Related products from the publisher (sale prices at time of publication):
- NIS2 Documentation Kit – Procedures, Policies and Forms – Language: English. Original price 998,00 €, current price 499,00 € (add to cart for an extra 20% discount).
- Software Audit NIS 2 – Vers. English. Original price 998,00 €, current price 499,00 € (add to cart for an extra 20% discount).
Author: info@edirama.org
Managing artificial intelligence threats with ISO/IEC 27001
The increasing integration of artificial intelligence (AI) into business processes brings both opportunities and new challenges in terms of information security. To effectively address the threats associated with AI, the adoption of ISO/IEC 27001 provides a structured framework for information security management.
ISO/IEC 27001 and AI Security
ISO/IEC 27001 is an international standard that defines the requirements for establishing, implementing, maintaining and continuously improving an Information Security Management System (ISMS). This standard is designed to protect organisations’ information from threats, vulnerabilities and attacks, ensuring confidentiality, integrity and availability of data.
ISO 27001 Controls Relevant to AI
Some requirements and Annex A controls of ISO/IEC 27001 are particularly relevant to AI systems. The control numbers below follow Annex A of the 2013 edition, which many existing ISMS documents still use; the equivalent control numbers in the 2022 edition are given in brackets:
- Information security risk assessment (Clause 6.1.2 of the main body of the standard): identify and assess the risks specific to AI systems, including threats that do not exist for conventional software, such as manipulation of training data or unauthorised extraction of a model.
- Information classification and handling (Annex A.8.2; 2022: 5.10, 5.12, 5.13): classify, label and handle the data used for training and operating AI models so that it is protected from unauthorised access and manipulation.
- Technical vulnerability management (Annex A.12.6.1; 2022: 8.8): identify, assess and mitigate vulnerabilities in AI systems and in their software dependencies (frameworks, model-serving components, libraries), applying updates and patches in a timely manner.
- Access control (Annex A.9.1; 2022: 5.15): define and control access rights to AI systems, training data and model artefacts, so that only authorised personnel and services can interact with them.
- Security in development (Annex A.14.2.1; 2022: 8.25): integrate security into the development and deployment of AI systems, following secure coding practices and testing them before release.
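The classification-and-handling control above asks that training data be protected from manipulation, but says nothing about how a pipeline would notice that a dataset was altered between collection and training. The following is an added example, written for this article and not code from the original page or from any standard: it records a SHA-256 digest of every file in a dataset directory in a manifest, authenticates the manifest with an HMAC (the key is assumed to come from a secrets manager; the literal key and the tiny dataset below are constructed for the example), and then reports modified, missing or unexpected files, which is exactly what a poisoning attempt on a label file would look like.

```python
"""Integrity manifest for AI training data (added example, not from the page).

Assumptions (not in the original text): the dataset is a directory of files,
the training pipeline holds a MAC key obtained from a secrets manager, and the
failure mode to detect is a file altered, removed or added between the time
the manifest was produced and the time training starts.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

HASH = "sha256"


def _file_digest(path: Path) -> str:
    """Stream the file through SHA-256 so large datasets do not need to fit in memory."""
    h = hashlib.new(HASH)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _files_under(root: Path) -> dict[str, Path]:
    return {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}


def build_manifest(dataset_dir: Path, key: bytes) -> dict:
    """Hash every file under dataset_dir and authenticate the whole list with HMAC-SHA256.

    The MAC covers the canonical JSON body, so renaming, dropping or re-hashing
    an entry in the manifest is detected as well as changes to the files.
    """
    files = {name: _file_digest(p) for name, p in sorted(_files_under(dataset_dir).items())}
    body = json.dumps({"hash": HASH, "files": files}, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), "sha256").hexdigest()
    return {"body": body, "mac": tag}


def verify_manifest(dataset_dir: Path, manifest: dict, key: bytes) -> list[str]:
    """Return a sorted list of problems; an empty list means the dataset matches the manifest."""
    expected = hmac.new(key, manifest["body"].encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, manifest["mac"]):
        return ["manifest MAC mismatch: manifest itself was altered or wrong key"]
    recorded = json.loads(manifest["body"])["files"]
    present = _files_under(dataset_dir)
    problems = []
    for name, digest in recorded.items():
        if name not in present:
            problems.append(f"missing: {name}")
        elif _file_digest(present[name]) != digest:
            problems.append(f"modified: {name}")
    problems.extend(f"unexpected: {name}" for name in present if name not in recorded)
    return sorted(problems)


def demo() -> tuple[list[str], list[str], list[str]]:
    """Constructed scenario: clean check, then a poisoned dataset, then a tampered manifest."""
    key = b"example-key-from-a-secrets-manager"  # assumption: a real key is never hard-coded
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "train").mkdir()
        (root / "train" / "a.txt").write_text("cat,0\n")  # constructed sample rows
        (root / "train" / "b.txt").write_text("dog,1\n")
        manifest = build_manifest(root, key)
        clean = verify_manifest(root, manifest, key)
        # Simulated poisoning: flip one label and drop in an extra sample file.
        (root / "train" / "b.txt").write_text("dog,0\n")
        (root / "extra.txt").write_text("x\n")
        poisoned = verify_manifest(root, manifest, key)
        # Simulated manifest tampering: edit the body without re-computing the MAC.
        forged = {"body": manifest["body"].replace("a.txt", "a.csv"), "mac": manifest["mac"]}
        tampered = verify_manifest(root, forged, key)
    return clean, poisoned, tampered


if __name__ == "__main__":
    print(demo())
```

In a real pipeline the manifest would be produced at data-collection time by a role that cannot run training, and verified by the training job, so that a single compromised account cannot both alter the data and re-sign the manifest; that separation is the access-control side of the same problem.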
Enhancing AI Security with ISO 27001
Implementation of ISO/IEC 27001 helps organisations to:
- Structure Risk Management: Through systematic risk assessment, organisations can identify and mitigate specific AI-related threats.
- Establish Operational Controls: Establish operational procedures and policies that ensure the safe and responsible use of AI systems.
- Ensure Regulatory Compliance: Align with applicable data protection and information security regulations, reducing the risk of penalties.
- Promote a Culture of Security: Raise staff awareness of the importance of security in the use and development of AI, promoting an organisational culture geared towards information protection.
In addition, the recently published ISO/IEC 42001:2023 specifies requirements for an AI management system (AIMS), covering the responsible development, provision and use of AI; it is designed to be integrated with an ISMS and complements and extends the security measures provided by ISO/IEC 27001.
By adopting an ISO/IEC 27001-based approach, organisations can proactively address AI-related security challenges while ensuring innovation and operational efficiency.
Self-Assessment Checklist:
- Risk Assessment
  - Have we identified and assessed the specific risks associated with our AI systems?
  - Is there a documented process for managing AI-related risks?
- Data Security
  - Is the data used for training and operating AI models protected from unauthorised access?
  - Have we implemented measures to ensure the integrity and confidentiality of AI data?
- Technical Vulnerability Management
  - Is there a procedure for identifying and resolving vulnerabilities in AI systems and their software dependencies?
  - Do we regularly monitor vulnerabilities and apply the necessary patches in a timely manner?
- Access Management
  - Do we have clearly defined access rights to AI systems, training data and model artefacts?
  - Do we use authentication and authorisation mechanisms to control access to AI systems?
- Security in Development
  - Do we apply secure development practices when creating our AI systems?
  - Do we perform security tests on our AI models before they are deployed?
- Regulatory Compliance
  - Are our AI processes aligned with current data protection and information security regulations?
  - Have we documented the measures taken to ensure compliance with applicable regulations?
- Security Culture
  - Are our staff trained and aware of AI-related security practices?
  - Do we promote a corporate culture that values information security in the use of AI?
This checklist helps assess the implementation of the security controls relevant to AI according to ISO/IEC 27001. A proactive approach to managing these aspects strengthens the overall security of AI systems within the organisation.
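The technical-vulnerability items in the checklist ("do we regularly monitor vulnerabilities and apply patches in a timely manner?") are usually answered for AI systems by checking the pinned versions of the ML stack against published advisories. The block below is an added example written for this article, not code from the page or from any tool it mentions: it parses a pinned requirements file, compares each version with an advisory's affected range, and reports unpinned packages that cannot be audited reliably. The package names, versions and advisories in it are constructed placeholders, not real packages or real security advisories; in practice the advisory list would be fetched from a vulnerability database such as OSV, or the check delegated to a tool such as pip-audit.

```python
"""Audit pinned ML dependencies against an advisory list (added example, not from the page).

Assumptions (not in the original text): packages are pinned with '==' in a
requirements file; an advisory gives the first affected version (inclusive)
and the first fixed version (exclusive). Pre-release suffixes such as 'rc1'
are ignored for comparison, which treats '1.4.2rc1' like '1.4.2' and so errs
on the side of reporting.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    package: str
    introduced: str  # first affected version, inclusive
    fixed: str       # first fixed version, exclusive upper bound
    summary: str


# Constructed advisories for the example: these packages and issues are not real.
ADVISORIES = [
    Advisory("exampleml", "1.0", "1.5.0", "constructed advisory: placeholder issue in exampleml"),
    Advisory("tokenize-example", "0", "0.9.0", "constructed advisory: placeholder issue in tokenize-example"),
]

# Constructed lock file for the example.
SAMPLE_REQUIREMENTS = """\
# ML service dependencies (constructed sample)
exampleml==1.4.2                                   # affected: fixed in 1.5.0
tokenize-example[fast]==0.9.1 ; python_version >= "3.9"   # already patched
numpy>=1.26                                        # not pinned: cannot be audited
"""

_VERSION = re.compile(r"^\d+(\.\d+)*")
_REQUIREMENT = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*(==|>=|<=|~=|!=|>|<)?\s*([^\s;#]*)"
)


def parse_version(text: str) -> tuple[int, ...]:
    """Leading dotted-integer part of a version string, e.g. '1.4.2rc1' -> (1, 4, 2)."""
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in m.group(0).split("."))


def _padded(v: tuple[int, ...], width: int) -> tuple[int, ...]:
    return v + (0,) * (width - len(v))  # so that 1.5 compares equal to 1.5.0


def is_affected(version: str, adv: Advisory) -> bool:
    """True when introduced <= version < fixed, comparing numeric components."""
    v, lo, hi = parse_version(version), parse_version(adv.introduced), parse_version(adv.fixed)
    width = max(len(v), len(lo), len(hi))
    return _padded(lo, width) <= _padded(v, width) < _padded(hi, width)


def parse_requirements(text: str) -> tuple[dict[str, str], list[str]]:
    """Split a requirements file into {name: exact_version} and a list of unpinned names."""
    pinned, unpinned = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line or line.startswith("-"):   # skip blanks and pip options like -r / --index-url
            continue
        m = _REQUIREMENT.match(line)
        if not m:
            continue
        name, _extras, op, version = m.groups()
        name = name.lower().replace("_", "-")  # normalise names the way package indexes do
        if op == "==" and version:
            pinned[name] = version
        else:
            unpinned.append(name)
    return pinned, unpinned


def audit(requirements_text: str, advisories: list[Advisory] = ADVISORIES) -> dict:
    """Return affected (package, version, fixed_in, summary) tuples and the unpinned names."""
    pinned, unpinned = parse_requirements(requirements_text)
    findings = [
        (adv.package, pinned[adv.package], adv.fixed, adv.summary)
        for adv in advisories
        if adv.package in pinned and is_affected(pinned[adv.package], adv)
    ]
    return {"findings": sorted(findings), "unpinned": sorted(unpinned)}


if __name__ == "__main__":
    for finding in audit(SAMPLE_REQUIREMENTS)["findings"]:
        print("AFFECTED", *finding)
    for name in audit(SAMPLE_REQUIREMENTS)["unpinned"]:
        print("UNPINNED", name)
```

The unpinned list is the part practitioners tend to skip: a range such as `numpy>=1.26` means the version actually deployed is whatever was resolved at build time, so an audit of the source file alone cannot answer the checklist question; pin versions, or audit the resolved lock file or the running environment instead.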
The cost of consulting for NIS 2 Directive compliance: practical examples
The NIS 2 Directive (Directive (EU) 2022/2555) has established new cybersecurity obligations for the "essential" and "important" entities it covers across sectors such as energy, transport, health, digital infrastructure and digital services. Meeting these obligations requires specialised expertise, and many organisations turn to external consultants for support. But how much does NIS 2 consulting cost? In this article, we will explore the key factors that determine the fees and provide practical examples.
Factors influencing consulting fees
- Size of the organisation: larger organisations with complex IT infrastructures require more detailed consulting, resulting in higher costs.
- Type of services requested: some companies need a comprehensive review of their security policies, while others may require specific interventions, such as drafting a risk assessment or conducting a vulnerability assessment.
- Consultant's experience: professionals with years of experience in cybersecurity and in-depth knowledge of the NIS 2 Directive typically charge higher rates than less experienced consultants.
- Duration and complexity of the project: a full compliance project may take months, with costs proportional to the hours or working days involved.
- Consultant certifications: certifications such as ISO 27001 Lead Auditor, CISM (Certified Information Security Manager) or CISSP (Certified Information Systems Security Professional) can justify higher fees.
Practical examples of consulting fees
1. Basic consulting for an SME
- Scenario: An SME in the manufacturing sector requires an initial assessment of its compliance with the NIS 2 Directive.
- Tasks performed:
- Initial analysis of processes and IT infrastructures.
- Drafting an action plan for compliance.
- Duration: 5 working days.
- Average cost: €5,000 – €7,500.
2. Full compliance for a large organization
- Scenario: An energy company needs to implement all the security measures required by the regulation.
- Tasks performed:
- Comprehensive IT infrastructure audit.
- Drafting security procedures and policies.
- Internal staff training.
- Penetration Testing.
- Duration: 6 months.
- Average cost: €100,000 – €200,000.
3. Staff training and awareness
- Scenario: A transportation company wants to train its employees on cybersecurity best practices.
- Tasks performed:
- Creating a customized training program.
- Delivering training sessions in person or online.
- Duration: 3 training days.
- Average cost: €3,000 – €5,000.
4. Ongoing consulting services
- Scenario: A digital service provider requires continuous support to ensure ongoing compliance with the NIS 2 Directive.
- Tasks performed:
- Periodic vulnerability monitoring.
- Regulatory updates.
- Incident management support.
- Duration: Annual contract.
- Average cost: €20,000 – €50,000 per year.
Conclusion
The cost of NIS 2 consulting varies significantly depending on the specific needs of the organization, the complexity of the tasks, and the consultant’s experience. Investing in professional support not only ensures regulatory compliance but also strengthens the organization’s resilience against cybersecurity threats. Therefore, it is essential to carefully evaluate the cost-benefit ratio and choose a qualified consultant capable of providing tailored solutions.
Unlocking Professional Opportunities with the DORA Act for Legal, IT, and Privacy Consultants
The Digital Operational Resilience Act (DORA), recently enacted by the European Union, is not just a regulatory requirement; it is a golden opportunity for professionals in legal, IT, and data privacy fields. By ensuring operational resilience in the financial sector, DORA opens doors for consultants to expand their expertise, enhance their services, and meet the growing demand for compliance solutions.
Opportunities for Legal Consultants
Legal professionals are critical to interpreting the complex provisions of DORA, drafting policies, and ensuring organizations align with the regulatory framework. They play a key role in:
- Drafting contracts and service agreements compliant with DORA requirements.
- Advising on liability and risk-sharing agreements in outsourcing and ICT third-party relationships.
- Representing clients in compliance audits and addressing regulatory disputes.
Opportunities for IT Consultants
IT specialists are indispensable in implementing the technical requirements of DORA. Their contributions include:
- Developing robust cybersecurity measures to meet DORA’s stringent standards.
- Conducting risk assessments and testing IT systems for resilience.
- Implementing secure and monitored ICT systems to prevent disruptions.
Opportunities for Privacy Consultants and DPOs
With the increased focus on data integrity and confidentiality, privacy consultants and Data Protection Officers (DPOs) are integral to DORA compliance:
- Ensuring data protection policies align with both DORA and GDPR requirements.
- Assisting in secure data processing, storage, and sharing protocols.
- Providing guidance during regulatory reporting of ICT-related incidents involving personal data.
The DORA Act thus provides a fertile ground for growth and specialization. Professionals who seize this opportunity can position themselves as indispensable partners in helping organizations achieve compliance and operational excellence.
NIS 2 EU Implementing Regulation 2024/2690 – 17/10/2024
Commission Implementing Regulation (EU) 2024/2690 of 17 October 2024 laying down detailed rules for the implementation of Directive (EU) 2022/2555 as regards technical and methodological requirements for cybersecurity risk management measures and further specification of when an incident is considered significant with regard to DNS service providers, top-level domain name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, providers of online marketplaces, online search engines and social network service platforms, and trust service providers.
The technical and methodological requirements are set out in the annex to the Implementing Regulation; the corresponding procedures are available in Edirama's NIS 2 Documentation Kit. The numbering below follows the kit and maps each procedure to the cybersecurity risk-management measure in Article 21(2) of the Directive that it implements:
1. Information systems and network security policy [Art. 21(2)(a) NIS2]
2. Risk management policy [Art. 21(2)(a) NIS2]
3. Incident handling [Art. 21(2)(b) NIS2]
4. Business continuity and crisis management [Art. 21(2)(c) NIS2]
5. Supply chain security [Art. 21(2)(d) NIS2]
6. Security in the acquisition, development and maintenance of network and information systems, including vulnerability handling and disclosure [Art. 21(2)(e) NIS2]
7. Policies and procedures to assess the effectiveness of cybersecurity risk-management measures [Art. 21(2)(f) NIS2]
8. Basic cyber hygiene practices and cybersecurity training [Art. 21(2)(g) NIS2]
9. Cryptography and, where appropriate, encryption [Art. 21(2)(h) NIS2]
10. Human resources security [Art. 21(2)(i) NIS2]
11. Access control [Art. 21(2)(i) NIS2; the related requirement for multi-factor or continuous authentication and secured communications is in Art. 21(2)(j)]
12. Asset management [Art. 21(2)(i) NIS2]
Who Must Comply with the DORA Regulation?
The DORA (Digital Operational Resilience Act) regulation represents a milestone in the European Union’s strategy to strengthen the digital operational resilience of the financial sector. While DORA entered into force on January 16, 2023, its main provisions will become applicable from January 17, 2025. DORA aims to ensure that all financial entities are adequately prepared to manage challenges posed by cyber threats and technological disruptions. But who exactly is required to comply with this regulation? In this article, we will explore the scope of DORA and identify the entities obligated to adhere to its requirements.
1. Regulated Financial Entities
DORA applies to a wide range of financial entities operating within the European Union. These include:
- Banks: All credit institutions subject to the Capital Requirements Directive (CRD IV).
- Investment Firms: Companies providing investment services to clients, including those regulated by MiFID II.
- Insurance and Reinsurance Companies: Including firms operating in life and non-life sectors.
- Payment Institutions and Electronic Money Institutions: Regulated by the Payment Services Directive (PSD2).
- Fund managers: managers of alternative investment funds (AIFMs) and UCITS management companies, which manage funds on behalf of investors.
- Financial market infrastructures: central counterparties, central securities depositories, trading venues and trade repositories.
2. Critical Third-Party ICT Service Providers
In addition to financial entities, DORA reaches the ICT third-party service providers on which they depend: indirectly for all of them, through the contractual and risk-management obligations that Chapter V places on the financial entities using their services, and directly for the providers that the European Supervisory Authorities designate as critical, which fall under the DORA Oversight Framework. Such providers include:
- Cloud Service Providers: Offering infrastructure, platforms, or software as a service.
- Data Analytics Providers: Managing or processing sensitive financial data.
- Network and Communication Service Providers: Ensuring connectivity and security of communications.
- Other ICT Service Providers: Supplying essential software, hardware, or related services for financial operations.
3. Third Parties and Outsourcing
The regulation recognizes the importance of managing risks associated with outsourcing and the use of third-party providers. Financial entities must:
- Assess the risks associated with third-party ICT service providers.
- Continuously monitor the performance and compliance of providers.
- Establish clear contractual agreements, defining roles, responsibilities, and resilience requirements.
4. Supervisory and Regulatory Authorities
Competent national and European authorities are tasked with:
- Supervising the compliance of regulated entities with the DORA regulation.
- Conducting periodic assessments of the digital operational resilience of the sector.
- Imposing sanctions in case of non-compliance or significant violations.
5. SMEs and Smaller Entities
DORA does not exempt small entities, but it applies the principle of proportionality: requirements are to be implemented in a way that takes account of an entity's size, overall risk profile and the nature and complexity of its services, and certain small and non-interconnected entities, including micro-enterprises, are subject to a simplified ICT risk management framework (Article 16) rather than the full set of requirements.
Conclusion
The DORA regulation represents a crucial step towards a more resilient and secure financial ecosystem within the European Union. Its wide application underscores the importance of comprehensive and coordinated preparation against digital threats. With the main provisions becoming applicable from January 2025, it is essential that all affected entities:
- Fully understand the specific requirements of the regulation.
- Implement adequate measures to strengthen their digital operational resilience.
- Actively collaborate with third-party providers and supervisory authorities to ensure continuous compliance.
In an increasingly digital world, operational resilience is not just a regulatory necessity but a fundamental element for customer trust and the stability of the financial market.
Note: This article provides a general overview of the DORA regulation. For specific advice, it is recommended to consult legal or compliance experts.
NIS2 and DORA – What Kind of Consulting Opportunities Do They Provide?
As the European Union continues to evolve its cybersecurity and digital resilience framework, the implementation of the NIS2 Directive and DORA (Digital Operational Resilience Act) has opened up new and diverse consulting opportunities. Both frameworks aim to enhance the cybersecurity posture and operational resilience of critical sectors, presenting a valuable chance for consultants to offer expertise. In this article, we’ll explore the consulting prospects these regulations bring to the market and the specific types of support organizations will need.
1. Risk Assessment and Compliance Readiness
One of the primary consulting needs stemming from NIS2 and DORA is helping organizations assess and understand their current level of compliance. Consultants can:
- Conduct initial gap analyses to identify areas where a company’s current practices fall short of the regulatory requirements.
- Evaluate risk exposure, including analyzing existing cyber threats, business continuity plans, and potential vulnerabilities.
- Develop compliance roadmaps by setting up actionable steps for companies to close gaps and align with the new directives.
2. Policy Development and Implementation
Both NIS2 and DORA require organizations to adopt stringent policies covering various cybersecurity and operational resilience areas. This creates a need for consulting services in:
- Drafting tailored security policies that address the specific requirements of each directive, as well as the organization’s operational and industry needs.
- Establishing incident response plans that outline structured procedures to react swiftly to cyber incidents, aligned with regulatory expectations.
- Policy enforcement training to ensure that policies are not only developed but also implemented across all departments effectively.
3. Cyber Hygiene and Awareness Training
One of the cornerstones of both regulations is ensuring that employees at all levels understand the importance of cybersecurity practices. Consulting services can focus on:
- Developing and delivering cybersecurity training that covers essential topics, including password management, phishing prevention, and secure handling of sensitive data.
- Building a culture of cyber resilience by instilling best practices through awareness programs that engage all levels of the workforce.
- Creating training materials and protocols that comply with NIS2 and DORA standards, ensuring consistent, organization-wide understanding.
4. Incident Management and Response Consulting
Incident response is a critical focus in both NIS2 and DORA, which demand that companies have robust mechanisms in place to handle cybersecurity incidents effectively. Consultants can support by:
- Establishing incident response teams and workflows that align with the directives’ requirements for timely and organized response to threats.
- Providing simulation exercises to prepare organizations for potential attacks, such as mock phishing campaigns and cyber-attack simulations.
- Offering post-incident analysis and improvement plans to refine processes based on lessons learned from previous incidents.
5. Business Continuity and Disaster Recovery Planning
NIS2 and DORA stress the need for comprehensive business continuity and disaster recovery (BC/DR) plans to ensure resilience in the face of disruptions. Consultants can assist by:
- Evaluating existing BC/DR plans for their alignment with regulatory standards and making recommendations for improvement.
- Designing robust recovery frameworks that ensure quick resumption of critical functions after an incident.
- Conducting regular testing and updating of continuity plans to ensure that they remain relevant and effective as technologies and threat landscapes evolve.
6. Supply Chain Risk Management
Both directives emphasize the need for enhanced scrutiny and oversight of third-party vendors and supply chains, as vulnerabilities in these areas can expose organizations to risk. Consulting opportunities here include:
- Assessing third-party risk by evaluating the security posture of key suppliers and vendors and identifying potential vulnerabilities.
- Establishing vendor management frameworks that ensure compliance with regulatory requirements while maintaining resilience.
- Developing vendor risk assessment processes that can be integrated into the organization’s procurement policies to improve security oversight.
7. Cloud Security and Digital Infrastructure Management
With the increasing adoption of cloud services, both NIS2 and DORA require organizations to ensure secure management of their digital infrastructure. Consulting opportunities in this area include:
- Guiding secure cloud migration strategies that align with regulatory requirements, covering aspects like data encryption, access control, and vulnerability management.
- Auditing cloud providers to ensure they meet necessary security standards, reducing risk exposure from third-party cloud services.
- Implementing infrastructure monitoring solutions that provide continuous visibility into potential threats and vulnerabilities within an organization’s digital assets.
8. Assistance with Regulatory Reporting and Documentation
NIS2 and DORA impose strict reporting requirements for cyber incidents and regulatory compliance. Consultants can offer support by:
- Developing standardized reporting protocols to streamline incident reporting processes and maintain clear documentation for regulators.
- Setting up monitoring systems that can detect and report incidents as per the regulatory requirements.
- Providing audit preparation and support to ensure that organizations are well-prepared for regulatory inspections and reviews.
Final Thoughts
The NIS2 Directive and DORA are reshaping the cybersecurity and resilience landscape in Europe, creating a high demand for consulting services across various domains. For consultants, this is an opportunity to offer specialized guidance, from initial compliance assessments to detailed policy implementation and incident management strategies. By supporting organizations in meeting these regulatory requirements, consultants can help clients not only achieve compliance but also build robust, resilient systems that are well-prepared to handle the cybersecurity challenges of the future.
FAQ: What to Do If a Company Believes It Is Not Subject to NIS 2 Despite Potential Inclusion
1. How can I determine if my company is subject to the NIS 2 Directive?
Conduct a comprehensive analysis to determine if your company meets the criteria set by NIS 2. Consider the following:
- Sector of Activity: Check if you operate in a sector designated as essential, such as energy, transport, health, or financial services.
- Company Size: Evaluate based on employee count, annual turnover, and balance sheet size.
- Impact and Criticality: Determine if your services have significant impact on public security or economic stability.
2. What actions should we take if we conclude that our company is not subject to NIS 2?
- Draft a Compliance Assessment Report: Create a formal document outlining why your company does not meet the NIS 2 criteria.
- Secure Internal Approval: Ensure the Board of Directors formally endorses the assessment.
3. Which documents should be prepared to support our exclusion?
- Assessment Report: A comprehensive analysis explaining the criteria and your conclusions.
- Management Meeting Minutes: Document the Board’s approval of the assessment.
- Review Plan: Schedule periodic reassessment to ensure ongoing alignment with regulatory updates.
4. Should we consult an external expert?
It is recommended but not required. Consulting an expert in cybersecurity and compliance can confirm the accuracy of your evaluation.
5. What if our circumstances change?
If your company grows or regulatory changes occur, re-evaluate your status. Notify relevant authorities if you then fall under NIS 2.
NIS 2 Directive and DORA Regulation – The differences in less than 1 minute
| Feature | NIS 2 | DORA ACT |
|---|---|---|
| Full Name | Network and Information Systems Security Directive 2 | Digital Operational Resilience Act (DORA) |
| Adoption Date | 2022 (Member States must transpose it by October 2024) | 2022, effective from January 2025 |
| Scope | All entities operating in essential sectors, including energy, transport, health, finance, and critical infrastructures | Financial sector and its ICT service providers |
| Main Objective | Strengthening cybersecurity in essential and digital sectors, enhancing the resilience of critical infrastructures | Ensuring digital operational resilience of financial entities against cyber incidents or cyberattacks |
| Type of Regulation | Directive (requires transposition into national laws) | Regulation (directly applicable in Member States) |
| Involved Entities | Companies in essential sectors (health, energy, transport, water, public administration) and digital service providers (cloud, online platforms, search engines, etc.) | Banks, financial institutions, insurers, asset managers, and digital service providers in the financial sector |
| Security Obligations | Introduction of cybersecurity requirements for affected entities, including risk management, periodic assessments, and technical and organizational measures | Defining requirements to manage ICT and operational risks, with a focus on operational resilience and third-party risk management |
| Incident Reporting | Obligation to report relevant incidents within 24 hours of detection, with a follow-up notification within 72 hours and a final report | Obligation to report major cyber incidents to relevant authorities within a specified timeframe (to be defined in the regulation) |
| Sanctions | Member States must provide for effective and proportionate sanctions, with fines of up to 2% of global annual turnover or up to €10 million | Similar sanctions to NIS 2, with a focus on violations in the financial sector |
| ICT Risk Management | ICT risk is part of the overall risk management framework | ICT risk is central, with specific obligations for managing third-party providers and operational risks |
| Supervision and Control | Supervision by national competent authorities in each Member State | Supervision by European financial authorities, such as the European Banking Authority (EBA) |
| Third-party Providers | Focus on the security of essential digital service providers | Stringent obligations for managing risks related to critical ICT providers |
What are the steps to comply with DORA?
The Digital Operational Resilience Act (DORA) requires financial institutions to meet specific criteria to ensure digital operational resilience. Here are the key steps for compliance:
- Risk assessment: Identify and assess operational and cybersecurity risks.
- Governance and risk management: Establish strong governance to oversee cyber risk management.
- Cyber resilience: Ensure IT systems are resilient against cyberattacks.
- Operational resilience testing: Conduct regular vulnerability assessments and attack scenario testing to measure control effectiveness.
- Incident management: Develop procedures for rapid response and recovery from cyber incidents.
- Continuous monitoring: Implement continuous monitoring to quickly detect and respond to threats.
- Outsourcing and third parties: Manage risks from external vendors with appropriate security agreements.