
NIS 2… was necessary
On 30 January 2020, the World Health Organisation declared a public health emergency for COVID-19 that would disrupt all our lives. Weeks later, most citizens were confined to their homes and had to work remotely. Of course, not everyone was ready for it, and neither were organisations. Cybercrime groups, however, were quicker than anyone to see the opportunity this presented. The boundary between being inside and outside corporate information systems had broken down, and measures such as two-factor authentication became a necessity. These groups were not going to let the situation pass.
In the meantime, cybercrime groups have adapted quickly to the evolution of the defensive deployments and operational actions carried out by entities, and to a constantly evolving security industry. When large corporations deployed more robust cyber-security systems, attackers sought alternative ways into them: for example, by attacking the supply chain, mimicking the operations of administrators or learning to use operating systems at a low level.
In line with attacks on the supply chain, adversaries also found sectors that were apparently not critical, and therefore not bound by the NIS Directive, where cyber-attacks have significantly affected a considerable number of citizens. Nor did the enforcement of the rule seem to be flowing properly. For example, if the NIS regulation stated the need to communicate, why was this not being done, or at least not as expected? If we read the articles of the Directive, it does not specify deadlines for its implementation. It is curious that Article 23 on notification carried the following heading: 'Flexibility in the observance of deadlines for notification'. Now, the new NIS 2 standard sets crystal-clear deadlines.
The EU has rushed to issue a directive such as NIS 2 when the previous one was only 6 years old
Factors such as those mentioned above are undoubtedly the inspiration for the NIS 2 Directive we were talking about recently. And we can say that the European Union has been quick to bring out a directive such as NIS 2 when the previous one was only 6 years old. But the trend in cybercrime demanded changes and, above all, clarification of some aspects that had remained nebulous.
On the one hand, transposition has pinned down the functions and mechanisms of the relationship between the different actors affected by the Directive. On the other hand, it has made clear to organisations the role of the Security Officer, as well as the need for co-responsibility and the necessity, if not outright obligation, to collaborate towards a common goal.
Once the preliminary draft was presented, the deadlines were only half-drawn. Although it can logically be modified when the Law is published, April this year seems to be a key date, setting the day on which the names of the entities listed as essential and important will be notified. From then on, it is time to adapt, and without much delay. The NIS 2 Directive is in force, and the Law will determine that its entry into force takes place on the day following its publication in the Official State Gazette.
Those who have already worked their way towards ENS (Spain's Esquema Nacional de Seguridad) certification at the high level will find it easier. So will those that are ISO 27001 certified, although a certain gap will have to be covered, as the technical measures are not necessarily fully aligned. For those who have not travelled this path, it will be a little more difficult. But it is not impossible, if the will is there.
DORA is an example of Lex specialis that is harmonised with the NIS Directive
What have we been doing at Izertis during this time? First of all, preparing and developing the capabilities to help our customers adapt to or implement these upcoming regulations. It is true that we already have a long history of knowledge and implementation of many regulations already in force, but each of them has its own particularities.
Secondly, we have been identifying who, why and how. And the Directive has its own peculiarities. For example, if we talk about the essential sector 'Road transport' and stick to the literal meaning of the expression, we may fall into a logical confusion. But if we read the accompanying text regarding the type of entity, it clarifies that it applies to 'Intelligent Transport System Operators as defined in Article 4(1) of Directive 2010/40/EU of the European Parliament and of the Council (14)'.
It is also necessary to consider who may a priori be affected by sector, yet is not covered by the NIS 2 Directive. Here an interesting legal principle applies: 'Lex specialis derogat legi generali' (a specific law overrides a general one). DORA (the Digital Operational Resilience Act) is an example of Lex specialis which is harmonised with the NIS Directive.
Since many organisations have gone down paths such as ENS compliance or ISO 27001, we have prepared a gap review for agile adaptation. This is because in some cases incident response procedures, communication protocols or supply chain assessment processes may need to be adapted.
Our architecture and hardening team has been working for years on regulations as sensitive as those for classified material, adapting information systems to the most complex measures, where Zero Trust is not an option but an obligation. They therefore have the skills to help organisations implement the measures required by the standard. And, as if that were not enough, they are complemented by offensive security teams that, in a coordinated effort, take the attacker's point of view to discover the gaps that need to be closed.
Finally, organisations can rely on the support offered by our Sidertia solution. Self-assessment under a continuous analysis model, or a technical analysis and assessment of the supply chain, is simple to carry out with our solution. In addition, a history of the evolution of compliance is kept, with the different assets centralised and approached from different viewpoints: global, business, technical, etc.
The challenge is launched and we are fully prepared.