**Disclaimer: The content of this blog post is for general information purposes only and is not legal advice. We are very passionate about cybersecurity rules and regulations and can provide insights into how Detectify’s tool can help fit legal requirements. However, Detectify is not a law firm and, as such, does not offer legal advice.**
Navigating the complex and ever-changing compliance landscape is difficult for many companies and organizations. With many regulations, selecting the appropriate security tooling that aligns with the compliance needs of your business becomes a significant challenge.
This article provides insights into how businesses across the EU can effectively navigate compliance hurdles and make informed decisions when choosing security tools, particularly emphasizing the role Detectify can play in these crucial processes.
The EU Directive on Security of Network and Information Systems (NIS2 Directive), The EU Digital Operational Resilience Act (DORA), and the EU Critical Entities Resilience Directive (CER) are some of the latest requirements that may be causing concern for companies. We aim to support our customers by offering insight into these specific requirements and, notably, how Detectify’s offerings can support organizations in achieving greater compliance.
The NIS2 Directive – (EU) 2022/2555
The NIS2 Directive is an EU-wide cybersecurity legislation in force as of January 16, 2023, and will be applicable through national legislations on October 18, 2024. The aim of the NIS (1 and 2) is to maintain a high level of cybersecurity within the entire European Union by posing requirements on the security of networks and information systems. It replaces and modernizes the NIS1 in an attempt to keep up with the evolving cybersecurity threat landscape. It also widens the scope of applicability so that new sectors and entities will now fall under the NIS2.
Who does it apply to?
The requirements in the NIS2 apply to entities in sectors which are vital for the economy, society, and which rely heavily on ICT, such as energy, transport, banking, financial market infrastructures, drinking water, healthcare and digital infrastructure, and certain digital service providers (“essential and important entities”). Both private and governmental entities in the above-mentioned sectors are covered by the NIS2.
What are the requirements?
In short, the NIS2 poses requirements on the security of networks and information systems through incident reporting and risk management and, of course, a responsibility for member states to oversee and coordinate actions under the regulation.
In today’s landscape, where cyber threats and attacks are part of day-to-day business and where many malicious players exist (small-scale players, professional black hats, and governmental players), the cyber security requirements posed on critical businesses and providers are a must.
– Cecilia Wik, Head of Legal, Detectify
NIS2 Article 21. 1 outlines that essential and important entities must take appropriate and proportionate technical, operational, and organizational measures to manage the risks posed to the security of network and information systems which those entities use for their operations or for the provision of their services, and to prevent or minimize the impact of incidents on recipients of their services and on other services.
Furthermore, Article 21. 2 sets out 10 different minimum requirements of such measures. One of the minimum requirements in which Detectify can play a key role is:
Article 21.2 e) “Security in network and information systems acquisition, development, and maintenance, including vulnerability handling and disclosures”
Member states can adopt stricter cybersecurity requirements in their national legislations, as the NIS2 Directive is a minimum harmonization directive. As the Directive is still not fully adopted on a member state level, we may see territorial differences within the EU.
In Sweden, a report released on March 5, 2023 by an expert group convened by the Swedish government has proposed a new Cybersecurity law set to take effect on January 1, 2025. In accordance with the Directive, the scope of NIS2 will cover 18 sectors, compared to only 7 sectors under NIS1. Additionally, non-compliance fines will be higher than previously, similar to those in the GDPR, as they will be calculated based on global annual revenue. Most companies in Sweden and across the EU will need to acquaint themselves with NIS2 and adopt a risk-based approach to their system’s security.
The Swedish Protective Security Act (2018:585)
Where networks and information systems are within the scope of NIS, in Sweden, the Protective Security Act (Sw: Säkerhetsskyddslagen) aims to protect the entire operations of entities of significance regarding Sweden’s national security and meet certain criteria. Such entities may hold sensitive information or carry out security-sensitive activities needing specific protection against terrorism, espionage, and sabotage to protect national interests.
The Protective Security Act specifically requires entities to adopt preventive measures to protect the confidentiality, integrity, and accessibility of classified information, and to protect systems used to carry out security-sensitive activities from harmful impacts.
NIS and the Protective Security Act may overlap and be applied simultaneously, but the Protective Security Act has precedence based on the lex specialis principle.
