Digital transformation and the EU NIS Directive

Over the last few years there has been a clear, ongoing movement towards digital transformation, not only in private and enterprise environments but also among critical national infrastructure operators, such as energy and water supply, banking, healthcare and transportation. It is a well-recognized motto that with change comes opportunity. However, there are two sides to who benefits: apart from the organizations that actually transform digitally, there are the adversaries who take advantage of the new connectedness models that the era of digital transformation brings. In other words, digital transformation introduces increased cyber risk; thus, a proactive risk management model is crucial.

Especially for organizations related to critical national infrastructure, the risks are broader and have a heavier impact, as we are talking about essential services delivered to the public; the consequences of an interruption to any essential service, such as electricity distribution or water supply, can be easily imagined. History has shown that these types of attacks are not fictional:

Digital transformation should not be treated as a superficial modernization exercise. It is a great enabler, but proper management of the new generation of systems and processes is a challenge. This challenge intensifies for two reasons:

  • Absence of a native, security-by-design approach by infrastructure, hardware and software vendors around the globe.
  • Lack of unification across different systems, which usually rely on a variety of protocols without interoperability support.

By exploiting these factors, adversaries carry out successful attacks which can remain undetected, at least while they are actually taking place. Numerous breaches were detected only weeks or months after the actual incident.
Proactive action, visibility and continuous improvement are the answer.

A European Initiative

The NIS Directive (Directive (EU) 2016/1148) was proposed by the European Commission as part of the EU Cybersecurity Strategy and adopted by the European Parliament and the Council in July 2016. It is the first piece of EU-wide cybersecurity legislation and its goal is to enhance cybersecurity across the EU, targeting mainly critical national infrastructure, or Operators of Essential Services (OES), and Digital Service Providers (DSP), as the terms officially appear in the Directive. Being an EU directive, it is not directly applicable; every EU member state has to adopt national legislation that transposes it.
The NIS Directive sets three primary objectives:

  • to improve the national information security capabilities of the Member States
  • to build mutual cooperation at EU level
  • to promote a culture of risk management and incident reporting among actors (OES and DSP) of particular importance for the maintenance of key economic and societal activities in the Union

The deadline for national transposition by the EU member states is 9 May 2018.

SpearIT, being already involved in cybersecurity consulting and governance operations in the field of critical national infrastructure, has compiled a services bundle with a holistic approach, customizable according to your organizational and legislative requirements.

Especially for Greek interested parties, SpearIT has published an informative whitepaper on the Greek legislation under the EU NIS Directive, available for download below:

Download our whitepaper on EU NIS Directive and learn who, why and how to comply.

