The NIS.2 Directive: NIS with teeth? Or biting off more than we can chew?
9 June 2021 – Cyber Security Coalition
Ready for NIS.2?
The 2016 NIS directive only concerns a limited number of crucial organizations, so your company needn’t bother? Ooooops, with NIS.2 you might be very, very wrong! So check out this presentation.
Though the initial NIS directive (on Security of Network and Information Systems) has not yet run its first full cycle (with the first external audits not until 2023), its limitations are already clear: too limited in scope; too many differences in national approaches and variations in resources; and not enough information sharing. So a NIS.2 proposal has been introduced.
Though still very much a work in progress, with no enforcement expected before 2024, organizations would do well to start evaluating its impact on their security posture today. And no better place to start than the presentation “NIS2: NIS with teeth? Or biting off more than we can chew?” by Pieter Byttebier of the Center for Cybersecurity Belgium (CCB). As International Relations Officer, he is deeply involved in the discussions around the NIS.2 proposal.
The proposal rests on three pillars: member state capabilities; risk management; and cooperation and information exchange. In his presentation, Pieter Byttebier touches upon five key questions, with ‘will NIS.2 apply to my organization?’ foremost among them. And let’s be clear: the overview of ‘essential’ and ‘important’ entities listed in the Annexes of the NIS.2 proposal illustrates the much broader scope of this directive. As an example, take ‘important entities, sector manufacturing, subsector manufacture of machinery and equipment n.e.c.’ as referred to in ‘section C division 28 of NACE Rev.2’: not many companies in this subsector will evade NIS.2… Micro companies with fewer than 50 personnel and less than 10 million euro annual turnover will be exempted, but national authorities could still include them selectively.
One other question concerns the ‘teeth’ of NIS.2. Entities will face a range of sanctions, such as warnings and administrative fines, but that is not all. Management must sign off on cyber security measures, and in ‘essential’ entities management will be held liable, including temporary bans against managers.
Again, this NIS.2 proposal is still very much a work in progress, so Pieter Byttebier is inviting input from organizations on all aspects of it. Start with his presentation, and do contact him. And find out whether NIS.2 ‘as is today’ applies to your organization, so you can start to prepare. That is not wasted effort: any measures you take make your company more secure and act as business enablers.