Critical Infrastructure Regulation in the EU

It's no secret that critical infrastructure assets are increasingly under threat. Lawmakers are pulling policy levers to ensure organizations in their jurisdictions are doing their best to protect the assets that citizens depend on most.

The European Union, one such jurisdiction, has been at the forefront of critical infrastructure regulation.

Here’s what they’ve been doing.

The NIS (Network and Information Security) Directives

Indeed, the EU’s response to the critical infrastructure threat has been longstanding and multifaceted, befitting an economic zone experiencing a disproportionate number of attacks on its critical sectors. Passed into law in 2016, the NIS1 (Network and Information Security) Directive was one of the first major actions the EU took to enhance cybersecurity cooperation among its Member States.

That Directive sought to mitigate the threats to the network and information systems used to provide essential services in key sectors across the EU.

However, implementation of NIS1 was left to the individual Member States, and many obligations ended up being implemented unevenly, leaving internal-market fragmentation in place precisely when cyber vulnerabilities were increasing.

Major NIS2 requirements

As a result, the EU went back to the drawing board, developing a second set of network and information security directives that would be more stringent.

NIS2 was thus promulgated: it passed into law in November 2022 and came into force the following year, with compliance deadlines set for last fall. So, to whom does NIS2 apply?

NIS2 establishes a uniform criterion for determining qualifying entities through a size-cap rule. According to the Directive, all medium-sized or larger enterprises (whether classified as essential or important) operating within the following sectors are in scope:

  • Energy (electricity, district heating and cooling, oil, gas, and hydrogen)
  • Transport (air, rail, water, and road)
  • Banking
  • Financial market infrastructures
  • Health
  • Drinking water
  • Wastewater
  • Digital infrastructure
  • ICT service management (business-to-business)
  • Public administration
  • Space

Per EU guidance, these entities must take appropriate, proportionate, risk-based technical, operational, and organizational measures to manage the risks posed to the security of their network and information systems, covering hardware, firmware, and software.

These measures must also be based on an all-hazards approach, meaning they should address the physical and environmental security of network and information systems against system failure, human error, malicious acts, and natural phenomena.

To comply, entities must protect both their network and information systems and the physical environment of those systems from any event, e.g., sabotage, theft, fire, flood, telecommunication or power failures, and/or unauthorized physical access capable of compromising the availability, authenticity, integrity, or confidentiality of stored, transmitted, or processed data or of the services offered by, or accessible via, network and information systems.

Required measures will encompass the following:

  • Policies on risk analysis and information system security
  • Incident handling
  • Business continuity, e.g., backup management and disaster recovery
  • Crisis management
  • Supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers
  • Security in network and information systems acquisition, development, and maintenance, including vulnerability handling and disclosure
  • Policies and procedures to assess the effectiveness of cybersecurity risk-management measures
  • Basic cyber hygiene practices and cybersecurity training
  • Policies and procedures regarding the use of cryptography and, where appropriate, encryption
  • Human resources security, access control policies, and asset management
  • The use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications, and secured emergency communication systems within the entity

Finally, NIS2 is in the news again because Member States are rolling out national legislation to transpose the Directive. However, NIS2 isn’t the only Directive affecting the sector.

The Directive on the Resilience of Critical Entities also aims to strengthen the resilience of critical entities in the EU against a range of threats, including natural hazards, terrorist attacks, insider threats, or sabotage, as well as public health emergencies.

What should critical infrastructure organizations in the EU know about that Directive? We cover it all in our breakdown, How Critical Entities in the European Union Can Prepare for the Directive on the Resilience of Critical Entities.