Publication on Januray 30th of Commission Implementing Regulation 2018/151 defines the technical and organizational controls that digital services providers (aka. online marketplaces, online search engines and cloud computing services) have to adopt following article 16 of NIS Directive (2016/1148).
Implementing Regulation Analysis
It is a really simple document that only have 5 articles, of which, discounting the objective and the entry into force, we are only left 2 articles settled to evaluate incident impact for notification effects and 1 [yes, one, you are right] for the security measures that digital service providers have to implement (article 2. Security elements); which is the focus of this post.
Obligations that this article defines for this kind of providers in Euroe are the following:
- Carry out a systematic management of network and information systems, establishing "appropriate" security policies, including risk management.
- Implement physical and environmental security measures based on a risk approach.
- Assure the security of supplies for being able to ensure the service provision.
- Control physical and logical access to network and systems.
- In relation to incident management: to have processes and procedures to detect, notify and response evaluating criticallity (includes weaknesses and vulnerabilities detection).
- Establish contingency planning and recovery capacities in case of disruptive incident (and to carry on tests on them)
- Carry out periodic tests to assure that systems and networks are working as presumed.
- Finally, providers have to make available to authorities documentation on how they are compliant with previous elements.
Consequences on digital service providers
Nothing. Life goes on. Well, no, at least you should have to assure to implement (not certified) an information security management system.
Conclusions for digital service users
We regret to inform you that UE governing bodies have left you alone:
If you want to assure that digital services you are using are secure enough for your purpose, you are going to require your providers that provide you with a security rating or any other similar mechanism to know the real security posture of the service.
Because NIS Directive coming into effect is not going to mean any relevant change in status quo. It is sad to see that the hope we have placed into this Directive when we saw that it was developed "with a view to achieving a high common level of security of network and information systems within the Union" has fade away with this Implementing Regulation.
This Regulation is empty. It does not obligue to anything. Anything is valid to say that you are compliant.
Can we think that digital services are going to be more secure after comming into force? NO
Can we think in any adventage for european providers? NO
Can we think that, at least, there is a framework to require more security to providers? NO
Then, why it is published? To say that it has been published and pretend that something is being doing on cybersecurity issue.
So, as we stated in the title, this Regulation makes security rating essential as THE BEST tool to know the security level of digital services.
You can follow us on twitter.com/leet_security