
Today, digital information security (commonly referred to as cybersecurity) contributes to the strength of modern societies, as it is a fundamental pillar for managing and protecting the most important assets of individuals, companies and even societies.
In a global context in which several wars are being fought between nations, there are daily episodes of cyber-attacks on companies, hospitals, universities, non-profit institutions and even critical infrastructures, intended to damage, degrade or deny the use of computer systems.
Even outside the context of war, cyber-attacks are increasingly present in the daily lives of societies, jeopardizing justice, education, health, freedom of expression and even critical infrastructures such as water supply, telecommunications, fuel, or electricity.
Therefore, it is necessary to take preventive measures to combat technological risks, by training and raising awareness among people, creating appropriate legislation, adopting suitable technologies, and implementing and monitoring management processes that prove to be truly effective.

Cybersecurity: what does the current legislation say?
As far as legislation is concerned, we have seen a great deal of concern from the more developed countries in adopting regulations that aim to guide or even force companies and organizations to adopt behaviours, defences and response mechanisms that mitigate the risks associated with cyber-attacks.
NIS1
Presented in the European Cybersecurity Strategy, Directive (EU) 2016/1148 (known as the NIS Directive) was adopted in the European Union (EU) on July 6, 2016, to strengthen the resilience of European cyberspace. The directive set out a wide range of measures to raise the level of security of networks and information systems in order to protect services that are vital to society and to the economy of the EU. Its focus was on ensuring that EU countries would be properly prepared to face and react to cyber-attacks, by designating competent authorities, setting up computer security incident response teams (CSIRTs) and adopting national cybersecurity strategies.
In Portugal, this directive was transposed by Law no. 46/2018, of August 13, which establishes the legal framework for cyberspace security and defines a set of rules to be applied to public administration, critical infrastructure operators, essential service operators, digital service providers, as well as any other entities that use networks and information systems (particularly regarding voluntary incident reporting). Naturally, this law has been made compatible with other laws and regulations published in the meantime, such as the General Data Protection Regulation (Regulation 2016/679 of the European Parliament, published on April 27, 2016, and whose application began in May 2018).
Later, in 2019, Regulation (EU) 2019/881 (the Cybersecurity Act) was approved by the European Parliament and the Council; it clarified the mandate of ENISA (the European Union Agency for Cybersecurity) and established a European framework for the cybersecurity certification of ICT products, services and processes. Being a regulation, it applies directly in the Member States and is not transposed; in the national measures that implement it, the National Cybersecurity Center (CNCS) was designated as the National Cybersecurity Certification Authority. Decree-Law no. 65/2021 of July 30, which develops the legal framework created by Law no. 46/2018, also defined a set of rules to be complied with by the organizations covered, such as:
- The definition of a permanent and responsible security point of contact;
- The obligation to communicate the list of essential assets;
- The need to carry out global and partial risk analyses;
- The need to draw up and keep up-to-date a security plan and produce an annual report;
- And the implementation of means to detect, classify and report security incidents to the CNCS.
NIS2
More recently, in December 2022, the EU adopted Directive (EU) 2022/2555 (NIS2), which broadens the scope of the previous directive, adding to the list of covered sectors public administration bodies, postal and courier services, food production and distribution, the manufacturing industry, companies that manage waste or treat wastewater, digital providers, research entities and other ICT service providers (exempting some organizations on the basis of the number of employees or turnover).
Some of the obligations arising from the new directive (which has a deadline of October 17, 2024, for transposition into national law) are:
- Systematic risk analysis and information system security policies;
- Incident handling;
- Development of business continuity plans, including new requirements for backup management and disaster recovery;
- Implementation of security measures in the supply chain;
- Evaluating the effectiveness of risk management measures;
- Development of "cyber-hygiene" practices and training in cybersecurity, raising the level of security associated with human resources;
- Use of cryptography and, where appropriate, encryption;
- Use of multi-factor authentication or continuous authentication solutions.
Thus, NIS2 redefines the original scope to be clearer regarding the coverage of "essential services" and broadens the typology of entities whose cyber resilience is considered essential.
It also aims to reduce inconsistencies between Member States and to bring management bodies closer to information security, requiring them to create more effective communication channels with technical teams. At the same time, incident reporting becomes compulsory, with shorter deadlines for notifying the competent authorities: an early warning within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours and a final report within one month.
Article 20 of this directive states that "the management bodies of essential and important entities approve the cybersecurity risk-management measures taken by those entities to comply with Article 21, oversee its implementation and can be held liable for infringements by the entities of that Article".
This means that management teams in organizations must be aware of security risks and must ensure that all management plans and policies (whether in the area of incident management, assessment of supply chains or use of multi-factor authentication) comply with the requirements of the legislation, under pain of significant penalties (for essential entities, administrative fines of up to EUR 10 000 000 or 2 % of worldwide annual turnover, whichever is higher; for important entities, up to EUR 7 000 000 or 1.4 %), as was already the case with the processing of personal data under the GDPR.
Sectorally, there are also other legislative ecosystems, such as DORA (the Digital Operational Resilience Act, Regulation (EU) 2022/2554), applicable to the financial sector, which relates to various other pieces of legislation, initiatives, guidelines, recommendations, standards and principles on digital finance, cybersecurity, data and digital services. This topic has been gaining prominence since the European Central Bank announced its intention to run exercises testing banks' resilience to cyber-attacks.

Certification as a path to digital maturity and security
Beyond the obligations they impose, European legislation and regulations on cyberspace should be used as instruments that give countries and organizations guidelines for developing their maturity models, creating institutional resources capable of producing tools, sharing content and generating relevant dynamics in the field of cybersecurity.
In this context, various initiatives have been developed in Portugal, such as the National Cybersecurity Reference Framework (issued by the CNCS), the Cybersecurity Observatory, the Information Sharing and Analysis Centers (ISAC) and various training and certification programs.
One of the most recent examples in Portugal is the Cybersecurity Digital Maturity Certification program, one of the measures of the Digital Transition Action Plan to promote the digital transformation of the economy. This initiative, funded under the Recovery and Resilience Plan (PRR), is being developed in partnership with the Portuguese Accreditation Institute (IPAC), the Portuguese Quality Institute (IPQ), the National Mint Press (INCM) and certification bodies, and is open to any organization, private or public, which can have its compliance verified and become certified at one of three levels (Bronze, Silver or Gold) according to its stage of maturity.
Since its conception, DataCoLAB has made a strong commitment to cybersecurity and immediately went ahead with the Digital Cybersecurity Maturity Certification process, obtaining this recognition in June 2022. Already this year, the first follow-up audit has been carried out, allowing us to confirm that our level of compliance has been maintained and to dynamically adjust our strategy in this field.
From our experience, we believe that the path of cybersecurity certification will allow for a significant improvement in the level of digital maturity of companies and organizations, as it will allow for the identification and protection of critical assets, the creation of incident response mechanisms and the consolidation of risk management processes, guaranteeing an adequate level of resilience.
At the end of this process, organizations' management bodies will be able to focus on their objectives with greater confidence, knowing that they are complying with the applicable legal and regulatory requirements.
Technical teams will also be able to react more quickly and effectively to any incident, because the necessary mechanisms were identified in good time and are available in a time of crisis. And in the event of an attack, its impact can be more easily contained, because the preventive measures are in place and all the parties involved are aligned.
On the other hand, regular verification of compliance with the certification requirements also protects the reputation of organizations (and of the people who make them up), because in the event of a cyber-attack all stakeholders will be able to recognize that, despite its impact, the protection and response mechanisms had been properly implemented.

Carlos Domingues
IT & Security Coordinator