NIS 2 Directive: cybersecurity improvement for all

The final text of the revised European Network and Information Security Directive (NIS 2 Directive) has now been published. This doesn’t formally apply in the UK, but does have some helpful comments on using data protection law to support network and information security. I’ve blogged about these previously but, since the final version significantly changes the draft numbering, I thought it was worth posting a revised index to those posts:

CSIRT (international) Information Sharing: Draft Recital 69, which encouraged incident response and information sharing, is now split across Recitals 120 and 121. The former is now even more explicit that “entities should be encouraged and assisted by Member States to collectively leverage their individual knowledge and practical experience at strategic, tactical and operational levels with a view to enhancing their capabilities to adequately prevent, detect, respond to or recover from incidents or to mitigate their impact”. The societal importance of this is still in Recital 3.

CSIRT Collaboration: Helpfully, the Directive separates “reporting obligations” (Article 23) of various kinds of regulated entities from more general “exchange on a voluntary basis” (Article 29, formerly 27), which should involve anyone with relevant information and skills to improve the security of networks, systems and data. The latter might include “information relating to cyber threats, near misses, vulnerabilities, techniques and procedures, indicators of compromise, adversarial tactics, threat-actor-specific information, cybersecurity alerts and recommendations regarding configuration of cybersecurity tools to detect cyberattacks”, so long as the aim is “to prevent, detect, respond to or recover from incidents or to mitigate their impact” with the effect of “enhanc[ing] the level of cybersecurity”, again with an extensive range of examples: “raising awareness in relation to cyber threats, limiting or impeding the ability of such threats to spread, supporting a range of defensive capabilities, vulnerability remediation and disclosure, threat detection, containment and prevention techniques, mitigation strategies, or response and recovery stages or promoting collaborative cyber threat research between public and private entities”.

Lots here to support our activities.

By Andrew Cormack

I'm Chief Regulatory Advisor at Jisc, responsible for keeping an eye out for places where our ideas, services and products might raise regulatory issues. My aim is to fix either the product or service, or the regulation, before there's a painful bump!
