Securing critical infrastructure: new regulations mandate control

by Sebastiaan Bosman Blog 17 Sep 2021

The name says it already: organisations in the critical infrastructure are vital to society because of the services they provide. Should something go wrong in their daily operations, the consequences can be severe and can disrupt both individual people and other companies. That doesn’t necessarily mean they are targeted more often in (cyber-)attacks, but it is an extra reason to prevent any attack from succeeding.

Such organisations have often been in charge of their own cybersecurity, guided by regulations. Now though, authorities in the EU are starting to intensify their watchful eyes with the RCE directive. What is the EU RCE? And how should critical infrastructure organisations prepare?


Resilience of Critical Entities

As written by OpenKRITIS, the RCE “is the resilience baseline for EU operators”. EU nations have parameters to determine whether or not an organisation can be classified as ‘critical infrastructure’. Examples are energy suppliers, transport services, water and waste water, financial institutions, the health sector, public administration, and more. Such organisations will be subjected to a scan to see if their digital resilience and risk management are up to par. If they aren’t, or are lacking in certain areas, the organisation can face a fine.

Now, before any IT team hastily starts checking their assets, it’s important to note that the regulation is not yet in effect. OpenKRITIS: “RCE is EU legislation that still needs to be enacted by the EU. It will then be transposed into national law by EU member states.” That might not happen for a little while. It’s likely that EU member states will start actively regulating the critical infrastructure as of 2022+, depending on internal processes. Still, both the NIS2 and RCE need to be transposed into national law within 18 months.


How do external audits work?

The RCE builds on the NIS2 directive, bundling the regulations into a higher cybersecurity standard. It also draws parallels with the discussions around mandatory IT audits. Similarly to having your car serviced by a licensed car shop, there are pros and cons to having your (critical infrastructure) organisation audited for its cybersecurity processes and general IT governance.

Critical infrastructures are obliged to implement resilience frameworks and security measures. The levels they have to meet are based on the type of services they provide and the risks and threats they face. The EU defines the baseline; individual nation states will implement their own adapted versions.

What it comes down to is that all such organisations will have to prove they are in control of their attack surface. That means knowing what kind of digital assets they have, where they are hosted (including those at connected third parties), what risks they pose (even via the supply chain), and what actions they should take to mitigate the most relevant risks accordingly.


Potential effects

The direct result of such regulatory audits is a report and a list of items the organisation might need to work on. Or better yet, continuous insight into its live attack surface. This improves the market’s cybersecurity maturity. Furthermore, there is also a long-term benefit. As this is an EU-regulated directive, cooperation and information sharing between nation states is facilitated. That means organisations can learn from each other’s best (and worst) practices. Additionally, cross-border incidents and events can be mapped in greater detail, providing a better view of cybersecurity and threat developments.

Just as an audit or a threat actor can scan the attack surface from the outside in, so too should organisations themselves approach their IT infrastructure. Whether the driver is an increasing regulatory push, security threats, or digitalisation, the bottom line is that insight into the attack surface is central to it all. To stay compliant with regulations, but more importantly: to stay cyber-secure.

To find out more about the attack surface and how to stay in control of the risks, read our whitepaper on Attack Surface Management. 
