Europe needs to secure its critical infrastructures from repeated and sophisticated attacks. With its expanded scope, the NIS2 Directive is an important step towards a united and harmonized European response, writes Chris Gow.
Chris Gow is Senior Director for EU Public Policy and Head of the Brussels Office for Cisco Government Affairs
The news cycle on the previous story barely seems to wind down before the latest one on a cyber-attack against critical infrastructure starts up. A ransomware attack against the IT systems of the Irish health care service, deemed the most serious cybercrime against the Irish State, seems to flow on from similar attacks against French hospitals a couple of months before.
Ransomware taking down the operations of Colonial Pipeline, an operator responsible for almost half the flow of fuel on the US’s East Coast. Manipulation of lye concentration in a water treatment facility threatening the health of citizens in Florida. And the SolarWinds supply chain attack, which compromised nine US federal agencies and has been described as the largest and most sophisticated attack ever. And that’s just a sample from the last six months.
While critical infrastructure is essential to the functioning of our societies and our economies, technology has become equally essential to the functioning of that same critical infrastructure.
NIS2 – Europe’s efforts towards protecting critical infrastructure
Europe’s answer to protecting critical infrastructure from cyber-attacks has been legislative. As long as the regulatory requirements are appropriate to the risk, recognize the international nature of cyber security and do not lock us into technologies that quickly become outdated, that strikes us as a perfectly valid path forward.
2016 brought us the first pan-European cybersecurity law targeting critical sectors – the NIS Directive. And in 2021, we’re looking at NIS part deux.
It’s safe to say that NIS2 is an evolution, not a revolution. The core elements of version one are still there: institution building, preparedness and cross-border cooperation on the public authorities’ side, and security requirements, incident reporting and oversight for the private sector.
While I recognize there are important updates to supply chain, sanctions and vulnerability disclosure, the primary difference sits with the scope of the Directive. In a world informed by the pandemic, it’s no surprise to see labs, R&D and manufacturing for pharma and critical medical devices now included. Electronic communication networks and services are brought into the fold from their previous home under telecom legislation. Public administration makes the cut, and post, waste, food supply and a range of manufacturers are also added.
It makes sense to reevaluate what sectors are considered essential (or “important”, the Directive’s second tier of entity) in today’s world, and thus to enlarge the Directive’s scope. And looking at the well-received draft report from MEP Bart Groothuis, it seems that the European Parliament’s Rapporteur agrees.
Learning the lesson
At Cisco, we’re both directly regulated by NIS1, as a cloud service provider, and indirectly regulated through flow-down requirements from our customers across the critical infrastructure spectrum in utilities, transport, finance, health and beyond. And there are lessons to be learned from that experience.
The most important text to understand what was expected of us wasn’t the Directive. It was the technical guidelines from the European Union Agency for Cybersecurity (ENISA) on the security measures for Digital Service Providers. That’s because it did something very practical. It mapped the security objectives against internationally-recognized standards in information security and risk management – such as ISO 27001, BSI’s C5 and the NIST Cybersecurity Framework. It gave us something to work with that we understood, and our customers too.
The reason that could work was that the rules for cloud service providers were harmonized. Our customers did not get anything so conclusive. Frankly it was, and is, a free-for-all at the national level. And if you are a company like ours, with 90 cloud services across 27 Member States and multiple different sectors, it’s not easy to distill that into a meaningful set of security controls that can move the needle in a clear direction, and that allow our customers to understand our security posture.
So, while a broader scope stands to reason, it should also rest on a consistent set of security requirements. With a Directive – and the national transpositions that come with it – that’s always going to be difficult. But the tools are there. ENISA has the power to draw up guidance, and the cybersecurity certification framework presents an additional opportunity to create a common approach. What it will take is discipline from the Member States, and perhaps a further nudge from the policy makers in the EU, to make sure that vision becomes a reality.
One piece of the jigsaw
As important as NIS2 is, we should bear in mind that it’s not sufficient by itself to address cybersecurity concerns. Europe’s Cybersecurity Strategy, of which the review of the NIS Directive is arguably the centrepiece, has shown just how wide the range of policies that intersect with cybersecurity is: foreign policy, defence, security union, justice, law enforcement, industrial policy and research.
And that’s just policy and regulation. When we asked over 4800 IT and security professionals from 25 countries (2021 Cisco Security Outcomes study) to assess the success of their security programmes in enabling the business and managing risks, regulatory compliance was considered the easiest to reach. I don’t see that as criticism of check-box compliance (or worse, a sign of an overly complacent profession). Rather, it’s recognition that regulation might help focus minds and set the tone for governance but there are many moving parts to good security.
Governments, businesses and individuals all have a role to play, and we need to focus on people, process and technology. One of the punishing aspects of security is that it’s a never-ending journey. There’s no destination at which you can hop off. But it’s good to know that there are plenty of us along for the ride.