< Back
Copyright: perfectpixelshunter

Tags:

Cyber protection Regulation
12 February 2024

Cybersecurity is not voluntary

By Eric ten Bos, co-founder & technical lead of the Thales Cyber OT Convergence Center (OTCC)

When it comes to cybersecurity, organisations have taken great steps over the last few years. Cybersecurity awareness is increasing, and various initiatives to improve digital resilience have been launched at national and international levels. But the results of all these efforts are still falling short. All too often, it is clear that vulnerabilities in infrastructure are resulting in security incidents and data breaches. The time has therefore come to step up the pressure.

With the arrival of a new European directive, the voluntary nature of existing directives has been replaced by enforcement, for example in the form of fines. One thing to beware of with compulsory measures, however, is that organisations only comply with the rules on paper, and this makes them compliant. But what should happen is that organisations map out their security landscape, take measures where necessary, and continuously monitor the status. Security is much more than just ticking off requirements. In this blog we put you on the right track.

NIS and WBNI

To be specific, we are talking about the Network and Information Security Directive (NIS), which has been in force since 2016. This Directive created a legal framework for increasing the general cybersecurity level in the European Union. In the Netherlands, the NIS is enshrined in the Network and Information Systems Security Act (Dutch abbreviation: WBNI). This act has been in force since 2018 and creates an obligation to report incidents and a duty of care in the form of taking security measures. The WBNI applies to vital providers, national government and digital service providers. In short, the vital sector. The NIS of 2016 is now deemed insufficient, so the EU has drawn up a set of additional rules that is simply called NIS2.

Exchange of information has improved

Let’s take a short look at the results of the NIS and the WBNI first. Then we will take a look at, for example, the requirement for setting up a supervisory authority. This pertains to an authority that focuses on increasing digital resilience. In the Netherlands, we have had the National Cyber Security Centre since 2012; other countries did not have a similar authority at that time. In addition, cooperation between Member States has been reinforced by simplifying the exchange of strategic and operational information.

Working in chains makes organisations vulnerable

We can therefore conclude that the NIS Directive has been valuable. Given the current developments, the necessity for better resistance to cybercrime has increased. In short, we need to step up. After all, a lot has changed in the past few years. The digital transformation has expanded further, an increasing number of organisations are connected to each other with the aim of cooperating efficiently. By working in chains, however, organisations make themselves vulnerable. The dilemma here is that more connections make you, as an organisation, more effective, but by definition also more vulnerable. By taking the right cyber measures, you can strike a good balance between these considerations.

It also became clear that the NIS Directive was too limited in scope, focusing on vital sectors such as the government, banks, and utilities. In modern society, social media and e-commerce platforms, food and logistics enterprises are at least as important. It is therefore logical that NIS2 has a much wider scope and that, as an organisation, you have to check whether this will apply to you.

Does NIS2 apply to your organisation?

This is not implausible. Companies in many different sectors with a turnover of 10 million euro or more and with 50 employees will fall under this new legislation. However, the fact that, as an organisation, you have to consider NIS2 now, and the Dutch equivalent when it is implemented, should not cause you unnecessary concern. Of course, this will involve additional efforts and investments for you, but they will benefit your digital resilience. Besides, NIS2 contains a number of concrete indications:

  • An incident must be reported within 24 hours.
  • Organisations must build their security policies based on protect - detect - respond.
  • You are responsible for security, even if you pay for managed security.
  • You are obliged to monitor the security measures of chain partners.
  • End-to-end encryption becomes the standard.

When you take an assessment to check to what extent you already meet these requirements, you will see that many measures are already standard practice. You should not forget, however, to report this. You have to demonstrate by continuous monitoring that measures have been taken and solutions have been implemented.

Don’t wait until the ink of the legislative text is dry 

The prevalent question now is: what does the time schedule look like? In the Netherlands, NIS2 will be transposed into WBNI2 by the end of 2024, according to the provisional planning. Of course, we will have to wait and see exactly how the legislator will put this into words. However, NIS2 is much more concrete in terms of what needs to be done. The ‘how’ can be fleshed out as you see fit, as long as it is properly substantiated and documented. 

Usual practice for legislation is that we have to wait until the act has been written out in full, and then start focusing on the details of the formulation for the measures to be taken. At the same time, there is the pitfall of putting compliancy first. Given the fact that NIS2 is much more concrete than NIS1, you can already start working on your first steps now. In particular, the connectivity of IT, OT (operational technology), and IIoT (industrial internet of things) in the automation landscape calls for various tools. 

So the first step is: get to work and don’t wait until the ink of the Dutch WBNI2 has dried. In the upcoming blogs, we will discuss the consequences of NIS2 in more detail and present follow-up steps. After all, the intention and the ambition are to take cybersecurity to a higher level. It’s never too soon to start on that.

Are you interested in how Thales can help you anticipate your business to comply with NIS2? Contact us at cyberdefencesolutions@thalesgroup.com