The final text of the revised European Network and Information Security Directive (NIS 2 Directive, Directive (EU) 2022/2555) has now been published. This doesn’t formally apply in the UK, but it does contain some helpful comments on using data protection law to support network and information security. I’ve blogged about these previously but, since the final version significantly changes the draft numbering, I thought it was worth posting a revised index to those posts:
CSIRT (international) Information Sharing: Draft Recital 69, which encouraged incident response and information sharing, is now split across Recitals 120 and 121. The former is now even more explicit that “entities should be encouraged and assisted by Member States to collectively leverage their individual knowledge and practical experience at strategic, tactical and operational levels with a view to enhancing their capabilities to adequately prevent, detect, respond to or recover from incidents or to mitigate their impact”. The societal importance of this is still in Recital 3.
CSIRT Collaboration: Helpfully, the Directive separates the “reporting obligations” (Article 23) that fall on the various kinds of regulated entities from the more general “exchange on a voluntary basis” of cybersecurity information (Article 29, formerly draft Article 27). The latter is open to anyone with relevant information and skills to improve the security of networks, systems and data, including, where relevant, entities outside the Directive’s scope, and may cover “information relating to cyber threats, near misses, vulnerabilities, techniques and procedures, indicators of compromise, adversarial tactics, threat-actor-specific information, cybersecurity alerts and recommendations regarding configuration of cybersecurity tools to detect cyberattacks”. Two conditions apply: the sharing must aim “to prevent, detect, respond to or recover from incidents or to mitigate their impact”, and it must have the effect of “enhanc[ing] the level of cybersecurity”. For the second condition the Directive again gives an extensive range of examples: “raising awareness in relation to cyber threats, limiting or impeding the ability of such threats to spread, supporting a range of defensive capabilities, vulnerability remediation and disclosure, threat detection, containment and prevention techniques, mitigation strategies, or response and recovery stages or promoting collaborative cyber threat research between public and private entities”.
Lots here to support our activities.