The CER Directive – (EU) 2022/2557
Another EU regulation is the CER Directive, aiming to ensure that critical entities maintain high resilience against “physical” threats, such as hybrid threats, natural disasters, and terrorist offenses, like the sabotage of the Nord Stream in 2022. Even if the CER Directive, similarly to the NIS2, includes requirements on risk management in networks and IT systems, cyber threats fall more naturally within the scope of NIS2. It will be up to the member states to ensure the compatibility of these two directives on a member state level.
Where Detectify comes in
Detectify’s External Attack Surface Management (EASM) platform can play a significant role in risk management for “essential and important entities.” With rigorous discovery and 99.7% accurate vulnerability assessments, Detectify’s platform provides complete coverage across the external attack surface for thousands of customers.
The Detectify EASM platform comprises two products: Surface Monitoring and Application Scanning. Surface Monitoring is key in mapping the customer attack surface by giving customers a comprehensive view of their attack surface through continuous discovery and monitoring of all hosted Internet-facing assets. At the same time, Application Scanning provides deeper insights into custom-built applications and actual business-critical vulnerabilities with advanced crawling and fuzzing.
With Detectify’s EASM platform, customers can apply appropriate technical measures to manage external risks from both known and unknown vulnerabilities that threaten their systems and digital services by mapping, identifying, and proactively managing risks before they materialize. Mapping your attack surface is the first step to understanding what is there from a risk management perspective.
We’ve also noticed significant parallels between specific industries, like the public sector, technology and digital services, which are the main focus of the NIS2 Directive legislation, and areas where Detectify’s EASM tool excels. Our EASM solution is specifically designed for sectors like these, which face issues like rapid digital innovation, leading to an increasingly large attack surface, and the need for secure cloud hosting while maintaining full visibility over the entire attack surface.
DORA – The Digital Operational Resilience Act (DORA) – EU Regulation 2022/2554
The aim of the DORA is to create a regulatory framework whereby financial firms, and importantly also certain ICT providers, such as cloud service providers, will have to make sure they can withstand, respond to, mitigate and recover from all types of ICT-related disruptions and cyber threats. The focus for financial firms has, in other words, shifted from not only focusing on traditional financial resilience, but to also include a strong digital resilience.
Financial sector entities must comply with the DORA starting January 17, 2025. A draft text is available, with final versions ready, but it has yet to be formally adopted.
Who does it apply to?
The DORA is significant as it will cover over 22 000 companies in the EU, harmonizing the financial sector’s operational resilience, not only to financial institutions but also third-party service providers providing critical services to such institutions, such as cloud service providers. The DORA will be governed by the ESA (European Supervisory Authority).
What are the requirements?
The DORA regulates 5 central areas:
1) Governance and Risk Management
2) Incident Reporting
3) Testing of Digital Operational Resilience
4) Management of ICT Third-Party Risks
5) Information Sharing
Where Detectify comes in
Detectify can help strengthen the resilience of financial institutions and ICT service providers by:
1. Setting up protection and prevention measures within risk and governance by:
Firstly, mapping an organization’s external attack surface, where even unknown assets can be identified;
Secondly, setting up Surface Monitoring, which will keep such assets under continuous surveillance;
Lastly, applying Application Scanning, whereby customers can identify risks (vulnerabilities) and the actual scope of the threat landscape.
2. Users of Detectify can promptly detect anomalous activities by using Application Scanning and by setting up specific monitoring rules under Detectify’s Attack Surface Custom Policies.
3. Getting insights into identified vulnerabilities, their severity, and actional remediation tips to help teams prioritize and remediate threats more effectively.
4. Enabling responsible disclosure of major vulnerabilities to authorities when needed, through the help of the vulnerability information provided by Detectify.
Closing remarks
We will continue to add updates to this post as we receive more information about regulations and their implications. As in the regulations above, Detectify emphasizes proactive cyber security and is passionate about helping its customers become more secure. In this article, we have covered only a handful of topical regulations that apply in the EU, and we know there are many more specific standards and regulations that may apply.
With Detectify’s Attack Surface Custom Policies, users can monitor for policy breaches as they occur in production. If a policy breach is detected, an alert is produced with helpful insights to help accelerate remediation.
Attack Surface Custom Policies leverage the complete coverage capabilities of Surface Monitoring to continuously monitor your external attack surface, ensuring your clearly-defined security policies are enforced, no matter the size of your attack surface. Many of our customers have built their own personalized compliance rules on their exposed web assets.
Are you interested in learning more about Detectify? Start a 2-week free trial or talk to our experts.
The post Navigating the EU compliance landscape: How Detectify helps support customers in their NIS2 Directive, CER, and DORA compliance challenges appeared first on Blog Detectify.