Interview with Renaud André, Head of Segment Services & Utilities, DEEP
Through NIS2, the European regulator is requiring critical players, organizations occupying a systemic position, to reinforce the security measures of their information systems.
The new version of the directive is more demanding. It also applies to a wider range of players, in a variety of sectors and sizes. In view of the entry into force of these new requirements, the organizations concerned need to prepare themselves actively.
DEEP, with its expertise in sensitive data management, security and resilience, supports companies and organizations in meeting these challenges.
In 2016, with the first NIS Directive, the European Union introduced a set of rules designed to ensure a common high level of cybersecurity throughout its territory. In particular, the aim was to protect against incidents affecting systemic players, which could have major repercussions throughout the Union.
The new requirements mainly concerned players identified in each Member State as operators of essential services, operating in certain sectors considered vital, such as energy, transport, water, banking, financial market infrastructures, healthcare and digital infrastructures.
Broader scope, stronger measures
Evolving rapidly at the heart of a digital economy, where everything is increasingly connected and interconnected, at the end of 2022, the European legislator adopted a revision of this directive.
Through NIS2, the intention is to modernize the existing legal framework to support the digitization of the economy and society, taking into account the changing landscape of cybersecurity threats,” explains Renaud André. With this in mind, the directive extends the scope of cybersecurity rules to new sectors and entities, with a view to further improving the resilience and incident response capabilities of public and private players, as well as the competent authorities and the EU as a whole.”
Effective mid-2024
Adopted at European Union level, the directive must be transposed into national law in each member state, to effectively come into effect before October 2024. Although the list of these essential operators will not be publicly disclosed, for security reasons, it is expected to include more players.
Each of the entities affected by this directive will be required to raise its level of security and meet a set of requirements vis-à-vis the regulator, including, for Luxembourg, the ILR and the CSSF.
At the heart of our digital society, beyond the major players such as banks, airport companies, energy suppliers or digital service operators like DEEP, smaller structures may find themselves affected by this directive,” assures Renaud André. Many innovative players, for example, can play a role in the management of operations considered to be systemic, in the fields of healthcare, finance, payments or even energy.”
Preparing without delay
All players likely to be affected by the new directive need to take stock of the new requirements, and the expectations of regulators, by anticipating any notifications they may receive.
“These requirements include documenting security measures, implementing crisis management procedures, and notifying incidents within defined deadlines”, continues Renaud André. These requirements can be relatively complex to understand and onerous to implement. So it's important to be prepared. “It starts with identifying the stakes and risks, for the company and its service providers. Working with regulators, in a constructive and proactive approach, players need to implement or reinforce their security arrangements, as soon as possible, looking for the most appropriate solutions.”
A structured approach
There are many answers to these questions. There are, however, a number of standards on which to base a robust approach to security and resilience.
These include ISO27001, which describes the best practices to be followed when setting up an information security management system, and ISO22301, which covers business continuity management. For services hosted in the cloud, we can also mention the European cybersecurity certification scheme for cloud services (EUCS), which is still in gestation.
Renaud continues: “A good understanding of these standards is the basis for preparing for these new requirements. Through our services, having obtained the certifications relating to these standards for ourselves, we can help the entities concerned to structure their approach and comply with the directive. On the other hand, with DEEP's various areas of expertise, we can support the implementation of technical solutions guaranteeing everyone a high level of security and resilience.”
For the players concerned, now classified as essential entities (EE) or important entities (IE), it will be a matter of relying operationally on players who are equally aware of and involved in these issues.
