Operationalizing NIS in digital infrastructures: a testimonial from DNS Belgium – Webinar 11 June 2020
11 June 2020 – Cyber Security Coalition
A new series of webinars by the NIS Focus Group, chaired by Kurt Callewaert (HOWEST), zooms in on ‘digital service providers’ and related digital infrastructures. A most interesting kick-off was the testimonial on NIS implementation by Kristof Tuyteleers, security officer at DNS Belgium, a most critical infrastructure provider if there ever was one, as the top-level domain registry for .be, .brussels and .vlaanderen. As a small organization of 35 people, DNS Belgium is challenged to cope with requirements from two complementary pieces of European legislation: the NIS Directive (concerning critical infrastructure, rather reactive by nature) and the European Cybersecurity Act (e.g. security by design, rather proactive). This means effectively integrating standards (e.g. the 27K family) with technical standards and best practices, while translating all of this into everyday, real-life security measures, including the relevant audits and monitoring.
The presentation provides a concise and clear overview of this sector of the Internet ecology, indicating the role and position of an organization such as DNS Belgium. Kristof Tuyteleers provided quite a few insights into how his organization tackles its challenges, internally and as a member of a collaborative European centre (with Tuyteleers chairing its Security working group). He stresses the use of a statement of applicability to map standards to needs, and points out the need for ways to monitor the effectiveness of it all (by combining audit results, KPIs, statistics, etc.). However, “I’m still missing some real security testing!” Also, some more sector-specific guidance would be welcome, including clear ‘do’s and don’ts’. With European colleagues, he authored a very helpful ‘security maturity model’ to evaluate the security posture of an organization. He also emphasized that “we need the cooperation of all of you” to implement secure services such as DNSSEC!