In the face of mounting concern over increased cyber threats, two initiatives were introduced last week that each aim to protect the varying entities and industries impacted by this trend. One comes from the EU where lawmakers came to an agreement on Friday that will strengthen rules for both private and public sectors. The other was launched by the Linux Foundation and Open Source Security Foundation (OpenSSF) to address the rising cybersecurity issues challenging the open source and supply chain communities. Let us dive in.
Strengthening Cybersecurity Rules: EU’s NIS 2 Directive
After proposing additional rules for the NIS Directive two years ago, EU countries and lawmakers have now approved the version known as the NIS 2 Directive. The expansion outlines requirements “on the cybersecurity of network and information systems,” as described by Reuters.
In response to the growing target placed on infrastructure, the directive is dedicated to enhancing security practices for organizations within fields including energy, transport, banking, financial market infrastructure, health, vaccines, and medical devices, drinking water, wastewater, digital infrastructure, and public administration.
However, other sectors like postal services, food manufacturing, online marketplaces, social networking platforms and more are also covered in the initiative.
Compliance Requirements and Penalties for Organizations
Under the regulations, these organizations have been instructed to conduct cybersecurity risk assessments and notify authorities of any suspicious findings within a 24-hour window. They must also patch such vulnerabilities uncovered and implement risk management plans to avoid them in the future.
If organizations fail to take these steps, they may face fines. While some observers have raised concerns that this legislation could undercut end-to-end encryption (E2EE) protections, The Hacker News reported that the directive “stressed that ‘Solutions for lawful access to information in end-to-end encrypted communications should maintain the effectiveness of encryption in protecting privacy and security of communications, while providing an effective response to crime.’”
The directive also leaves a number of sectors out of its scope, such as defense, national security, law enforcement and central banks.
Critical Supply Chain Review under NIS 2 Directive
As a part of the NIS 2 Directive, EU countries and the EU cybersecurity agency, ENISA, have also been granted permission to review the risks associated with critical supply chains, which relates to another mission discussed at a recent convening of executives and other leaders.
The 10-Point Plan for Open Source and Supply Chain Security
Held as a follow-up to the White House summit in January, which took place as the widespread impact of the Log4j vulnerability was becoming clear, the meeting was convened by the Linux Foundation and OpenSSF to announce the release of a 10-point plan designed to improve open source and supply chain security.
Industry Support and Funding Commitments
According to Cybersecurity Dive’s coverage, around 90 industry figures attended and agreed to collectively contribute more than $150 million over the course of two years to fix and shield against the recurrence of such detrimental exploits.
Among the companies taking part in the pledge are Amazon, Ericsson, Google, Intel, and Microsoft. Although the sum is significant, an OpenSSF representative noted that it is minor compared to what the costs could be if no action is taken in this area of security.
Stay informed and proactive in the ever-evolving world of cybersecurity within the EU open source community. To learn more about how Option3 can help protect your organization with cutting-edge cybersecurity solutions, don’t hesitate to contact us. Together, we can build a more secure digital future.
Key Takeaways:
“EU governments, lawmakers agree on tougher cybersecurity rules for key sectors” – Foo Yun Chee, Reuters
- After proposing additional rules for the NIS Directive two years ago, EU countries and lawmakers have now approved the version known as the NIS 2 Directive.
- The expansion outlines requirements “on the cybersecurity of network and information systems,” as described by Reuters.
- The directive is dedicated to enhancing security practices for organizations within fields including energy, transport, banking, financial market infrastructure, health, vaccines, and medical devices, drinking water, wastewater, digital infrastructure, public administration and more.
“Europe Agrees to Adopt New NIS2 Directive Aimed at Hardening Cybersecurity” – Ravie Lakshmanan, The Hacker News
https://thehackernews.com/2022/05/europe-agrees-to-adopt-new-nis2.html
- Under the NIS 2 Directive, organizations have been instructed to conduct cybersecurity risk assessments and notify authorities of any suspicious findings within a 24-hour window.
- They must also patch such vulnerabilities uncovered and implement risk management plans to avoid them in the future.
- If organizations fail to take these steps, they may be forced to pay fines.
“Tech giants pledge multimillion down payment to secure open source” – David Jones, Cybersecurity Dive
https://www.cybersecuritydive.com/news/open-source-security-Washington/623731/
- The Linux Foundation and OpenSSF held a convening to announce the release of a 10-point plan designed to improve open source and supply chain security.
- Around ninety industry figures attended and agreed to collectively contribute more than $150 million over the course of two years to fix and shield against the recurrence of detrimental exploits like Log4j.
- Among the companies taking part in the pledge are Amazon, Ericsson, Google, Intel, and Microsoft.