Security Directives for the European Union

I read the Cybersecurity Strategy of the European Union and the Cybersecurity Strategy of Spain three years ago to apply for the ISACA Challenge for Young Professionals. However, this summer, the European Parliament and the Council of the EU published measures for a high common level of security of network and information systems (NIS) across the Union, which are interesting and which I wanted to read and discuss in this blog.

The goal of this document is to set a minimum security threshold so that Member States have the same security level of network and information systems across the whole European Union because, today, the existing capabilities aren't sufficient and each country has its own security measures. For instance, reporting and notification of all incidents is one of the main measures of cooperation.

Reading the Directives, I remembered when we implemented ISO 27001 in Ariadnex S.L., and it's amazing how the processes and tasks referenced in this document of the European Union are the same as in a small company but in a huge context. For example, we can read the following processes or domains:

While we identified assets like servers, firewalls, software, etc., the European Union has to identify operators of essential services, like gas and water suppliers or air transport operators, and digital service providers like cloud computing operators. Therefore, the first task is to make a list of operators of essential services.

In addition, once we have identified the operators of essential services, we have to give an indication of the importance of each sector. For that, Member States should take into account the number and the size of those operators.

Another process that we should take into account is risk management, where we have to think about incidents that would have a significant disruptive effect on the provision of an essential service, or as we called it, “Risk assessment”, in order to define measures and mitigate risks.

After writing the Cybersecurity Strategy of the EU, Member States should write their own Cybersecurity Strategy. Once it is done, they have to write concrete policy actions.

This is an important process within these Directives where CSIRTs play an essential role because Member States should report all incidents to a single point of contact to share incident information with the whole EU. Therefore, international cooperation is a must and, to achieve it, cooperation between the public and private sectors is essential.

If we want to know how well we are doing, we have to test ourselves with exercises that simulate real-time incident scenarios. For example, the biggest ever European cyber-security exercise organized by ENISA concluded recently.

There are two fundamental groups, operators of essential services and digital service providers, but we should take into account hardware manufacturers and software developers as well because their products have to enhance the security of network and information systems.

When we outsource a service, we have to ensure that service providers offer the same security level as we have. Therefore, security requirements should be written as contractual obligations.

This Directive must respect all other laws in the European Union, and this is done by referring to them in the next paragraph.

As we can see, an information security framework, like ISO 27001, always includes the main processes that we should take into account to implement security in our organization.

Regards my friends, drop me a line with the first thing you are thinking!!!