Statistics indicate that cyber-attacks across the world rose by 45%, especially those targeting critical infrastructure (a term used by governments to designate assets of national importance for the effective functioning of society and the economy), alongside a staggering 220% increase in cyber-attacks on members of the European Union between 2020 and 2021. Given such numbers, the importance of an effective framework to tackle these violations cannot be over-emphasized.
To fight such cyber-attacks and prevent further incidents, the European Union, on January 16, 2023, approved the implementation of the new Network and Information Security Directive (“NIS2”) and the Directive on the resilience of Critical Entities (“CER Directive”). Hailed as a game changer and a much-needed boost to cyber-security across the EU, these two directives, and the implications of their implementation, are the subject of this blog post.
NIS2 and CER: An Upgrade or a Fancy Veil?
The second Network and Information Security Directive (NIS2)
As stated above, with the rise in cyber-threats and the widespread adoption of computers and internet-enabled devices during COVID-19, cyber-attacks have been increasing. The EU has approved NIS2 to take over the remit previously held by the original NIS Directive. Alongside NIS2, the CER Directive will replace the European Critical Infrastructure Directive to build a stronger body of regulation for critical entities and networks.
Some of the advantages associated with the new NIS2 Directive are as follows:
- Broader Scope: Compared with the first framework, the number of entities subject to duties under the NIS2 Directive will increase considerably. This is mainly because, unlike under the original NIS Directive, Member States no longer have to identify individually the organizations deemed essential and therefore subject to its requirements. Since the NIS2 Directive now defines the criteria itself, a much larger range of companies is covered.
- Reinforced Obligations: Under the NIS2 Directive, essential and important entities must put technical, operational, and organizational measures in place to manage the risks to the security of their networks and information systems and to prevent or minimize the impact of incidents. Among other things, these measures must address incident handling, business continuity, the use of encryption and secure authentication, and training.
- Enforcement: Any incident that significantly affects the delivery of a service by an essential or important entity must be reported without undue delay to the national computer security incident response team (CSIRT) or, where applicable, the competent authority. Competent authorities will have a broad range of enforcement and investigative powers, including, amongst others, the capacity to carry out on-site inspections, conduct security audits, and demand data, information, and documents.
- Security Requirements: NIS2 provides a list of security measures that must be implemented.
- Supply Chain Security: Companies must thoroughly examine the security of their supply chain.
The Directive on Critical Entities (CER Directive)
The three primary areas covered by the CER Directive are international cooperation, preparedness, and responsiveness.
Under the CER Directive, Member States must carry out a risk assessment at least every four years to identify the entities that provide essential services, and must adopt a national strategy to implement the changes.
Critical entities covered by the CER Directive must, in turn, conduct their own risk assessments. They must also have measures in place to ensure their resilience and must notify the competent authorities of disruptive incidents.
The EU Commission and Member States are urged to collaborate on a strategy for a coordinated response to disruptions of critical infrastructure with significant cross-border implications.
Some of the advantages associated with the new CER Directive are as follows:
- The new rules will increase the resilience of critical infrastructure against a variety of threats, including terrorism, insider threats, natural disasters, and sabotage, all of which may involve cyber security or related issues.
- Energy, transportation, banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure, public administration, space, and food are among the 11 important sectors that are covered by the CER Directive.
- Member states will need to identify the important entities that offer vital services, conduct a risk assessment at least every four years, and develop a national strategy to improve the resilience of critical entities.
- Critical entities must determine the pertinent risks that might seriously impair the delivery of important services, take the necessary precautions to maintain their resilience, and report disruptive occurrences to the appropriate authorities.
The NIS2 Directive (the second Network and Information Security Directive) aims to improve the security of network and information systems across the EU. It sets out the legal framework for a common level of network and information security across all Member States and establishes cybersecurity obligations for certain operators of essential services and digital service providers. The directive is designed to increase the resilience of critical infrastructure by requiring operators of essential services to put in place effective measures to prevent, detect, and respond to cyber threats. This is particularly important given the increasing frequency and severity of cyber-attacks and their potential to cause significant disruption and harm to critical infrastructure.
The CER Directive (the Directive on the resilience of Critical Entities) complements the NIS2 Directive by establishing a common framework for the identification and designation of European critical infrastructure. It aims to ensure the resilience and security of critical infrastructure by requiring Member States to identify and protect it in a consistent and coordinated manner. The directive also requires Member States to carry out regular risk assessments of critical infrastructure and to ensure that appropriate measures are in place to prevent and mitigate potential threats.
These directives are important steps toward improving the cybersecurity and resilience of critical infrastructure across the EU. They provide a common framework for Member States to work towards, helping to create a more coordinated and effective response to cyber threats. By requiring operators of essential services to take effective measures to prevent, detect and respond to cyber-attacks, the NIS2 Directive can help to reduce the risk of disruption to critical services, protect personal data and ensure the safety and security of citizens. The CER Directive can help to ensure that critical infrastructure is identified and protected consistently across the EU, reducing vulnerabilities and strengthening the resilience of the region’s infrastructure.
reliability, manageability, and security to the business transaction. Upgrading processes and software helps in implementing encryption, data loss prevention, and file access monitoring to strengthen supply chain security. In the event of a supply chain attack, your response should be planned and coordinated, not sporadic and lacking in strategy. A well-crafted incident response plan should prepare your security team for every supply chain attack scenario with minimal impact on business continuity.
Vulnerability Mitigation and Penetration Testing
Run a vulnerability scan to identify basic security concerns. Fixing insecure database configurations and poor password policies and securing endpoints reduces risk with minimal impact on downtime or productivity. Penetration testing, in turn, helps to find advanced supply chain security threats overlooked by security systems. Hence, engaging penetration test specialists can help to uncover vulnerabilities, through phishing simulation and red teaming, in all aspects of old and new applications and in the IT infrastructure underlying the supply chain.
Zero Trust Strategy
NIST (the National Institute of Standards and Technology) designed the cybersecurity architecture known as Zero Trust. This approach operates on the presumption that any network activity, internal or external, poses a security risk, and that all users are to be treated as threat actors unless shown otherwise. Zero Trust is effective at preventing and identifying supply chain threats because it uncompromisingly verifies every user. The scale of the problem is underlined by IBM’s latest Cost of a Data Breach report, which found that one in five breaches occurred because of a compromise at a business partner, with a supply chain breach taking on average 26 days longer to identify and contain than the global average. The total cost of a supply chain compromise was $4.46 million, 2.5% higher than average. The report also found that the global average cost of a data breach has hit an all-time high of $4.35 million, up nearly 13% over the last two years.
Stay ahead of the game by keeping up with the latest cybersecurity developments, including the new cybersecurity directives NIS2 and CER. These directives are designed to improve cybersecurity across various sectors, including energy, transport, finance, and healthcare.
To ensure that your organization is compliant with these directives, it is essential to have a comprehensive cybersecurity strategy in place. This strategy should include regular security assessments, employee training, and the implementation of robust security measures such as firewalls, intrusion detection systems, and encryption.
At TSAARO, we offer a wide range of cybersecurity services and solutions to help organizations stay secure and compliant with the latest directives. Our team of experts can assess your organization’s cybersecurity posture, identify vulnerabilities, and develop customized solutions that meet your unique needs.
Contact us today to learn more about how we can help your organization stay secure and compliant with the latest cybersecurity directives.