Organisations responsible for critical infrastructure often also take care of their own cybersecurity. Now though, with the European Commission having proposed a new directive to enhance the resilience of critical entities, such organisations need to start preparing for change.
When something goes wrong with the daily operations of the organisations that run the critical infrastructure we all rely on, it can have severe consequences, causing disruption for individuals and companies alike. That doesn’t necessarily mean they are more often targeted in (cyber-)attacks, but it does pose an extra reason to prevent any successful attack.
Such organisations have often been in charge of their own cybersecurity, guided by regulations. Now though, authorities in the EU are starting to intensify their watchful eyes with the RCE directive (also known as the CER). What is the EU RCE? And how should critical infrastructure organisations prepare?
Resilience of Critical Entities
As written by OpenKRITIS, the RCE “is the resilience baseline for EU operators”. EU nations have parameters to determine whether or not an organisation can be classified as ‘critical infrastructure’. Examples are energy suppliers, transport services, water and waste water, financial institutions, the health sector, public administration, and more. Such organisations will be subjected to a scan to see if its digital resilience and risk management is up to par. If it isn’t, or is lacking in certain areas, it can face a fine.
Now, before any IT team might hastily start checking their assets, it’s important to note that the regulation is not yet in effect. OpenKRITIS: “RCE is EU legislation that still needs to be enacted by the EU. It will then be transposed into national law by EU member states.” That might not happen for a little while. It’s likely that EU member states start actively regulating the critical infrastructure as of 2022+, depending on internal processes. Still, both the NIS2 and RCE need to be transposed into national law within 18 months.
How do External Audits Work?
The RCE builds on the NIS2 directive, for a bundling of the regulations for a higher cybersecurity standard. Also, it draws parallels with the discussions around mandatory IT audits. Similarly to having your car serviced by a licensed car shop, there are pros and cons to having your (critical infrastructure) organisation audited for cybersecurity processes and general IT governance.
Critical infrastructures are obliged to implement resilience frameworks and security measures. The levels they have to meet are based on the type of services they provide and the risks and threats they face. The EU defines the baseline, individual nation states will implement their adapted versions.
What it comes down to is that all such organisations will have to prove they are in control of their attack surface. That means knowing what kind of digital assets they have, where they are hosted (including those at connected third parties), what risks they pose (even via the supply chain), and what actions they should take to mitigate the most relevant risks accordingly.
The direct result of such regulatory audits are a report and list of items the organisations might need to work on. Or better yet, continuous insights into their live attack surface. This improves the market’s cybersecurity maturity. Furthermore, there is also a long-term benefit. As this is a EU-regulated directive, cooperation and information sharing between nation states is facilitated. That means organisations can learn from each other’s best (and worst) practices. Additionally, cross-border incidents and events can be mapped in greater detail, providing a better view of the cybersecurity and threat developments.
Just as an audit or a threat actor can scan the attack surface from the outside-in, so too should the organisations themselves approach their IT infrastructure. Whether it be from an increasing regulatory push, security threats, or digitalisation, the bottom line is that insights into the attack surface are central to it all. To stay compliant to regulations, but more importantly: to stay cyber-secure.
To find out more about the attack surface and how to stay in control of the risks, read our whitepaper on Attack Surface Management.
This post was originally published on the Cybersprint blog.
Comments are disabled on articles published more than a year ago. If you'd like to inform us of any issues, please reach out to us via the contact form here.
Thank you for reminding us all that this proposal is on the table. We had a look earlier this year and used the opportunity to respond to the EU's consultation on the proposal. A copy of our response is available at https://www.ripe.net/participate/internet-governance/multi-stakeholder-engagement/ripe-ncc-response-to-critical-entities-resilience-directive_april-2021.pdf While we welcome the efforts to focus on security, we are mostly interested to see how this particular proposal will work in connection to the NIS (in force) and the proposed NIS2 directives, also because this proposal appears to be dependent on the NIS2 definitions and scope. Regards, Marco Hogewoning Manager Public Policy and Internet Governance - Ripe NCC
Just as a quick update, last night the European Parliament voted on a set of amendments and adopted their position, giving the green light to enter the negotiations with the Commission and member states in the so called "trilogue" process. The press release can be found at: https://www.europarl.europa.eu/news/en/press-room/20211006IPR14307/essential-infrastructure-new-rules-to-boost-co-operation-and-resilience and the same page also has pointers to the proposed amendments and other relevant documents.
Hide one reply
Sebastiaan Bosman •
Hi Marco, Thank you for your comments and the update! It will probably take some time before negotiations with the Council are done, but I'm also curious as to what will be decided in full. Regards, Sebastiaan
Marco Hogewoning •
Fresh update 10 December: The EU Council has published their general approach which is expected to be adopted in a ministerial meeting scheduled for 20 December 2021. The text as proposed by the EU member states can be found at https://data.consilium.europa.eu/doc/document/ST-14594-2021-INIT/en/pdf