Digital transformation and the EU NIS Directive

There is an observed ongoing movement towards digital transformation during the very last years, not only in private and enterprise environments but also in critical national infrastructure operators, such as energy and water supply, banking, healthcare and transportation. It's a well-recognized moto that, with change, comes opportunity. However, there's a double dimension regarding those who benefit: apart from the primary groups which actually tranform digitally, there's the group of the adversaries who take advantage of the new conectedness models the new era of digital transformation proposes. In other words, digital transformation introduces increased cyber risk; thus, a proactive management model is crucial.

Especially for organizations related to critical national infrastructure, the risks are broader and have a heavier impact, as we're talking about essential services delivered to the public and an interruption of any essential service, such as electricity distribution or water supply can be easily imagined. History has shown that these types of attacks are not fictional:

• In 2020, amidst the COVID-19 pandemic, an attack postponed medical operations in a Czech hospital.
• During 2017, organizations in more than 120 countries had their data locked by ransomware.

Digital transformation should not be considered a facile modernism. It's a great enabler but there's a challenge in proper management of the new era of systems and processes. This challenge intensifies for 2 reasons:

• Absence of native, security by-design approach by infrastructure, hardware and software vendors round the globe.
• Lack of unification across different systems as they usually rely on various protocols without interoperability support.

By exploiting these factors, adversaries perform successful attacks which can remain undetected, at least at the time of actually happening. There are numerous breaches which were detected but it was several weeks or months after the actual incident.
Proactive actions, visibility and continuous improvement are the answer.

A European Initiative

European Commission introduced the EU 2016/1148 NIS Directive as part of the EU Cybersecurity strategy. The NIS Directive is the first piece of EU-wide cybersecurity legislation and its goal is to enhance cybersecurity across the EU, targeting mainly critical national infrastructure or Operators of Essential Services, and Digital Service Providers as the terms officially appear in the Directive. It was adopted in 2016 and subsequently, being an EU directive, every EU member state has started to adopt national legislation, which follows the directive.
The NIS Directive sets three primary objectives:

• to improve the national information security capabilities of the Member States
• to build mutual cooperation at EU level
• to promote a culture of risk management and incident reporting among actors (OES and DSP) of particular importance for the maintenance of key economic and societal activities in the Union

Especially for Greek interested parties, SpearIT has published an informative whitepaper on the greek legislature under EU NIS Directive, available for download right below: