The European Union (EU) Network and Information Security Directive 2022/2555 (NIS2) went into effect on January 16, 2023, triggering a 21-month countdown for Member States to transpose the measures into national law. Although NIS2 is an enhancement to its predecessor NIS1, the overall objective remains consistent: improve cybersecurity across the EU, thereby, building greater resilience to cyber-attacks.
Incremental changes and updates to cybersecurity frameworks and standards are a never-ending evolution due to inevitable changes in technology and the conduct of adversaries (i.e., nation states, cybercriminal organizations, etc.) seeking to exploit vulnerabilities that come with the changes. As technology evolves, the tactics, techniques, and procedures used by the operators—the person conducting the attack—force the need for new and innovative ways to protect systems and information. Thus, NIS2 will undoubtedly not be the end of the regulations to maintain a commitment to the objective. In other words, changes or enhancements are and will always be the norm, not the exception.
There will never be a point in time where cybersecurity is no longer a requirement. The rapid maturity of artificial intelligence (AI) is a perfect example of innovation that has the potential to change the world in a positive manner, but also promises unique cybersecurity risks and challenges. AI introduces new platforms for advanced persistent threats to conduct traditional crimes such as stealing sensitive information. However, it also produces new types of attack vectors, such as bias influence and deepfakes, which previously were not at the forefront of cyber risks being addressed.
Fortunately, the growing adoption of principles such as secure/security by design, the Secure Software Development Framework (SSDF), secure industrial control systems, and supply chain security serve to reduce vulnerabilities in the products and services being developed. In the EU specifically, the EU Cybersecurity Act (EU Regulation 881/2019) establishes a framework for certifying information and communications technology (ICT) products, services, and processes.
The risks these laws, regulations, standards, and policies seek to address have been, and will always be, difficult to get ahead of. And, as regulators play catch-up to the dynamics of a complex digital battleground, the resulting lattice of legislation being produced creates an ongoing challenge for Member States who must adopt and implement the requirements and the regulated organizations seeking to avoid being breached and/or fined due to non-conformity.
Challenges and Considerations
While NIS2 does directly align with and support the EU Cybersecurity Strategy for the Digital Decade three areas of EU action – (1) resilience, technological sovereignty and leadership, (2) building operational capacity to prevent, deter, and respond, and (3) advancing a global and open cyberspace, it falls short of addressing supervision and enforcement.
In Building Effective Governance Frameworks for the Implementation of National Cybersecurity Strategies, the EU Agency for Cybersecurity (ENISA) recognizes this issue, “The importance of a sound governance model for the implementation of the National Cybersecurity Strategies (NCSSs) has been highlighted in numerous testimonies of the Member States, as well as included in the NIS and NIS2 Directive.
However, each country deploys its own governance model with a different level of maturity.” The net result could be a fragmented, non-standardized implementation.
This fragmentation is complicated by the fact that legislators tasked with developing the NCSSs each have differing levels of cybersecurity proficiency, which creates an opportunity for inefficiencies and enforcement challenges. Although frameworks such as NIS2 are valued for their flexibility, inadequate prescription can lead to the framework producing inconsistencies and weak structural integrity. When this is evident, it leads to stopgap measures such as those outlined by ENISA.
ENISA proposes a governance model consisting of four layers of 28 practices segmented into 10 sub-categories.
- Political governance
- Political processes;
- Roles and responsibilities; and
- Legal measures.
- Strategic governance
- Strategy itself and its implementation; and
- Risk identification and mitigation.
- Technical governance
- International standards and technical guidelines; and
- Use of technology, tools, and certification schemes.
- Operational Governance
- Awareness raising;
- Incident response; and
- Information sharing.
Strategic and technical governance offer excellent considerations, but they are merely proposals and lack an enforcement mechanism. NIS2 recital 79 states, “The cybersecurity risk-management measures should therefore also address the physical and environmental security of network and information systems by including measures to protect such systems from system failures, human error, malicious acts, or natural phenomena, in line with European and international standards, such as those included in the ISO/IEC 27000 series.”
