It’s fair to say the General Data Protection Regulation (GDPR) has received attention in recent months, but another, less talked about directive from the European Parliament and the Council of the European Union is ramping up: Directive (EU) 2016/1148, also known as the “Directive on Security of Network and Information Systems (NIS).”
The Directive was originally issued a few years ago and focused on measures for a “high common level of security of network and information systems across the Union”, which translates to:
- Improved cybersecurity capabilities at the national level
- Increased EU-level cooperation
- Risk management and incident reporting obligations for operators of essential services and digital service providers
These measures could have clear implications on a wide range of industry sectors, from energy and banking to aviation and manufacturing. However, although its implementation is well under way, with key dates already mapped out for the next five years, EU NIS hasn’t benefitted from the same spotlight as GDPR. This is mostly due to EU NIS not being a formal regulation like GDPR.
Indeed, compliance with GDPR is now mandatory across all EU member states and does not allow for any deviation – it acts as a standard for all EU member states. EU NIS, on the other hand does not enshrine any rights or requirements into law – it simply states that each EU member state must review the directive and enact a similar interpretation into their legislature.
This means that each country can adopt its own version of the directive. Where GDPR created a common framework which all EU member states could adopt, EU NIS is deliberately ambiguous, so it can be subject to each county’s own interpretation.
Additionally, GDPR concerns every industry that handles data; EU NIS has a much more refined scope as it applies only to critical infrastructure (such as utilities companies, healthcare organizations transport bodies and so on).
Nonetheless, even though it hasn’t been as widely mentioned as GDPR, EU NIS will have a significant impact on cybersecurity practices and policies, and should be at the forefront of companies’ thinking as begin to implement the directive’s recommendations.
How EU NIS will put the security focus on response strategies
In the first instance, EU NIS will have the greatest impact in industries that historically haven’t been regulated as heavily as others such as banking and insurance. The energy and telecoms industries, for example, will now have to directly address their cyber risk exposure, instead of simply ensuring they remain compliant with existing cybersecurity standards.
Rather than focusing on preventing attacks, they will instead need to adopt a more proactive approach to security, in which they adopt the mindset of external attackers, scope out their own security vulnerabilities and envisage what attackers will do when they infiltrate a company’s networks. This is where the EU NIS comes into play, by forcing organizations to consider how they would respond to and contain a breach, rather than only concentrating solely on strategies for prevention.
Protecting access to critical data
When going through all the various materials concerning the directive, the word that continues crops up time and again is access.
As organizations across Europe align their security strategies with the directive, they therefore must prioritize the security and management of privileged access when they consider how to protect their networks and information systems.
Unsecured secrets, privileged accounts and their associated credentials can provide an attacker with the ability to seize control of an environment, disable systems and take down services that support an entire city’s population.
Placing controls on privileged users – both humans and machines – is a crucial step in reducing the risk of a security event that impacts critical services. There are various tactics which can help in this process: introducing the principle of least privilege, enforcing multi-factor authentication and segregation of duties (SoD), and locking down privileged access pathway to systems and applications are fundamental measures that can help prevent the compromise of critical services and systems, upon which EU citizens and businesses rely.
Taking it one step further, the application of threat detection and analytics on privilege-related activity can also help prevent attackers from comfortably navigating the network, performing their own reconnaissance and gaining access to domain controllers, where they can harvest the accounts and credentials that provide privileged access.
Risk Management and Incident Reporting
Digital Service Providers (DSPs) and operators of essential services will also need to put technical and organizational measures in place to better manage risk, ensure the level of security of the network of information systems is appropriate to said risk, and effectively handle incidents to prevent and minimize the impact on the IT systems used to deliver services.
Whether data and applications are cloud native, running in a traditional on-premises environment or a combination of the two, nefarious characters and nation-state attackers continue to find ways to compromise the infrastructure and gain access to top tier resources. The one thing that remains crystal clear is that the management and prevention of risk begins and ends with protecting access to an organization’s most critical assets and resources.
Like GDPR, doing nothing in preparation for EU Directives is not only considered regulatory blasphemy, but has the potential to result in serious reputational and financial repercussions.
Despite the deadline to transpose the directive into national law having passed, we can expect another countdown as organizers seek to meet the November deadline of identifying operators of essential services. Utilities, transport and other critical infrastructure industries should therefore ensure they familiarize themselves with the directive, and use the milestone date to deliver controls around it.
Every organization will implement the EU NIS directive according to their country’s rules and laws. But regardless of where they are based, organizations must not see this as another compliance exercise. Rather, they must start thinking like an attacker and imagine how attackers can infiltrate an organization, and what they are likely to do once they penetrate company networks.
Limited protections of individual IP will no longer be enough to ward off attackers and remain compliant, so organizations must improve their access policies and management of risk to meet the conditions of the new directive.