The European Union’s leading security agency, Enisa, has raised concerns about the compliance of six critical infrastructure sectors with the NIS2 directive. The directive was established in response to the increasing threats faced by critical infrastructure across the EU and aims to enforce a new set of stringent cybersecurity requirements.
In a recently released report that introduced the NIS360 security posture assessment scheme, Enisa identified six sectors that are deemed to be “within the NIS360 risk zone.” These sectors include IT service management, space, public administrations, maritime, health, and gas. Each sector faces unique challenges in complying with the directive, such as cross-border complexities, limited cybersecurity knowledge, legacy systems, and supply chain vulnerabilities.
Enisa also highlighted the digital infrastructure sector as being slightly less mature than the other critical sectors. This sector encompasses vital services like internet exchanges, data centers, and cloud services, which are crucial for the functioning of the digital economy.
Enisa’s executive director, Juhan Lepassaar, emphasized that the agency is working with EU Member States to implement the NIS2 directive by providing expertise and guidance. The NIS360 report sheds light on the overall maturity levels of different sectors and outlines the specific challenges they face, with the aim of guiding them towards stronger cybersecurity practices.
Despite the challenges identified in the report, there were positive findings as well. The electricity, telecoms, and banking sectors were recognized as the most mature, benefiting from significant regulatory oversight, funding, political attention, and strong public-private partnerships. These sectors have managed to establish robust cybersecurity measures to safeguard their critical infrastructure.
In the context of OT (Operational Technology) security, James Neilson, SVP international at OPSWAT, pointed out a major gap in the availability of professionals skilled in both IT and OT security. He highlighted the vulnerability of ICS/OT infrastructure to cyber attacks through IT systems, internet connectivity, and transient devices. Neilson emphasized the importance of securing data flows and scanning files in transit to detect and neutralize malicious payloads that could infiltrate critical systems, both for NIS2 compliance and for improving cybersecurity overall.
While most UK organizations may not be subject to NIS2 regulations, those operating within the EU are required to adhere to its provisions. Compliance with the directive is essential to protect critical infrastructure from cyber threats and ensure the continuity of essential services for EU citizens.
In conclusion, Enisa’s report underscores the importance of strengthening cybersecurity measures across critical infrastructure sectors to mitigate risks and enhance resilience against cyber threats. By addressing the challenges identified and adopting best practices outlined in the NIS360 assessment, organizations can bolster their cybersecurity posture and better protect their critical assets.