Will the NIS Directive forget about supply chain cybersecurity?

(Article originally posted at Red Segurid@d - only in Spanish)

That the NIS Directive will mean a significant advance in cybersecurity across Member States once it is passed is beyond doubt. Its main elements are an integrated approach across the whole EU, the obligation to report security incidents to national authorities (which must still be designated), and the setting-up of a network of Computer Security Incident Response Teams (CSIRTs).

By contrast, however, it will only require measures for improving resilience against attacks from organizations providing essential services (operators of essential services), a category that includes digital services such as search engines, online marketplaces and cloud services, and it excludes SMEs as defined in European Commission Recommendation 2003/361/EC, that is, entities with a turnover below 10 million euros and up to 50 employees.

This scope definition has a problem: it forgets that small or very small companies can have huge data-processing capabilities and, moreover, can be used as a bridge to attack bigger organizations, since a compromised provider's credentials, network connections or software updates are trusted by its customers.

For this reason, and accepting that it is politically undesirable to burden the economic activity of European companies excessively and to penalize them relative to competitors that are not required to adopt such measures, the Directive should not forget the importance of the ICT supply chain and should, at least, require the operators it covers to ensure that their providers are not the weakest link in the chain.

This approach would also be consistent with the position of bodies such as the European Central Bank, which has expressed concern about the mechanisms financial institutions have put in place to supervise the cybersecurity of their providers. It would confine the problem to those SMEs that could really have an impact on essential services, and it is something that organizations are, or will be, doing anyway as part of their Vendor Risk Management process.

It is the service provided and the information handled, not the size of the company, that should determine whether a company falls under this kind of obligation.

Security labelling of services is a simple and understandable way to implement this process efficiently and without a net cost to the economic sector, since the efficiencies gained significantly outweigh the cost of the rating.