NIS2 - will it make a difference?

The EU directive on measures for a high common level of cybersecurity across the Union (a.k.a. NIS2) is being implemented across the EU, and is influencing legislation even in neighboring countries such as Bosnia and Herzegovina and Serbia (via the Brussels effect).


At its core, NIS2 introduces a risk and asset management approach to cybersecurity, and this is good news: cybersecurity attacks often result from poor maintenance, unmonitored sprawling IT infrastructure, incomplete asset inventories, exposed entry points with poor authentication (i.e. password only), etc. All this indicates companies need to continuously monitor their assets and assess the inherent risks in the attack surface. Here, assets include not only servers, endpoints, various networked devices and cloud resources, but user identities as well.


By continuously assigning risk scores to assets and tracking the evolution of risk across time, the hope is to make cybersecurity a more proactive practice, rather than focus on reactive and narrow measures such as "antimalware" detection or "network intrusion prevention". Frameworks to operationalize this process are already well known and should be relatively easy to implement (such as the NIST SP 800-30 guide for conducting risk assessments - see an example implementation here).


However, as the EU directive is being transposed into national legislations, it is being subjected to a myriad of subordinate acts, imposing subtly different requirements from country to country, and sometimes colliding with core principles of risk management and NIS2 itself.


The recent Report on the future of European competitiveness (the well known Mario Draghi report - see here) makes it clear that regulatory burden is one of the key reasons why the EU is witnessing a generational productivity lag, which the report calls an "existential challenge" for the EU.


Especially in the technology and digital sector, the EU seems quite hyperactive, having built a 100+ regulation portfolio - prompting one to wonder who'll enforce all of this and who'll ensure compliance.


Furthermore, the Mario Draghi report dwells a lot on the phenomenon of so-called regulatory "gold plating". The European Commission describes this as the process by which a Member State, which has to transpose EU legislation into national law or implement EU legislation, imposes additional requirements, obligations or standards in its national law that go beyond the requirements or standards of EU law – thereby imposing additional and avoidable regulatory uncertainties and costs (see more here). This can happen throughout the policy cycle, from the transposition of primary law to the implementation via delegated or implementing acts, to national enforcement of regulation.


EU directives such as the NIS2 usually just set policy goals to be achieved by the Member States but leave up to each country the exact measures to be put in place to achieve them. Also, EU legislation may deliberately leave flexibility in the level of harmonization or Member States’ practice.


NIS2 - gold plating in action?


With respect to NIS2, we're already seeing many divergences in the details, with countries like the Czech Republic, Croatia, and Poland expanding the scope of NIS2 by adding sectors such as education, public transportation, and cement production (see here).


Reporting timelines and supervisory measures also differ. For instance, Germany features a graduated reporting system for cybersecurity incidents, while Hungary mandates an extensive audit and certification process (see here).


The Hungarian NIS2 implementation act includes a 120-page document containing precise specifications for cyber security certification and monitoring with regard to risk management, as well as a catalog of measures and a catalog of hazards. The catalog of measures includes more than 160 test points for the "simple" protection class, more than 300 for the "significant" protection class and almost 400 mandatory test and inspection points and associated measures for the "high" protection class.


In Croatia, there's a similar approach to the implementation of NIS2: the regulator is defining technical requirements for risk management measures as part of a subordinate act (to be enacted 9 months after the core law, in place since February 2024).


Although not as extensive as in Hungary, this one still goes into too much detail, listing some 100 measures and technologies that organizations need to have in order to comply. Most of these apply even at the most "basic" level of protection required.


The risks with too many "risk management" prescriptions


By overprescribing with little sense of prioritization, organizations are forced to spread their effort across too many measures, potentially missing the most important ones. This is precisely the opposite of sound risk management, where one seeks to first tackle the measures with the greatest relative risk reduction (Pareto principle).


For example, it is well known that ransomware operators currently focus on systems with poor authentication and lots of self-hosted assets (such as VPN boxes exposed on the public internet). There have been successful attacks against key institutions in the region precisely relying on these weaknesses (see an example here and here).


Typically, lack of multifactor authentication (MFA) and a complex self-hosted IT infrastructure with high-risk assets are the biggest predictors of ransomware attacks. So it would make sense to make MFA pervasive wherever possible and prioritize this measure.
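To make the two ideas above concrete (per-asset risk scores tracked over time, and picking first the measure with the greatest relative risk reduction), here is an added example written for this page; it is not code from the original post, from NIST SP 800-30 or from any NIS2 implementation act. It scores each asset in a constructed inventory as likelihood × impact, with likelihood built from exposure factors such as internet exposure and password-only authentication, then ranks candidate measures by the total risk they would remove and replays them greedily to produce a "risk over time" series. The factor weights, the inventory, the impact scale and the measure-to-factor mapping are all assumptions chosen for illustration.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Asset:
    """One inventory entry. Identities count as assets too, so a service
    account with a password-only login fits this shape as well."""
    name: str
    impact: int            # 1..10 business impact if compromised (assumed scale)
    internet_exposed: bool
    password_only: bool    # no MFA on the login path
    self_hosted: bool
    unpatched: bool


# Likelihood contribution of each exposure factor (assumed weights; with a
# baseline of 1 the sum stays on a 1..10 scale).
FACTORS = {
    "internet_exposed": 3,
    "password_only": 3,
    "unpatched": 2,
    "self_hosted": 1,
}

# Candidate measures and the exposure factor each one removes (assumed mapping).
MEASURES = {
    "Enforce MFA": "password_only",
    "Patch management": "unpatched",
    "Migrate to managed hosting": "self_hosted",
}

# Constructed inventory for the example, not real hosts.
INVENTORY = [
    Asset("vpn-gw-01", 9, True, True, True, True),
    Asset("mail-owa-01", 7, True, True, True, False),
    Asset("hr-db-01", 9, False, True, True, False),
    Asset("laptop-042", 3, False, False, False, True),
    Asset("saas-crm", 5, True, False, False, False),
]


def likelihood(asset):
    """Likelihood on a 1..10 scale: baseline 1 plus the active factor weights."""
    return 1 + sum(w for f, w in FACTORS.items() if getattr(asset, f))


def risk(asset):
    """Risk = likelihood x impact, the usual SP 800-30 style product."""
    return likelihood(asset) * asset.impact


def total_risk(assets):
    return sum(risk(a) for a in assets)


def apply_measure(assets, measure):
    """Return a new inventory with the factor removed by `measure` cleared."""
    factor = MEASURES[measure]
    return [replace(a, **{factor: False}) for a in assets]


def risk_reduction(assets, measure):
    return total_risk(assets) - total_risk(apply_measure(assets, measure))


def prioritize(assets):
    """Rank measures by the total risk each would remove, largest first."""
    ranked = [(m, risk_reduction(assets, m)) for m in MEASURES]
    return sorted(ranked, key=lambda item: item[1], reverse=True)


def greedy_plan(assets):
    """Apply measures one at a time, always the one with the largest remaining
    reduction. Returns (measure, reduction, total risk afterwards) per step,
    with a baseline entry first; the totals are the risk-over-time series."""
    remaining = list(assets)
    todo = sorted(MEASURES)
    history = [("baseline", 0, total_risk(remaining))]
    while todo:
        best = max(todo, key=lambda m: risk_reduction(remaining, m))
        gained = risk_reduction(remaining, best)
        remaining = apply_measure(remaining, best)
        todo.remove(best)
        history.append((best, gained, total_risk(remaining)))
    return history


if __name__ == "__main__":
    for a in sorted(INVENTORY, key=risk, reverse=True):
        print(f"{a.name:12} likelihood={likelihood(a):2} "
              f"impact={a.impact:2} risk={risk(a):3}")
    print("measures by risk reduction:", prioritize(INVENTORY))
    for step in greedy_plan(INVENTORY):
        print(step)
```

On this inventory the exposed, password-only VPN gateway tops the asset ranking, and "Enforce MFA" removes roughly three times as much total risk as either of the other measures, which is the Pareto ordering the text argues for. Swapping in a different weighting or adding a factor (for example one for helpdesk reset procedures) is how such a model is re-run as attack techniques change.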


Yet MFA is not adequately prioritized in NIS2 implementation acts across EU member states. Faced with a multitude of "measures" the organization is placed in a "can't see the forest for the trees" situation, missing key risks.


Another issue is that by going into too much technical detail, the regulator is betting that today's cyber hygiene practices will change little in the future. That is unlikely to be the case: technology changes, systems are modernized and new risks and mitigation measures are bound to emerge in the future.


Also, new attack techniques will become more prevalent as ransomware groups and other threat actors respond to technology change, prompting dynamic prioritization of risk management measures (and risk recalculation!).


To remain on the example of MFA, consider how changing techniques are already prompting new measures. Starting from 2021, threat actors have begun to incorporate MFA bypass techniques into their phishing-as-a-service kits - from prompt bombing to Adversary-in-the-Middle (AitM) proxy services. Also, in order to subvert MFA, attackers are increasingly relying on helpdesk social engineering techniques.


The current risk management measures as envisioned by NIS2 implementation are oblivious to these emerging trends, preferring to enforce an already outdated and over-simplified stance ("implement multifactor authentication"), leaving compliant organizations exposed to significant risks.


A More Sensible Approach?


With this in mind, the regulator’s goal should not be to focus on technical details, but to reference existing, continuously updated industry practices. Whether from private or publicly funded organizations, there is already plenty of cybersecurity expertise and advice available. Therefore, there’s no need to enact and maintain a potentially outdated compliance checklist with hundreds of test and inspection points.


It is much better to leave it to companies to determine their preferred path to risk mitigation, by focusing on what's most important (the "low hanging fruit"). That's the core principle in NIS2, yet it's being subverted by overregulation at national level.


A risk management approach to cybersecurity is more than welcome. In fact, risk management principles, especially applied to attack surface, are as relevant as ever. But the current "gold plating" approach to NIS2 could well result in (yet again!) increased compliance costs and regulatory uncertainty for businesses, without noticeably improving the overall security posture of organizations across the EU.