ISO/IEC 27001 aids organizations in addressing security threats by implementing policies, leveraging technology, and conducting staff training. Additionally, it promotes annual risk assessments and provides verified certification via independent evaluations. ISO 22301, focusing on business continuity management, augments adherence and robustness. Integrating both ISO/IEC 27001 and ISO 22301 creates a comprehensive management framework, enhancing overall cyber resilience.
Trust is Good – Verification is Better
The use of should noted above creates possible issues. It means that Member States may or may not choose to adopt ISO/IEC 27001 as the means for validating NIS2 implementation.
Without conformity synchronization, NIS2 is likely to produce differences in Member State resiliency. It may also make it nearly impossible to validate NIS2 conformance, or at least make it impractical to do so in a standardized manner. Member States may want to consider the lessons learned from a similar set of conditions that were faced by the U.S. Department of Defense (DoD).
Since 2016, the DoD has been struggling with the adoption of security controls mandated by a contract clause with suppliers in the defense industrial base (DIB). Through Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, the DoD requires contractors within its supply chain implement the security controls from National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. It also calls for protection in cloud environments and requirements for incident reporting.
Unfortunately, overwhelming evidence proved that the controls were not being implemented, despite a contractual requirement to do so. From a practical perspective, the DoD witnessed warfighting assets being manufactured by adversaries with a remarkable resemblance to those being produced by contractors in the DoD supply chain; this served as a clear indication that sensitive information was being exfiltrated. Couple this with the outright admittance by contractors in the supply chain that they have limited to no awareness of the contract clause nor its controls (from NIST SP 800-171) and the conditions were ripe for needed change.
These factors, combined with a strategic goal of optimizing DIB cybersecurity assessments already being performed by the DoD, created the need for the new Cybersecurity Maturity Model Certification (CMMC) program, which transitions many contractors from an attestation-based trust model to an evidence-based verification one. This program relies on private industry to establish an ecosystem of certified processionals and assessors to validate the implementation of NIST SP 800- 171 cybersecurity controls for a subset of the DIB. Once fully in force, select contractors must demonstrate control implementation. Without similar proactive verification, the EU, via NIS2, is at risk for a similar set of conditions across its critical infrastructure.
Although the defense sector is not part of the NIS2 critical infrastructure because the EU collectively relies on Member State military forces, it does include manufacturing, which could serve as a point of correlation. In addition, as the CMMC conformity assessments expand into the global defense supply chain, a lack of governance standardization at the Member State level could create needless challenges for EU manufacturers subject to the CMMC.
The DoD has not established criteria for reciprocity for the CMMC, but it is expected due to the global nature of the defense supply chain. With heavy reliance on NIST SP 800-171, it makes sense to look at it more closely. What is found is that in Appendix D, Mapping Tables, there is a crosswalk between the NIST SP 800-171 controls and two other standards: NIST SP 800-53 (cybersecurity controls used by the U.S. federal government to protect its systems and information) and ISO/IEC 27001. Hence, it would seem reasonable (and is the author’s pure speculation) that if there was going to be near-term reciprocity for the CMMC it would come in the form of ISO/IEC 27001.
Harmonization of standards is front of mind for the US government and should be for all governments looking to benefit from efficiencies gained from standardization and reuse.
Albeit more U.S. focused, in a proposed rule issued by the DoD, General Services Administration (GSA), and National Aeronautics and Space Administration (NASA) on October 3, 2023, it states, “Contractors must be able to adapt to the continuously changing threat environment, ensure products are built and operate securely, and coordinate with the Government to foster a more secure cyberspace. It also is essential that the Government – and its contractors – take a coordinated approach to comply with applicable security and privacy requirements, which are closely related, though they come from independent and separate disciplines.”
As EU Member State legislators work towards the future of establishing national laws to implement NIS2 by October 16, 2024, they may want to consider a broader, coordinated perspective and take advantage of a well-established international ecosystem of trained professionals (e.g., ISO/ IEC 27001 implementers and auditors). In doing so, it could also strategically position their defense manufacturers for streamlined integration with other standards (e.g., NIST SP 800-171 and the CMMC).