mandated by the law) that will map appropriate standards and certifications to demonstrate compliance with the security measures. ENISA accomplished this job with aplomb for ‘digital service providers’ under NIS 1. We also look forward to learning the details on the use of European cybersecurity certification schemes and European and international standards.
As a security leader, Cisco’s products and services are generally well-prepared to meet the Directive’s requirements. We stand ready to support our customers throughout this change as they reinforce their security posture. The timing could not be better for the public release of the Cisco Cloud Controls Framework, which we think is a fantastic tool to operationalise NIS 2’s security measures by creating a rationalised and structured approach for meeting the standards and achieving the certifications that will demonstrate compliance.
Multi-factor authentication as a basis for better security
While the Directive rightly leaves it to technical guidance to determine the exact nature of the required technical and organisational security measures, we can’t help but give a nod to the call-out for multi-factor and continuous authentication.
In today’s world of hybrid work, administrators must not only verify a user’s identity, they also need to verify the posture of a multitude of devices before granting access to minimize the risk of unauthorized access. Multi-factor authentication is one of the best ways to thwart bad actors using stolen credentials. It decreases the risk of account compromise by 99.9%.
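The access decision described above, verifying both the user's identity with more than one factor and the posture of the device before granting access, and then re-checking the session as posture changes (the "continuous" part), can be expressed as a small policy evaluator. The code below is an added illustration, not Cisco's or any product's policy model; the factor names, posture attributes and sample records are constructed for the example.

```python
# Added example: an access-policy check that requires both a verified
# multi-factor login and a healthy device posture before granting access,
# then re-evaluates the session when posture changes ("continuous"
# authentication). Factor names, posture attributes and the sample
# records below are constructed for illustration only.
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, List


class Factor(Enum):
    PASSWORD = "password"          # knowledge factor
    TOTP = "totp"                  # possession factor (authenticator app)
    HARDWARE_KEY = "hardware_key"  # possession factor (FIDO2 key)
    PUSH = "push"                  # possession factor (app approval)


POSSESSION_FACTORS = frozenset({Factor.TOTP, Factor.HARDWARE_KEY, Factor.PUSH})


@dataclass(frozen=True)
class AuthContext:
    user: str
    factors_verified: FrozenSet[Factor]


@dataclass(frozen=True)
class DevicePosture:
    device_id: str
    managed: bool         # enrolled in device management
    os_patched: bool      # OS within the patch-currency window
    disk_encrypted: bool
    edr_running: bool     # endpoint agent healthy


@dataclass
class Decision:
    allow: bool
    reasons: List[str]


def evaluate_access(auth: AuthContext, posture: DevicePosture) -> Decision:
    """Allow only if identity is multi-factor verified AND the device is healthy."""
    reasons: List[str] = []

    # Identity: require a knowledge factor plus at least one possession factor.
    if Factor.PASSWORD not in auth.factors_verified:
        reasons.append("identity: knowledge factor (password) not verified")
    if not (auth.factors_verified & POSSESSION_FACTORS):
        reasons.append("identity: no possession factor verified (MFA required)")

    # Device posture: every check must pass; failures are reported individually
    # so the user (or help desk) knows what to fix.
    checks = [
        ("managed", posture.managed),
        ("os_patched", posture.os_patched),
        ("disk_encrypted", posture.disk_encrypted),
        ("edr_running", posture.edr_running),
    ]
    for name, ok in checks:
        if not ok:
            reasons.append(f"device {posture.device_id}: {name} check failed")

    return Decision(allow=not reasons, reasons=reasons)


class Session:
    """A granted session that is re-checked whenever new posture data arrives."""

    def __init__(self, auth: AuthContext, posture: DevicePosture):
        self.auth = auth
        self.decision = evaluate_access(auth, posture)
        self.active = self.decision.allow

    def reevaluate(self, posture: DevicePosture) -> Decision:
        # Continuous authentication: a session granted earlier is revoked as soon
        # as the device no longer meets policy (e.g. the endpoint agent stops).
        self.decision = evaluate_access(self.auth, posture)
        if not self.decision.allow:
            self.active = False
        return self.decision


# Constructed sample records (hypothetical user and device).
ALICE_MFA = AuthContext("alice", frozenset({Factor.PASSWORD, Factor.HARDWARE_KEY}))
ALICE_PASSWORD_ONLY = AuthContext("alice", frozenset({Factor.PASSWORD}))
HEALTHY_LAPTOP = DevicePosture("lt-0042", True, True, True, True)
EDR_STOPPED = DevicePosture("lt-0042", True, True, True, False)


if __name__ == "__main__":
    print(evaluate_access(ALICE_MFA, HEALTHY_LAPTOP))
    print(evaluate_access(ALICE_PASSWORD_ONLY, HEALTHY_LAPTOP))
    session = Session(ALICE_MFA, HEALTHY_LAPTOP)
    print(session.reevaluate(EDR_STOPPED), session.active)
```

The point the example makes is that the two checks are independent gates: a correct password and hardware key on an unhealthy device is still denied, and a session that was legitimately granted is withdrawn when posture drifts, rather than living on until it expires.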
Incident reporting – get ready!
As I write this blog, citizens in parts of Belgium are seeing their medical appointments canceled and other services disrupted in a cyberattack on a regional hospital group. This is the kind of attack the authorities want to keep a better eye on with their incident reporting provisions.
One aspect that makes us and others sweat, however, is the requirement to flag, within 24 hours, incidents that cause a significant financial implication or operational disruption to the service or to others.
One can debate the wisdom of such a short deadline as it limits entities’ ability to provide meaningful information, takes focus away from resolving the incident, and disincentivises notification if one misses the original deadline. Nonetheless, we will all have to get ready for it by adopting solutions to improve incident visibility and adapt existing incident response processes.
Next steps and continued collaboration
Formal adoption of the text by the Member States and European Parliament is expected in June, with the Directive entering into force the following month. With a 21-month transposition deadline, that gives Member States and industry approximately until April 2024 to get into shape.
Cybersecurity is never a done job; it is an ongoing journey involving all of us – whether that is being proactive about technology refreshes, detecting and responding to vulnerabilities, threats and incidents, or keeping on top of regulatory compliance. And for those of us focused on the latter and tempted to rest on our laurels now that NIS 2 is in the bag, note that the European Cyber Resilience Act is just around the corner.
To find out more about Cisco security news, visit https://blogs.cisco.com/security