At a glance.
- NIS2 directive focuses on coordinating EU cybersecurity.
- DOD releases plan for adoption of zero trust strategies.
- German data protection report could put Microsoft in legal hot water.
NIS2 directive focuses on coordinating EU cybersecurity.
The European Council yesterday issued a press release announcing the adoption of a new cybersecurity directive focused on improving the resilience and incident response readiness across the EU. Replacing the current NIS directive, NIS2 will establish the baseline for risk management measures and reporting requirements across sectors, with the goal of coordinating cybersecurity rules across the EU’s member states. The press release reads, “NIS2 will set the baseline for cybersecurity risk management measures and reporting obligations across all sectors that are covered by the directive, such as energy, transport, health and digital infrastructure.”
As CSO Online explains, NIS2 also updates the list of sectors and activities that are subject to the directive’s measures and provides methods of enforcement. The press release also notes establishment of the European Cyber Crises Liaison Organization Network (EU-CyCLONe), designed to provide coordinator support in the case of large-scale cybersecurity incidents. Among the updates, NIS2 establishes a new “size-cap rule” dictating that all medium and large entities operating within the directive’s covered sectors or providing covered services will fall within its scope. The directive will not apply to entities focused on defense or national security, public security, law enforcement, nor will it cover judiciary, parliaments, or central banks. NIS2 has also been aligned with sector-specific legislation, like the Digital Operational Resilience Act (DORA) for the financial sector, and the Center for European Reform (CER), which focuses on the resilience of critical entities.
DOD releases plan for adoption of zero trust strategies.
Last week the US Department of Defense (DOD) released its Zero Trust Strategy and Roadmap, outlining a five-year plan for reducing network attack surfaces, facilitating risk management and effective data-sharing, and defending against adversary activities. DOD acting chief information officer David McKeown stated, "Zero trust is a framework for moving beyond relying on perimeter-based cybersecurity defense tools alone and basically assuming that breach has occurred within our boundary and responding accordingly." The DOD has been working on the strategy for a year in collaboration with the National Security Agency, the Defense Information Systems Agency, the Defense Manpower Data Center, US Cyber Command, and the military services.
The Zero Trust Portfolio Management Office, headed by Randy Resnick, was established earlier this year and will be largely responsible for the implementation of the plan’s goals. Resnick explains, "With zero trust, we are assuming that a network is already compromised. And through recurring user authentication and authorization, we will thwart and frustrate an adversary from moving through a network and also quickly identify them and mitigate damage and the vulnerability they may have exploited." The strategy is defined by four high-level goals (Zero Trust Cultural Adoption, DOD Information Systems Secured and Defended, Technology Acceleration, and Zero Trust Enablement) composed of a total of forty-five capabilities and over one hundred activities derived from those capabilities.
German data protection report could put Microsoft in legal hot water.
The EU’s data protection supervisor (EDPS), which oversees compliance with the General Data Protection Regulation (GDPR), has been investigating privacy concerns linked to the European Commission’s use of Microsoft Office 365 since May last year, and an update from a German data protection working group says Microsoft has been unable to resolve any of its compliance issues. As TechCrunch explains, the group references a lack of clarity in Microsoft’s contracts and processing for 365, and its claims of processing data for “legitimate business purposes.” A central issue involves difficulty determining in which cases Microsoft acts as a data controller (which carries heavier responsibilities under EU data protection law) and in which cases it’s only a processor. To put it bluntly, the group’s opinion is that there’s no way to use Microsoft 365 in compliance with the GDPR as the platform currently operates. The group’s update could mean legal trouble for Microsoft, not only in Germany, but also across the EU where the GDPR applies.
The European Data Protection Board (EDPB) also launched a coordinated enforcement action in February focused on the public sector’s use of cloud services. In an April update on the probe, the EDPS wrote, “Use of non-compliant ICT products and services by the public sector threatens the protection of personal data of all EU residents. Public sector bodies at national and EU level have a duty to lead by example, including when it comes to outsourcing and transfers of personal data within and outside the EEA [European Economic Area].”