
Securing critical infrastructure: new regulations mandate control

by Sebastiaan Bosman Blog 17 Sep 2021

The name says it already: organisations in critical infrastructure are vital for the services they provide to society. Should something go wrong in their daily operations, it can have severe consequences and disrupt individual people and other companies. That doesn’t necessarily mean they are targeted more often in (cyber-)attacks, but it is an extra reason to prevent any attack from succeeding.

Such organisations have often been in charge of their own cybersecurity, guided by regulations. Now, though, authorities in the EU are starting to sharpen their oversight with the RCE directive. What is the EU RCE? And how should critical infrastructure organisations prepare?


Resilience of Critical Entities

As OpenKRITIS puts it, the RCE “is the resilience baseline for EU operators”. EU nations have parameters to determine whether or not an organisation can be classified as ‘critical infrastructure’. Examples are energy suppliers, transport services, water and waste water, financial institutions, the health sector, public administration, and more. Such organisations will be subjected to a scan to see whether their digital resilience and risk management are up to par. If they aren’t, or are lacking in certain areas, the organisation can face a fine.

Now, before any IT team hastily starts checking their assets, it’s important to note that the regulation is not yet in effect. OpenKRITIS: “RCE is EU legislation that still needs to be enacted by the EU. It will then be transposed into national law by EU member states.” That might not happen for a little while. It’s likely that EU member states will start actively regulating critical infrastructure from 2022 onwards, depending on internal processes. Still, both the NIS2 and the RCE need to be transposed into national law within 18 months.


How do external audits work?

The RCE builds on the NIS2 directive, bundling the regulations into a higher cybersecurity standard. It also parallels the discussions around mandatory IT audits. Similarly to having your car serviced by a licensed garage, there are pros and cons to having your (critical infrastructure) organisation audited for cybersecurity processes and general IT governance.

Critical infrastructures are obliged to implement resilience frameworks and security measures. The levels they have to meet are based on the type of services they provide and the risks and threats they face. The EU defines the baseline; individual nation states will implement their adapted versions.

What it comes down to is that all such organisations will have to prove they are in control of their attack surface. That means knowing what kind of digital assets they have, where they are hosted (including those at connected third parties), what risks they pose (including via the supply chain), and what actions they should take to mitigate the most relevant risks.


Potential effects

The direct result of such regulatory audits is a report and a list of items the organisation might need to work on. Or, better yet, continuous insight into its live attack surface. This improves the market’s cybersecurity maturity. Furthermore, there is also a long-term benefit. As this is an EU-regulated directive, cooperation and information sharing between nation states is facilitated. That means organisations can learn from each other’s best (and worst) practices. Additionally, cross-border incidents and events can be mapped in greater detail, providing a better view of developments in cybersecurity and threats.

Just as an auditor or a threat actor can scan the attack surface from the outside in, so too should organisations themselves approach their IT infrastructure. Whether the driver is an increasing regulatory push, security threats, or digitalisation, the bottom line is that insight into the attack surface is central to all of them. To stay compliant with regulations, but more importantly: to stay cyber-secure.

To find out more about the attack surface and how to stay in control of the risks, read our whitepaper on Attack Surface Management.
