European Commission requests public feedback on NIS2 cybersecurity measures before implementation – IndustrialCyber


The European Commission has sought feedback on the draft implementing act under the NIS2 Directive on measures for a high common level of cybersecurity across the Union. The move comes ahead of the Commission’s plan to adopt an implementing act to lay down the technical and methodological requirements of the cybersecurity risk management measures for some entities in the digital infrastructures, digital providers, and ICT service management (business-to-business) sectors.

The draft implementing act is available for public feedback through the ‘Have Your Say’ portal until July 25. This four-week consultation period allows the public to contribute to refining the initiative. All feedback received will be considered in the finalization process and published on the site, adhering strictly to the established feedback rules.

The NIS2 Directive enhances cybersecurity risk management measures and standardizes incident reporting requirements for numerous operators throughout the EU. Due to the transnational activities of some operators in digital sectors, the NIS2 necessitates the alignment of regulations at the EU level. This act will assist in this alignment and define when an incident should be deemed significant. 

Also, the directive has expanded its scope to include medium and large-scale entities from additional critical sectors, such as public electronic communications services, digital services, wastewater and waste management, space, manufacturing of critical products, postal and courier services, and public administration.

The draft proposal, currently open for feedback, stipulates technical and methodological requirements for cybersecurity risk management measures. It also provides detailed specifications on scenarios where incidents should be considered significant. This applies to various service providers, including DNS service providers, TLD name registries, cloud computing, data centers, content delivery networks, managed services, security services, online marketplaces, search engines, social networking platforms, and trust services.

The EU proposal said that in line with the principle of proportionality, where relevant entities cannot implement the technical and methodological requirements of the cybersecurity risk management measures due to their size, those entities should be able to take other compensating measures that are suitable to achieve the purpose of those requirements. Expanding the scope of the cybersecurity rules to new sectors and entities further improves the resilience and incident response capacities of public and private entities, competent authorities, and the EU as a whole.

As part of the cybersecurity risk management process, entities must adopt a risk management methodology and tools aligned with European and international standards; establish relevant risk criteria; identify risks to network and information systems security, particularly from third parties and potential disruptions, including single points of failure; assign risk owners; analyze risks, considering threat intelligence and vulnerabilities; evaluate risks against the criteria; prioritize risk treatment measures based on assessment outcomes; assign responsibility for implementing these measures and define timelines; educate key personnel on primary risks and management measures; and document security measures and justification for accepted residual risks.

Competent authorities can decide to guide and support relevant entities in the identification, analysis, and assessment of risks to implement the technical and methodological requirements concerning the establishment and maintenance of an appropriate risk management framework. 

Also, such guidance can include, in particular, national and sectoral risk assessments as well as risk assessments specific to a certain type of entity. Moreover, competent authorities can support entities in identifying and implementing appropriate solutions to treat risks identified in such risk assessments.

The draft proposal notes that network security measures concerning the transition towards the latest generation of network-layer communication protocols, the deployment of internationally agreed and interoperable modern email communication standards, and the application of best practices for Internet routing security and routing hygiene entail specific challenges regarding the identification of the best available standards and deployment techniques.

To achieve as soon as possible a high common level of cybersecurity across networks, the Commission, with the assistance of the European Union Agency for Cybersecurity (ENISA) and in collaboration with competent authorities, industry, including the telecommunication industry, and other stakeholders, should support the development of a multi-stakeholder forum.

The relevant entities are required to independently review their approach to managing the security of network and information systems, encompassing people, processes, and technologies. Additionally, these entities must develop and maintain procedures for conducting independent reviews, which should be executed by individuals possessing the necessary audit competence.

To detect anomalous behavior and potential incidents, the relevant entities should monitor their network and information systems and should take action to evaluate potential incidents. Those measures should allow the prompt detection of network-based attacks, based on anomalous ingress or egress traffic patterns, and of distributed denial-of-service attacks. When the relevant entities conduct a business impact analysis, they are encouraged to carry out a comprehensive analysis establishing, as appropriate, maximum tolerable downtime, recovery time objectives, recovery point objectives, and service delivery objectives.

Also, to mitigate risks stemming from a relevant entity’s supply chain and its relationship with its suppliers, the relevant entities should establish a supply chain security policy that governs their relations with their direct suppliers and service providers. These entities should specify in the contracts with their direct suppliers or service providers adequate security clauses, for example by requiring, where appropriate, cybersecurity risk management measures.

The draft lays down that to prevent significant disruption and harm from the exploitation of unpatched vulnerabilities in network and information systems, relevant entities must establish and implement appropriate security patch management procedures aligned with their change management processes. These entities should take measures that are proportionate to their resources to ensure that security patches do not introduce additional vulnerabilities or instabilities. Furthermore, if the application of security patches necessitates planned service downtime, relevant entities are encouraged to inform their customers in advance.

The draft added that to protect against cyber threats and support the prevention and containment of data breaches, the relevant entities should implement network security solutions. Typical solutions for network security include the use of firewalls to protect the relevant entities’ internal networks, the limitation of connections and access to services to where they are needed, or the use of virtual private networks for remote access, allowing connections of service providers only after an authorization request and for a set period, such as the duration of a maintenance operation.

The draft said that to protect the networks of the relevant entities and their information systems against malicious and unauthorized software, those entities should use malware detection and repair software. Where the relevant entities, based on the risk assessment, consider that the use of malware detection and repair software is not adequate, or where the malware detection and repair software is not available at all times, those entities should consider additional measures and controls that prevent or detect the use of unauthorized software and access to known or suspected malicious websites.

The relevant entities should also consider implementing measures to minimize the attack surface, reduce vulnerabilities that can be exploited by malware, control the execution of applications on user workstations or user end devices, and employ email and web application filters to reduce exposure to malicious content. 

Relevant entities must manage and safeguard valuable assets through robust asset management, serving as a foundation for risk analysis and business continuity management. This includes managing both tangible and intangible assets, creating an inventory, assigning classification levels, and tracking assets throughout their lifecycle. 

Assets should be classified by type, sensitivity, risk level, and security requirements, with appropriate measures like encryption, access controls, audits, backups, and disposal protocols implemented to ensure their availability, integrity, and confidentiality. Employees handling assets must be well-versed in asset management policies and procedures.

The proposal also identified that the allocation and organization of cybersecurity roles, responsibilities, and authorities should establish a consistent structure for the governance and implementation of cybersecurity within the relevant entities, and should ensure effective communication in case of incidents. When defining and assigning responsibilities for certain roles, the relevant entities should consider roles such as chief information security officer, information security officer, incident handling officer, auditor, or comparable equivalents. 

The EU draft document said the duration of an incident should be measured from the disruption of the proper provision of the service in terms of availability, authenticity, integrity, or confidentiality, until the time of recovery. Where a relevant entity is unable to determine the moment when the disruption began, the duration of the incident should be measured from the moment the incident was detected, or from the moment when the incident was recorded in network or system logs or other data sources, whichever is earlier.
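The incident-duration rule in the preceding paragraph, as an added Python example that is not part of the original article or of the Commission's draft; the record structure and all timestamps are constructed assumptions:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass
class IncidentRecord:
    # All timestamps are timezone-aware UTC datetimes (constructed sample data).
    disruption_began: Optional[datetime]  # None when the entity cannot determine it
    detected_at: datetime                 # moment the incident was detected
    log_timestamps: List[datetime]        # moments it was recorded in logs/other data sources
    recovered_at: datetime                # time of recovery of the service


def measured_start(rec: IncidentRecord) -> datetime:
    """Start of the incident per the draft rule: the actual disruption time when known,
    otherwise the earlier of the detection time and the earliest log/data-source record."""
    if rec.disruption_began is not None:
        return rec.disruption_began
    return min([rec.detected_at, *rec.log_timestamps])


def incident_duration(rec: IncidentRecord) -> timedelta:
    """Duration measured from the (actual or fallback) start until recovery."""
    start = measured_start(rec)
    if rec.recovered_at < start:
        raise ValueError("recovery time precedes measured start; check timestamps")
    return rec.recovered_at - start


def ts(s: str) -> datetime:
    # Helper: parse a naive ISO-8601 string as UTC.
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample 1: start unknown; log evidence predates detection by 40 minutes,
# so the earlier log record fixes the start of the incident.
SAMPLE_UNKNOWN_START = IncidentRecord(
    disruption_began=None,
    detected_at=ts("2024-07-01T09:10:00"),
    log_timestamps=[ts("2024-07-01T08:30:00"), ts("2024-07-01T08:45:00")],
    recovered_at=ts("2024-07-01T12:30:00"),
)

# Constructed sample 2: start known, so detection and log times are irrelevant.
SAMPLE_KNOWN_START = IncidentRecord(
    disruption_began=ts("2024-07-01T08:00:00"),
    detected_at=ts("2024-07-01T09:10:00"),
    log_timestamps=[],
    recovered_at=ts("2024-07-01T12:30:00"),
)
```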

This post was originally published on the third-party site mentioned in its title.